Maximum security and anonymity

Ladron

New here with limited tech skills — please explain step-by-step which settings to change for maximum security and anonymity. Thanks!

de0u

Ladron New here with limited tech skills — please explain step-by-step which settings to change for maximum security and anonymity.

Some "maximum security" settings may increase the risk of losing data. For example, the "maximum security" setting for the USB-C port will make it impossible to unlock the device with a USB keyboard if the screen or touch sensor is broken.

In terms of "good practice"...

Use a PIN of at least six randomly-chosen digits (longer is better, and a passphrase is better yet),
Consider installing a VPN (and using a trustworthy VPN service),
Avoid installing privacy-invasive apps.

Beyond that, it depends a lot on what it is that you most wish to protect from whom, since it's generally not possible to conceal everything from everybody.

mattachu

Ladron

Hello friend,

I recommend reading from start to finish the grapheneos features page on the website https://grapheneos.org/features

This will give you and idea of what the OS can do. Nothing will make you 100% private or anonymous just by changing a few settings.

Also check out privacyguides.org and go to the recommendations page and have a read.

Best of luck

Watermelon

Ladron

The first thing you should do is configure automatic system updates. Make sure to enable security preview releases! https://grapheneos.org/usage#updates-settings
The second thing you should do is open the pre-installed App Store, configure its settings as you like, and install all available updates. After doing this, you'll have a fully up-to-date GrapheneOS device.
The third thing you should do is configure a screen lock. There are two tiers of unlock methods: primary, which is your PIN/password; and secondary, which can only be set up if you've set up a primary unlock method, and includes both fingerprint unlock and the optional 2nd-factor PIN feature that GrapheneOS adds on top of fingerprint unlock. You MUST remember your primary unlock method, otherwise you'll have to do a factory reset!!! The secondary unlock method (including the two-factor fingerprint+PIN) is always available to use alongside your primary unlock method, so there's no data loss risk in forgetting your 2nd-factor PIN, and you must choose a 2nd-factor PIN that's different from your primary unlock PIN. I recommend inventing a PIN/password but not setting it up yet as your primary unlock method — try to memorize it repeating it in your mind for at least two weeks, and only after you're fully confident that you can repeat your PIN/password by memory without fault, then set it up as your primary unlock method, and don't change it anymore. The secondary unlock method can be used to avoid having to type your primary unlock method in public, where it could be seen. You cannot use your secondary unlock method in any of the following cases: 48 hours have passed since the last time you unlocked your device with your primary unlock method; you've entered Lockdown Mode from the power button menu; or the device has powered off or rebooted and not yet unlocked (this is called Before First Unlock (BFU) state). If you use your primary unlock method once every day when you're alone, e.g. every morning, you'll be able to avoid using it again throughout the rest of the day. Your device could reboot automatically in two cases: the auto-reboot setting in the System Updater is enabled; the auto-reboot security feature that GrapheneOS adds is enabled (enabled by default). You can enable the optional PIN input layout scrambling feature that GrapheneOS adds separately for your primary PIN and for your 2nd-factor PIN, to protect yourself against shoulder surfing.
Once your device is fully up-to-date and locked, you should open the Settings app, open the security section, and configure everything in there. Make sure to notice the auto-reboot security feature and the USB-C port control feature. I recommend choosing an auto-reboot value that's the lowest you can manage to never encounter during your normal use of the device. Note that the auto-reboot timer can be bypassed while an app is pinned using the app pinning feature which you can enable in this section! I recommend setting the USB-C port control feature to charging-only, so you could charge your device freely without ever worrying about something attacking your device through it; if you set it to any of the charging-only when locked options, note that you can connect USB into your device while it's locked, and then enter your PIN/password to enable data communication — you're not required to connect USB only while unlocked. Note that your screen timeout, auto-reboot, and USB-C port settings are always password-protected even while your device is left unlocked. You'll also see the toggle for automatically granting the Sensors permission to new apps for compatibility with Android, because Android always gives apps access to the sensors without permission; I recommend disabling it — from my experience, even apps that try to access sensors don't really need it. Sensors access isn't needed for auto-rotation and manual screen rotation to work. I haven't encountered apps that crash without the Sensors permission granted; you'll probably only truly need it for compass apps and some games. The Network permission has a toggle for new apps added in the app installation window instead of in the security settings section.
Try to see if you have good cellular connection with LTE-only mode: https://grapheneos.org/usage#lte-only-mode
