Hacker News new | past | comments | ask | show | jobs | submit login
Smartphone Hardening non-root Guide 2.0 (for normal people) (lemmy.ml)
107 points by URfejk 11 months ago | hide | past | favorite | 29 comments

A bunch of app suggestions for reading reddit and watching youtube is terrible security advice and borderline dangerous. People should refrain from providing any (pseudo) security advice unless they know what they are talking about.

There may exist people with a genuine need for device hardening and I hope they do not read this article.

EDIT: I’ll leave my comment but I on second reading I notice that the author is specifically targeting normal people and is trying to make it accessible. Arguably should still not be called “hardening”.

The suggestions are more about privacy than hardening the device. Privacy-wise the article looks ok but I would research any single app before installing it.

Came here to post this. The guide has nothing to do with actual hardening. Recommending those apps is borderline idiot's assumption of what security is.

I'd rather recommend to check the postmarketos wiki for supported devices, check what's the latest upstream aosp builds (like omnirom builds) and upstream supported kernel versions and recommend to buy based on that information.

Turned out for my case that there aren't many "real" aosp compatible devices.

The ones I tried out and confirmed were Nexus 4/5P (not 5X!), sony xperia x and compact variant aka kugo, xiaomi redmi note 4 and 8/8T (mido and willow or gingko) and some older, very very outdated devices.

Owned a kugo for a while but android 10 builds became super unstable and caused a lot of crashes and reboots.

Went for xiaomi redmi note 8 (ginkgo) and ignoring the shitty needing-windows-and-168h to unlock bootloader problem it's a very nice device.

Compiled LineageOS from sources, and together with the official releases for Magisk, Blokada, Appwarden, Oeffi, OsmAnd+ and Orbot/TOR browser with ublock0 and umatrix it's pretty much as tracker free as possible.

I also would never recommend any android lower than 10, due to the privacyguard integration that is missing in older versions (privacyguard aka app rights management for location, wifi access, storage access etc).

Sidenote here: TOR browser includes mozilla telemetry service, but you can disable that with appwarden. Reported it upstream, didn't have the time to fix it yet.

The only tracker regarding exodus' list is actually the crashdump reporting feature in Telegram which I disabled with Appwarden.

I also would recommend to use f-droid or the github releases of apps you want to install. A lot of builds on f-droid are outdated for years, so it's better to check the source directly to be sure.

Additionally, never install gapps, never install firefox for android, never install chrome, never install whatsapp or any fb product, never install apps that require admob or play services.

Check spywarewatchdog's blog or do mitmproxy audits yourself.

[1] https://omnirom.org

[2] https://wiki.postmarketos.org

[3] https://f-droid.org/packages

[4] https://reports.exodus-privacy.eu.org

[...] probably forgot a hundred links...but textareas on smartphones are unusable.

>The ones I tried out and confirmed were Nexus 4/5P (not 5X!)

Why not the 5X? I have flashed AOSP Roms on my old 5x lots of times.

My knowledge is a bit outdated when it comes to the bullhead (and/or angler because they shared parts) kernel mods, but last time I checked huge parts of the firmware were relying on a legacy kernel version 3.x which is literally a decade old by now... And additionally wifi/bt/baseband had huge amount of proprietary blobs.

Please correct me if I'm wrong but it seems as this is also the case today.

>iPhone does not allow you to have privacy due to its blackbox nature

This is a stupid argument. My mobile banking app isn't open source either but I'm pretty sure it's reasonably private. Privacy <> open source. Two entirely separate topics than aren't mutually exclusive (or inclusive).

Besides I own & use both iOS & Android. My privacy worries are disproportionately on the android side. The respective pi-hole logs alone give me pause for thought. Canonical android seems OK, but the stuff that actually ships on specific manufacturers is infested for lack of better word. (Why did the pi-hole average block rate shoot up 400%? oh right friend with her android phone visited).

Block rates don't mean that much though. With Apple everything on an out-of-box iPhone goes through them so they only need one connection. A Samsung phone will want to talk to Google, Samsung, and whatever crap they have preloaded (in my case Facebook, OneDrive, "UpDay" and many others). They even made most of those system apps in case I'd have the audacity to remove Facebook :/ Of course they know how much I need it, much more than me.

Deep packet inspection is the only way to really tell (if they haven't done cert pinning, which I assume they have for stuff like activation).

I think the author's point is that you can at least harden Android a lot by uninstalling system apps and services, which you can't do on Apple. There's also many more options available for mitigation, like firewall software. I don't know whether that brings it to a better level than Apple. However loading another firmware certainly will (think LineageOS with MicroG or even nothing at all).

