Having previously covered Samsung-specific phones and stock Android, let's go the extra mile and talk now about rooted phones.

On the XDA developers forum you can find almost every phone and see how to root it to find your perfect customized ROM. If you are up for a new phone, consider one that is compatible with GrapheneOS or LineageOS.

GrapheneOS was formerly known as CopperheadOS and was sold as part of a bundle with a Pixel phone, or you could install it yourself on your own Pixel phone. Sadly, the developing partners had a bit of a nasty falling out and we ended up with GrapheneOS. However, it is still open source and still only for Pixel phones, so if you have one of these (and bear in mind, so far it is not for the Pixel 4), then that would be your best and safest bet.

If you have other phones, for example Samsungs, Lineage is going to be your best and safest bet! It comes Google-free, and that makes it a more privacy-friendly phone. One of my two daily drivers is a OnePlus7 Pro, which runs super smoothly and perfectly well on Lineage. Again, strongly recommended if you are up for a new phone.

Here is the XDA link on how to root and how to install Lineage on a OnePlus7 Pro

Let's assume you have managed to find your phone on the XDA developers forum, have followed the rooting instructions and managed to run Lineage or GrapheneOS, so you are almost there.

Thanks to the rooting you have some pretty great features you wouldn't have without it!

One of those features is that you can run multiple VPN applications at the same time, say WireGuard and a firewall as an example.

But let's take it one step at a time.

The first almost 'must have' application is AFWall+. Like NetGuard or AdGuard, it lets you block applications' access to the internet. With AFWall+ you do this not just at a VPN level but with an actual firewall and iptables editor too! You can restrict apps' access to the internet altogether, but you can also allow apps to be online only when another VPN is up, for example WireGuard, or Tor! You can even restrict roaming in different networks (on vacation etc.).

This makes it far more powerful than NetGuard or AdGuard.

Features

  • List and search for all installed applications
  • Sort installed applications by installation date, UUID or in alphabetical order
  • Receive notifications for any newly installed applications; AFWall only lists apps with INTERNET_PERMISSION
  • AFWall comes with its own log service to see what's going on
  • Display notifications for blocked packets
  • Filter blocked packet notifications per app
  • Export & import rules ("Import All Rules" requires the donate version)
  • Option to prevent data leaks during boot (requires init.d support or S-OFF)
  • Password protection
  • Option to manage iptables rules with a custom script

After installing AFWall+ you need to grant it root access. Next to the search feature you can select Allow selected (which is preselected) or Block selected (which we recommend).

Go to Settings -> Rules/Connectivity and select Roaming control, LAN control, VPN control and Tor control (if you don't use any of these, you do not need to select them).

Also select IPv6 support, otherwise your tick list only works on IPv4, and Facebook, Google and other "friends you don't need" can still track you.

Also click Experimental and select Dual App Support.

After you have done this, select all the apps you would like to block from accessing the internet, or give some the ability to be online only over Tor or a VPN. Leave WireGuard or whichever VPN app you are using alone, or you will be offline altogether. Also leave (Any app) alone and select each app manually, or you will end up being totally offline.
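What the "online only when a VPN is up" setting and the IPv6 option come down to at the iptables level, as an added example that is not AFWall+'s own code or the rules it generates. The chain name `vpn-only-demo`, the interface `tun0` and the app UIDs are assumptions made up for the illustration; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added illustration: print (not apply) per-app "VPN only" firewall rules.
# Chain name, interface and UIDs are assumptions, not AFWall+ internals.

CHAIN="vpn-only-demo"   # hypothetical user-defined chain

# Accept only plain numeric UIDs and simple interface names, so an emitted
# line can never carry extra shell or iptables syntax.
valid_uid()   { case "$1" in ''|*[!0-9]*) return 1;; esac; }
valid_iface() { case "$1" in ''|*[!A-Za-z0-9+_-]*) return 1;; esac; }

# vpn_only_rules VPN_IFACE UID...
# Traffic owned by the listed UIDs may leave only via loopback or VPN_IFACE.
# If the VPN interface is down nothing matches it, so everything is rejected.
vpn_only_rules() {
    iface="$1"; shift
    valid_iface "$iface" || { echo "bad interface: $iface" >&2; return 1; }
    for uid in "$@"; do
        valid_uid "$uid" || { echo "bad uid: $uid" >&2; return 1; }
    done
    # Emit the same policy for IPv4 and IPv6: with iptables alone the apps
    # would still be free to talk over IPv6.
    for ipt in iptables ip6tables; do
        # Build the chain completely before hooking it into OUTPUT, so there
        # is no moment where an app is matched by a half-filled chain.
        echo "$ipt -N $CHAIN"
        echo "$ipt -A $CHAIN -o lo -j RETURN"
        echo "$ipt -A $CHAIN -o $iface -j RETURN"
        echo "$ipt -A $CHAIN -j REJECT"
        for uid in "$@"; do
            echo "$ipt -A OUTPUT -m owner --uid-owner $uid -j $CHAIN"
        done
    done
}

# Constructed sample input: 10123 and 10150 are made-up app UIDs.
vpn_only_rules tun0 10123 10150
```

The owner match is what lets a firewall on a rooted phone decide per app rather than per connection, which a VPN-based blocker cannot do for traffic that bypasses its tunnel.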

The second app that works perfectly hand in hand with AFWall+ is AdAway (this is also based on iptables and needs rooting). You can use any or all of our recommended blocklists.

Most recommended lists are:

AdAway - Blocking mobile ad providers and some analytics providers
hpHosts - Ad and Tracking servers only
CHEFKOCH - NSA Blocklist
CHEFKOCH - Canvas font fingerprinting
CHEFKOCH - Audio fingerprinting
CHEFKOCH - Canvas fingerprinting
CHEFKOCH - Trackers
CHEFKOCH - Facebook
StevenBlack - with the fakenews, gambling and social extensions
Google - Blocks all Google domains and services
Facebook & FB - Blocks Facebook and its Apps
GoodByeAds - Great list of Ads blocked
Yhosts - Great list!
Crimeflare - Cloudflare domains
Android - Android Ads and Tracking
AdGuard Mobile - Mobile Ads
AMP Mobile - Google AMP Mobile

Now we personally install Shelter and have a work profile running at the same time. This is powerful, as you can use apps isolated from the main space of your phone, or run a second instance of any of your favorite apps: Signal, Riot, whatever...

To use the power of AFWall+ on the Shelter setup, please go to AFWall+ Settings -> Experimental and click Dual Apps Support.

Now within the Shelter app, clone the apps you would like to use on your work profile and use them in the isolated space. For example, run WireGuard on Shelter, or run WireGuard on both sides but with two different locations.

And talking of being paranoid...

You won't have any gapps or Google Play Store apps if you use Lineage. There is a Lineage version with microG (an open source replacement for most of the Google stuff, but without inviting Google onto your phone). It even allows you to receive push notifications. However, there is always a little 'googley' stuff in it, and if you can live without it, we strongly recommend using your phone with F-Droid and perhaps Aurora Store (for Google Play Store downloads).

Just as with the stock Android setup covered in the last Privacy Cookbook chapter, you can use any of these recommended apps.

The Lineage setup is our daily driver and we would recommend everyone to do the same. Sadly, Lineage doesn't have the best camera software, so if you want a super strong and amazing camera, it might not be your first choice, but what you get is more privacy and less tracking on your phone, plus a pretty amazing extended battery life.