GrapheneOS enables all possible exploit protections on the entire base OS (the OS itself + all pre-installed apps) with only two general exceptions: there's some few system components (for example SurfaceFlinger) that have some protections temporarily disabled because they're buggy, but there's no way for you to change this; and there's two opt-in protections you can enable — one for PDF Viewer and one for Vanadium. Note that Vanadium already uses this “opt-in” exploit protection on all websites by default, and provides a website permission toggle to change it on a per-site basis enforced by Vanadium, instead of protecting the whole of Vanadium enforced by the OS, which is a reasonable compromise to add a website permission inside Vanadium that actually works properly by default. Opting into this protection on Vanadium in the OS settings would keep the website permission usable but devoid of effect.
Open Vanadium, open the three-dot menu, and open the settings. Check all of the security settings, and all of the site settings where all the website permissions are. I recommend keeping all OS-level permissions granted for the Vanadium app, and managing only the website permissions inside Vanadium's settings, although you could revoke the OS-level permissions, but I'm not sure if that might cause problems.
I strongly recommend against revoking permissions of any pre-installed or system app and/or disabling any pre-installed or system app.
Bonus: Set up the Auditor app. It's pre-installed on GrapheneOS, and available as a separate variant on Google Play Store. The Auditor app changes nothing on its own, it only securely relays info to you, so if you don't understand the info/warnings it gives you, you don't gain a security benefit. The output is separated into two sections: the first section is info that the secure element chip in the verified device trusts by itself, including the identity of the installed operating system (which the Auditor app running on the verifying device checks that it's the authentic official GrapheneOS operating system); and the second section is info provided by the assumed-uninfected OS (after the OS is recognized as authentic and valid from the previous section), including the identity of the installed Auditor app (which the Auditor app running on the verifying device checks… you get the idea). The underlying feature that the Auditor app uses is called attestation — a component inside a device being verified is securely attesting info to another device verifying it, and the verifying device checks the info from the device being verified. There are multiple options as to which component in the verified device can attest to the verifying device — the most secure component is the secure element chip, also called the Hardware Security Module (HSM). The Auditor app on the verifying device checks that the attestation it receives from the verified device comes from an authentic Google Pixel HSM component. The Auditor app is also capable of switching from recognizing attestations from a Pixel's HSM to recognizing your specific Pixel's HSM, guaranteeing that the info comes from your device rather than an authentic Pixel device set up elsewhere by an attacker. The Auditor app includes all of this info: look for the security level, where it tells you whether you received the attestation from the HSM and whether the HSM supports pairing itself with the verifying device by creating a new pairing-specific key just for you; also look for the first line which should say either “Successfully performed basic initial verification …” or “Successfully performed strong paired verification …”, and at the bottom you'll see the first and last verification times as stored on the verifying device to help you further recognize your specific verified device. You're only secure if all of the info reported by Auditor matches your expectations and doesn't have any warnings; otherwise, either there's some fault somewhere, or something malicious happened. For the first time using the Auditor app, I recommend booting your verified device into Safe Mode after a hardware-enforced power cycle to ensure no third-party app or attacker can maliciously interfere with the initial pairing: First, hold the power button for slightly over 30 seconds to force the device to reboot, and release all buttons when you see it has lost power, it'd eventually power on by itself after a few seconds; then wait for the Google logo, and when you see it, start holding only the volume down button until you see your usual lockscreen with the text “Safe mode” at the corner. Airplane Mode would be enabled automatically, don't turn it off! Open the Auditor app and pair it with your verifying device. Take note of the current time and day, this will get permanently stored as your “first verification” time on the verifying device. Finally, disable Airplane Mode and then reboot like normal. From now on, you can use the Auditor app outside Safe Mode, just make sure the info comes from your verified device's HSM.
Advanced: Set up the dangerous duress PIN feature so you could almost instantly wipe the entire device using it. In addition to getting rid of all stored data, this feature also gets rid of all decrypted traces and key material from the active memory of the device, and only afterwards powers off, so when the device powers off you know it's completely wiped with no leftover traces. You could be drunk/drugged/confused/mentally ill/etc, and accidentally enter the duress PIN instead of your normal PIN, so either don't use this feature unless absolutely needed or find a way to set up a duress PIN that you'll never use, such as by letting a trusted person set it up for you without telling you the PIN. This feature is useful in any one of these three cases: you don't trust yourself to resist threats or torture from other people who want to extract the normal PIN from you; you've become aware/suspect that your normal PIN has been discovered or become guessable somehow, and you need to quickly wipe the device; or you've become aware/suspect that the secure element chip (HSM) in your device, which safeguards the encryption keys to unlock your device against brute force attacks, is vulnerable, and you're using a weak password or a PIN which aren't sufficient for strong encryption on their own and rely on the secure element to resist brute force attacks. Note that it's always possible to do factory resets from the recovery mode without needing the duress PIN nor without unlocking the device.

