Say I wanted to have the most secure Sony Xperia Z Ultra possible (without "too much" sacrifice of useability).
In the context of this thread I define security as broadly anything barring network anonymity ie. hiding your device public IP address.
So I want security from network attackers (eg. drive-by download, WiFi attacks), physical device attackers (eg. customs searching devices for IP violations ... no really, that's about to become a thing apparently, GF and/or mistresses) .
How would you do it?
Could you please use sections of
Code:
firmware
phone settings
app settings
behavior
because I want to curate the best answers from users in this post for the good of the forum.
My thoughts so far are:
Firmware:
Root is disabled
Bootloader should be locked.
^^ These I'm not sure about - see if we don't have root then we don't have iptable firewall and hosts level server blocking.
One recovery should be used
Honestly I'm not sure which ROM is more secure than another but I'm assuming the latest and greatest is more secure so that would be MM atm. No idea if Sony is more secure than another flavour of ZU Android.
Phone settings:
Developer options off
Sideload apps off
Do not connect to unknown WiFi
NFC Off by default
Bluetooth Off by default
PIN unlock required
Auto-lock ON
App settings: (this includes apps you should have/not have and their settings)
I figure every additional app that I don't use is a needless attack surface so start with no apps at all - uninstall everything. Only install what you use ... for which you need root unless the ROM is premade like this.
Firewall app (Netguard no-root Firewall, DroidWall if we have root)
Adblock (if we have root)
AV - honestly most mobile AV seems pathetic at being secure and not acting like malware (notifications, popup windows etc) but Avast at least seems to not hog resources.
-Auto update every app
User behaviour:
NEVER:
-install apps from anywhere other than Google Play. Or possibly FDroid
-let another person use your device
I'd like to hear your suggestions, critique and everything else, cheers!
So you're not gonna install from other than google play, then what ad blocker are you going to use? Where is adblocker connecting to?
You're talking about still having a lot of apps connecting through servers that you don't control.
morestupidemailnames said:
You're talking about still having a lot of apps connecting through servers that you don't control.
Click to expand...
Click to collapse
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
panyan said:
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
Click to expand...
Click to collapse
Exactly my point.
The op is a long winded question that leaves you with more questions.
Probably why there's been such a landslide of security tips here
my question is as above in the title
btw i saw about replucant on gnu's website
thoughts about it?
how would it protect my privacy
and i have been told that even if i start using repulcant google service will be another privacy threat
i want to know also how google services can be privacy threat do they have malicious code made by like other trackers (like windows trackers ...websites... etc..)
The most basic thing you should do:
do not grant various apps on your phone the permission to access your album, contact, sms or email, location and so on, unless you really need to use their functions that require such permission.
finalvagas said:
The most basic thing you should do:
do not grant various apps on your phone the permission to access your album, contact, sms or email, location and so on, unless you really need to use their functions that require such permission.
Click to expand...
Click to collapse
ik ! but i want to protect myself from the tracking or spying of google
Root your device, preferably a 'clean' way (without questionable root software that can do more harm than good). Make a TWRP backup or similar, just in case you stuff your device.
Allow installation of apps from unknown sources in "Security > Unknown Sources". Then install AdAway (ad-blocker) from f-droid.org. https://f-droid.org/packages/org.adaway/. F-droid is officially linked from the AdAway website https://adaway.org/ since it was banned on the Google Play Store, which is testament to how much of a threat it is to Google.
The key (to me) is to kill Google's main revenue first: ads. Along with the revenue of all the other adware/tracking/spyware creators who wish to do business on the Spyware Store. The second way to kill them is to use ad-free apps as much as possible (f-droid.org can probably cater to most needs).
Installing a keyboard that doesn't spy on you is fairly important to me. You might consider AnySoftKeyboard or others from f-droid.org. After switching to the new keyboard, uninstall your default Google keyboard using your preferred root uninstaller. You can use Play Store apps like Titanium Backup to uninstall & backup if you wish. You can download Play Store apps without using Play Store by just getting their APK files on sites like https://apps.evozi.com/apk-downloader/ though some apps and games will require Google Play Store and related spyware to run. To me, those that do require Google Play Store and related spyware components aren't even worth considering.
