
Android Recommendations
Android is a highly secure operating system with full verified boot, strong sandboxing, a permission control system, modern exploit mitigations, and more.
Google Pixel phones are the only secure phones as they fully support verified boot, use the custom Titan M2 chip, use the Trusty TEE OS, and can effectively randomize the device's MAC address. There is a reason why GrapheneOS only supports Google Pixel phones. Do not even think about buying a different phone. All other phones are a security nightmare and should be avoided at all costs!
Reading Material: https://source.android.com/security/features https://source.android.com/security/verifiedboot/ https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html https://source.android.com/docs/security/features/trusty#whyTrusty https://android-developers.googleblog.com/2017/04/changes-to-device-identifiers-in.html https://madaidans-insecurities.github.io/android.html
Android Operating Systems
Most custom operating systems substantially weaken the Android security model. Never leave your bootloader unlocked and do not root your device. If your phone does not support GrapheneOS, use the stock operating system.
Reading Material: https://privsec.dev/os/choosing-your-android-based-operating-system/ https://www.privacyguides.org/android/ https://madaidans-insecurities.github.io/android.html#custom-roms
GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project. It's focused on the research and development of privacy and security technology including substantial improvements to sandboxing, exploit mitigations and the permission model. GrapheneOS also develops various apps and services with a focus on privacy and security. Vanadium is a hardened variant of the Chromium browser and WebView specifically built for GrapheneOS. GrapheneOS also includes our minimal security-focused PDF Viewer, our hardware-based Auditor app / attestation service providing local and remote verification of devices, and the externally developed Seedvault encrypted backup which was initially developed for inclusion in GrapheneOS.
GrapheneOS improves the privacy and security of the OS from the bottom up. It deploys technologies to mitigate whole classes of vulnerabilities and make exploiting the most common sources of vulnerabilities substantially more difficult. It improves the security of both the OS and the apps running on it. The app sandbox and other security boundaries are fortified. GrapheneOS tries to avoid impacting the user experience with the privacy and security features. Ideally, the features can be designed so that they're always enabled with no impact on the user experience and no additional complexity like configuration options. It's not always feasible, and GrapheneOS does add various toggles for features like the Network permission, Sensors permission, restrictions when the device is locked (USB peripherals, camera, quick tiles), etc. along with more complex user-facing privacy and security features with their own UX.
GrapheneOS will never include either Google Play services or another implementation of Google services like microG. Those are not included in the Android Open Source Project and are not required for baseline Android compatibility.
Android is an operating system for mobile devices such as smartphones and tablet computers. It consists of a kernel based on the Linux kernel, with middleware, libraries and APIs written in C and application software running on an application framework which includes Java-compatible libraries based on Apache Harmony.
Android has a large community of developers writing applications ("apps") that extend the functionality of the devices. Developers write primarily in a customized version of Java.
Apps can be downloaded from third-party sites or through online stores such as Google Play Store, the app store run by Google.
App Stores
You should never use F-Droid as it substantially weakens the Android security model. Most people should only install apps from the Google Play Store. If your threat model requires not logging into Google, you can use the Aurora Store but must understand the risks of using third-party app stores. Source: https://wonderfall.dev/fdroid-issues/
Google Play (formerly the Android Market) is an online store by Google for Android devices. Browse and search for apps, books, and movie rentals from your web browser or Android device.
Browsers
Use Chromium browsers only. Firefox on Android still does not support site isolation. You should access most websites including YouTube, Twitter, and Reddit inside the browser instead of their apps since websites in a browser are much less privileged than an app.
GrapheneOS users should just use Vanadium. For stock Android users, use one of the browsers listed below. Mulch was considered as it is a hardened fork of Chromium with timely updates, but it is not listed here because it is available on F-Droid rather than the Google Play Store.
Reading Material: https://grapheneos.org/usage#web-browsing
A free web browser developed by Google from the open source Chromium project with a focus on speed and minimalism. Chrome offers fast start-up and web page loading, supports a minimalist user interface, automatically updates in the background, and offers syncing of browser bookmarks, extensions, passwords, and history between multiple computers by your Google account.
Additionally, Chrome has PDF support built into the browser for better speed and security.
Chrome Web Apps and Extensions are available on Chrome Web Store.
Available in more than 50 languages.
Messaging Apps
If possible, convince your family and friends to use Signal as it uses end-to-end encryption by default, can hide metadata, has a good track record, and is recommended by many security researchers. Otherwise, use Google Messages.
Using Signal, you can communicate instantly with your relatives without making a compromise on privacy or security. Make video calls, send messages, pictures, videos, documents, voice recordings, GIFs, contacts & location, create groups so that you can chat in real time with all your friends at once and react to their messages with emojis, all with complete privacy. Signal servers never have access to any of your communications and never store any of your data.
- Say Anything - Share text, voice messages, photos, videos, GIFs and files for free. Signal uses your phone's data connection so you can avoid SMS and MMS fees. (Signal no longer supports SMS or MMS.)
- Speak Freely - Make crystal-clear voice and video calls to people who live across town, or across the ocean, with no long-distance charges.
