
So in summary:

- you unlocked your bootloader w/o re-locking it again → insecure

- you used a phone that doesn't receive OEM updates anymore → insecure

- you use firefox over tor: no sandbox, very unique fingerprint

- all of the device's traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity

I don't think this is a good setup.



- Unlock the bootloader, as phone manufacturers should not be trusted. Even if the ROMs manufacturers provide are open-source, the firmware usually is not.

- Unlocking the bootloader also makes the phone receive secure updates again.

- Firefox is a great browser that can resist fingerprinting. The sandbox function on Android should be achieved by restrictions on permissions and storage isolation.

- Traffic over Tor is also much better than just over the telecom carrier. A small fraction of non-privacy nodes is also not a problem as routes are always changed, and how can an organization control most nodes?


I recently installed GrapheneOS on an old Pixel and recommended practice was to relock the bootloader after unlocking it and installing a custom OS, which is supported on Pixels.


An unlocked bootloader makes the phone vastly more insecure (see https://news.ycombinator.com/item?id=35790499). Phone firmware cannot be fully open-source nowadays due to manufacturer restrictions. Even the most open-source Android fork will still have to include binary blobs from e.g. modem manufacturers.

Additionally, the updates that the forked OS provides don't include firmware updates for essential parts like the modem (this is also the reason why phone updates are not available in the first place). So it's essentially security theatre.

Firefox doesn't use per-site isolation, doesn't use process sandboxing and, on top of that, has a JIT, so there are W^X violations. Normal app sandboxing via Android permissions is not sufficient for something as complex as a browser. The potential for possible exploits is inherently massive. Other browsers (chromium-based) like Vanadium have very sophisticated sandboxing, so there's no reason to use something inferior.

Traffic over tor is good, but shouldn't be used with authenticated services, as it deanonymizes your connection. Instead, it should only be used for specific (unauthenticated) actions, like browsing news.


> - all of the device's traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity

Wouldn't this depend on whether you had a stream isolation setup? Pretty sure Tails/Tor Browser do this, so you can have a signed in Facebook tab and another tab open and the two won't be linked. I don't think the guide here accounts for that though.


Yes that is possible, but not with the setup described.
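The stream isolation the two comments above refer to is a Tor SOCKS-layer feature: with `IsolateSOCKSAuth` (on by default for `SOCKSPort 9050`), Tor routes streams whose SOCKS5 username/password differ over different circuits, so Tor Browser can give each first-party site its own circuit. The following is an added example, not code from the thread or from any of the apps it names; it builds the RFC 1928/1929 handshake bytes and opens a stream through a local Tor SOCKS port. The isolation tags (`"news"`, `"fb-session"`) and the proxy address `127.0.0.1:9050` are assumptions for illustration.

```python
import socket
import struct

SOCKS_VERSION = 0x05
METHOD_USERPASS = 0x02
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer username/password auth only."""
    return bytes([SOCKS_VERSION, 1, METHOD_USERPASS])


def auth_request(isolation_tag: str) -> bytes:
    """RFC 1929 username/password subnegotiation. Tor accepts any
    credentials and uses the (user, password) pair only as an isolation
    key, so the tag (one per identity) goes in the username field."""
    user = isolation_tag.encode()
    password = b"x"  # constant; the username carries the identity
    if not 0 < len(user) <= 255:
        raise ValueError("isolation tag must be 1..255 bytes")
    return bytes([0x01, len(user)]) + user + bytes([len(password)]) + password


def connect_request(host: str, port: int) -> bytes:
    """CONNECT by domain name so DNS resolution happens inside Tor
    rather than leaking to the local resolver."""
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_isolated_stream(isolation_tag: str, host: str, port: int,
                         proxy=("127.0.0.1", 9050)) -> socket.socket:
    """Open a TCP stream to host:port through Tor under the given tag.
    Two calls with different tags land on different circuits (and exits);
    two calls with the same tag may share one. Needs a running Tor."""
    sock = socket.create_connection(proxy, timeout=30)
    try:
        sock.sendall(greeting())
        ver, method = _recv_exact(sock, 2)
        if ver != SOCKS_VERSION or method != METHOD_USERPASS:
            raise ConnectionError("proxy refused username/password auth")
        sock.sendall(auth_request(isolation_tag))
        _, status = _recv_exact(sock, 2)
        if status != 0x00:
            raise ConnectionError("proxy rejected credentials")
        sock.sendall(connect_request(host, port))
        ver, rep, _, atyp = _recv_exact(sock, 4)
        if rep != 0x00:
            raise ConnectionError(f"CONNECT failed, SOCKS reply {rep:#04x}")
        # Drain BND.ADDR and BND.PORT so the stream starts clean.
        if atyp == ATYP_IPV4:
            _recv_exact(sock, 4 + 2)
        elif atyp == ATYP_IPV6:
            _recv_exact(sock, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
        else:
            raise ConnectionError(f"unknown address type {atyp:#04x}")
        return sock
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Constructed usage: same destination, two identities, two circuits.
    for tag in ("fb-session", "news"):
        s = open_isolated_stream(tag, "check.torproject.org", 443)
        print(tag, "connected via", s.getpeername())
        s.close()
```

The wire difference between the two identities is only the username in `auth_request`; everything else is identical, which is why an app that uses one fixed credential (or no auth at all) for all traffic gets no isolation even though every byte still goes through Tor. The matching torrc line is `SOCKSPort 9050 IsolateSOCKSAuth`, which is already the default.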


As long as you keep the device in your possession with a quick option to wipe it, I believe that mitigates the unlocked bootloader. Graphene locks the bootloader as a more secure option.

I tried Invizible Pro and do not see an option for split tunnelling. I suppose Orbot may be a better choice if authentication to one of those services is needed.


An unlocked bootloader disables verified boot, which makes your phone vulnerable to rollback attacks.

In doing so, it also disables integrity checks, thus making persistence (even without rollback) a lot easier for a potential attacker.

So your phone becomes a lot more vulnerable to all kinds of attacks, not just physical ones.

See also: the Android Documentation for verified boot (https://source.android.com/docs/security/features/verifiedbo...)


This only works if you trust the ROM though, otherwise I'd say it's even worse than no protection since it can prevent you from cleaning up the device.


If you can't trust your OS, trying to anonymize it is useless.

Verified boot doesn't prevent you from cleaning up the device. Modern Android phones have wonderfully sophisticated per-file disk encryption.

On Pixels, the decryption key is stored in a secure enclave (Titan M). If you want to wipe the device safely, you can just reset the OS. (This deletes the decryption key from the secure enclave, which turns all user data on the user data partition into random junk.)

GrapheneOS for example gets all of these things right. It is possible to make your phone secure, but not by permanently unlocking the bootloader and rooting the device.


> If you can't trust your OS, trying to anonymize it is useless.

Well yeah, welcome to the modern smartphone era. Those protections are useless or counter-productive because the base ROM already has spyware baked into it.

I don't know why some people consider a Chinese no-name pre-installed ROM more secure than LineageOS, but that's not how it works.

> On Pixels, the decryption key is stored in a secure enclave (Titan M). If you want to wipe the device safely, you can just reset the OS. (This wipes the decryption key from the secure enclave, which turns all user data on the user data partition into random junk.)

None of that matters if your data is just sent to Google anyways.


> Well yeah, welcome to the modern smartphone era. Those protections are useless or counter-productive because the base ROM already has spyware baked into it.

If you assume this to be correct, then there's no point in attempting to make your phone private. Privacy isn't possible without security.

> None of that matters if your data is just sent to Google anyways.

When you use a custom ROM, that's not necessarily true. But using a custom ROM doesn't necessarily mean you have to permanently unlock your bootloader, so that argument doesn't make sense.


> If you assume this to be correct, then there's no point in attempting to make your phone private. Privacy isn't possible without security.

You have it the other way around, security starts with privacy at its absolute minimum. If data is sent to a third party every time you tap something on the phone, you are using an insecure phone, regardless of what complex hardware they are using.

> But using a custom ROM doesn't necessarily mean you have to permanently unlock your bootloader, so that argument doesn't make sense.

True, it depends on the phone though; some of them cannot be locked again and there's no way to completely fix those phones with a better ROM.


I disagree. You can't keep data away from others when it isn't safe. Security doesn't necessarily imply privacy (as demonstrated by your argument), but making something private is impossible without making it secure. How can you hide something in your house when it doesn't have a lock and anyone can just walk in? Likewise, how is your phone private if, say, anyone can unlock it?

> True, it depends on the phone though; some of them cannot be locked again and there's no way to completely fix those phones with a better ROM.

Then you shouldn't use those phones for a secure setup. I think we can agree on that. But the author of the article used a phone that is capable of locking the bootloader with alternate ROMs.


> How can you hide something in your house when it doesn't have a lock and anyone can just walk in? Likewise, how is your phone private if, say, anyone can unlock it?

Security requires privacy. A phone without privacy is insecure by design, insecure because it leaks data.

And the biggest danger to consumers nowadays isn't a bootrom exploit but that their location, card payments and data profile are sent to advertisers.


You might never get a chance to wipe it. I had a cop whip out a loaded gun and point it at my head to take my phone out of my hand. I didn't even have a lock code as there was nothing to hide, but if I had been a criminal I would not have had time or opportunity to do anything without my brains leaving my skull.


> - all of the device's traffic is routed over tor → any authentication on a non-privacy service compromises your anonymity

How does it compromise anonymity if you sign in to a burner gmail account over tor?


It doesn't. I think it's clear that this is only a problem when using accounts associated with you.



