So in summary:<p>- you unlocked your bootloader w/o re-locking it again → insecure<p>- you used a phone that doesn‘t receive OEM updates anymore → insecure<p>- you use firefox over tor: no sandbox, very unique fingerprint<p>- all of the device‘s traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity<p>I don‘t think this is a good setup.
Tunneling all traffic through Tor can be risky, especially if you're using exit nodes to access clearweb applications. The traffic patterns of your tunnel will be significantly different from most Tor traffic (browsers, exclusively) which can help pinpoint your phone if the authorities are wiretapping your connection. Allegedly, the various law enforcement agencies around the world operate a significant amount of exit nodes and if they can pinpoint a particular traffic pattern, they may be able to trace it back home.<p>I would be more selective with my traffic. Use Tor Browser for browser traffic, but keep sending Signal/Session/whatever through normal means. That makes your phone stand out less. Consider using a decent VPN like Mullvad, that should provide enough plausible deniability not to stand out.
You are probably better off with GrapheneOS + Orbot.<p>Here is the list of issues I have with this blog.<p>1) LineageOS <a href="https://github.com/beerisgood/Smartphone_Security#custom-roms-like-lineageos-etc">https://github.com/beerisgood/Smartphone_Security#custom-rom...</a><p>2) Riseup email, they have a mailing list, which apparently makes them unable to add a proper DMARC policy. As a result, anyone can spoof an email at any @riseup.net address, and the email would show up as a legitimate email on most recipient mail servers and they do not encrypt the data at rest per-user with the user's own keys like ProtonMail.<p>3) Session is great but lacks PFS (perfect forward secrecy)<p>4) bromite usually behind in updates which leaves it vulnerable to exploits<p>btw, On Android, Firefox is still less secure than Chromium-based alternatives: Mozilla's engine, GeckoView, has yet to support site isolation or enable isolatedProcess.
Just yesterday there was a discussion about location services[1]
If you connect your phone to a cell network, just by triangulation they got your home address...someone also mentioned that the phone will connect to nearest towers without a sim for 911 services...
I guess is there hardware or software that can force the cellular modem to connect to a single tower of your choice?<p>[1]<a href="https://news.ycombinator.com/item?id=35779816" rel="nofollow">https://news.ycombinator.com/item?id=35779816</a>
A 2022 iPhone SE with an anonymous eSim like <a href="https://silent.link/" rel="nofollow">https://silent.link/</a>, an MDM profile that disables most of the things [here](<a href="https://support.apple.com/guide/deployment/restrictions-for-iphone-and-ipad-dep0f7dd3d8/web" rel="nofollow">https://support.apple.com/guide/deployment/restrictions-for-...</a>), a long alphanumeric password, Signal/some other secure data only messenger app with auto-deleting messages used solely for communication, and an OS that you update regularly is probably better than this. But I like that you wrote out everything descriptively and most of the advice is good.<p>- Rooting is definitely ill-advised but you note this<p>- I would not trust the security of most Android phones against phone unlock kits like Cellebrite
The #1 thing you can do right now is to add a application based firewall to your android phone. It emulates a VPN so all traffic is routed through it, then implements firewall rules based on application, IP address, etc. You can whitelist, blacklist, etc. Most of my apps have zero network access and don't need it. For those that do - I block them from sending to advertising domains. Imperfect but better than nothing.<p>Android conspicuously doesn't include 'network access' as a permission, for what I can only assume is nefarious reasons. There's no reason my Calculator app needs to phone home anywhere.<p>The problem though really lies in the network. LTE is GPS trackable inherently. If you want to eliminate that problem, a Pager can work quite well if you are interested in receive only.
I've used both LineageOS and GrapheneOS and the latter would have been my choice for security purposes as its entire focus is on privacy and security.
Thanks all for great comments. I am glad that this silly article made such a lot of bad and good ideas. So many anger and so funny stuff. And most important so many great suggestions and points to discuss that I didn't address. Please remember that this is just an article and not a recipe for being totally anonymous, and that each person can accept, or not some risk. I showed my way. Which is not best, but works for me. I am not a genius or person who tells you how you should act or do stuff. But I was judged by many. Its funny how things in the internet works and how quickly people says opinions, good and bad and even shitty. And sometimes how seriously take everything :) it's always big wave of good feedback mixed with hate when some of my article get on main page of hacker news :) I will review all comments and update article in next two weeks with all good ideas. Thank you all. Even people who wish me death by burning at the stake. Lol.
Huh, I hadn't considered that the rise of 5G, and faster internet more generally, would make "Tor phones" viable. The cost of using Tor as an everyday VPN, on any device, will soon be negligible (ignoring the usual server-side shenanigans that Tor users will probably have to deal with until Tor becomes more popular and more exit nodes come online).
I sincerely doubt this will go anywhere. I think any serious options will be shut down. Consider this option a couple years ago:<p><a href="https://insightcrime.org/news/brief/canadian-company-custom-made-encrypted-phones-cartels-authorities/" rel="nofollow">https://insightcrime.org/news/brief/canadian-company-custom-...</a>
How are you hiding the fact that you have a transmitter uniquely signing and encrypting a unique certificate (sim) along with your serial of device (IMEI)?<p>And there's the whole cell baseband has root to your phone issue.<p>This feels like a lost cause, TBH if you use cell providers.<p>Now this could be useful with wifi calling and anonymous voip services. But using Tor is destined to leave you in the internet shitcan, primarily thanks to ilk like cloudflare.
> we can find some homeless guy, and for bottle of whisky tell him to buy it for us in some pawn shop<p>this and a whole lot more<p>it's amazing what some of the guys in my area will do for a bottle of whisky<p>I guess you SF-based techies are even more blessed than the rest of us
Haha "Anonymous" to your neighbor maybe, if they don't work for 5Is or a 3 letter agency, or Google, or Facebook, or the ccp or ... tor is compromised, you didn't Not get caught, you're not a target yet.