I am increasingly conscious of security and privacy. I don’t want my data or telemetry being sent to google or Facebook, and I want to make sure my device is encrypted and not readable by anyone other than me.
Is there a standard go-to guide on securing an android device with these types of goals in mind? Is true privacy possible without having to install Graphene?
“True” privacy is up to you and what you do with your phone. By default Android uses some Google services impossible to remove without changing ROM, like Google Play Services, SUPL and PSDS.
What you can do for other apps and services is what I’ve done with my old phone (not GrapheneOS compatible):
I remember reading time ago that Google enforces file-based encryption by default on Android which gets decrypted on first unlock when you boot your phone.
Try to look up in your settings for “encrypt”, then you should find the option “Encrypt Phone” with or without the label “Encrypted”.
Anyway this defends you only from an “hands-on” attack with physical access to the phone.
I run GrapheneOS its a 3rd party degoogled ROM with lots of great security features. Its also incredibly entertaining every time google or apole comes out with a new security update or patch to a critical security issue and the GrapheneOS devs go yeah we did that 2years ago.
AFAIK, there’s two types of “secure” when it comes to Android:
Secure against your phone getting stolen
Secure against Google’s data harvesting
(I guess a third “secure” would be 'Secure against exploits", but that’s outside the scope of my advice).
It’s not impossible to be both types of secure, but it is difficult. The main reason both is hard is because to achieve #2, you have to unlock the bootloader which leaves you open to #1 since re-locking it after installing a good custom ROM will prevent the device from working (or brick it at worst).
Achieving #2 is sufficient for me since I don’t keep a lot of sensitive data on it, and that sounds like what you’re asking.
On my phones that support it, I do unlock bootloader, install LineageOS without GApps, and make sure I have root available. I run few apps, but the ones I do all come from FDroid (or Aurora Store in a pinch).
On phones where I can’t unlock the bootloader, my options are much more limited. Typically I’ll disable all the Google and carrier services (including Play Services) and disable and replace all the stock apps with ones from F-Droid.
If my phone is physically compromised and the bootloader is unlocked, my hope is that storage encryption would make it a “non-issue”. Yes, they could wipe the device and delete my data then resell the phone, but at that point all they’ve stolen is a $300 phone with maybe $80 resale value and not my entire identity
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
5. Engage respectfully: Harassment, flamebaiting, bad faith engagement, or agenda posting will result in your posts being removed. Excessive violations will result in temporary or permanent ban, depending on severity.
6. Memes are not allowed to be posts, but are allowed in the comments.
7. Posts from clickbait sources are heavily discouraged. Please de-clickbait titles if it needs to be submitted.
8. Submission statements of any length composed of your own thoughts inside the post text field are mandatory for any microblog posts, and are optional but recommended for article/image/video posts.
“True” privacy is up to you and what you do with your phone. By default Android uses some Google services impossible to remove without changing ROM, like Google Play Services, SUPL and PSDS.
What you can do for other apps and services is what I’ve done with my old phone (not GrapheneOS compatible):
I prefer grayjay! It’s great and it has a good-ish desktop version
Is Android encrypted by default, or does it depend on the device vendor?
I remember reading time ago that Google enforces file-based encryption by default on Android which gets decrypted on first unlock when you boot your phone.
Try to look up in your settings for “encrypt”, then you should find the option “Encrypt Phone” with or without the label “Encrypted”.
Anyway this defends you only from an “hands-on” attack with physical access to the phone.
I run GrapheneOS its a 3rd party degoogled ROM with lots of great security features. Its also incredibly entertaining every time google or apole comes out with a new security update or patch to a critical security issue and the GrapheneOS devs go yeah we did that 2years ago.
I’m running it on a Pixel 9 pro. It seems like I get updates every other day, which I’m not complaining about.
Yeah the devs are doing an excellent job. I would like to see it ship with fdroid tho.
Yeah I just don’t want to ditch my perfectly good Galaxy A54 until it’s actually broken
AFAIK, there’s two types of “secure” when it comes to Android:
(I guess a third “secure” would be 'Secure against exploits", but that’s outside the scope of my advice).
It’s not impossible to be both types of secure, but it is difficult. The main reason both is hard is because to achieve #2, you have to unlock the bootloader which leaves you open to #1 since re-locking it after installing a good custom ROM will prevent the device from working (or brick it at worst).
Achieving #2 is sufficient for me since I don’t keep a lot of sensitive data on it, and that sounds like what you’re asking.
On my phones that support it, I do unlock bootloader, install LineageOS without GApps, and make sure I have root available. I run few apps, but the ones I do all come from FDroid (or Aurora Store in a pinch).
On phones where I can’t unlock the bootloader, my options are much more limited. Typically I’ll disable all the Google and carrier services (including Play Services) and disable and replace all the stock apps with ones from F-Droid.
If my phone is physically compromised and the bootloader is unlocked, my hope is that storage encryption would make it a “non-issue”. Yes, they could wipe the device and delete my data then resell the phone, but at that point all they’ve stolen is a $300 phone with maybe $80 resale value and not my entire identity