- Unlock the bootloader, as phone manufacturers should not be trusted. Even if the ROMs manufacturers provide are open-source, the firmware usually is not.
- Unlocking the bootloader also makes the phone receive security updates again.
- Firefox is a great browser that can resist fingerprinting. The sandbox function on Android should be achieved by restrictions on permissions and storage isolation.
- Traffic over Tor is also much better than just over the telecom operator. A small fraction of non-privacy nodes is also not a problem, as routes are always changed, and how can one organization control most nodes?
I recently installed GrapheneOS on an old Pixel, and the recommended practice was to relock the bootloader after unlocking it and installing a custom OS, which is supported on Pixels.
An unlocked bootloader makes the phone vastly more insecure (see https://news.ycombinator.com/item?id=35790499). Phone firmware cannot be fully open-source nowadays due to manufacturer restrictions. Even the most open-source Android fork will still have to include binary blobs from e.g. modem manufacturers.
Additionally, the updates that the forked OS provides don't include firmware updates for essential parts like the modem (this is also the reason why phone updates are not available in the first place). So it's essentially a security theatre.
Firefox doesn't use per-site isolation, doesn't use process sandboxing and, on top of that, has a JIT, so there are W^X violations. Normal app sandboxing via Android permissions is not sufficient for something as complex as a browser. The potential for possible exploits is inherently massive. Other browsers (Chromium-based) like Vanadium have very sophisticated sandboxing, so there's no reason to use something inferior.
Traffic over Tor is good, but shouldn't be used with authenticated services, as it deanonymizes your connection. Instead, it should only be used for specific (unauthenticated) actions, like browsing news.
> - all of the device‘s traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity
Wouldn't this depend on whether you had a stream isolation setup? Pretty sure Tails/Tor Browser do this, so you can have a signed-in Facebook tab and another tab open and the two won't be linked. I don't think the guide here accounts for that though.
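Stream isolation, as mentioned in the comment above, works at the SOCKS layer: Tor keys circuits on the SOCKS5 username/password a client presents (IsolateSOCKSAuth, which is on by default for a SocksPort), so two apps that hand Tor different credentials never share a circuit or an exit. The following is an added example, not code from the guide or from any of the tools named in the thread. It builds the SOCKS5 frames (RFC 1928 / RFC 1929) an isolating client would send per app, with a constructed two-app sample, and parses the CONNECT back to check two properties a practitioner cares about: a distinct credential per app, and a hostname (ATYP 0x03) rather than a pre-resolved IP, so DNS resolution happens inside Tor instead of leaking to the local resolver. App labels, hostnames and ports are made up for the example.

```python
"""Per-app Tor stream isolation via SOCKS5 username/password (added example)."""
from __future__ import annotations

import secrets

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02   # RFC 1929 username/password method
ATYP_DOMAIN = 0x03     # hostname, resolved by the proxy (Tor), not locally


def isolation_credentials(app_label: str) -> tuple[str, str]:
    """Return (username, password) unique to one app/service.

    The username names the app so it is readable in Tor's logs; the
    password is random so another process cannot guess its way onto
    the same circuit.
    """
    return (f"app:{app_label}", secrets.token_hex(16))


def socks5_greeting() -> bytes:
    # VER=5, NMETHODS=1, METHOD=0x02 (username/password)
    return bytes([SOCKS_VERSION, 1, AUTH_USERPASS])


def socks5_userpass_auth(username: str, password: str) -> bytes:
    # RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD
    u, p = username.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("SOCKS5 credentials are limited to 255 bytes")
    return bytes([1, len(u)]) + u + bytes([len(p)]) + p


def socks5_connect(host: str, port: int) -> bytes:
    # VER=5, CMD=1 (CONNECT), RSV=0, ATYP=3 (domain), LEN, NAME, PORT
    h = host.encode("idna")
    if len(h) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([SOCKS_VERSION, 1, 0, ATYP_DOMAIN, len(h)]) + h + port.to_bytes(2, "big")


def parse_connect(req: bytes) -> tuple[str, int]:
    """Decode a CONNECT request; reject anything that is not domain-typed."""
    if len(req) < 5 or req[0] != SOCKS_VERSION or req[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT")
    if req[3] != ATYP_DOMAIN:
        raise ValueError("CONNECT carries an IP address: DNS was resolved locally")
    n = req[4]
    if len(req) != 5 + n + 2:
        raise ValueError("truncated CONNECT")
    host = req[5:5 + n].decode("idna")
    port = int.from_bytes(req[5 + n:], "big")
    return host, port


def plan_streams(apps: dict[str, tuple[str, int]]) -> dict[str, dict]:
    """Per-app handshake an isolating client would send to Tor's SocksPort."""
    plan = {}
    for app, (host, port) in apps.items():
        user, pw = isolation_credentials(app)
        plan[app] = {
            "greeting": socks5_greeting(),
            "auth": socks5_userpass_auth(user, pw),
            "connect": socks5_connect(host, port),
            "credentials": (user, pw),
        }
    return plan


if __name__ == "__main__":
    # Constructed sample: two apps that must not share an exit.
    demo = plan_streams({"news-browser": ("example.net", 443),
                         "mail-client": ("mail.example.net", 993)})
    for app, frames in demo.items():
        print(app, parse_connect(frames["connect"]), frames["credentials"][0])
```

The credentials only isolate streams that actually go through the SocksPort with them; a system-wide "route everything over Tor" VPN that presents one identity for every app gives Tor nothing to key on, which is the setup the thread is discussing.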
As long as you keep the device in your possession with a quick option to wipe it, I believe that mitigates the unlocked bootloader. Graphene locks the bootloader as a more secure option.
I tried Invizible Pro and do not see option for split tunnelling. I suppose Orbot may be a better choice if authentication to one of those services is needed.
You might never get a chance to wipe it. I had a cop whip out a loaded gun and point it at my head to take my phone out of my hand. I didn't even have a lock code as there was nothing to hide, but if I had been a criminal I would not have had time or opportunity to do anything without my brains leaving my skull.
Tunneling all traffic through Tor can be risky, especially if you're using exit nodes to access clearweb applications. The traffic patterns of your tunnel will be significantly different from most Tor traffic (browsers, exclusively) which can help pinpoint your phone if the authorities are wiretapping your connection. Allegedly, the various law enforcement agencies around the world operate a significant amount of exit nodes and if they can pinpoint a particular traffic pattern, they may be able to trace it back home.
I would be more selective with my traffic. Use Tor Browser for browser traffic, but keep sending Signal/Session/whatever through normal means. That makes your phone stand out less. Consider using a decent VPN like Mullvad, that should provide enough plausible deniability not to stand out.
The routes of Tor traffic are dynamically changed, so a node can only pinpoint the pattern during a small period of time. So compared to a VPN, which may monitor you constantly, Tor should be preferred.
If you think your traffic is not being monitored over Tor, then you have thought incorrectly. It can be monitored at the exit node no problem, and is likely monitored _more_ closely than other endpoints.
Your only hope is either not using exit nodes (and only using hidden services), or encrypting all of your traffic _and_ making sure different apps/services use different Tor circuits. This does not happen by default, meaning all of your traffic is mixed together. It doesn't matter that it migrates routes every so often.
Exit nodes don't know where the traffic is coming from, until, of course, you accidentally access your personal domain name over HTTPS just by visiting it, which leaks through SNI. Hope you don't host your own services!
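The SNI leak described in the comment above is visible in the very first TLS message: the ClientHello is sent before any key exists, and its server_name extension (RFC 6066) carries the hostname in the clear. The following is an added example, not code from the guide or from any tool in the thread. It builds a minimal TLS 1.2-style ClientHello for a given host and then parses it the way a passive observer at an exit would, pulling the SNI back out; the hostname in the sample is made up. The only thing that hides this field from an on-path observer is Encrypted ClientHello, which both client and server have to support.

```python
"""What a Tor exit (or any on-path observer) reads from a TLS handshake (added example)."""
from __future__ import annotations

import os
from typing import Optional


class _Reader:
    """Bounds-checked cursor so malformed input yields None instead of a crash."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal ClientHello record; the SNI extension is omitted when server_name is None."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type 0 = host_name
        sni_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # ext type 0
    body = (
        b"\x03\x03" + os.urandom(32)             # client_version, random
        + b"\x00"                                 # empty session id
        + b"\x00\x02\x13\x01"                     # one cipher suite
        + b"\x01\x00"                             # null compression
        + len(exts).to_bytes(2, "big") + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None."""
    try:
        r = _Reader(record)
        if r.uint(1) != 0x16:             # not a handshake record
            return None
        r.take(2)                          # legacy record version
        hs = _Reader(r.take(r.uint(2)))
        if hs.uint(1) != 0x01:            # not a ClientHello
            return None
        body = _Reader(hs.take(hs.uint(3)))
        body.take(2 + 32)                 # version + random
        body.take(body.uint(1))           # session id
        body.take(body.uint(2))           # cipher suites
        body.take(body.uint(1))           # compression methods
        if body.pos == len(body.buf):     # no extensions block at all
            return None
        exts = _Reader(body.take(body.uint(2)))
        while exts.pos < len(exts.buf):
            etype, edata = exts.uint(2), _Reader(exts.take(exts.uint(2)))
            if etype != 0x0000:           # only server_name interests us
                continue
            names = _Reader(edata.take(edata.uint(2)))
            while names.pos < len(names.buf):
                ntype, name = names.uint(1), names.take(names.uint(2))
                if ntype == 0:
                    return name.decode("idna")
        return None
    except (ValueError, UnicodeError):
        return None


if __name__ == "__main__":
    # Constructed sample: a self-hosted domain fetched through an exit.
    hello = build_client_hello("cloud.example.org")
    print("observer sees:", extract_sni(hello))
```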
Just yesterday there was a discussion about location services[1]
If you connect your phone to a cell network, just by triangulation they get your home address... someone also mentioned that the phone will connect to the nearest towers without a SIM for 911 services...
I guess, is there hardware or software that can force the cellular modem to connect to a single tower of your choice?
Every tower essentially allows an unauthenticated device to log on as an 'emergency' user to a special 'emergency' APN and grants an IMS connection to the emergency number (112/911/etc). See: https://www.sharetechnote.com/html/IMS_SIP_PSAP.html ("Emergency Call without Normal Registration")
My CBRS test networks all have their cells configured to explicitly deny an emergency bearer request for life-safety purposes. As soon as they see the deny they keep moving on to the commercial networks.
Source selection logic is most often entirely in firmware, and most antenna firmware is a closely kept binary blob that the SoC comes preinstalled with.
I would wager to say that, while possible to do, it is practically impossible for the average joe unless they own a Librem 5 which afaik is the only one with an open source antenna firmware.
A 2022 iPhone SE with an anonymous eSim like https://silent.link/, an MDM profile that disables most of the things [here](https://support.apple.com/guide/deployment/restrictions-for-...), a long alphanumeric password, Signal/some other secure data only messenger app with auto-deleting messages used solely for communication, and an OS that you update regularly is probably better than this. But I like that you wrote out everything descriptively and most of the advice is good.
- Rooting is definitely ill-advised but you note this
- I would not trust the security of most Android phones against phone unlock kits like Cellebrite
Is there a way to make an iPhone anonymous? TMK you must always log in with an Apple ID. Information including location is always sent to the biggest corporation in the world.
That's my understanding as well. I have a purification iPhone SE that I used exclusively for bank apps for a couple of years. I wanted it to amount to an air-gapped device but never could find a way around Apple ID login for even the simplest task like installing an app.
You can opt out of signing in during setup; the problem is you need an account to download stuff from the App Store. You can make an account, download Signal, then sign out. The coming sideloading feature could make this easier.
The #1 thing you can do right now is to add an application-based firewall to your Android phone. It emulates a VPN so all traffic is routed through it, then implements firewall rules based on application, IP address, etc. You can whitelist, blacklist, etc. Most of my apps have zero network access and don't need it. For those that do, I block them from sending to advertising domains. Imperfect, but better than nothing.
Android conspicuously doesn't include 'network access' as a permission, for what I can only assume is nefarious reasons. There's no reason my Calculator app needs to phone home anywhere.
The problem though really lies in the network. LTE is GPS trackable inherently. If you want to eliminate that problem, a Pager can work quite well if you are interested in receive only.
GrapheneOS has a network permission that you can toggle.
I'm still hoping for an application firewall that will also let me use my real VPN, or hoping that my VPN provider will integrate this functionality directly so I don't have to choose between one or the other. I find trying to do everything over Tor quite limiting due to the number of web admins blocking it entirely. Even VPNs are starting to get frequently blocked, unfortunately.
> Android conspicuously doesn't include 'network access' as a permission, for what I can only assume is nefarious reasons. There's no reason my Calculator app needs to phone home anywhere.
I know that some Android ROMs don't allow blocking all network access (only mobile data). But LineageOS, CalyxOS and GrapheneOS all allow blocking all/VPN/mobile network access.
Well that's silly, since we know the entire baseband is compromised anyway. In reality it's all about your threat model.
I refuse to put the NSA in my threat model. If we get to that point as a business, we're going to have warrants blowing us up, secret FISA courts threatening our livelihoods, and so forth.
However - there's no reason we should allow all advertisers to track us just because we are worried about the NSA
How does GrapheneOS help with broadband chip firmware bypassing whatever it wants to prevent? All cellphones are rooted by default, just not by their owners.
Thanks all for the great comments. I am glad that this silly article generated so many bad and good ideas. So much anger and so much funny stuff. And most importantly, so many great suggestions and points to discuss that I didn't address. Please remember that this is just an article and not a recipe for being totally anonymous, and that each person can accept some risk, or not. I showed my way, which is not the best, but works for me. I am not a genius or a person who tells you how you should act or do stuff. But I was judged by many. It's funny how things on the internet work and how quickly people voice opinions, good and bad and even shitty. And sometimes how seriously they take everything :) It's always a big wave of good feedback mixed with hate when one of my articles gets on the main page of Hacker News :) I will review all comments and update the article in the next two weeks with all the good ideas. Thank you all. Even the people who wish me death by burning at the stake. Lol.
- you unlocked your bootloader w/o re-locking it again → insecure
- you used a phone that doesn‘t receive OEM updates anymore → insecure
- you use firefox over tor: no sandbox, very unique fingerprint
- all of the device‘s traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity
I don't think this is a good setup.
In doing so, it also disables integrity checks, thus making persistence (even without rollback) a lot easier for a potential attacker.
So your phone becomes a lot more vulnerable to all kinds of attacks, not just physical ones.
See also: the Android Documentation for verified boot (https://source.android.com/docs/security/features/verifiedbo...)
How does it compromise anonymity if you sign in to a burner Gmail account over Tor?
Not only can applications leak all sorts of data in cleartext, but your traffic is visible to exit nodes, and some are malicious.
Here is the list of issues I have with this blog.
1) LineageOS https://github.com/beerisgood/Smartphone_Security#custom-rom...
2) Riseup email: they have a mailing list, which apparently makes them unable to add a proper DMARC policy. As a result, anyone can spoof an email from any @riseup.net address, and the email would show up as legitimate on most recipient mail servers. They also do not encrypt the data at rest per-user with the user's own keys, as ProtonMail does.
3) Session is great but lacks PFS (perfect forward secrecy)
4) bromite usually behind in updates which leaves it vulnerable to exploits
btw, On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, GeckoView, has yet to support site isolation or enable isolatedProcess.
About Vanadium, it is mostly focused on security, and it takes advantage of OS hardening to do that. Brave is a fine choice, and it does offer fingerprinting protections that Vanadium doesn't. It's up to you which you'll choose for your use case, but Vanadium takes the cake when it comes to a robust, secure and minimal browser.
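The DMARC point in item 2 of the list above comes down to how a receiving server turns a domain's published policy into a disposition. The following is an added example, not code from the blog or from any mail provider named in the thread; it implements the RFC 7489 evaluation in simplified form (organizational domain is approximated by the last two labels, where a real receiver consults the Public Suffix List, and the pct tag is ignored). The records, domains and authentication results are constructed; whether a given provider publishes p=none or no record at all is an assumption for the sample, taken from the comment's description of "no proper policy". The sample also shows the configuration that lets a list coexist with a strict policy: DKIM signing from a subdomain under relaxed alignment passes, while the same signature under adkim=s does not.

```python
"""DMARC disposition as a receiving mail server computes it (added example, simplified RFC 7489)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Parse 'v=DMARC1; p=reject; adkim=s; ...' into a tag dict, or None if absent/invalid."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None                       # not a usable DMARC record
    tags.setdefault("adkim", "r")        # relaxed alignment is the RFC default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated by the last two labels (assumption;
    a production receiver uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: Optional[str]    # MAIL FROM (or HELO) domain that SPF evaluated
    dkim_pass: bool
    dkim_domain: Optional[str]   # d= of a signature that verified


def dmarc_disposition(record_txt: Optional[str], from_domain: str, auth: AuthResult) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for the RFC5322.From domain."""
    rec = parse_dmarc(record_txt)
    if rec is None:
        return "none"                     # no policy published: delivered as-is
    spf_ok = auth.spf_pass and aligned(auth.spf_domain, from_domain, rec["aspf"])
    dkim_ok = auth.dkim_pass and aligned(auth.dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass"                     # one aligned, passing identifier is enough
    policy = rec["p"].lower()
    return policy if policy in ("quarantine", "reject") else "none"


if __name__ == "__main__":
    # Constructed sample: a forged From: at example.org, sent from the attacker's own
    # infrastructure. SPF passes for the attacker's MAIL FROM domain but is not aligned.
    forged = AuthResult(spf_pass=True, spf_domain="attacker.example",
                        dkim_pass=False, dkim_domain=None)
    print("p=none   :", dmarc_disposition("v=DMARC1; p=none; rua=mailto:abuse@example.org",
                                          "example.org", forged))
    print("p=reject :", dmarc_disposition("v=DMARC1; p=reject", "example.org", forged))
```

The forged message is delivered under p=none and refused under p=reject; the receiver does exactly what the domain owner asked, so a domain that cannot publish an enforcing policy has opted out of the protection for every address it hosts.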
[1]https://news.ycombinator.com/item?id=35779816
For example, if you block Facebook with a firewall, it can still send an intent to the download manager to make network connections.
(see https://madaidans-insecurities.github.io/android.html#firewa...)
It's nice to be able to sandbox an app so it can't do anything, especially call home.
Has tonnes of hardening though.