Uninstall every single Google app on your device. Including Voice components. Plus the Play Store and related Services Framework and heaps of other Google Spyware. I have finally started to compile a list of those I have found to be safe to remove, so if you need more details, I might be able to help a bit.
There are usually better apps for Mail, Contacts, Maps, Gallery, Calculator, SMS, messaging, Calendar, Camera, etc. They are freely available without tracking/analytics, adware & spyware. An extremely good place to start inorder to get the basics are the Simple Mobile Tools apps from Tibor Kaputa https://simplemobiletools.github.io/
If you want to spend your money, consider giving it to guys like this.
Some root uninstallers I have tried have been extremely unreliable, leaving your device essentially bricked after they fail to start after removing a component, or by giving you dumb error messages after removing a safe component that other root uninstallers have no trouble with. Regrettably, I have yet to find a decent open source root uninstaller. At the moment I am using Titanium Backup to uninstall unwanted apps and components from Google, unwanted spyware from the chipset manufacturer & unwanted spyware from the device manufacturer. Personally I don't use any of the stock apps, including the stock launcher. All of these companies have a long history of customer privacy violations. All profit from profiling you and selling you out to their partners.
There are useful (adware/tracking-infested) Play Store apps like MyAndroidTools that allow you to disable certain components from certain apps which might also be useful to you. This was available on Google's Play Store but now does not appear. I use it for apps like Firefox, to disable the Crap Components I do not want running.
You might also consider XPrivacy or XPrivacyLua which gives you more control over what apps can do. You might also consider changing your DNS settings from Google's to another with apps like DNS man.
Google is the Spyware King at the moment with literally billions of devices in use, eclipsing Microsoft and Apple soyware in terms of numbers of devices in use.
You have many different ways to protect your Android phone. You should use a strong password and backup your phone. Here is good article about it: imei.info/news/android-privacy-protect
You can just check it.
S10 stock cleanup actions
yet another phone this year V30->Note9->6T->Mi9->S10, time to update guides. Goal is to have a clean phone after each update, and since reboot doesn't happen often, but defly happens during upgrade, i'm putting cleanup commands into a [boot] script.
Boot script
What it does:
* choose 8 categories of app removal, in the beginning of the file
* use more switch to disable some questionable/helpful stuff
* disable up to 100 apps (preferred method, ppl can reenable)
* remove usage access for google (this is the part not tested and disabling device/trust admins can not be scripted)
Tested ok on recent stock. Not much to put in script unlike on MIUI which used shady practices. Samsung not hiding processes, not persisting apps (except Payment triggers some soft brick - interesting), and not sending tcpdumps to china. Also not having privacy policy in every basic app. It's on you to accept Fourthsquare, Google and then Bixby 3rd party stuff. Well I initially sniffed network and saw some 3rd party sleezy connection to social networking IPs (nonstop monitoring by facebook etc), but that is obvious and well known, and is swiftly disabled by the script. Will see later if there's something that could be tweaked further.
Download: file attached
Installation:
- run in su terminal or add to any startup script
Which plugins to use for S10
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Now i use old version 0.3 as i feel new SandHook/Yahfa bipolar releases make phone sluggish. This case is to be monitored.
* Bixby button remapper -- so in Samsung case, extra key is not released after Bixby debloat, so we first slap this plugin into phone and then customize via Xposed Edge
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) Universal GMS Doze (disappeared from repository?) or Sysconfig patches -- cools down GMS services. Questionable impact but i use it.
* (optional) YouTube Vanced black themed -- brings usable YouTube experience
* (impossible) QuickSwitch -- we can't have Quickstep+Hyperion (the most capable Quickstep launcher) as there's no pill but Samsong custom recents
* (untested) - FDE, LKT - in a short time, i wasn't optimizing battery. It's good out of the box(!).
XPosed plugins:
* Xposed Edge Pro - a must have and best plugin. Here, by the way, we will modify Bixby button once again, including double press and long press. Because why not
* XPrivacy - Screw the big brother. Must have. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit - so this is our main customization app, and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also we will remove Restart action and replace with Recovery action and rename it to Restart
* afWall - Problems with this firewall and some VPN clients. Should by disabled in Xposed but we want to have this tool
* (optional) Exi for Swiftkey - you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Other stuff
- booting to non-root ok, impact could be lost pairings. So let's have it as a useful safe mode.
