Most of us have a mobile device nearby all day (and night) long, which essentially means we have chosen to have a tracking device running next to us 24/7, whether we're watching YouTube, chatting with friends or doing any one of the myriad tasks we conduct on these tiny devices.

So today we're diving into privacy and security on Android.

If you follow privacy advocates and their tech recommendations on Reddit and the like, there are three names that usually come up when it comes to privacy.

Lineage, which works on a significant number of mainstream phones, and CalyxOS and GrapheneOS, which both work on Pixel phones. We'll take a good look at each.

We will also look into Android from vendors and the straight 'out of the box' operating system which comes with Samsung, Motorola and the like. There is also DivestOS, which is a great solution and one we can recommend, and there is /e/, which ships a modified Lineage operating system that works 'out of the box' but faces other problems. We'll come to these later.

One feature of the privacy community is that they look at what is most private, but forget about security! Since this series here on decentralize.today is all about PrivSec, we'll dive in today to try and identify a better balance between the two aspects.


First the good news: Android, by default, is a very secure operating system.

In fact, thanks to app sandboxing and Verified Boot (AVB), Android is better than any desktop operating system out there. However, that said, issues start once the operating system comes out of the box. Many manufacturers choose to add a lot of intrusive bloatware. Samsung is one of the worst when it comes to this. Sure, you can remove those with ADB, but Samsung also has some really useful apps, so take your time in deciding which apps you want ADB to remove.

See also on privacy.do: #samsung - setups for maximizing your #onlineprivacy with Samsung devices

But even in doing this, you still have Samsung and Google, and you can never fully escape from their trackers. If you leave Google Play Services installed, for example, Google has irrevocable privilege to access files, contacts, logs, your SMS messages, location and even camera and microphone. On top of this, they have a hardware identifier and track every move, regardless of whether you've switched location services off. With the newest Android, you can take those privileges away for most apps, but not for Samsung's or Google's own apps. In other words, you will give up privacy by using Android 'out of the box'.

Rooting

Some people recommend rooting your phone, to have more control and be able to use specific firewalls and rules to make your phone more private. As good as this might sound, rooting decreases your security significantly as it weakens Android's security model.

Common rooting methods involve tampering with the boot partition, which in turn makes it impossible to perform verified boot. Apps requiring root will modify the system partition, thereby leaving verified boot disabled. Having root directly exposed in the user interface also increases the attack surface of your device and can facilitate privilege escalation vulnerabilities and SELinux policy bypasses.
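Whether a device still boots with an intact verified-boot chain can be read from the boot properties Android exposes. The script below is an added example written for this article, not part of the original text or of any project mentioned in it; the property names (ro.boot.verifiedbootstate, ro.boot.flash.locked) are the real Android ones, while the sample values in the dry run are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): interpret Android's
# verified-boot properties. Run with --device to read a connected phone
# over adb; without arguments it evaluates constructed sample values.

# vb_verdict STATE LOCKED
#   STATE  is ro.boot.verifiedbootstate: green, yellow, orange or red
#   LOCKED is ro.boot.flash.locked:      1 (locked) or 0 (unlocked)
# Prints an explanation and returns 0 only when verified boot is intact.
vb_verdict() {
    state=$1
    locked=$2
    rc=0
    case "$state" in
        green)  echo "green: locked bootloader, OS signed with the OEM key" ;;
        yellow) echo "yellow: locked bootloader, OS signed with a custom key (how a signed third-party OS such as GrapheneOS or DivestOS boots)" ;;
        orange) echo "orange: unlocked bootloader, boot image is NOT verified (the usual state after rooting)"; rc=1 ;;
        red)    echo "red: verification failed, boot image corrupt or tampered"; rc=1 ;;
        *)      echo "unknown verifiedbootstate '$state'"; rc=1 ;;
    esac
    # A locked bootloader is what gives green/yellow their meaning: an
    # unlocked device can have its boot partition rewritten at will.
    if [ "$locked" != "1" ]; then
        echo "warning: ro.boot.flash.locked=$locked, bootloader reports unlocked"
        rc=1
    fi
    return $rc
}

# read_prop NAME: read one boot property from the attached device,
# stripping the carriage return that `adb shell` appends on some hosts.
read_prop() {
    adb shell getprop "$1" | tr -d '\r'
}

if [ "$1" = "--device" ]; then
    vb_verdict "$(read_prop ro.boot.verifiedbootstate)" "$(read_prop ro.boot.flash.locked)"
else
    # Constructed sample: a locked Pixel running a signed third-party OS.
    vb_verdict yellow 1
fi
```

A rooted phone with an unlocked bootloader will report orange and a non-zero exit status; a stock phone reports green, and a locked Pixel running a signed third-party build reports yellow, which is still an intact chain.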

Lineage

Which brings us to Lineage, which runs on many Samsung phones and, by extension, the products of many other cellphone manufacturers. The main issue with Lineage is not on the privacy end, but with security.

Firmware updates are a problem on Lineage and even /e/. OEMs only have support agreements with their partners for closed-source components for a limited period. These are published within the Android Security Bulletins.

Custom Android distributors are responsible for extracting the vendor firmware from the official operating system and then building and patching in their own.

Unfortunately, many of these distributors, including the more popular ones such as LineageOS and /e/ OS, don't send out firmware updates for most of their supported devices or components. Instead, they expect the user to keep track of stock OS updates, then extract the firmware and flash it themselves. Leaving aside the lack of testing that likely takes place, the whole process is burdensome and probably not realistic for most end users. Another good reason to maybe not use these distributors.

Which brings us to a recommendation when it comes to Samsung and co., take whatever comes 'out of the box' and then use ADB to remove intrusive apps. Perhaps check out decloudus, if you want to stop Google at the DNS level.

DeCloudUs - Privacy DNS Blocks Trackers, Ads, and More: a secure, private, open source DNS resolver with no logs. DeCloudUs DNS is the best way to block online trackers, annoying ads, and protect your devices from malware, phishing, and malicious sites. Easily deGoogle, deApple, deMicrosoft, etc any device at any level you choose. Fully customize you…

When you are on an older phone, DivestOS is a good option. It is a soft-fork of Lineage but has signed builds, including verified boot, something I would always recommend leaving on. DivestOS is hardened, and it has automatic kernel vulnerability patching. They also have some security features that they've ported from GrapheneOS.

Coming to Pixel Phones!

I am personally a #teampixel guy! It's the most vanilla when it comes to Android, and the best phone to degoogle! Yes, the irony...you get a Google phone in order to remove Google!

Foremost, if you are in the market for a new Android phone, I strongly recommend a Pixel. The Pixel, even though it comes from Google, is the only phone with proper AVB support for third-party operating systems and with the Google Titan security chip acting as the secure element.

If you go the route of having a Pixel device you have multiple options. The first is to leave it as is and have Google spy on you, but get the best security you could get from any vendor 'out of the box'. Additionally, Pixels receive the newest Android updates faster than any other vendor's phones.

CalyxOS

Option two is the often praised CalyxOS. I've put up a CalyxOS vs GrapheneOS article on privacy.do in case you want to catch up on the differences.

See also on privacy.do: #calyxOS or #grapheneOS - compares both setups for mobile phones #onlineprivacy

The issue with CalyxOS is that it has been behind on security updates in the past, and even on Chromium WebView updates: WebView on CalyxOS was 3 months behind in January 2022 and 2 months behind in June 2022.

As we mentioned before, privacy and security are not the same, but both should work hand in hand to ensure privacy is provided. On the vendor patch level, CalyxOS was a full 4 months behind in switching from Android 11 to Android 12 and did not push any firmware updates at all during that time. When you consider that we are currently in the transition to Android 13, this could very well be another potential issue in the future.

Other than that, CalyxOS is a decent enough operating system, which comes with MicroG if you so choose, but again not something I would recommend using.

For a fuller review of CalyxOS, see here:

See also on privacy.do: #calyxOS - looks at available setups for mobile phones #onlineprivacy

GrapheneOS

Coming next to GrapheneOS, and this is really the best way to go when it comes to privacy/security or privsec on your Android Pixel phone.

GrapheneOS has not just hardened privacy and security on the Pixel, but also comes (if you so choose) with sandboxed Google Play services, which work just like the Google services installed on the original firmware. The difference is that GrapheneOS does not grant Google the privileges these apps usually ship with.

Recently, GrapheneOS added Storage Scopes, which allows you to force apps that require the broad storage access permission to function with scoped storage. Apps to which you don't give full access, but grant Storage Scopes instead, believe they have full access, but really only have access to the files they created themselves. Additionally, you can specify further storage they are allowed to access. This is great for both security and privacy.

GrapheneOS has a built-in network toggle (meaning you can remove network access completely for specific apps). That is useful if you like to use Gboard as your keyboard, for instance.

GrapheneOS also has cross-user notifications. This means that if you have messaging or email services installed on a different profile, you will get a notification even if you are on another profile. This can be enabled or disabled. No private information is shown on the other profiles; just the app name, the profile name and a timestamp appear on the push notification. I don't know of any other vendors who have this feature. Maybe Samsung with their secure folders can do that, but you need a Samsung account and to be signed in on Samsung profiles, not something I would feel comfortable with...

For a fuller review of GrapheneOS, see here:

See also on privacy.do: #grapheneOS - looks at the best available setup for mobile phones #onlineprivacy

Android

Regardless of which vendor you are on, have a look at and use the global toggles; these let you disable Bluetooth, camera and microphone access.

Go to Settings → Privacy → permission manager and remove permissions which some apps really shouldn't have.

If you use a VPN, enable the VPN kill switch and be sure no app can reach the internet without going through the VPN.

When it comes to the app store, use Aurora if you need anything from the Google Play Store, or, if you use a vendor which comes with all the Google services and you can't remove them, use the original Play Store.

F-Droid is an option where you can get open-source software apps and options.

If you are sticking with the original vendor and Google, you might as well use the Advanced Protection Program from Google.

The APP provides enhanced threat monitoring and enables:

  • Stricter two-factor authentication, e.g. requiring FIDO2 and disallowing the use of SMS OTP, TOTP and OAuth
  • Only Google and verified third-party apps can access account data
  • Scanning of incoming emails on Gmail accounts for phishing attempts
  • Stricter Safe Browsing scanning in Google Chrome
  • Stricter recovery process for accounts with lost credentials

If you use non-sandboxed Google Play Services (common on stock operating systems), the APP also comes with the following additional benefits:

  • Installation of apps from anywhere other than the Google Play Store, the OS vendor's own app store, or via ADB is prohibited
  • Obligatory device scanning utilising Play Protect
  • Warning notifications for unverified applications

Disable Advertising ID

On Android distributions with Sandboxed Google Play:

Go to Settings → Apps → Sandboxed Google Play → Google Settings → Ads, and select Delete Advertising ID

On Android distributions with privileged Google Play Services (such as stock OSes), the setting may be in one of several locations, so check:

Settings → Google → Ads
Settings → Privacy → Ads

You will be offered the choice between deleting the Advertising ID or opting out of interest-based ads. This may vary between OEM distributions of Android. The preferred option is deletion; if this is not available, be sure to opt out and then reset your Advertising ID.

As I've mentioned, Android is pretty secure, and you should have security in mind even as you aim for privacy.

If you want a mix and the best of both, in my opinion, GrapheneOS on a Pixel is it! And really the only solution you should choose when it comes to buying a new phone.

Most of all, consider privacy as not having to be all or nothing, but that privacy without security is not privacy at all!

Stay safe, stay secure

The Privacy Advocate


Attribution

Sections of this article are based on work published by privsec.dev under the CC-BY-SA 4.0 license. DT acknowledges their excellent work on online privacy & security.