Segregating apps into different user profiles is currently the only way to prevent apps (across user profiles) from seeing and interacting with each other. All apps can see all other apps in the same user profile. All apps in the same user profile that mutually consent, can interact with each other and send arbitrary data between each other, which allows one app to bypass the permissions you set on it by using another app (such as Google Play services) to which you did grant the permission the former lacks. However, I recommend avoiding multiple user profiles, because they have non-obvious oddities and unexpected behavior.

Murcielago

Ladron

Many good technical advice has already been given here on what measures can be taken to achieve maximum security and maximum anonymity.

I would suggest to step back and ask yourself:

Can your life or other important assets only be protected by such extreme measures?

If the answer is yes then you definitively have to take a step back, consider your often cited threat model, and build up your measures from the ground up accordingly. Failure is not an option, your enemies have nation-state resources so be strict and thoughtful and don't just randomly take measures.

The answer is no - security and (a certain degree of) anonymity are important to you, but your world won't collapse if you fail (that's what I assume because not a lot of people have such a high threat model)?

Then i would advice to take it slowly—especially (unfortunately, I can't tell from your post) if you haven't cared that much about security and anonymity until now. Your journey is not a sprint but a marathon: The topics of anonymity and security are too fast-paced for you to develop a fire-and-forget-setup once and never have to worry about it again and going from 0 to 100

New here with limited tech skills

can mean a steep learning curve.

Extreme measures entail a high level of responsibility - losing access to all your important data, privacy fatigue, and social implications are just three real and serious threats that immediately come to mind which shouldn't be underestimated and therefore be taken into account.

Don't forget: You're already doing great, using (one of) the most secure mobile operating systems in the world and being curious about privacy and security. That alone puts you ahead of the game.

grafenefan

de0u wait... what?!? You can unlock/operate a phone with a USB keyboard? I have have gone through so much pain because I didn't know this.

nashgraph

Watermelon Very good summary!

And I also did literally everything exactly the same :)

libertarian

Some more ideas:

Buy the phone in cash.
Buy Monero. I won't put a guide here, there are others.
Install Mullvad, create a Mullvad account, pay for it with Monero. Enable it, enable the "force all connections through VPN" toggle. If needed, use multi-hop routing and DAITA.
Get an anonymous eSIM from a provider such as silent.link, refill with Monero.
Create a Signal account using a number not tied to you, you can get the SMS verification code from some online services, again you can pay with Monero.

Then you have a device that is not linked to you, with mobile data which isn't linked to you, your internet traffic isn't linked to you. And you can chat with people on Signal, which collects the least amount of metadata. You could use this device to go to protests, talk with journalists or sources. Or, send vacation photos to your mother. I mean, for a lot of us setting up anonymous and unlinked devices is more of a hobby than a real need.

You could still be identified based on your cell tower location, so for perfect anonymity you might want to keep the phone in airplane mode unless you are not at home, and not use it where there are cameras.

LeslieFH

I wouldn't pay for Mullvad with cryptocurrency (because crypto has an immutable historical record of payments and future cryptographic breaks can suddenly deanonymize its entire transaction history, it's really a very bad technology from a privacy standpoint), you can buy Mullvad scratch-off cards which provide future-proof anonymity. :-)

libertarian

LeslieFH either way works.

One time, I was at a conference where a bunch of Mullvad people came to. They brought a stack of voucher codes. I may or may not have taken the ones that were left at the end of the conference. A bunch of people I talked to on IRC got free Mullvad time because of that.

