There may exist people with a genuine need for device hardening and I hope they do not read this article.
EDIT: I'll leave my comment, but on second reading I notice that the author is specifically targeting normal people and is trying to make it accessible. Arguably it should still not be called "hardening".
I'd rather recommend checking the postmarketOS wiki for supported devices, checking what the latest upstream AOSP builds (like OmniROM builds) and upstream-supported kernel versions are, and buying based on that information.
Turned out for my case that there aren't many "real" aosp compatible devices.
The ones I tried out and confirmed were the Nexus 4/5P (not 5X!), Sony Xperia X and its Compact variant aka kugo, Xiaomi Redmi Note 4 and 8/8T (mido and willow or ginkgo), and some older, very very outdated devices.
Owned a kugo for a while but android 10 builds became super unstable and caused a lot of crashes and reboots.
Went for the Xiaomi Redmi Note 8 (ginkgo) and, ignoring the shitty needing-Windows-and-168h-to-unlock-the-bootloader problem, it's a very nice device.
Compiled LineageOS from sources, and together with the official releases for Magisk, Blokada, Appwarden, Oeffi, OsmAnd+ and Orbot/TOR browser with ublock0 and umatrix it's pretty much as tracker free as possible.
I also would never recommend any Android lower than 10, due to the PrivacyGuard integration that is missing in older versions (PrivacyGuard aka app rights management for location, wifi access, storage access etc.).
Sidenote here: Tor Browser includes the Mozilla telemetry service, but you can disable that with Appwarden. Reported it upstream, didn't have the time to fix it yet.
The only tracker regarding exodus' list is actually the crashdump reporting feature in Telegram which I disabled with Appwarden.
I also would recommend using F-Droid or the GitHub releases of apps you want to install. A lot of builds on F-Droid are outdated for years, so it's better to check the source directly to be sure.
Additionally, never install GApps, never install Firefox for Android, never install Chrome, never install WhatsApp or any FB product, never install apps that require AdMob or Play Services.
Check spywarewatchdog's blog or do mitmproxy audits yourself.
[...] probably forgot a hundred links...but textareas on smartphones are unusable.
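A minimal version of the "mitmproxy audit" mentioned in the comment above, added here as an example; it is not code from any commenter or from any project named in the thread. It matches outbound request hosts against a blocklist of tracker domain suffixes on DNS label boundaries (so `cdn.ads.example` matches `ads.example` but `notads.example` does not). The blocklist and the sample requests are constructed placeholders (the `.example` names are reserved and never resolve; take real signatures from exodus-privacy or a maintained hosts list), and the per-app label is an assumption: mitmproxy cannot tell which Android process opened a flow, so the auditor exercises one app at a time and labels the capture. With mitmproxy installed the same file loads as an addon (`mitmdump -s tracker_audit.py`); without it, the stand-alone audit over the sample runs on its own. Apps that pin certificates will reject the proxy CA and show up as TLS handshake failures rather than readable requests, which is the caveat raised further down the thread.

```python
"""Tracker audit for proxied Android traffic (added example, not from the thread).

Stand-alone:  python tracker_audit.py
As an addon:  mitmdump -s tracker_audit.py   (mitmproxy must be installed)
"""
import logging
from collections import Counter
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Constructed placeholder blocklist (assumption, not a real signature set).
# A real audit should load signatures from a maintained source such as
# exodus-privacy; the ".example" names below are reserved and never resolve.
TRACKER_SUFFIXES = {
    "crashlytics.example": "crash reporting",
    "ads.example": "advertising",
    "metrics.example": "telemetry",
}


def classify_host(host, suffixes=TRACKER_SUFFIXES):
    """Return the tracker category for a host, or None if it is not listed.

    Matching is on DNS label boundaries: "cdn.ads.example" matches the suffix
    "ads.example", but "notads.example" does not (a substring match would flag it).
    """
    host = host.lower().rstrip(".")
    for suffix, category in suffixes.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None


def audit(requests):
    """Summarise tracker hits per app label.

    `requests` is an iterable of (app_label, url). The label is assigned by the
    auditor (one app exercised at a time); the proxy cannot supply it.
    Returns {app_label: Counter({category: hits})}, listing only apps that hit
    at least one tracker.
    """
    report = {}
    for app, url in requests:
        category = classify_host(urlsplit(url).hostname or "")
        if category:
            report.setdefault(app, Counter())[category] += 1
    return report


# Constructed sample of what a labelled capture might look like after using
# two hypothetical apps behind the proxy.
SAMPLE_REQUESTS = [
    ("chat_app", "https://api.example.org/v1/messages"),
    ("chat_app", "https://report.crashlytics.example/upload"),
    ("weather_app", "https://cdn.ads.example/sdk.js"),
    ("weather_app", "https://ads.example/bid"),
    ("weather_app", "https://collector.metrics.example/batch"),
    ("weather_app", "https://notads.example/forecast"),
]

try:
    from mitmproxy import http  # only present when loaded inside mitmproxy

    class TrackerAudit:
        """mitmproxy addon: tag and log every flow whose host is a listed tracker."""

        def __init__(self):
            self.hits = Counter()

        def request(self, flow: http.HTTPFlow) -> None:
            host = flow.request.pretty_host
            category = classify_host(host)
            if category:
                self.hits[(host, category)] += 1
                flow.metadata["tracker"] = category  # visible in the flow detail view
                log.warning("tracker (%s): %s %s", category,
                            flow.request.method, flow.request.pretty_url)

    addons = [TrackerAudit()]
except ImportError:
    pass  # stand-alone mode: no mitmproxy available, audit() still works

if __name__ == "__main__":
    for app, hits in audit(SAMPLE_REQUESTS).items():
        print(app, dict(hits))
```

Run stand-alone it prints one line per app that contacted a listed tracker (for the constructed sample: `chat_app` with one crash-reporting hit, `weather_app` with two advertising hits and one telemetry hit). Suffix matching on label boundaries is deliberate: a hosts-style list applied as a substring check will both over-match unrelated domains and miss subdomains the SDK actually uses.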
Why not the 5X? I have flashed AOSP ROMs on my old 5X lots of times.
Please correct me if I'm wrong, but it seems as if this is also the case today.
This is a stupid argument. My mobile banking app isn't open source either, but I'm pretty sure it's reasonably private. Privacy <> open source. Two entirely separate topics that aren't mutually exclusive (or inclusive).
Besides, I own & use both iOS & Android. My privacy worries are disproportionately on the Android side. The respective Pi-hole logs alone give me pause for thought. Canonical Android seems OK, but the stuff that actually ships from specific manufacturers is infested, for lack of a better word. (Why did the Pi-hole average block rate shoot up 400%? Oh right, a friend with her Android phone visited.)
Deep packet inspection is the only way to really tell (if they haven't done cert pinning, which I assume they have for stuff like activation).
I think the author's point is that you can at least harden Android a lot by uninstalling system apps and services, which you can't do on Apple. There are also many more options available for mitigation, like firewall software. I don't know whether that brings it to a better level than Apple. However, loading another firmware certainly will (think LineageOS with microG or even nothing at all).
But I do agree that an Android out of the box (for most vendors!) is full of tracking, way more than Apple seems to do. And of course almost no user even tries to remove system apps.
Agreed. It's very much a questionable approximation. I do think it is indicative of the manufacturer's overall mindset towards these matters though.
>There are also many more options available for mitigation, like firewall software. I don't know whether that brings it to a better level than Apple.
You can probably do something like NextDNS. Most devices seem to use a domain, not a hardcoded IP.
I have examined several antivirus apps from well-known security companies and they ALL cause more privacy/security issues than most malware does.
Third-party advertising SDKs that harvest the user's location and social media data, access WhatsApp's internal databases, and access the user's microphone, clipboard and camera.
But to be fair I have never looked at the app you mentioned but I have my doubts.
Knowing Google it will still go somewhere.
No worries! One or the other of them will change its mind as soon as any significant number of people start using the option.
Snapdragon chip flaws put 1B Android phones at risk of data theft - https://news.ycombinator.com/item?id=24092545
Really negates the security benefit of running a specific type of hardware.
A design is only considered secure until we realize that it isn’t. And who can say that these vulnerabilities weren't being exploited before being disclosed to the public?
In my opinion, choosing to have a smartphone in itself means accepting a degree of privacy loss and risk of security issues in one form or another.
Phones are a big attack surface, and no design is perfect.
I never enable JS on a mobile browser especially Safari on iOS.
There is something very, very wrong with WebKit and some very disturbing crash logs appear when viewing the WWW with JS enabled.
No need to "harden" it after you install because things are locked down by default.
I've been using it for the last six months and I think it's fantastic.
For example, if you wanted to spoof the android_id (something you usually can't do with regular permissions) to some app, could you do that?
Also, is app storage isolated? This is a new feature in Android 10 but a pretty easy way to allow for cross-application tracking/fingerprinting in earlier Android versions.
I currently run Lineage with microG but I still had to get root access to effectively counter those things.
Needs a Google Pixel, but you can customize all kinds of things and still have a locked bootloader.
It suggests installing many closed-source, advertising-ridden apps from the Play Store.
And for one of those ad-ridden apps, it even suggests you use adb to give it superpowers of sorts.