- Unlock the bootloader, as phone manufacturers should not be trusted. Even if the ROMs manufacturers provide are open-source, the firmware usually is not.
- Unlocking the bootloader also makes the phone receive secure updates again.
- Firefox is a great browser that can resist fingerprinting. The sandbox function on Android should be achieved by restrictions on permissions and storage isolation.
- Traffic over Tor is also much better than just over the telecom carrier. A small fraction of non-privacy nodes is also not a problem, as routes are always changed, and how can an organization control most nodes?
I recently installed GrapheneOS on an old Pixel, and the recommended practice was to relock the bootloader after unlocking it and installing a custom OS, which is supported on Pixels.
An unlocked bootloader makes the phone vastly more insecure (see https://news.ycombinator.com/item?id=35790499). Phone firmware cannot be fully open-source nowadays due to manufacturer restrictions. Even the most open-source Android fork will still have to include binary blobs from e.g. modem manufacturers.
Additionally, the updates that the forked OS provides don't include firmware updates for essential parts like the modem (this is also the reason why phone updates are not available in the first place). So it's essentially a security theatre.
Firefox doesn't use per-site isolation, doesn't use process sandboxing and, on top of that, has a JIT, so there are W^X violations. Normal app sandboxing via Android permissions is not sufficient for something as complex as a browser. The potential for exploits is inherently massive. Other browsers (Chromium-based) like Vanadium have very sophisticated sandboxing, so there's no reason to use something inferior.
Traffic over Tor is good, but shouldn't be used with authenticated services, as it deanonymizes your connection. Instead, it should only be used for specific (unauthenticated) actions, like browsing news.
> - all of the device's traffic is routed over Tor → any authentication on a non-privacy service compromises your anonymity
Wouldn't this depend on whether you had a stream isolation setup? Pretty sure Tails/Tor Browser do this, so you can have a signed-in Facebook tab and another tab open and the two won't be linked. I don't think the guide here accounts for that though.
As long as you keep the device in your possession with a quick option to wipe it, I believe that mitigates the unlocked bootloader. Graphene locks the bootloader as a more secure option.
I tried Invizible Pro and do not see an option for split tunnelling. I suppose Orbot may be a better choice if authentication to one of those services is needed.
If you can't trust your OS, trying to anonymize it is useless.
Verified boot doesn't prevent you from cleaning up the device. Modern Android phones have wonderfully sophisticated per-file disk encryption.
On Pixels, the decryption key is stored in a secure enclave (Titan M). If you want to wipe the device safely, you can just reset the OS. (This deletes the decryption key from the secure enclave, which turns all user data on the userdata partition into random junk.)
GrapheneOS for example gets all of these things right. It is possible to make your phone secure, but not by permanently unlocking the bootloader and rooting the device.
> If you can't trust your OS, trying to anonymize it is useless.
Well yeah, welcome to the modern smartphone era. Those protections are useless or counter-productive because the base ROM already has spyware baked into it.
I don't know why some people consider a Chinese no-name pre-installed ROM more secure than LineageOS, but that's not how it works.
> On Pixels, the decryption key is stored in a secure enclave (Titan M). If you want to wipe the device safely, you can just reset the OS. (This wipes the decryption key from the secure enclave, which turns all user data on the userdata partition into random junk.)
None of that matters if your data is just sent to Google anyways.
> Well yeah, welcome to the modern smartphone era. Those protections are useless or counter-productive because the base ROM already has spyware baked into it.
If you assume this to be correct, then there's no point in attempting to make your phone private. Privacy isn't possible without security.
> None of that matters if your data is just sent to Google anyways.
When you use a custom ROM, that's not necessarily true. But using a custom ROM doesn't necessarily mean you have to permanently unlock your bootloader, so that argument doesn't make sense.
> If you assume this to be correct, then there's no point in attempting to make your phone private. Privacy isn't possible without security.
You have it the other way around: security starts with privacy at its absolute minimum. If data is sent to a third party every time you tap something on the phone, you are using an insecure phone, regardless of what complex hardware they are using.
> But using a custom ROM doesn't necessarily mean you have to permanently unlock your bootloader, so that argument doesn't make sense.
True, it depends on the phone though; some of them cannot be locked again, and there's no way to completely fix those phones with a better ROM.
I disagree. You can't keep data away from others when it isn't safe. Security doesn't necessarily imply privacy (as demonstrated by your argument), but making something private is impossible without making it secure. How can you hide something in your house when it doesn't have a lock and anyone can just walk in? Likewise, how is your phone private if, say, anyone can unlock it?
> True, it depends on the phone though; some of them cannot be locked again, and there's no way to completely fix those phones with a better ROM.
Then you shouldn't use those phones for a secure setup. I think we can agree on that. But the author of the article used a phone that is capable of locking the bootloader with alternate ROMs.
> How can you hide something in your house when it doesn't have a lock and anyone can just walk in? Likewise, how is your phone private if, say, anyone can unlock it?
Security requires privacy. A phone without privacy is insecure by design, insecure because it leaks data.
And the biggest danger to consumers nowadays isn't a bootrom exploit but that their location, card payments and data profile are sent to advertisers.
You might never get a chance to wipe it. I had a cop whip out a loaded gun and point it at my head to take my phone out of my hand. I didn't even have a lock code as there was nothing to hide, but if I had been a criminal I would not have had time or opportunity to do anything without my brains leaving my skull.
Tunneling all traffic through Tor can be risky, especially if you're using exit nodes to access clearweb applications. The traffic patterns of your tunnel will be significantly different from most Tor traffic (browsers, exclusively) which can help pinpoint your phone if the authorities are wiretapping your connection. Allegedly, the various law enforcement agencies around the world operate a significant amount of exit nodes and if they can pinpoint a particular traffic pattern, they may be able to trace it back home.
I would be more selective with my traffic. Use Tor Browser for browser traffic, but keep sending Signal/Session/whatever through normal means. That makes your phone stand out less. Consider using a decent VPN like Mullvad, that should provide enough plausible deniability not to stand out.
The routes of Tor traffic are dynamically changed, so a node can only pinpoint the pattern during a small period of time. So compared to a VPN, which may monitor you constantly, Tor should be preferred.
If you think your traffic is not being monitored over Tor, then you have thought incorrectly. It can be monitored at the exit node no problem, and is likely monitored _more_ closely than other endpoints.
Your only hope is either not using exit nodes (and only using hidden services), or encrypting all of your traffic _and_ making sure different apps/services use different Tor circuits. This does not happen by default, meaning all of your traffic is mixed together. It doesn't matter that it migrates routes every so often.
Exit nodes don't know where the traffic is coming from, until, of course, you accidentally access your personal domain name over HTTPS just by visiting it, which leaks through SNI. Hope you don't host your own services!
> If you think your traffic is not being monitored over Tor, then you have thought incorrectly.
Tor exit nodes can only monitor traffic for a very short period of time; you create a new circuit and pick an entirely new path through the network very often.
> This does not happen by default, meaning all of your traffic is mixed together. It doesn't matter that it migrates routes every so often.
Absolutely true; a solution to this is to use Whonix or Tails, which automatically stream-isolate all pre-installed programs, therefore correlation by circuit sharing is impossible. Unfortunately that does not work on a phone, but in the end, using Tor for this is no worse than a VPN.
> Exit nodes don't know where the traffic is coming from, until, of course, you accidentally access your personal domain name over HTTPS
This seems like a straw man. There aren't many alternatives to Tor. A VPN will know where you're coming from by default.
> This seems like a straw man. There aren't many alternatives to Tor.
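The stream-isolation point raised in this exchange (different apps on different circuits, which Whonix and Tails arrange system-wide), as an added example that is not from either commenter: Tor's SOCKS5 port keeps streams that authenticate with different username/password pairs on separate circuits (its IsolateSOCKSAuth option, on by default), so each app presenting its own credentials gets its own circuit and exit. The proxy address 127.0.0.1:9050 is the assumed default SocksPort; connect_via_tor needs a running Tor daemon, while the message builders run offline.

```python
import secrets
import socket
import struct
from typing import List, Optional, Tuple

TOR_SOCKS = ("127.0.0.1", 9050)   # assumed default SocksPort; match your torrc


def isolation_credentials(app: str, session: Optional[str] = None) -> Tuple[bytes, bytes]:
    """Per-app SOCKS5 credentials. Tor never shares a circuit between streams that
    authenticated with different credentials, so "signal" and "browser" traffic leave
    through different exits. A fresh random password per session additionally keeps
    today's circuits apart from yesterday's."""
    user = app.encode("utf-8")
    pw = (session or secrets.token_hex(8)).encode("utf-8")
    if not (1 <= len(user) <= 255 and 1 <= len(pw) <= 255):
        raise ValueError("RFC 1929 limits username and password to 1..255 bytes")
    return user, pw


def socks5_messages(app: str, host: str, port: int,
                    session: Optional[str] = None) -> List[bytes]:
    """The three client messages of a SOCKS5 CONNECT with username/password auth."""
    user, pw = isolation_credentials(app, session)
    greeting = b"\x05\x01\x02"                        # SOCKS5, one method offered: user/pass only
    auth = b"\x01" + bytes([len(user)]) + user + bytes([len(pw)]) + pw   # RFC 1929 sub-negotiation
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    # ATYP 0x03 (domain name) hands resolution to Tor; resolving locally would leak DNS.
    connect = b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    return [greeting, auth, connect]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_tor(app: str, host: str, port: int,
                    proxy: Tuple[str, int] = TOR_SOCKS,
                    session: Optional[str] = None) -> socket.socket:
    """Open a TCP stream to host:port through Tor on a circuit private to `app`."""
    greeting, auth, connect = socks5_messages(app, host, port, session)
    sock = socket.create_connection(proxy, timeout=60)
    try:
        sock.sendall(greeting)
        if _recv_exact(sock, 2) != b"\x05\x02":
            raise OSError("proxy did not accept username/password authentication")
        sock.sendall(auth)
        if _recv_exact(sock, 2)[1] != 0x00:
            raise OSError("SOCKS authentication rejected")
        sock.sendall(connect)
        _ver, status, _rsv, atyp = _recv_exact(sock, 4)
        if status != 0x00:
            raise OSError(f"CONNECT failed, SOCKS reply status {status}")
        # Drain BND.ADDR and BND.PORT so the caller starts at application data.
        if atyp == 0x01:
            _recv_exact(sock, 4)
        elif atyp == 0x04:
            _recv_exact(sock, 16)
        elif atyp == 0x03:
            _recv_exact(sock, _recv_exact(sock, 1)[0])
        _recv_exact(sock, 2)
        return sock
    except Exception:
        sock.close()
        raise
```

Two apps that share one credential pair (or send none) still end up on the same circuit, which is the default mixing the comment above describes.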
It wasn't intended to be a straw man, it was intended to highlight the complexity of hiding your identity online. Tor is indeed one of the best mixnets out there, but it is _not_ a panacea, and if used incorrectly can actually make your privacy _worse_.
The Tor Project itself has official guidelines on how to use Tor safely when you do need it: Tails or Tor Browser. Recommendations that stray from this, from an engineer not familiar with Tor, can actually be _harmful_.
2) Riseup email: they have a mailing list, which apparently makes them unable to add a proper DMARC policy. As a result, anyone can spoof an email from any @riseup.net address, and the email would show up as legitimate on most recipient mail servers. They also do not encrypt data at rest per user with the user's own keys, like ProtonMail does.
3) Session is great but lacks PFS (perfect forward secrecy)
4) Bromite is usually behind in updates, which leaves it vulnerable to exploits.
Btw, on Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, GeckoView, has yet to support site isolation or enable isolatedProcess.
About Vanadium, it is mostly focused on security, and it takes advantage of OS hardening to do that. Brave is a fine choice, and it does offer fingerprinting protections that Vanadium doesn't. It's up to you which you'll choose for your use case, but Vanadium takes the cake when it comes to a robust, secure and minimal browser.
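The DMARC point in item 2 above, as an added example that is not part of the original comment: a receiver-side check of what happens to a message whose SPF and DKIM both fail alignment, driven by the sending domain's DMARC record. The records and domain names below are constructed for the example and say nothing about any real domain's DNS.

```python
from typing import Dict, Optional

# Constructed sample DMARC TXT records (the _dmarc.<domain> TXT value); not real DNS data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "strict.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=reject",
    "absent.example":  None,            # no _dmarc TXT record published at all
}

VALID_POLICIES = ("none", "quarantine", "reject")
NEXT_WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Parse an RFC 7489 tag=value record; None when absent or not a usable record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None                     # "v=DMARC1" must be the first tag
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("p", "").lower() not in VALID_POLICIES:
        return None                     # "p" is required; an unusable one counts as no record
    return tags


def disposition(txt: Optional[str], spf_aligned: bool, dkim_aligned: bool,
                from_subdomain: bool = False, sampled: bool = True) -> str:
    """What a DMARC-enforcing receiver does with mail claiming the record's domain.

    spf_aligned / dkim_aligned: SPF or DKIM passed AND aligns with the From: domain.
    from_subdomain: From: is a subdomain, so the "sp" tag applies when present.
    sampled: whether this message fell inside the "pct" sample; records with pct<100
    apply the next weaker policy to the messages outside it."""
    record = parse_dmarc(txt)
    if record is None:
        # Nothing to enforce: a forged From: that fails SPF and DKIM is handled like any
        # other mail, which is the spoofing problem the comment describes.
        return "no-policy"
    if spf_aligned or dkim_aligned:
        return "pass"                   # one aligned authentication is enough for DMARC
    policy = record["p"].lower()
    if from_subdomain and record.get("sp", "").lower() in VALID_POLICIES:
        policy = record["sp"].lower()
    pct = record.get("pct", "100")
    if not sampled and pct.isdigit() and int(pct) < 100:
        policy = NEXT_WEAKER[policy]
    return policy
```

The check for a domain you control is the same logic applied to the real record: query the TXT record at _dmarc.<domain> and feed it to disposition with both alignment flags false; anything other than "quarantine" or "reject" means forged mail is delivered as normal.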
Just yesterday there was a discussion about location services[1]
If you connect your phone to a cell network, just by triangulation they've got your home address... Someone also mentioned that the phone will connect to the nearest towers without a SIM for 911 services...
I guess, is there hardware or software that can force the cellular modem to connect to a single tower of your choice?
Every tower essentially allows an unauthenticated device to log on as an 'emergency' user to a special 'emergency' APN and grants an IMS connection to the emergency number (112/911/etc). See: https://www.sharetechnote.com/html/IMS_SIP_PSAP.html ("Emergency Call without Normal Registration")
My CBRS test networks all have their cells configured to explicitly deny an emergency bearer request for life-safety purposes. As soon as they see the deny they keep moving on to the commercial networks.
Source selection logic is most often completely in firmware, and most antenna firmware consists of closely kept binary blobs that the SoC comes preinstalled with.
I would wager to say that, while possible to do, it is practically impossible for the average joe unless they own a Librem 5 which afaik is the only one with an open source antenna firmware.
A 2022 iPhone SE with an anonymous eSIM like https://silent.link/, an MDM profile that disables most of the things [here](https://support.apple.com/guide/deployment/restrictions-for-...), a long alphanumeric password, Signal/some other secure data-only messenger app with auto-deleting messages used solely for communication, and an OS that you update regularly is probably better than this. But I like that you wrote out everything descriptively, and most of the advice is good.
- Rooting is definitely ill-advised but you note this
- I would not trust the security of most Android phones against phone unlock kits like Cellebrite
Is there a way to make an iPhone anonymous? TMK you must always log in with an Apple ID. Information including location is always sent to the biggest corporation in the world.
That's my understanding as well. I have a purification iPhone SE that I used exclusively for bank apps for a couple of years. I wanted it to amount to an air-gapped device but never could find a way around Apple ID login for even the simplest task like installing an app.
You can opt out of signing in during setup, problem is you need an account to download stuff off the app store. You can make an account, download Signal, then sign out. The coming sideloading feature could make this easier.
The #1 thing you can do right now is to add an application-based firewall to your Android phone. It emulates a VPN so all traffic is routed through it, then implements firewall rules based on application, IP address, etc. You can whitelist, blacklist, etc. Most of my apps have zero network access and don't need it. For those that do, I block them from sending to advertising domains. Imperfect, but better than nothing.
Android conspicuously doesn't include 'network access' as a permission, for what I can only assume is nefarious reasons. There's no reason my Calculator app needs to phone home anywhere.
The problem, though, really lies in the network. LTE is inherently GPS-trackable. If you want to eliminate that problem, a pager can work quite well if you are interested in receive-only.
GrapheneOS has a network permission that you can toggle.
I'm still hoping for an application firewall that will also let me use my real VPN, or hoping that my VPN provider will integrate this functionality directly so I don't have to choose between one or the other. I find trying to do everything over Tor quite limiting due to the number of web admins blocking it entirely. Even VPNs are starting to get frequently blocked, unfortunately.
> Android conspicuously doesn't include 'network access' as a permission, for what I can only assume is nefarious reasons. There's no reason my Calculator app needs to phone home anywhere.
I know that some Android ROMs don't allow blocking all network access (only mobile data). But LineageOS, CalyxOS and GrapheneOS all allow blocking all/VPN/mobile network access.
Well that's silly, since we know the entire baseband is compromised anyway. In reality it's all about your threat model.
I refuse to put the NSA in my threat model. If we get to that point as a business, we're going to have warrants blowing us up, secret FISA courts threatening our livelihoods, and so forth.
However, there's no reason we should allow all advertisers to track us just because we are worried about the NSA.
How does GrapheneOS help with baseband chip firmware bypassing whatever it wants to prevent? All cellphones are rooted by default, just not by their owners.
Thanks all for the great comments. I am glad that this silly article generated so many bad and good ideas. So much anger and so much funny stuff. And most importantly, so many great suggestions and points to discuss that I didn't address. Please remember that this is just an article and not a recipe for being totally anonymous, and that each person can accept some risk, or not. I showed my way, which is not the best, but works for me. I am not a genius or a person who tells you how you should act or do stuff. But I was judged by many. It's funny how things on the internet work and how quickly people give opinions, good and bad and even shitty, and sometimes how seriously they take everything :) It's always a big wave of good feedback mixed with hate when one of my articles gets on the main page of Hacker News :) I will review all comments and update the article in the next two weeks with all the good ideas. Thank you all. Even the people who wish me death by burning at the stake. Lol.
Huh, I hadn't considered that the rise of 5G, and faster internet more generally, would make "Tor phones" viable. The cost of using Tor as an everyday VPN, on any device, will soon be negligible (ignoring the usual server-side shenanigans that Tor users will probably have to deal with until Tor becomes more popular and more exit nodes come online).
I'm not an expert, but I think the main barrier to Tor speeds now is the number of nodes and the concentration of nodes (there should be more nodes outside of OVH, BuyVM, Flokinet and M247...). Worth noting too that 5G also makes triangulation substantially more accurate due to higher tower density.
Also I feel like the Cloudflare problem and reCAPTCHA hell on Tor are stunting Tor adoption and I'm pretty sad about that. Higher speeds wouldn't necessarily solve those problems.
Hahah, awesome idea. In the past I wanted to stick phones to trees in a random forest and make my own onion mobile phone network. But cars are better because they are moving all the time.
These scooters already have modems on them. Hah, hacking them to be a mesh network (although I guess not many have WiFi/Bluetooth), sounds like a plot device for some "hacker" movie.
How are you hiding the fact that you have a transmitter uniquely signing and encrypting a unique certificate (sim) along with your serial of device (IMEI)?
And there's the whole "cell baseband has root on your phone" issue.
This feels like a lost cause, TBH, if you use cell providers.
Now this could be useful with Wi-Fi calling and anonymous VoIP services. But using Tor is destined to leave you in the internet shitcan, primarily thanks to ilk like Cloudflare.
> I resigned totally from using phone as phone itself, I have no physical number, or sim card, and I can only communicate securely using various channels like apps or emails.
> How are you hiding the fact that you have a transmitter uniquely signing and encrypting a unique certificate (sim) along with your serial of device (IMEI)?
The page doesn't want to load for me right now, but that may or may not be a problem depending on their threat model. If none of the things you're connecting to can see anything but a tor connection, and the cell network can see exactly where you are and who you are but not what you're talking to, how much of a problem is that?
> And there's the whole "cell baseband has root on your phone" issue.
So use one of the modems that just connects to the main processor over USB. I see this repeated a lot, but this particular problem is entirely solvable.
It's funny how much this is SF for you. In the country where I live these people are called "słup", literally "pole". In English it would be something related to "bogus company". People who, for money, drugs or alcohol, do stuff for you, like buying and registering a SIM card, or providing you their identity details with ID. For 200 USD they can even go to the bank and create an account, providing all the details to you. You can even register fake companies in these people's names if you get them a flat, clean clothes and something to drink every week :) There are so many scams in central and eastern Europe that, for me, it's funny and SF that if you do not understand something or you haven't seen it, it's fake in your opinion.
Wow, that's fascinating! Thanks for your insight. I'd love to live in an area with słup, so many opportunities come to mind. In the US/UK the closest you get to that is Taskrabbit, but there's obviously strong limits on what you can do without getting into trouble.
Yeah, I know. This is really scary, but it still works pretty well, and each month you can hear news about scams for money on auction or local classifieds portals similar to eBay, where people pay for something and never get the products, and the money is lost because the transaction was done over the weekend and the money went to a fake account registered for some homeless guy, who registered the account and sold access to some cybercriminals. For example, they sold 12 iPhone 14s for a very cheap price, and before it was reported to the police and the bank to block the accounts, the money was already gone. They track the money, and it has already been exchanged for crypto or taken from an ATM by another poor guy (recorded by bank cameras), who was hired just to withdraw the money for a percentage of the amount he withdrew. Sick stories, but it works.
My question is always, what are you trying to accomplish? If you don't want someone to know who you are, why would anyone listen to you? Considering AI, voice and text, how do I know I'm talking to you, the you I want to talk to?
In the past, when I worked for people with questionable ethics, they would often just schedule a lunch and discuss their dealings in a noisy restaurant. If they had adversarial contacts, they would have lawyers send letters.
Public/private keys are great, yet there's still no way to verify the source if the key is compromised.
I suppose, if I really wanted to send a message to someone, I would encode the message, with a shared secret or use of language, acting as a signature, and they would know it as me.
My family members have verbal and nonverbal cues, noises, phrases that will tell them they're in danger or to bring a weapon or if they are under duress.
I recently received a text message from an unknown number. I knew exactly who it was. I had the context and history allowing me to validate that the only person who would message me as such is a fellow HN reader.
Haha, "anonymous" to your neighbor maybe, if they don't work for Five Eyes or a three-letter agency, or Google, or Facebook, or the CCP or ... Tor is compromised; you didn't not get caught, you're not a target yet.
You're the second person in this thread to claim that Tor is compromised, without giving any explanation. This isn't productive discussion. Care to elaborate in what exact manner is Tor compromised? Bonus points for not hitting anything from the known list of speculative attacks. [1]
Traffic correlation: All the large state actors are well capable of recording every single IP transaction between devices. You can create detailed correlation maps from these transactions. Considering that this wouldn't cost much for state actors to implement, one has to assume such traffic correlation systems currently exist.
Node compromise: It costs less than 5 dollars a month to create a TOR node. There are currently ~8000 TOR nodes/relays in existence. That is 40k USD per month (at most). Do you really believe state actors can't afford 40k USD per month to compromise the vast majority of TOR nodes? Even a single millionaire can compromise the vast majority of TOR nodes.
Another problem is that TOR is an outdated privacy tech, considering modern state actor capabilities. Mixer networks + network jitter are necessary to protect privacy at this stage, yet no such project exists yet.
TOR is not a good option for privacy. Currently only valid option for privacy is external Wi-Fi jacking and ensuring you don't send any private info like CPUID.
Or alternatively, you can hack routers/computers and put your own TOR nodes in them, then you can only use these known nodes.
> Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.
We all know which one you fall under.
> Node compromise: It costs less than 5 dollars a month to create a TOR node. There are currently ~8000 TOR nodes/relays in existence. That is 40k USD per month (at most). Do you really believe state actors can't afford 40k USD per month to compromise the vast majority of TOR nodes? Even a single millionaire can compromise the vast majority of TOR nodes.
As someone who has run a Tor exit node for 5+ years, lolol at this statement. Pure ignorance.
Common sense is not the same as actual understanding. Tor is not limited to exit nodes, the most valuable thing is the onion network with millions of users. Both are being actively monitored for anomalies by the devs, with multiple thwarted attempts to subvert it in the past.
> TOR is not a good option for privacy. Currently only valid option for privacy is external Wi-Fi jacking and ensuring you don't send any private info like CPUID.
What is known for sure is that high-profile drug dealers have been using it without being caught for years. All known cases are related to either poor OPSEC, client/server 0-days, classic real-life investigations, or known attacks Tor can't protect from (correlation of large amounts of onion server traffic, for example, which is not as easy as you make it sound). It is entirely possible that somebody was caught using unknown or unavoidable attacks, but no such case is known for sure at this time.
> Mixer networks + network jitter is necessary to protect privacy at this stage, yet no such project exists yet.
Tor does use packet shuffling and delays to protect from timing attacks to an extent. It's less advanced than I2P which also mixes the traffic, but has a much larger client pool and a unified browser used by nearly everyone, which provides users with huge buckets to blend into. There are also several delayed onion message services available.
Of course it is susceptible to certain kinds of attacks you have to be aware of. This isn't the same as "Tor doesn't provide anonymity" or "Tor is compromised".
People who have used Tor who have been deanonymized in every single case that we are aware of made other mistakes ("altoid", "pimp_alex_91@hotmail.com", etc) or the vulnerability was in an outdated version of Tor Browser (basically Firefox). Of course you can say there was parallel construction, maybe there was in some cases, but if they didn't make those other mistakes there would be no case that could be brought against them because no one is going to be convicted on the basis of some probabilistic attack against Tor that the government doesn't want to reveal to begin with.
These are just 0-days in the Tor Browser/Firefox, not Tor. While in practice Tor Browser cannot be decoupled from the network (it provides users with a large enough crowd to blend into), it can be surrounded with additional security layers. If you're a high-value target worthy of wasting a 0-day on, running Tor Browser on a general-purpose system might be a bad idea; there are distros like Whonix specifically tailored for secure communication, and they are far less vulnerable to this kind of attack.
- you unlocked your bootloader w/o re-locking it again → insecure
- you used a phone that doesn't receive OEM updates anymore → insecure
- you use Firefox over Tor: no sandbox, very unique fingerprint
- all of the device's traffic is routed over Tor → any authentication on a non-privacy service compromises your anonymity
I don't think this is a good setup.