- Make Privacy Stick - Add a new layer of expression to your conversations with encrypted stickers. You can also create and share your own sticker packs.
- Get Together with Groups - Group chats make it easy to stay connected to your family, friends, and coworkers.
- No ads. No trackers. No kidding. - There are no ads, no affiliate marketers, and no creepy tracking in Signal. So focus on sharing the moments that matter with the people who matter to you.
- Remain Connected - Push notifications let you know when new messages have arrived, and they'll be waiting for you even if your battery dies or you temporarily lose service.
- View Source - All of our code is free, open, and available on GitHub (https://github.com/signalapp).
- Join Movements - Technology developed by Open Whisper Systems is trusted and used by millions of people around the world every day.
Messages is Google's communications app for Android that helps you send and receive SMS and MMS messages. You can also send group texts as well as your favorite pictures, videos and even audio messages to your contacts.
FEATURES
• Faster sharing: Select or take pictures and videos directly from the app and share easily. You can even send audio messages to your contacts.
• Easy search: Search through contacts and conversation threads to find exactly what you are looking for.
• Purposeful design: New, fluid, material design that is intuitive and delightful.
• More control: Ability to block SMS senders. No interruptions when you don’t want them!
• More features: audio messages, emoji support 😃, stickers, location sharing, colored text threads, message archiving and more.
Security and Privacy
Security: Our secure VPN sends your internet traffic through an encrypted VPN tunnel, so your passwords and confidential data stay safe, even over public or untrusted Internet connections.
Privacy: Keep your browsing history private. As a Swiss VPN provider, we do not log user activity or share data with third parties. Our anonymous VPN service enables Internet without surveillance.
Freedom: We created Proton VPN to protect the journalists and activists who use Proton Mail. Proton VPN breaks down the barriers of Internet censorship, allowing you to access any website or content.
Internet security for everyone: Our goal is to make online privacy accessible to all. To do this, we have focused on making the advanced security technology in Proton VPN effortless to use and freely available.
Free VPN: We believe privacy and security are fundamental human rights, so we also provide a free version of Proton VPN to the public. Unlike other free VPNs, there are no catches. We don't serve ads or secretly sell your browsing history. Proton VPN Free is subsidized by Proton VPN paid users. If you would like to support online privacy, please consider upgrading to a paid plan for faster speeds and more features.
Easy to Use: The best security tools in the world will only protect you if used correctly and consistently. We have extensively simplified the Proton VPN interface to make it as intuitive as possible – so you can stay protected every day, hassle free.
Fast VPN Speeds: A 10 Gbps server network combined with our unique suite of VPN Accelerator technologies can improve speeds by over 400%. The advanced network TCP flow control algorithm we utilize provides unparalleled performance and connection stability.
Multi-Platform Support: Proton VPN is available on all your devices, including PCs, Macs, smartphones, and even routers. A secure Internet connection that you can trust is essential to maintaining your privacy on your laptop at home, your mobile device on the road, or your workstation at the office. Proton VPN has native apps for Windows, macOS, Linux, Chromebook, Android, Android TV and iOS/iPadOS.
Stream from anywhere: Proton VPN unblocks a wide selection of popular online media services, allowing you to access your favorite streaming content from anywhere in the world as if you were at home. Our fast server network and unique VPN Accelerator technology also ensure your experience is smooth and buffering-free.
VPN Accelerator: VPN Accelerator is a set of technologies unique to Proton VPN that can increase your VPN speeds by over 400%. By overcoming CPU limitations that affect how VPN protocols are processed, using advanced networking techniques to reduce latency, and redesigning VPN protocols themselves to reduce inefficiencies in their code, VPN Accelerator can dramatically increase speed performance.
Shelter is a Free and Open-Source (FOSS) app that leverages the “Work Profile” feature of Android to provide an isolated space that you can install or clone apps into.
Shelter comes with absolutely no advertisement / statistics / tracking SDKs bundled with it. All source code is available at https://git.angry.im/PeterCxy/Shelter or mirror https://github.com/PeterCxy/Shelter and the sources are licensed under WTFPL.
This app depends on your Android system’s implementation of Work Profile. Some vendor / custom ROMs may have a broken implementation that may cause crashes and even bricking of your device. One such example is MIUI from Xiaomi. I currently provide no support for such ROMs because I personally do not own any of these devices. If you are running Shelter on these ROMs, you are on your own. If any developer out there owns these devices and could make Shelter run on these ROMs, please send pull requests and I’ll be happy to merge them.
Features / Use Cases
- Run apps inside the isolated profile so they cannot access your data outside the profile
- “Freeze” (disable) background-heavy or seldom-used apps when you don’t need them. This is especially true if you use apps from "some company".
- Clone apps to use two accounts on one device
Caveats
Shelter is not a full sandbox implementation. It cannot protect you from:
- Security bugs of the Android system or Linux kernel
- Backdoors installed in your Android system (so please use an open-source ROM if you are concerned about this)
- Backdoors installed into the firmwares (no way to work around this)
- Any other bugs or limitations imposed by the Android system.