I wouldn't be too worried about cryptocurrencies. The vast majority of us use VPNs out of principle, not to do anything harmful. But I see your point. With some cryptocurrenties, there is a risk of Quantum computing deanonymizing past transactions. However, as far as I am aware this does not apply to all cryptocurrencies, I believe that Monero is safe. And also from a practical standpoint, by the time this is an issue (useful quantum computing is always a decade away, at least it has been like that for the past four decades), nobody will really care, and the little logs that existed will be gone, and whatever naughty things you did with your secretary in the office after work will have expired by the stature of limitations.

So, yeah. Scratch-off cards are a good choice. Perfect security is not possible. Don't do dumb things. Also, say hi to your secretary for me, I always thought she was charming.

Maketrades

LeslieFH I wouldn't pay for Mullvad with cryptocurrency (because crypto has an immutable historical record of payments and future cryptographic breaks can suddenly deanonymize its entire transaction history, it's really a very bad technology from a privacy standpoint), you can buy Mullvad scratch-off cards which provide future-proof anonymity. :-)

If you keep the wallet where you pay the vpn or whatever with anonymous there are no worries of being able to track the transaction history.. Cut the link on some way and all will be fine

oci3o

There are many ways to harden GrapheneOS beyond its already hardened state.
I usually do the following.

Once initial setup is done, use the Auditor app and get that working with remote verification.
Network and Internet:
Wifi - Network Preferences - Turn off Notify for public networks & Allow WEP network.
SIMs - make sure the phone is only working over 4G, disable Vo5G, enable 2G protections regardless, enable Wi-Fi Calling.
Hotspot - Change the device name to device, set the security to WPA3.
Turn on Data Saver to help mitigate potential background usage.
Connected Devices:
Bluetooth - Change the bluetooth name to device.
Connection Preferences - Turn off Audio sharing (if it works), NFC set that to require authentication then disable, disable Printing services also.
About Phone:
Change the device name to device.
Security and Privacy
Device unlock is fingerprint with 2nd factor, the main password to the owner is a password.
Privacy controls - disable camera and mic, keep show clipboard access enabled.
Exploit protection - Auto reboot 12 hrs, WiFi and bluetooth timers are set to 2 mins, all App exploit protections enabled or blocked, depending on the setting.
More security and privacy - Disable allow sensors, disable auto app exploit protection, enable notify about system process crashes.

Once this is all done, I make sure all apps via the App Store are up to date, then install play store, accressent, obtanium and droidify (this is used as an app search, not to install apps).

I then go ahead and install what I need for all profiles, but disable the apps in the installer profile once installed.
I also disable Vanadium and other unused apps here, its for installing and admin stuff only, not daily stuff.

Profiles are as follows

Owner (Installer). - Password lock
Daily. - Biometrics & PIN
Car (android Auto). - PIN
Banking. - Password

My apps are then installed into each profile, note, the sensors toggle re-enables on profile creation, so you need to go into the profile first, disable it, then move the apps into the profile, once done, I turn off the ability for that profile to install apps, updates still get pushed through.

Each profile has a VPN except banking, I use Mullvad for this.

Some key apps to note are:

Pulse - Redirects calls to E2EE apps, I use this for Signal and WhatsApp (Daily profile).
Signal Note to self - quick notes, replaces a dedicated notes app for me, works very well.
Tubular (NewPipe fork, or NewPipe) or Metrolist cover music and YouTube related tasks (Daily and Car profiles), allows me to use sponsor block to skip none music parts.
Geoshare - This sits in my car profile, it takes coordinates from say Google or Apple Maps, then gives them to something like CoMaps or Magic Earth.
KDE Connect - gives you good integrations with KDE based systems (Or GNOME if you have an add-on), like file transfers, mouse / keyboard controls etc.

There maybe better or more secure ways to do this (happy to take notes if so), but its a pretty good setup, however profiles would likely become useless to me when GOS ships this block IPC (if they ever do).

CGG

oci3o very good! Thanks for sharing!

gMan

oci3o NFC set that to require authentication

can you elaborate on that - i'm not seeing any authentication pref in NFC, just 'require device unlock'

oci3o then install play store, accressent, obtanium and droidify

re: droid-ify - while it's handy to use that for finding stuff, what happens if the service is compromised? - personally, i just bookmark the app stores and search that way

wulwen

oci3o Do you just download the mullvad app? or do something more sophisticated? I already have a mullvad account

Ladron

thank you from the bottom of my heart

Probably9857

gMan IVPN is out since they sold to a crappy co.

