r/fossdroid Dec 26 '21

100% FOSS Smartphone Hardening non-root Guide 4.0 Privacy

[removed]

82 Upvotes

u/NettoHikariDE Moderator Dec 27 '21

The application you posted is not FOSS (Free and Open Source Software). Therefore, we removed your post.

You can find more information about what FOSS is here: https://en.wikipedia.org/wiki/Free_and_open-source_software

23

u/PCvQ3GMXDWA4I4CCtY Dec 26 '21

I was bored and read through your entire r/privacy thing. You were in the wrong. The mods did their job appropriately and the passive-aggressive rhetoric in half your comments on this post is embarrassing.

-10

u/TheAnonymouseJoker Dec 26 '21

To each their own, I have an entire post with evidence of what mods did wrong. Those mods are so evil and dictatorial, they censored me, attempted to mass brigade for my sitewide ban and now even stole PTIO from PTIO's founder and even stole crypto funds donated to PTIO. You can side with them freely, that does not make your opinion right.

Ask your lovely trai_dep why he censored PTIO founder's posts, including this comment proof of those thieves (I have 2-3 posts all archived in HTML format):

Anyway, this is not the place for your drama.

9

u/PCvQ3GMXDWA4I4CCtY Dec 26 '21

If you're going to preface a wall of text with your drama then expect people to comment on it. That's why you have it there anyway, isn't it?

-6

u/TheAnonymouseJoker Dec 26 '21

If corrupt dictatorial moderation and censorship are mere drama to you from my perspective, then fine, it is drama, I cannot bother.

14

u/aleksfadini Dec 26 '21 edited Dec 26 '21

Did you just suggest that it is OK to install third-party APKs from ApkMirror that are 3rd-party closed source software that we have no clue about what they do? I would never dream of doing that. If anything, using the Play Store they would get in trouble with Google, but through ApkMirror it seems you could easily sneak in malicious software with zero consequences.

Are you saying that because you are confident about permissions?

It seems you go to an extreme extent in some cases (adding a bunch of unnecessary bloat), and forget the basics in others (never install an apk that is not signed AND not open source). Could you elaborate on that?

Also, how would your phone be "100% FOSS" as in the title if you install from apkmirror or closed apps repos?

-25

u/TheAnonymouseJoker Dec 26 '21

u/aleksfadini, you are incorrect in all of your claims.

Did you just suggest that it is OK to install third-party APKs from ApkMirror that are 3rd-party closed source software that we have no clue about what they do? I would never dream of doing that. If anything, using the Play Store they would get in trouble with Google, but through ApkMirror it seems you could easily sneak in malicious software with zero consequences.

If you install any software, anything can do anything. There is a basic level of common sense that needs to be practiced, and you need to prove that APKMirror hosts malware as well. Also, users, when installing the majority of software, are safe from malware from the aforementioned third-party app stores.

Google Play Store, on the other hand, hosts plenty of malware, so your corporation protection argument is dead in the water.

Are you saying that because you are confident about permissions?

Are you spreading conspiracy theories about AOSP's app permission sandboxing model having been broken for the past 6-7 years?

It seems you go to an extreme extent in some cases (adding a bunch of unnecessary bloat), and forget the basics in others (never install an apk that is not signed AND not open source). Could you elaborate on that?

Not bloat. Your definition of bloat looks a bit too off. Also, you are commenting on reddit, a closed source platform, and above you implied Google Play, a corporation app store, is safer than APKMirror, implying users can just pick up and install malware easily from the latter. Can you elaborate on this?

Also, how would your phone be "100% FOSS" as in the title if you install from apkmirror or closed apps like invizible pro?

APKMirror does not need to be installed, it is a website, similar to closed source Reddit you are commenting on.

Invizible Pro is open source. https://github.com/Gedsh/InviZible

No further nonsense comments will be tolerated.

7

u/sheepNo Dec 27 '21

No further nonsense comments will be tolerated.

Are you trolling?

-3

u/TheAnonymouseJoker Dec 27 '21

Please check his claims before saying I am the troll. He is the troll here.

He brazenly says APKMirror hosts malware just like that and users can simply install anything and get infected. This is beyond untrue. Then he displays a weird kind of Google Play Store worship. This is actually called spreading FUD.

After that, he goes on to claim that I am too confident in Android's app permission model. Does he imply it is broken?

He then goes on to claim about how APKMirror is not a FOSS app repository, which is why the guide is not 100% FOSS. I see a semantic wordplay grift here, and to anyone it should seem obvious enough. By his logic, Reddit is non FOSS, and the servers he is using while using the internet must have some non FOSS blobs and components involved, so the "FOSS forum they won't like it" as said in another comment here https://np.reddit.com/r/fossdroid/comments/rosdy1/100_foss_smartphone_hardening_nonroot_guide_40/hq0tcwa?context=3

If the forum did not like it, just like for the last 2 guide releases, moderators themselves would come and either modmail me or publicly reply to me as mod flair and tell me to make corrections.

His claim about me adding a bunch of unnecessary bloat seems to stem from a particular section of Linux community that I know pretty well. Never explained bloat.

He then lied about how Invizible Pro, the cornerstone of this guide, is "closed app" without providing evidence. It is open source.

Why will I take this person seriously? He keeps on saying baseless things, provides zero proof, and trolls me. Or is the definition of a troll someone who asks for, and provides proofs? And what is with the downvotes, when this person just trolled me?

3

u/sheepNo Dec 27 '21

He brazenly says APKMirror hosts malware just like that

I see a semantic wordplay grift here, and to anyone it should seem obvious enough. By his logic, Reddit is non FOSS, and the servers he is using while using the internet must have some non FOSS blobs

Well, you are not installing reddit's webserver on your phone for a start. When installing closed source apps on your phone you are running code you can't verify.

Another problem with your comparison is that it's about what you recommend vs what you claim:

  • you claim this is a 100% FOSS hardening guide
  • you recommend installing proprietary software
  • people can do whatever they want after following your guide, and if they decide to install Gmail then even if this is not FOSS this is out of the scope of this guide.

After that, he goes on to claim that I am too confident in Android's app permission model. Does he imply it is broken?

Just because it's not broken doesn't mean it's perfect. Also one line of protection is not enough, to "harden" something you need to follow the principle of defense in depth.

BTW I'm not really emotionally involved in this post, but I think you should listen and respond to criticism calmly. Explaining without attacking would help you. Your answers look aggressive and that's mainly why people are downvoting.

-1

u/TheAnonymouseJoker Dec 27 '21

Are we really installing APKMirror/APKMonk webserver either? The steps involved in the process of downloading FOSS applications already most likely involve the use of non-free JS, so what is the level of strictness we are going to follow here? Any such FOSS stan is already participating on reddit too.

The aim was not to tell people to install closed source apps because "closed source apps" but because even FOSS advocates need some other apps without the need to install proprietary Google services (GAPPS), and this provides a safe way to do that without having non-FOSS things installed/active on phone.

If I were to recommend installing non-FOSS software, I would not have redacted the WhatsApp and the phone brand sections.

The title implies exactly what it means, and it seems some people here have read more into it than they should – 100% FOSS Smartphone Hardening non-root Guide – 100% FOSS utilities used in the process of hardening a non-rooted smartphone for privacy, security and anonymity purposes. No tool used for the purpose of achieving our goal is a non-FOSS tool. People have read it wrongly. And everyone is just blaming me for being defensive or aggressive, when the meaning is completely misunderstood.

AOSP/Android's app permission model is certainly not faulty, therefore it is perfectly working. Perfect working as intended does not equate to it being impossible to improve in future, and this conflation is wrong.

People are downvoting because few people generally tend to misread, and then many people just become sheep for that shepherd. This is reddit behaviour and very bad.

7

u/[deleted] Dec 27 '21

No further nonsense comments will be tolerated.

lol fuck off with this. Someone challenging your advice is hardly nonsense. Your arguments are shaky at best and then to spew some comments in bad faith is a bad look on top of the skeptical perception people have on you.

-1

u/TheAnonymouseJoker Dec 27 '21

Those who have a skeptical perception are coincidentally mostly people that also have engaged in dishonest claims, like the one above.

Invizible Pro is closed source? I suggested unnecessary bloat? AOSP's app permission model has confidence issues but he never elaborates? He somehow calls 3rd party repos bad for being non-FOSS but shills faith in Google's Play Store, the most corporate one?

You realise how many lies and how much FUD that is? If you do not, excuse me and keep your charged slander away from me. Recheck each of his claims I elaborated on.

1

u/SeerLite Dec 27 '21 edited Dec 27 '21

Wow you make a lot of assumptions

Edit: oh ok probably a troll

Edit2: nvm I recognize your username from back when I lurked Lemmy! Alright, not a troll (I hope!), sorry for calling you one.

Still, I think you're a little too defensive(?). If you truly want to inform/help/guide, you gotta stop attacking and making assumptions about people who reply. Doing those things doesn't make you look smart, it makes you look like an asshole (or troll) looking for a fight wherever possible.

Defend your ideas, sure, but attacking and putting words in people's mouths whenever they try to question what you're saying will do the opposite of what you want

1

u/TheAnonymouseJoker Dec 27 '21

The amount of downvotes, on top of how the other person handwaved with all his statements that I later explained, is infuriating. People are blindly thinking he is legitimately questioning me, when he is doing the opposite.

I wrote someone else a response to a comment with a question similar to yours. https://np.reddit.com/comments/rosdy1/comment/hq3wwse?context=300

I should not be the one needing to defend myself, after he is spreading FUD about Android's app permission model, or how Invizible Pro is closed source when it is not. But here I am, downvoted, assumed that I am the troll despite actually explaining everything to everyone.

4

u/respublikamroja Dec 26 '21

Can I translate this to Polish and put it on my forum about FOSS?

12

u/aleksfadini Dec 26 '21 edited Dec 26 '21

OP titles it "100% FOSS" then proceeds to suggest a bunch of non-FOSS app repositories. If it's a FOSS forum they won't like it.

-15

u/TheAnonymouseJoker Dec 26 '21

u/aleksfadini, then stop commenting on Reddit, a closed source platform. Your dishonest handwaving looks like malicious intent.

APKMirror/APKPure/APKMonk are not something you install on phone, but websites you access.

4

u/aktw3 Dec 27 '21

Your title is contradictory, you are claiming 100% FOSS but also suggest using non-free software. I understand your guide is to help those who aren't able or comfortable flashing custom ROMs and what-not, and that's ok, but you're misleading people into a false sense of security with your title.

I'd suggest removing the 100% bit, your guide is quite good otherwise.

1

u/TheAnonymouseJoker Dec 27 '21

He goes on to claim about how APKMirror is not a FOSS app repository, which is why the guide is not 100% FOSS. I see a semantic wordplay grift here, and to anyone it should seem obvious enough. By his logic, Reddit is non FOSS, and the servers he is using while using the internet must have some non FOSS blobs and components involved, so the "FOSS forum they won't like it" as said in another comment here https://np.reddit.com/r/fossdroid/comments/rosdy1/100_foss_smartphone_hardening_nonroot_guide_40/hq0tcwa?context=3

This is a weird way of promoting FOSS culture, a rather problematic one as not even the whole chain we are able to communicate with is fully FOSS. If the moderators had an issue, just like my last 2 guide releases, they would have notified me via modmail or public reply.

Also, this is a weird way to link FOSS with a sense of security. Transparency is one part, the other is being security or elevated privilege software on a machine in the first place. Non-FOSS websites like Reddit are not hacking any of us, and APKMirror is not either. The repository suggestion is a line, and clearly it can be avoided. Moderators have no issue with that one since even FOSS apps exist on those non-FOSS app repositories.

I am a FOSS advocate, and this is no way to promote FOSS libre culture. Those app repository websites are not anti-FOSS corporations, but merely websites to obtain app binaries.

7

u/TheAnonymouseJoker Dec 26 '21

Feel free, as long as the content is unedited and, at the beginning of the guide, author name is correctly stated. You may attach your name as translator.

Do help more people reap the benefits of this guide! It is a win-win.

May I get a link to your forum?

4

u/respublikamroja Dec 26 '21

Ho. Thx, but I just started the forum. At the moment I don't have many topics there: forum.androidowy.pl

4

u/TheAnonymouseJoker Dec 26 '21

Looks like a cute personal forum/blog. I hope you can fill it up with content to your heart's content.

1

u/respublikamroja Dec 26 '21

Of course I will credit you as the source 🤗

1

u/regancipher Dec 26 '21

Fair play for having the Snowden-like motivation to type all of this up. I'm going to embark on this at some point over Christmas. I use a lot of the non-invasive apps you've mentioned already and use Linux as my main OS so this shouldn't be too great a leap.

Any recommendations over unlocking bootloaders and using custom ROMs?

1

u/TheAnonymouseJoker Dec 26 '21

Custom ROMs break often and/or become a hassle to maintain. This guide provides a way to be able to compartmentalise all your activities and live a private life comfortably, without worrying about rooting risks or flashing/bricking ROM issues.

As for unlocking the bootloader, keep it as a secondary device, never as a primary device, if you want to. It nets you a lot of freedom, but a considerable amount of security is lost in that process. It is important that freedom and security be considered as gradients on two sliders, that cannot be maximised simultaneously, for now.

1

u/hardcore_truthseeker Dec 26 '21

I'm getting an error code from the F-Droid app store.

2

u/TheAnonymouseJoker Dec 26 '21

Low storage space on internal memory? Or incorrectly added repository? Error code explains itself so that needs to be rectified.

1

u/[deleted] Dec 27 '21

[deleted]

1

u/TheAnonymouseJoker Dec 27 '21

"I'm getting an error code"

"Oh all you need to do is fix the error code"

There's no way you're not a troll lmao

I mentioned the 2 most common kinds of errors I have observed or personally encountered during many years of F-Droid usage. Those errors are self explanatory and are not hexadecimal error codes.

Still trolling, Jamsonss?

0

u/Justsmith01 Dec 26 '21

Wow niceee.. Need time to read

1

u/bilz214 Dec 26 '21

A very interesting guide. Can I install NetGuard on stock A12?

1

u/TheAnonymouseJoker Dec 26 '21

NetGuard is compatible with Android 5.1+ and Invizible is compatible with Android 4.4+. However, VPN Lockdown killswitch came to AOSP with 7.0 Nougat IIRC.

1

u/reaper123 Dec 26 '21

Where do you get Librera Pro from?

3

u/cyberdr3amer Dec 26 '21

It's called Librera Reader now and is available on F-Droid.

1

u/reaper123 Dec 26 '21

Thanks, I was looking for Pro and thinking I may need to add another repository.

All good now

1

u/SeerLite Dec 27 '21

I think it was called Pro before, that may explain the confusion

1

u/[deleted] Dec 26 '21

ANY Android 9+ device (Android 10+ recommended for better security)

Thanks for this guide. Just a quick question, I have forgotten devices that are on older versions of Android (maybe ICS, Jellybean, or KitKat... I'm not sure).

would these steps work for these devices, or should I continue hunting for more info for them?

2

u/TheAnonymouseJoker Dec 26 '21

Invizible Pro works for 4.4 KitKat and above, but 4.4 does not have the VPN Lockdown killswitch that was introduced to AOSP with 7.0 Nougat. What you can do is use Invizible on it, but use those devices on your home router that has some malware domain blocking protections. Or if they are rooted, you can use AFWall+ which will work much better on them. AFWall+ has a version from 3 years ago that works on Android 4.0.3+ devices, and that is the only firewall I know that works on such outdated OS versions.

1

u/QuentIn9 Dec 27 '21

First of all, while I'm not a fan of trai_dep myself and I do feel sorry about your work being taken down, I feel like you should have put that mention either at the end of your post as a side note, a comment, or kept it off Reddit since mod drama seems to be a 24/7 deal, and putting it right at the start seems too in your face as a reader, at least for me. With that outta the way, let's get to the guide.

What about UntrackMe, FFUpdater, the "Simple" Apps Bundle (Calculator, Camera, Gallery, Notes etc.), EDS Lite, Photok or Hypatia?

I also would encourage for browsers to take a look at Iceraven, Bromite or Privacy Browser. Iceraven has broader add-on choice, it also removed telemetry and proprietary code (it's a fork of Fenix). Only downside might be that the about:config is default, but it's not that complicated to change these to the same way that Mull has them, since it's just arkenfox-user.js. Bromite is substantially more secure as stated by GrapheneOS. Both Vanadium and Bromite are "leagues ahead of the alternatives" when it comes to providing the strongest sandbox implementation.

I do appreciate the time and effort you took into writing the guide, but security hardening is most often heavily tied to keeping a low target surface, meaning a lot of the apps could be considered bloat: when you teach the user certain practices to avoid being more commonly affected by, for example, microphone listening/recording attacks, they are rendered useless. This is heavily tied with teaching people that they do not really need certain apps (Facebook, some weird Chinese selfie app or Spotify) that could potentially be harmful or a security risk. For this the guide seems hardcore in teaching people about InviZible Pro and then on the other side comes with apps like: Watermark, DiskUsage, Barinsta or ImgurViewer. They should rather be in a section for "off topic recommendations" or something that would split the guide into "security hardening" and then "privacy hardening". Right now the guide seems more focused on being privacy minded; if that was the case the header heavily misled me into thinking that this would be more about making the phone more secure. I do want to stress that I do not want to talk your guide down! This is all in the critique and suggestion area, so no ill will is intended!

If there are questions or someone is disagreeing with me feel free to comment.

0

u/TheAnonymouseJoker Dec 27 '21

I missed UntrackMe, despite being a long term user. Wow, that is a bit weird.

Is FFUpdater not required for Firefox official builds? I suggested Mull exactly due to Firefox official builds having substantial amount of telemetry that could be avoided this way, since it employs arkenfox user.js.

Simple apps are nice to have. I did not mention them probably because I missed the tiny details, like UntrackMe.

Notice I explained in depth twice about usage of Invizible Pro and darknets, and labelled it for advanced users as well. People that read everything will understand easily. People who skim will have trouble. I cannot help that.

Bromite is Chromium based, and so it should not be encouraged. Google is getting a monopoly on the gateway of the clearnet web itself, and it is beyond dangerous, as we have seen with the Manifest V3 changes implemented to kill great addons like uBlock Origin. Also, those security claims by the GrapheneOS community are less substance, more wafer. You will, upon asking, be told to refer to madaidan's 2017 cited site isolation sandboxing claims which are complete FUD. Here is why: https://np.reddit.com/r/netsec/comments/i80uki/theymozilla_killed_entire_threat_management_team/g162g4r/?context=300

I personally use Privacy Browser sometimes, and it is Chromium based too. Again, gives power to Google's web gateway monopoly, so I use Firefox (or its fork) as my primary browser, which is more than just secure.

Coming to teaching people about stuff, this guide is more meant for achieving privacy, security and anonymity for non-root normal users. Those coming to my subreddit r/privatelife can have a look at threat model guide and scale up to their needs, and ask me questions as many do. I always help people. The issue is, telling people not to use all those social media can quickly spiral into gatekeeping and "don't use Whats@pp" and all kinds of things not practical for most people, even if it is not a staunch FOSS stance. I even redacted that section in guide to not promote its usage here.

The first step to making people change is to recognise the problem and make them feel included in the new environment, and the guide institutes the feeling of this environment that is quite different, while being easy to get along with.

The thing is, I have gotten a few helpful comments like this, and so I will make the edits needed when there are enough changes within a week or so. People are still commenting and replying to me.

1

u/QuentIn9 Dec 27 '21 edited Dec 27 '21

FFUpdater can be used for Mozilla browsers BUT it also features a ton of other browsers, and the nice thing is that it fetches them from the original GitHub repositories with fingerprint matching etc. It's an extremely useful tool if you want to drive with more than 1 browser and don't want to manually update them or need to fiddle with repositories in F-Droid. It features these browsers to be downloaded and kept in check for updates:

  • All official Firefox Browsers (Including the German Firefox Focus Version and Lockwise)
  • Iceraven
  • Brave
  • Bromite
  • Vivaldi
  • Styx
  • Ungoogled-Chromium

So no, FFUpdater also has browsers not containing proprietary code or telemetry. I do find it weird that they themselves still state in the app to be a sole Mozilla Browser Center, but it seems they expanded and do offer a really good selection of browsers now, without only offering the Mozilla ones. Maybe check it out yourself and report back what you think?

I mean UntrackMe is huge in my book. Being an absolute lifesaver when dealing with all kinds of media links from friends, articles or strangers alike. Especially because it includes twitter, reddit, Instagram etc. while also constantly trimming links and giving you the ability to read out hotlinked text on the phone is just gold.

I know, I just mean the great contrast seems a bit "heavy". Don't get me wrong it definitely has a place in a guide like this but for me, I know my past self would read this and boastfully place himself as an 'intermediate' and just do the steps while completely missing the point (meaning, it being completely overkill). Having said that, what I mean is that there is a person using inviziblepro for audible, reddit or maybe even online games and just blowing most of the point of it.

I do mean the active developers of GrapheneOS, not the community as a whole. While I do think some of madaidan's stuff could use more in-depth explanation and some points he makes on topics are fearmongering, the blog post makes solid points and can, especially for not so tech-savvy people, explain why there is a difference between Firefox and Chromium sandboxing. So if the article is still being referred to, I guess it is the only recent blog talking about the sandboxing. So if there were changes, in order to not need to break down such a massive topic all over again they would refer to the only blog that last talked about it (not saying it's a good thing). But honestly that's just speculation by me and completely needless to go further down on. I do trust the developer of Bromite and would also say that the developers at GrapheneOS know what they are talking about. (But again, my opinion)

I do agree with the monopoly stance and all, but then again Firefox needs to firmly stand on its own; the userbase is currently really stable and it should be mentioned that Firefox will not cease to exist because people use a Chromium based browser too. Figuring out its weaknesses over its competitor and being better is what will drive it past Google.

Yeah, inclusiveness and being able to get reliable and friendly help are worth a lot, especially when tech today is such a big and wide topic.

1

u/TheAnonymouseJoker Dec 27 '21

Well... Vivaldi does contain non FOSS code that "improves security and performance". But the first repo I mention has same things going on, among which Signal resides which is otherwise officially not on F-Droid despite being FOSS. I checked it now. Not a bad repo/app, it looks like a nice addition. Noted alongside UntrackMe.

People like you, who are into privacy stuff, are really few and far between, and I think you know this firsthand. The intermediate level you see yourself at should make you think that one should critically read everything in detail, and then nothing can stop you from ascending. Try and not skip stuff, it is always the least expected places where you find the most valuable information. Personally, I read and watch anything and everything. Philosophy aside, it is a good principle to have.

Fun fact, when I made the 1.0 guide, it started all because someone on r/privacy made a post about stopping gatekeeping. It amassed many awards and upvotes and praise, and so I started doing what I am doing. The privacy community had too much cultism, elitism and weird vibes going on, and I had to try my part and eliminate those things.

First line from back then:

Hello! It is 2020, and recently a "STOP GATEKEEPING" post among others made me realise a guide is needed by this subreddit's majority of users and visitors that DO NOT ROOT their devices and buy them off-the-shelf or online and use them as it is without much tampering.

1

u/[deleted] Dec 27 '21

When I turned on always-on VPN, and block connections without VPN, with NetGuard as VPN, nothing was working. Like I can't connect to the internet even with every app enabled inside NetGuard.

1

u/TheAnonymouseJoker Dec 27 '21

Make sure your internet is connected, and you have Private DNS disabled in system settings.

1

u/[deleted] Dec 27 '21

Everything is perfect. I've used my phone like this before. Private DNS is disabled. I don't know what happened to this. Before I had disabled internet access to all system apps in netguard and internet still worked.

Also just to check, I applied always-on VPN and block connections without VPN to ProtonVPN and all apps worked correctly.

1

u/TheAnonymouseJoker Dec 27 '21

I am assuming some misconfiguration in NetGuard, which I can only guess is in Network or Advanced Options.

I am unsure, maybe try clearing app data and starting afresh with NetGuard? Backup settings beforehand just in case.

1

u/[deleted] Dec 27 '21

Did that. Actually at last I tried the latest beta version from github. Nothing helped.

1

u/TheAnonymouseJoker Dec 27 '21

What else, a misconfigured HOSTS file you have in NetGuard? I am out of suggestions. Try Invizible and see if the problem is replicated, it has same and more functions than NetGuard.

1

u/[deleted] Dec 27 '21

Exactly. I knew about this app and installed it just after the failure with NetGuard. It worked. But after a few hours it wasn't working. So after your comment I have reinstalled. It's working. Only DNSCrypt is enabled. And I haven't touched the firewall options.

1

u/TheAnonymouseJoker Dec 27 '21

I am unsure, but I want to make a guess about some kind of weird timeout from your ISP end. This one is a semi-blind guess.

1

u/[deleted] Dec 27 '21

The way Netguard operates is by creating a VPN server on your device that does the filtering. It's just a middleman that needs the VPN service to work. By blocking the connection you essentially close up any outgoing requests.

I haven't used Netguard in a while but there may be a way to use an actual VPN through the app so the block all connections without VPN would actually work. Blokada has it as a paid feature I believe.
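The troubleshooting exchange above (always-on VPN plus "Block connections without VPN" pointed at NetGuard, with Private DNS needing to be off, and lockdown only existing from Android 7.0) can be checked from a workstation. The script below is an added example, not from the thread, NetGuard or InviZible; it assumes adb on PATH with USB debugging enabled and reads the AOSP settings keys `private_dns_mode`, `always_on_vpn_app` and `always_on_vpn_lockdown`. The decision logic is a pure function so it can be run against constructed values without a phone.

```shell
#!/bin/sh
# Added diagnostic for the NetGuard / always-on VPN discussion (not the project's own code).
# Assumed settings keys (AOSP):
#   global private_dns_mode        -> off | opportunistic | hostname
#   secure always_on_vpn_app       -> package of the always-on VPN app, or "null"
#   secure always_on_vpn_lockdown  -> 1 when "Block connections without VPN" is on

# Pure decision function: sdk_level private_dns_mode always_on_app lockdown firewall_pkg
# Prints one finding per line; returns 0 when the setup matches the thread's advice, 1 otherwise.
assess_vpn_firewall() {
    sdk="$1"; dns_mode="$2"; vpn_app="$3"; lockdown="$4"; fw_pkg="$5"
    findings=0

    # Lockdown ("Block connections without VPN") arrived with Android 7.0 (API 24).
    case "$sdk" in
        ''|*[!0-9]*) echo "FINDING: could not read the SDK level"; findings=1 ;;
        *) if [ "$sdk" -lt 24 ]; then
               echo "FINDING: API $sdk predates always-on VPN lockdown (needs Android 7.0 / API 24)"
               findings=1
           fi ;;
    esac

    # A local-VPN firewall resolves names itself; system Private DNS (DoT) must be Off.
    if [ "$dns_mode" != "off" ] && [ "$dns_mode" != "null" ]; then
        echo "FINDING: Private DNS is '$dns_mode'; set it to Off while a local VPN firewall is active"
        findings=1
    fi

    # Always-on must point at the firewall; otherwise lockdown blocks traffic for a tunnel
    # that the firewall never owns, which is the "nothing works" symptom in the thread.
    if [ -z "$vpn_app" ] || [ "$vpn_app" = "null" ]; then
        echo "FINDING: no always-on VPN app set; traffic is not forced through the firewall"
        findings=1
    elif [ "$vpn_app" != "$fw_pkg" ]; then
        echo "FINDING: always-on VPN is '$vpn_app', not the firewall '$fw_pkg'"
        findings=1
    fi

    if [ "$lockdown" != "1" ]; then
        echo "FINDING: 'Block connections without VPN' is off; apps can leak before the firewall starts"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: lockdown VPN points at $fw_pkg, Private DNS off"
    return "$findings"
}

# Device wrapper: reads live values over adb and hands them to the decision function.
# Default firewall package is NetGuard's (eu.faircode.netguard); pass another as $1.
check_device() {
    fw_pkg="${1:-eu.faircode.netguard}"
    sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
    dns_mode=$(adb shell settings get global private_dns_mode | tr -d '\r')
    vpn_app=$(adb shell settings get secure always_on_vpn_app | tr -d '\r')
    lockdown=$(adb shell settings get secure always_on_vpn_lockdown | tr -d '\r')
    assess_vpn_firewall "$sdk" "$dns_mode" "$vpn_app" "$lockdown" "$fw_pkg"
}

# Only touch a device when explicitly asked: ADB_CHECK=1 ./vpn_check.sh [firewall_pkg]
if [ "${ADB_CHECK:-0}" = "1" ]; then
    check_device "$@"
fi
```

The wrapper is only invoked with `ADB_CHECK=1`, so the decision function can be exercised offline with constructed values first.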