- after setup, never used Power+Bixby+VolUp. After shutdown, not needed. Rebooting with modified Restart command. Easy
- using TWRP to flash blank Samsung boot logos, to see files etc
- not using multidisabler as i'm on stock and i do want encryption, ROMs/MODs push it thou
- next monthly upgrade will be interesting, as it'll be time to verify what unwanted stuff is being reenabled
Battery saving:
- unknown effect of {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} in such a short time.
- not big impact by dozes (AOD, fp icon, dt2wake, raise2wake) - that's cool.
- having 1.0-1.2%/hr in home wifi standby, VPN, locationtracking, perma BT watch, and tons of widgets and apps
- not liking memory filling up by thrashware even after debloat. From 4GB free to 2GB free quickly.
someone try on this ?
Hi dogg,
seems to work on multiple apps, and has some exceptions thrown, but how can i enable apps again if i need?
thanks and regards.
pep086 said:
Hi dogg,
seems to work on multiple apps, and has some exceptions thrown, but how can i enable apps again if i need?
thanks and regards.
Click to expand...
Click to collapse
do you know which process has thrown fc or exception?
many ways to reenable individually, or to roll back the script, use the undo script attached
i thought i'd debloat Device Security (which i think is the Mcaffe antivirus noone uses), but it's hooking up to app installations. So when disabled, gplay installations will freeze forever. So another memory hog has to stay in memory.
Hi dog,
I will try again I think, there were apps that I don't have already on the phone maybe.
I sure had to enable Samsung experience and contacts sync only cause I needed them.
Thank you very much.
Like the way you inspect packages and traffic.
Keep sharing your knowledge with us.
Thanks.
Thank you very much! Really helpful script, pretty much what I was looking for.
doggydog2 said:
S10 stock cleanup actions
yet another phone this year V30->Note9->6T->Mi9->S10, time to update guides. Goal is to have a clean phone after each update, and since reboot doesn't happen often, but defly happens during upgrade, i'm putting cleanup commands into a [boot] script.
Boot script
What it does:
* choose 8 categories of app removal, in the beginning of the file
* use more switch to disable some questionable/helpful stuff
* disable up to 100 apps (preferred method, ppl can reenable)
* remove usage access for google (this is the part not tested and disabling device/trust admins can not be scripted)
Tested ok on recent stock. Not much to put in script unlike on MIUI which used shady practices. Samsung not hiding processes, not persisting apps (except Payment triggers some soft brick - interesting), and not sending tcpdumps to china. Also not having privacy policy in every basic app. It's on you to accept Fourthsquare, Google and then Bixby 3rd party stuff. Well I initially sniffed network and saw some 3rd party sleezy connection to social networking IPs (nonstop monitoring by facebook etc), but that is obvious and well known, and is swiftly disabled by the script. Will see later if there's something that could be tweaked further.
Download: file attached
Installation:
- run in su terminal or add to any startup script
Which plugins to use for S10
Similarly to Mi9, collecting what i think is useful to keep on stock rooted firmware.
Magisk plugins:
* Riru - Core, Riru - Ed Exposed -- brings XPosed to Pie. Need also installer. Now i use old version 0.3 as i feel new SandHook/Yahfa bipolar releases make phone sluggish. This case is to be monitored.
* Bixby button remapper -- so in Samsung case, extra key is not released after Bixby debloat, so we first slap this plugin into phone and then customize via Xposed Edge
* libsecure_storage companion -- helps us keep the bluetooth pairings
* (optional) Universal GMS Doze (disappeared from repository?) or Sysconfig patches -- cools down GMS services. Questionable impact but i use it.
* (optional) YouTube Vanced black themed -- brings usable YouTube experience
* (impossible) QuickSwitch -- we can't have Quickstep+Hyperion (the most capable Quickstep launcher) as there's no pill but Samsong custom recents
* (untested) - FDE, LKT - in a short time, i wasn't optimizing battery. It's good out of the box(!).
