
Ask HN: How to harden an android phone - czep
As a paranoid owner of a new nexus, what recommended steps should I take to enhance security and privacy?
======
tshtf
The first thing any competent practitioner is going to ask is this:

What is your threat model?

Are you the next Edward Snowden? A Russian doing drug deals on dark markets? A
clerk at a locally run convenience store? Some tech worker in the Bay Area? A
journalist in Western Europe? A Wal-Mart employee organizing to form a union?
A free-software proponent and developer?

The answer here is to do some threat modeling. What activities are you
involved with that may be interesting to those with power and capabilities?
Are you concerned with powerful state or corporate actors? Are you concerned
with the run-of-the-mill privacy invasions in typical Android apps?

~~~
czep
Threat model: I'm an ordinary consumer doing ordinary consumer things, and I
don't want to have my identity stolen or my browsing habits being sold at
auction. Highest feasible level of protection against state and nonstate
adversaries. I assume a TLA could defeat me in a targeted attack, but don't
want to get ensnared in a dragnet (hmmm, you just read a page on torproject,
into the suspect list you go!)

~~~
tshtf
Assuming you have a Nexus running Android 6.0, there's quite a bit you can do
by denying capabilities to applications. This is a new feature of Android 6.0
that lets end users deny specific capabilities per app (Calendar, camera,
contacts, location, microphone, phone, SMS, storage).

* Navigate to Settings -> Apps -> Config -> App Permissions, and disable permissions in each category.

* When you install a new application, only those targeting Android 6.0 or later will prompt you for permissions, so go in and edit the permissions for newly installed applications before you run them.

* Depending on your cellular provider, it may be helpful to setup a forward-all VPN through either your own server or a trusted VPN provider (feel free to read about Verizon X-UIDH supercookies). I don't trust VPN providers, so I do this myself.

* Enable device encryption, and use a sufficiently complex password. Assume when your device is powered on that all data on the device can be obtained.

* Set Firefox to your default browser, and install relevant extensions like uBlock Origin.

~~~
czep
Thanks, much appreciated. I am new to android having used iOS for most of my
phones in the past. I decided to switch to get away from Verizon and a general
dissatisfaction with the way iOS makes decisions for you. So any practical
advice for an android newb is helpful!

~~~
arnold_palmur
I'm in the same exact boat as you - always had iOS and am supposed to get my
Nexus 6p on Monday (leaving Verizon for Google Fi) - I'm intently watching
this thread for some suggestions/tips as a new Android user.

~~~
czep
Yup, I finally got disgusted enough by Verizon's complete disregard for their
customers that I was willing to switch to Android simply to try Google Fi. The
tipping point for me was when I realized that 10 months had gone by after I'd
paid off my iPhone and Verizon continued to charge me for it. When I called
their CS, the best they could do was refund me 3 months of it. So I'm done.

I got my 6p yesterday and still learning my way around it. Overall I'm
impressed but feel like such a noob and not sure what to do to stay safe.
There's a decent checklist here: [https://security.utexas.edu/handheld-
hardening-checklists/an...](https://security.utexas.edu/handheld-hardening-
checklists/android)

It's a bit generic and not specifically to Android 6.0, but helps point in the
general direction of how to think about securing android.

------
rahiel
For Nexus phones there's CopperheadOS [1], a hardened Android version focused
on security. It sounds great but I haven't tried it. It's also nice that they
try to upstream some of their work.

[1]: [https://copperhead.co/android/](https://copperhead.co/android/)