Also, Shelter cannot create more than 1 work profile on one Android device, and cannot co-exist with any other apps that manage a Work Profile. This is due to the limitations of the Android system, and I can do nothing about this.
The Auditor app uses hardware security features on supported devices to validate the integrity of the operating system from another Android device. It will verify that the device is running the stock operating system with the bootloader locked and that no tampering with the operating system has occurred. It will also detect downgrades to a previous version.
Other Apps
Use stock apps when possible as installing third-party apps gives you another party to trust and increases attack surface. Unless the app is something you need (such as WhatsApp), only install third-party apps either if there is no stock app replacement or if the stock app can be uninstalled from the system. Choose apps that require as few permissions as possible.
Feeder is a fully free/libre feed reader. It supports all common feed formats, including JSONFeed. It doesn't track you. It doesn't require any setup. It doesn't even need you to create an account! Just set up your feeds, or import them from your old reader via OPML, then get on with syncing and reading.
Features
- Parses HTML and displays it in a native TextView
- Offline reading
- Background synchronization
- Notifications
- OPML Import/Export
- Handy access to enclosure links
- Material design
Notally is a minimalistic note taking app with a beautiful material design and powerful features.
Organization:
- Create lists to stay on track
- Add labels to your notes for quick organization
- Archive notes to keep them around, but out of your way
- Create rich text notes with support for bold, italics, mono space and strike-through
Sharing:
- Export notes as plain text, HTML or PDF files with formatting
Convenience:
- Auto save
- Dark mode
- Completely free
- Material design
- No ads, trackers or analytics
Organic Maps is an Android & iOS offline maps app for travelers, tourists, hikers, and cyclists based on top of crowd-sourced OpenStreetMap data and curated with love by MAPS.ME founders.
• Detailed offline maps with places that don't exist on other maps
• Cycling routes, hiking trails and walking paths
• Contour lines, elevation profiles, peaks and slopes
• Turn-by-turn walking, cycling and car navigation with voice guidance
• Fast offline search on the map and bookmarks
• Dark mode to protect your eyes
Organic Maps is pure and organic, made with love:
• Respects your privacy
• Saves your battery
• No unexpected mobile data charges
Organic Maps is free from trackers and other bad stuff:
• No ads
• No tracking
• No data collection
• No phoning home
• No annoying registration
• No mandatory tutorials
• No noisy email spam
• No push notifications
• No crapware
• No pesticides
At Organic Maps, we believe that privacy is a fundamental human right:
• Organic Maps is an indie community-driven open-source project
• We protect privacy from Big Tech’s prying eyes
• Stay safe no matter wherever you are
Zero trackers found according to Exodus Privacy Report. No excessive permissions requested.
This is a modern camera app focused on privacy and security. It includes modes for capturing images, videos and QR / barcode scanning along with additional modes based on CameraX vendor extensions (Portrait, HDR, Night Sight, Face Retouch and Auto) on devices where they're available.
Modes are displayed as tabs at the bottom of the screen. You can switch between modes using the tab interface or by swiping left/right anywhere on the screen. The arrow button at the top opens the settings panel and you can close it by pressing anywhere outside the settings panel. You can also swipe down to open the settings and swipe up to close it.
The app has an in-app gallery and video player for images/videos taken with it. It currently opens an external editor activity for the edit action.
Zooming via pinch to zoom or the zoom slider will automatically make use of the wide angle and telephoto cameras on Pixels and other devices supporting it. It will become more broadly supported over time.
By default, continuous auto focus, auto exposure and auto white balance are used across the whole scene. Tapping to focus will switch to auto focus, auto exposure and auto white balance based on that location. The focus timeout setting determines the timeout before it switches back to the default mode. The exposure compensation slider on the left allows manually tuning exposure and will automatically adjust shutter speed, aperture and ISO. Further configuration / tuning will be provided in the future.
Camera permission is the only one that's required. Images and videos are stored via the Media Store API so media/storage permissions aren't required. The Microphone permission is needed for video recording by default but not when including audio is disabled. Location permission is only needed if you explicitly enable location tagging, which is an experimental feature.
By default, EXIF metadata is stripped for captured images and only includes the orientation.
Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions.
The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.
Reading Material: https://source.android.com/security https://privsec.dev/os/android-tips/ https://www.privacyguides.org/android/overview/ https://madaidans-insecurities.github.io/android.html https://github.com/beerisgood/Smartphone_Security
Replace Chrome with Brave or Bromite (or Vanadium on GrapheneOS) and the Play Store with Aurora Store for better UX and privacy.
Aurora Store lacks important security features including certificate pinning, still requires the legacy store permission, among other security issues.
Bromite is much slower to update than other browsers.
Sources: https://gitlab.com/AuroraOSS/AuroraStore/-/blob/26f5d4fd558263a89baee4c3cbe1d220913da104/app/src/main/AndroidManifest.xml#L28-32 https://gitlab.com/AuroraOSS/AuroraStore/-/issues/697 https://privsec.dev/os/android-tips/#aurora-store https://divestos.org/misc/ch-dates.txt