Do you have a source for this? Only thing similar I could find was that they acquired Safing, whom I know nothing about.

gMan

Probably9857 looks like i misspoke - i was working from memory - but yes, it appears IVPN acquired Safing

as for Safing being a sh***y company, i did a little research on them before and they appeared to be privacy-hostile

the tl;dr version: i might be wrong - unfortunately, i can't edit my previous post

oci3o

gMan

can you elaborate on that - i'm not seeing any authentication pref in NFC, just 'require device unlock'
That is the authentication

re: droid-ify - while it's handy to use that for finding stuff, what happens if the service is compromised? - personally, i just bookmark the app stores and search that way
You don't need to trust F-Droid, you use it to search for files, I use Droidify specifically because it has a quick and easy way to get the GitHub link to use in Obtanium.

gMan

oci3o ... I use Droidify specifically because it has a quick and easy way to get the GitHub link to use in Obtanium.

agreed 100%, but you may have misunderstood my question - in order to use an app store app, you have to install it ... so what happens if the app store app itself is compromised?

i think i might be a little too paranoid here given that any app can be compromised, but for whatever reason, i'm apparently more concerned with an app that has the capabilities that F-Droid/Droid-ify has

oci3o

gMan

gMan in order to use an app store app, you have to install it ... so what happens if the app store app itself is compromised?

Likely the same as what would happen if you updated or reinstalled an app and the private key didn't match, the system would warn the user.
Given GOS App Store is technically a system app, this would be a bigger problem, meaning the GOS build its self maybe compromised, and would be for the devs to fix.

If your installing apps, always use the app verifier app - https://github.com/soupslurpr/AppVerifier

The OS has ways to help protect against this, but the GOS devs would know exactly how it works and how to potentially mitigate it.

gMan

oci3o thanks for the info - i feel a little more comfortable about using Droid-ify now

oci3o

gMan No bother.

I personally, wouldn't use F-Droid to install apps, I take the source code link from Droidify and then use Obtanium to deploy them, Droidify just makes the link easier that way I get it via the dev directly.
https://privsec.dev/posts/android/f-droid-security-issues/ - some of this may have been fixed, but I've not heard anything new.

Usually, it goes like this for GOS.
GOS App Store > Accrescent > Google Play > Obtanium > F-Droid / Aurora > Manual APKs

Google play is listed as it is the most secure way to get apps, but its not private, Google does a lot to ensure the app is legit, safe and not tampered with on their server side, Accrescent has this FAQ part
https://accrescent.app/faq#verifying

Obtanium is great cause it gets apps directly from the source, like Github, Gitlab, Codeberg etc, but should be paired with App verifier, and has native integration with App verifier once installed.

gMan

oci3o yep, that's my intention exactly - to use Droid-ify as an app browser and nothing more - like you, i also use Obtanium to install/update

my chain is slightly different - i don't use Google's play store at all (GOS store, Accrescent, Obtainium) - according to my definition of malware (functionality unrelated to the stated purpose of the software, such as ads), the play store is loaded with malware, but even if we go with a traditional definition, it's probably still got a lot of malware in it

i recall a study several years ago that found all sorts of malware in the play store and none in the F-Droid repo (granted the latter is only a fraction of the size)

pizzadequeso

oci3o
why you rank aurora store so low? i thought aurora gets the same apk from google play store, right?

oci3o

gMan

gMan i recall a study several years ago that found all sorts of malware in the play store and none in the F-Droid repo (granted the latter is only a fraction of the size)

It's exactly that, F-Droids selection is tiny compared to Google, and the user base for F-Droid is smaller, and generally a more technical audience, smaller user bases can help with security by lowering the attractiveness of the platform.

However, Google also have multiple world class security teams, technology F-Droid and others could only dream of having, and can get telemetry / threat intel by leveraging the Google Play Safety systems, think Singularity Data Lake (Sentinel One), which allows for things like SOAR (Security, Orchestration, Automation and Response)

But the issues (already outlined on https://privsec.dev) with F-Droid are well known, I hope they get it sorted, but I've not heard anything towards that, Accrescent is our best bet, but its slow to get new apps.