Smartphone Hardening Guide (github.com/aronmolnar)
10 comments

It looks like this is a more general overview for people who don't have any background on this concept, but I have some issues/suggestions.

Step one should be to install GrapheneOS (or if this isn't Android specific, at least mention it). Don't bother with any other ROM; it's the only one that actually takes security seriously [0].

No mention of alternative app stores that don't require a Google account, e.g. F-Droid, Aurora Store.

No mention of user profiles for isolating apps.

Browser hardening section is fine, but I think mentioning Bromite would be a good idea. It's a Chrome-based browser with privacy protections and ad-block built in [1].

0: https://grapheneos.org/features (list of security features).

1: https://www.bromite.org/

Thanks for your constructive suggestions! I opened a ticket and I will look through them in detail. https://github.com/aronmolnar/smartphone-hardening-guide/iss...

My problem with GrapheneOS is that only Pixel devices are officially supported, which makes it a very tight use case in my point of view.

> "GrapheneOS also supports generic targets, but these aren't suitable for production usage and are only intended for development and testing use."


> My problem with GrapheneOS is that only Pixel devices are officially supported, which makes it a very tight use case in my point of view.

Yes, that's fair enough, especially for your guide, which again seems to be more general to all mobile phones (which is not a bad thing). Not sure if their website touches on it, but I can see a couple of reasons they've gone for Pixel devices only:

- Guaranteed support by Google for some time
- Official AOSP source (straight from Google)
- Titan security chips

If you take sec seriously, you buy your device after reviewing software and hardware viability... not the other way around.

Absolutely. You find this in the section "Choosing a phone". In my point of view, it would be the wrong recommendation that everyone should buy a Pixel phone just because it supports a certain operating system.

An Android hardening guide that does not at least mention GrapheneOS? I'm not sure if I'd follow their advice...

I opened a ticket for it, but as mentioned above, I find that GrapheneOS does not have enough officially supported devices.

Android can't be secured unless it's stock with verified boot/ root of trust. Even then, the verified apps from the store leak your data at every opportunity, as does the OS. iPhone is the way to go

I avoid discussions which say one of them is "the way to go". Both are acceptable in my point of view. Both have their drawbacks and benefits.

iPhones, for example, have had massive security issues in iMessage and still prevent other (more secure) apps from receiving SMS. Why? iPhones could all be targeted with zero-click attacks of Pegasus because they have a consistent OS throughout all devices.

Are iPhones bad because of this? - No! But iOS vs Android must not be a religion (same for Windows vs Unix)

Due to the $99 annual Apple Developer Program membership fee required to keep apps in the App Store, iOS has a rather paltry selection of free and open source apps. On the other hand, Android has an excellent selection of FOSS apps in F-Droid. Apps on F-Droid are reviewed for data collection and other privacy concerns, which are disclosed on the listing. Nearly all F-Droid apps have no such concerns.