But I do agree that an Android out of the box (for most vendors!) is full of tracking, way more than Apple seems to do. And of course almost no user even tries to remove system apps.

>Block rates don't mean that much though.

Agreed. It's very much a questionable approximation. I do think it is indicative of the manufacturer's overall mindset towards these matters though.

>There's also many more options available for mitigation, like firewall software. I don't know whether that brings it to a better level than Apple.

You can probably do something like NextDNS. Most devices seem to use a domain not hardcoded IP

yes but if you have read the next few words the author links to this exploit https://9to5mac.com/2020/08/01/new-unpatchable-exploit-alleg... which is highly problematic

If you're looking for a hardening guide for iOS, then try the iVerify app. It will help you detect jailbreaks, check critical security settings, and teach you about many more.


Hmmm. I know a thing or two about mobile devices and my best advice is to avoid installing ANY third-party applications, especially any “security/antivirus” apps that request dangerous permissions in order to break out of their sandbox.

I have examined several antivirus apps from well-known security companies and they ALL cause more privacy/security issues than most malware does.

Third party advertising SDK’s that harvests the users location and social media data, accessing WhatsApp internal databases, access the users microphone, clipboard and camera.

But to be fair I have never looked at the app you mentioned but I have my doubts.

While I disabled a bunch of things using “Universal Android Debloater”, there is a non-zero chance you wil end up disabling something important, or causing your phone to bootloop (which can require a full reset to fix). This shouldn't be recommended for non-nerds.

Yeah I used all the privacy settings of WPD (Windows Privacy Dashboard) on my computer and was never able to re-enable my microphone for visio-conferences !

Yep, I took a look at the lists and they're sometimes quite excessive. Why would you disable OnePlus icon packs and clock widget? The AOSP list is even funnier, it disables even com.android.egg which is.. why? (TIL about being able to disable it at all) How is it bloat?

And real nerds will just disable what they want with ADB :)

Add _nomap to your SSID to stop Google from using your access point for location services.


The fact that you have to change your SSID to opt out of third parties using it is... shady at best. What happens when two competing third parties have conflicting name requirements for you to opt-out?

And how do you know they actually obey it? :/

Knowing Google it will still go somewhere.

> What happens when two competing third parties have conflicting name requirements for you to opt-out?

No worries! One or the other of them will change its mind as soon as any significant number of people start using the option.

Meanwhile, about four posts down on the same HN front page is an article announcing Check Point just uncovered about 400 hardware exploits affecting Snapdragon chipsets so even after bulletproofing the OS you still have a zero trust environment and imho we best either get used to that or switch back to pen and paper processing.

[1] Snapdragon chip flaws put 1B Android phones at risk of data theft - https://news.ycombinator.com/item?id=24092545

Came here to mention this as well.

Really negates the security benefit to running a specific type of hardware.

A design is only considered secure until we realize that it isn’t. And who can say that these vulnerabilities weren't being exploited before being disclosed to the public?

In my opinion choosing to have a smartphone in itself means accepting a degree of privacy loss of and risk if security issues in one form or another.

Phones are a big attack surface, and no design is perfect.

One of the first things this article lists is enabling Huawei screen capture and record. This is overall an unserious guide and of questionable provenance at best. Doesn't belong on HN.

A low hanging fruit for locking down problematic apps would be to use Android profiles: https://medium.com/@kloudtrader/reducing-whatsapp-digital-fo...

I find it ironic that the website that gives tips on hardening a mobile device requests that I enable JavaScript to view it.

I never enable JS on a mobile browser especially Safari on iOS.

There is something very, very wrong with WebKit and some very disturbing crash logs appear when viewing the WWW with JS enabled.

For a secure and private OS which doesn't need root you can try GrapheneOS: https://grapheneos.org/

No need to "harden" it after you install because things are locked down by default.

I've been using it for the last six months and I think it's fantastic.

How "hardened" is it? Can you completely control network traffic and permission access of every installed app?

For example, if you wanted to spoof the android_id (something you usually can't do with regular permissions) to some app, could you do that?

Also, is app storage isolated? This is a new feature in Android 10 but a pretty easy way to allow for cross-application tracking/fingerprinting in earlier Android versions.

I currently run Lineage with microG but I still had to get root access to effectively counter those things.

As an alternative look ar RattlesnakeOS: https://github.com/dan-v/rattlesnakeos-stack

Needs a Google Pixel but you can customize all kinds of things and still have a locked boot loader.

Great guide but I don't expect regular people being able to follow even the "not nerd" steps.

I give it very low grades.

It suggests installing many closed source, Advertising-ridden apps from the play store.

And to one of those ad-ridden apps, it even suggest you use adb to give it supper powers of sorts.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact