
Smartphone Hardening non-root Guide 2.0 (for normal people) - URfejk
https://dev.lemmy.ml/post/38770
======
thornjm
A bunch of app suggestions for reading reddit and watching youtube is terrible
security advice and borderline dangerous. People should refrain from providing
any (pseudo) security advice unless they know what they are talking about.

There may exist people with a genuine need for device hardening and I hope
they do not read this article.

EDIT: I’ll leave my comment, but on second reading I notice that the author
is specifically targeting normal people and is trying to make it accessible.
Arguably it should still not be called “hardening”.

~~~
cookiengineer
Came here to post this. The guide has nothing to do with actual hardening.
Recommending those apps is borderline idiot's assumption of what security is.

I'd rather recommend to check the postmarketos wiki for supported devices,
check what's the latest upstream aosp builds (like omnirom builds) and
upstream supported kernel versions and recommend to buy based on that
information.

Turned out for my case that there aren't many "real" aosp compatible devices.

The ones I tried out and confirmed were Nexus 4/5P (not 5X!), sony xperia x
and compact variant aka kugo, xiaomi redmi note 4 and 8/8T (mido and willow or
ginkgo) and some older, very very outdated devices.

Owned a kugo for a while but android 10 builds became super unstable and
caused a lot of crashes and reboots.

Went for xiaomi redmi note 8 (ginkgo) and ignoring the shitty
needing-windows-and-168h to unlock bootloader problem it's a very nice device.

Compiled LineageOS from sources, and together with the official releases for
Magisk, Blokada, Appwarden, Oeffi, OsmAnd+ and Orbot/TOR browser with ublock0
and umatrix it's pretty much as tracker free as possible.

I also would never recommend any android lower than 10, due to the
privacyguard integration that is missing in older versions (privacyguard aka
app rights management for location, wifi access, storage access etc).

Sidenote here: TOR browser includes mozilla telemetry service, but you can
disable that with appwarden. Reported it upstream, didn't have the time to fix
it yet.

The only tracker regarding exodus' list is actually the crashdump reporting
feature in Telegram which I disabled with Appwarden.

I also would recommend to use f-droid or the github releases of apps you want
to install. A lot of builds on f-droid are outdated for years, so it's better
to check the source directly to be sure.

Additionally, never install gapps, never install firefox for android, never
install chrome, never install whatsapp or any fb product, never install apps
that require admob or play services.

Check spywarewatchdog's blog or do mitmproxy audits yourself.

[1] [https://omnirom.org](https://omnirom.org)

[2] [https://wiki.postmarketos.org](https://wiki.postmarketos.org)

[3] [https://f-droid.org/packages](https://f-droid.org/packages)

[4] [https://reports.exodus-privacy.eu.org](https://reports.exodus-privacy.eu.org)

[...] probably forgot a hundred links...but textareas on smartphones are
unusable.

~~~
Dahoon
>The ones I tried out and confirmed were Nexus 4/5P (not 5X!)

Why not the 5X? I have flashed AOSP Roms on my old 5x lots of times.

~~~
cookiengineer
My knowledge is a bit outdated when it comes to the bullhead (and/or angler
because they shared parts) kernel mods, but last time I checked huge parts of
the firmware were relying on a legacy kernel version 3.x which is literally a
decade old by now... And additionally wifi/bt/baseband had huge amount of
proprietary blobs.

Please correct me if I'm wrong but it seems as if this is also the case today.

------
Havoc
>iPhone does not allow you to have privacy due to its blackbox nature

This is a stupid argument. My mobile banking app isn't open source either but
I'm pretty sure it's reasonably private. Privacy <> open source. Two entirely
separate topics that aren't mutually exclusive (or inclusive).

Besides I own & use both iOS & Android. My privacy worries are
disproportionately on the android side. The respective pi-hole logs alone give
me pause for thought. Canonical android seems OK, but the stuff that actually
ships on specific manufacturers is infested, for lack of a better word. (Why
did the pi-hole average block rate shoot up 400%? Oh right, friend with her
android phone visited).

~~~
GekkePrutser
Block rates don't mean that much though. With Apple everything on an
out-of-box iPhone goes through them so they only need one connection. A
Samsung phone will want to talk to Google, Samsung, and whatever crap they have
preloaded (in my case Facebook, OneDrive, "UpDay" and many others). They even
made most of those system apps in case I'd have the audacity to remove
Facebook :/ Of course they know how much I need it, much more than me.

Deep packet inspection is the only way to really tell (if they haven't done
cert pinning, which I assume they have for stuff like activation).

I think the author's point is that you can at least harden Android a lot by
uninstalling system apps and services, which you can't do on Apple. There's
also many more options available for mitigation, like firewall software. I
don't know whether that brings it to a better level than Apple. However
loading another firmware certainly will (think LineageOS with MicroG or even
nothing at all).

