Privacy enhanced mobile

Orde Saunders' avatarPublished: by Orde Saunders

With their plethora of sensors and always-on data connections, mobile devices track a large amount of data which is passed on to the services you use. There are numerous reasons why you might want a device that has enhanced privacy - even if you have nothing to fear hide. Setting one up isn't a simple task but can be completed in a evening*. If you haven't changed the operating system on a mobile before it can seem a bit daunting but follow the steps through and be patient.

Privacy Enhanced Nexus 4

* It took me significantly longer to write up this guide than it did to set up my device.

Caveat Lector

Setting up a device following this guide will not guarantee your anonymity. This is intended to provide enhanced anonymity. If you require anonymity for your safety do not rely on the information presented here.

This does not provide an inherently more secure device, if there is any security benefit from this kind of set-up then it is a side effect of reduced attack surface.

Install new operating system

Ideally for this purpose you would use CopperheadOS' security enhanced Android build but the device requirements for that are quite high, you might not be prepared to make that financial commitment.

The most practical alternative is to use LineageOS. If you have an old mobile you'd like to repurpose for this you can check their device list to see if there is a build available. If you need to get something else an easy device to work with that has good support is the Nexus 4, especially as they can be acquired second hand for under £100.

I'm not going to cover the detailed steps to install a new operating system but there are instructions on the LineageOS wiki for the Nexus 4 (mako). (At the time of writing, the instructions are still not that clear as they haven't finished porting all the information over to the new documentation system but I followed them to successfully install it on my test device.)

The key steps in this process are:

  1. Unlock the boot loader
  2. Install Team Win recovery image
  3. Install LineageOS

You will see references to installing the Google services, ignore this step as this will enable Google to track the device - something we are specifically trying to avoid.

The operating system will take a very long time to boot for the first time, stretch your legs and make yourself a cup of tea and leave it to do its thing. Once it's up and running follow the short set-up wizard and you're ready to use it.

Install F-Droid

As we don't have Google services we don't have the Play Store so we need an alternative source of apps. F-Droid is the best option and can be downloaded from their site. (There are other app stores out there but the quality is highly suspect. The other alternative is Amazon's app store but, whilst not as pervasive as Google, it still re-introduces tracking.)

If you try to install the downloaded APK file you will be presented with a security warning, to pre-empt this go into the the security section of settings. From the "Device Admistrators" sub-section you should enable "Unknown sources".

Allow Unknown sources toggle

As you do this you will be presented with another security confirmation dialogue. Select "OK".

Installing unknown apps warning

Installation of apps from unknown sources will now be enabled.

Allowed Unknown sources

With this out of the way you can now install the F-Droid APK you have downloaded.

Once installed, open F-Droid and, from the menu select "Repositories".

Select Respositories from the F-Droid menu

Enable the "Guardian Project Official Releases" then refresh the repository information.

F-Droid Repository Selection

Install applications

Now we have F-Droid set up we can use it to install apps.

As this is intended as a privacy enhanced device we'll use Tor to anonymise our internet connection. On Android Orbot gives you access to the Tor network and Orfox gives you a browser specifically configured to use Tor and enhance your anonymity. Search for "orbot" and "orfox" and install them by tapping on the version from the Guardian Project repo.

Check it's the Guardian Project repo

You may wish to install other applications as needed however, bear in mind that without the Google Play Store only a limited number of applications are available. Some suggestions are:

If you search for "tinfoil" in F-Droid you will find apps that act as wrappers round the Twitter or Facebook websites allowing you to use social media in a sandboxed environment. If you install the Facebook or Twitter apps they have enormous access to your device, even when sitting 'dormant' in the background, and this is something we want to explicitly avoid in this situation. You can use the websites in the browser but this will leave cookies and other trackers in the browser which can be used to follow you round the websites you visit - by sandboxing them you prevent this.

Gmail specific

If you are already an Android user then there's a good chance you use Gmail for mail and contacts. As this device isn't using Google services you won't have access to the Gmail app or contacts. There are a few ways to approach a solution to this.

The least disruptive is to use K9 as an IMAP mail client for Gmail. IMAP is well supported by Google and will give you full access to your mail. For contacts you'll need to export as vCard, transfer them to the device and import using the Import Contacts app available in F-Droid. However, unlike email, the contacts won't sync so you might end up dual handling them.

The most disruptive would be to switch away from Gmail to a different cloud provider that is dedicated to privacy and supports fully open protocols - I recommend Kolabnow. This will provide you with synchronised mail, contacts, calendar and more across all your devices and they will provide set-up instructions.

A half-way house would be to start with a different cloud provider, set them up for use on this device and use that as a first step in migrating other devices to them. When you are comfortable with the new provider you can start to migrate to them from Google.

Set up apps to use Tor

Open up Orbot and start Tor running - this can take a while first time round. To check you are connected hit the "BROWSE" button which will open Orfox and load the Tor Check.

To route other apps' netowrk traffic through Tor from the hamburger menu enable "Apps VPN Mode".

Orbot's Apps VPN Mode

This will issue you with some warnings but select all apps and allow Tor to create VPNs.

If you install new apps make sure to go into Torbot's settings and enable them to be routed via Tor.

Use it!

This device is going to be different and less convenient to what you're used to. The instinctive reaction to this tends to be to revert to what's familiar.

To counter this make an effort to use it at home along side your normal devices to start with, it's easier to sort out issues when you've got a good connection and other devices to work with. Then put your SIM card in and take it out for a walk - find out what you need from it when you're mobile. Steadily increase the time you spend with it so you're happy that you can rely on it as your only device for an extended period - I've found that with my privacy enhanced mobile it's nice at times not to be carrying the world round with you in your pocket.