XPosed plugins:
* Xposed Edge Pro - a must have and best plugin. Here, by the way, we will modify Bixby button once again, including double press and long press. Because why not
* XPrivacy - Screw the big brother. Must have. Disabling analytics, tracking, telephony, network, identification for all visible apps and all Google and Samsung apps with some exceptions.
* Firefds kit - so this is our main customization app, and enables the very important call recording, which is beutifully integrated into call history. Bye bye external apps. Also we will remove Restart action and replace with Recovery action and rename it to Restart
* afWall - Problems with this firewall and some VPN clients. Should by disabled in Xposed but we want to have this tool
* (optional) Exi for Swiftkey - you can make Swiftkey great again, GBoard is still the best, Samsung keyboard is very good, but too tall and leaves gap in fullscreen mode
Other stuff
- booting to non-root ok, impact could be lost pairings. So let's have it as a useful safe mode.
- after setup, never used Power+Bixby+VolUp. After shutdown, not needed. Rebooting with modified Restart command. Easy
- using TWRP to flash blank Samsung boot logos, to see files etc
- not using multidisabler as i'm on stock and i do want encryption, ROMs/MODs push it thou
- next monthly upgrade will be interesting, as it'll be time to verify what unwanted stuff is being reenabled
Battery saving:
- unknown effect of {LSpeed, Naptime, Servicely, FDE, LKT, Universal GMS Doze, Sysconfig patcher} in such a short time.
- not big impact by dozes (AOD, fp icon, dt2wake, raise2wake) - that's cool.
- having 1.0-1.2%/hr in home wifi standby, VPN, locationtracking, perma BT watch, and tons of widgets and apps
- not liking memory filling up by thrashware even after debloat. From 4GB free to 2GB free quickly.
Click to expand...
Click to collapse
Hello sir! I'm new to all of this, but i have learned a lot by myself already, and I have researched a lot about privacy on android and how to make the phone more secure! I need some help and guidance please. I have debloated and played around with my s10 for a long time, and had to flash and root 4 times now. The first two times the AOD didn't work anymore(probably bixby related -_-), the next two times I had a soft brick because I removed payment services! I'm really annoyed as I just want to use regular phone functions and I want be as untrackable and unhackable as possible. I mostly use apps from F-DROID, almost all! I also removed google services, basically everything google is gone.
As I understand your Guide, I have to:
1. Flash/root my phone again
2. Run script in su terminal <- here I have no idea what where and how to do this.
or
1. Flash/Root my phone again
2. Install all magisk plugins
3. Install Xposed and all plugins
4. Now Run script in su terminal <- again no idea what where and how to do this.
Could you explain in which order I should proceed and how to do the scripting part? And, when I use Xprivacy, can I leave google play services on the phone for youtube vanced?(or even other nongoogle apps and feed them false data?)Right now I use NewPipe for youtube. does XMPP work?
My biggest concern is privacy, I dont want any f***ers to spy on me. Another thing, how good is LineageOS, I could buy a SDcard and I try it or sell my stupid phone!
Thank you if you could help me, I'm really annoyed by all of this, I used a normal 30 € phone for 2 years because I don't want be spied on and not forget how nice the world is without phone that knows everything, for and about me!
---------- Post added at 11:39 PM ---------- Previous post was at 11:34 PM ----------
.TanTien said:
Thank you very much! Really helpful script, pretty much what I was looking for.
Click to expand...
Click to collapse
Hi! Can you tell me how to do the scripting??? greetings
kejsix said:
Hello sir! I'm new to all of this, but i have learned a lot by myself already, and I have researched a lot about privacy on android and how to make the phone more secure! I need some help and guidance please. I have debloated and played around with my s10 for a long time, and had to flash and root 4 times now. The first two times the AOD didn't work anymore(probably bixby related -_-), the next two times I had a soft brick because I removed payment services! I'm really annoyed as I just want to use regular phone functions and I want be as untrackable and unhackable as possible. I mostly use apps from F-DROID, almost all! I also removed google services, basically everything google is gone.
As I understand your Guide, I have to:
1. Flash/root my phone again
2. Run script in su terminal <- here I have no idea what where and how to do this.
or
1. Flash/Root my phone again
2. Install all magisk plugins
3. Install Xposed and all plugins
4. Now Run script in su terminal <- again no idea what where and how to do this.
Could you explain in which order I should proceed and how to do the scripting part? And, when I use Xprivacy, can I leave google play services on the phone for youtube vanced?(or even other nongoogle apps and feed them false data?)Right now I use NewPipe for youtube. does XMPP work?