But I do agree that an Android out of the box (for most vendors!) is full of
tracking, way more than Apple seems to do. And of course almost no user even
tries to remove system apps.

~~~
Havoc
>Block rates don't mean that much though.

Agreed. It's very much a questionable approximation. I do think it is
indicative of the manufacturer's overall mindset towards these matters though.

>There's also many more options available for mitigation, like firewall
software. I don't know whether that brings it to a better level than Apple.

You can probably do something like NextDNS. Most devices seem to use a domain,
not a hardcoded IP.

------
dguido
If you're looking for a hardening guide for iOS, then try the iVerify app. It
will help you detect jailbreaks, check critical security settings, and teach
you about many more.

[https://blog.trailofbits.com/2019/11/14/introducing-iverify-...](https://blog.trailofbits.com/2019/11/14/introducing-iverify-the-security-toolkit-for-iphone-users/)

~~~
sloshnmosh
Hmmm. I know a thing or two about mobile devices and my best advice is to
avoid installing ANY third-party applications, especially any
“security/antivirus” apps that request dangerous permissions in order to break
out of their sandbox.

I have examined several antivirus apps from well-known security companies and
they ALL cause more privacy/security issues than most malware does.

Third party advertising SDKs that harvest the user's location and social
media data, access WhatsApp internal databases, and access the user's
microphone, clipboard and camera.

But to be fair I have never looked at the app you mentioned but I have my
doubts.

------
CJefferson
While I disabled a bunch of things using “Universal Android Debloater”, there
is a non-zero chance you will end up disabling something important, or causing
your phone to bootloop (which can require a full reset to fix). This shouldn't
be recommended for non-nerds.

~~~
jmnicolas
Yeah I used all the privacy settings of WPD (Windows Privacy Dashboard) on my
computer and was never able to re-enable my microphone for video conferences!

------
evilelectron
Add _nomap to your SSID to stop Google from using your access point for
location services.

[https://support.google.com/maps/answer/1725632?hl=en](https://support.google.com/maps/answer/1725632?hl=en)

~~~
inetknght
The fact that you have to change your SSID to opt out of third parties using
it is... shady at best. What happens when two competing third parties have
conflicting name requirements for you to opt-out?

~~~
GekkePrutser
And how do you know they actually obey it? :/

Knowing Google it will still go somewhere.

------
jimmySixDOF
Meanwhile, about four posts down on the same HN front page is an article
announcing Check Point just uncovered about 400 hardware exploits affecting
Snapdragon chipsets so even after bulletproofing the OS you still have a zero
trust environment and imho we best either get used to that or switch back to
pen and paper processing.

[1] Snapdragon chip flaws put 1B Android phones at risk of data theft -
[https://news.ycombinator.com/item?id=24092545](https://news.ycombinator.com/item?id=24092545)

~~~
deeblering4
Came here to mention this as well.

Really negates the security benefit of running a specific type of hardware.

A design is only considered secure until we realize that it isn’t. And who can
say that these vulnerabilities weren't being exploited before being disclosed
to the public?

In my opinion choosing to have a smartphone in itself means accepting a degree
of privacy loss and risk of security issues in one form or another.

Phones are a big attack surface, and no design is perfect.

------
bahmboo
One of the first things this article lists is enabling Huawei screen capture
and record. This is overall an unserious guide and of questionable provenance
at best. Doesn't belong on HN.

------
narrationbox
A low hanging fruit for locking down problematic apps would be to use Android
profiles: [https://medium.com/@kloudtrader/reducing-whatsapp-digital-fo...](https://medium.com/@kloudtrader/reducing-whatsapp-digital-footprint-in-the-age-of-facebook-3e087fee0ae0)

------
sloshnmosh
I find it ironic that the website that gives tips on hardening a mobile device
requests that I enable JavaScript to view it.

I never enable JS on a mobile browser especially Safari on iOS.

There is something very, very wrong with WebKit and some very disturbing crash
logs appear when viewing the WWW with JS enabled.

------
countermeasure
For a secure and private OS which doesn't need root you can try GrapheneOS:
[https://grapheneos.org/](https://grapheneos.org/)

No need to "harden" it after you install because things are locked down by
default.

I've been using it for the last six months and I think it's fantastic.

~~~
djeiasbsbo
How "hardened" is it? Can you completely control network traffic and
permission access of every installed app?

For example, if you wanted to spoof the android_id (something you usually
can't do with regular permissions) to some app, could you do that?

Also, is app storage isolated? This is a new feature in Android 10 but a
pretty easy way to allow for cross-application tracking/fingerprinting in
earlier Android versions.

I currently run Lineage with microG but I still had to get root access to
effectively counter those things.

------
woliveirajr
Great guide but I don't expect regular people to be able to follow even the
"not nerd" steps.

------
gcb0
I give it very low grades.

It suggests installing many closed source, Advertising-ridden apps from the
play store.

And for one of those ad-ridden apps, it even suggests you use adb to give it
super powers of sorts.