My biggest concern is privacy, I dont want any f***ers to spy on me. Another thing, how good is LineageOS, I could buy a SDcard and I try it or sell my stupid phone!
Thank you if you could help me, I'm really annoyed by all of this, I used a normal 30 € phone for 2 years because I don't want be spied on and not forget how nice the world is without phone that knows everything, for and about me!
---------- Post added at 11:39 PM ---------- Previous post was at 11:34 PM ----------
Hi! Can you tell me how to do the scripting??? greetings
Click to expand...
Click to collapse
i keep running the script without problems for months now.
to run a script, you need a terminal - use any terminal app, like 3C Toolbox or via adb. this is too generic question.
to run it, you need root, so at least magisk must be present. you normally flash your favorite image, then magisk, in magisk you load riru & exposed plugins, then in edxposed installer you load xposed plugins like xprivacy. i run strict privacy settings on every device and this requires some work. first thing i do, is press RESTRICT button on all visible apps for these permissions: identification, network, telephony, tracking, analytics, then calendars, call log, contacts, location and messages. Then i go throught individual apps and deselect neccessary permisions for some apps. on the left menu, i set 'restrict new apps'. this way i can control non-geeky users phone who install any app without thinking and accept all default choices without any hesitation. It's very hard for them to fight XPrivacy thou - they don't understand it luckily. unlike personal computers, phones are great source of snitching, as you have so much data available to the aggressive companies like SIM details (=directly identify your person via Telco), IP (=directly identify you via ISP), web services where you provided real name and phone number (to "recover account" blabla, real meaning is to identify you), tracking and analytics (to study your behaviour and share your internet presence via a token between companies). All this needs to be cloaked and more: browser should be full of privacy plugins, ad killers, fingerprinting killers, webrtc killers etc etc. VPN set, and firewall set. I also use Changer xposed plugin to cloak extra items not covered by XPrivacy.
I have zero ads in any apps. Zero suggestions by ecommerces. Getting dummy search hits without relevance. Always a blank user to each web or app. Email on the best privacy provider, with zero knowledge encryption, this and any web services paid via bishuffled bitcoin bought in person (Coinbase? really? send ID? seriously people do this?). IP is cloaked via trustful service, in case of need to express opinion on the internet (which i've given up to) in todays politically correct era, use also Tor and Psiphon. No phone numbers, IMEIs, IMSIs etc etc provided. No real names ever entered anywhere. I can have great privacy with commercial tools, and don't need to use Snowden type of blank OS. But it's difficult to set up, it takes hours and some tweaking later. I just find mobile encryption too weak, on PC an intruder (govt) needs to: enter BIOS password, enter TCG-OPAL password, enter bitlocker password, enter Windows password, enter fingerprint to USB flash drive with keys to data drive, unlock bitlocker of the same USB, then unlock data drive -- it's just 20 seconds of extra work once per day. Mobile phone: password and FBE and sensitive app locking. Don't use fingerprints (they belong to govt) or facelock (too lame). Or use fingerprints with lockdown feature (use AI button to map this action with XPosed Edge plugin), and lock it deeply when going to customs or similar checkpoint. Your data and thougts are yours and noone elses.
Yeah install instructions man.. su in terminal and then what ???
kejsix said:
Hi! Can you tell me how to do the scripting??? greetings
Click to expand...
Click to collapse
I opened the script file and picked the features i wanted to disable by manually typing the commands. Standard procedure should be starting terminal as su
Code:
chmod 777 filename.sh
and after that
Code:
./filename.sh
You should be in your file directory of course. You can get there by typing
Code:
cd /your/file/path
Will that work on Snapdragon s10?
i'm running this for 8 months now after each boot. And i didn't update firmware as the rooting process was so exhausting. Now i'm going through the horror again, hoping to keep the encryption, therefore strictly without a custom ROM.
Script should work on Snapdragon, it's not related to the root process.
easier way to run the .sh file:
1. su
2. cd /storage/emulated/0
3. sh S10_cleanup.sh