The first thing any competent practitioner is going to ask is this:
What is your threat model?
Are you the next Edward Snowden? A Russian doing drug deals on dark markets? A clerk at a locally run convenience store? Some tech worker in the Bay Area? A journalist in Western Europe? A Wal-Mart employee organizing to form a union? A free-software proponent and developer?
The answer here is to do some threat modeling. What activities are you involved with that may be interesting to those with power and capabilities? Are you concerned with powerful state or corporate actors? Are you concerned with the run-of-the-mill privacy invasions in typical Android apps?
Threat model: I'm an ordinary consumer doing ordinary consumer things, and I don't want to have my identity stolen or my browsing habits being sold at auction. Highest feasible level of protection against state and nonstate adversaries. I assume a TLA could defeat me in a targeted attack, but don't want to get ensnared in a dragnet (hmmm, you just read a page on torproject, into the suspect list you go!)
Assuming you have a Nexus running Android 6.0, there's quite a bit you can do by denying capabilities to applications. This is a new feature of Android 6.0 that lets end users deny specific capabilities per app (Calendar, camera, contacts, location, microphone, phone, SMS, storage).
* Navigate to Settings -> Apps -> Config -> App Permissions, and disable permissions in each category.
* When you install a new application, only those targeting Android 6.0 or later will prompt you for permissions, so go in and edit the permissions for newly installed applications before you run them.
* Depending on your cellular provider, it may be helpful to setup a forward-all VPN through either your own server or a trusted VPN provider (feel free to read about Verizon X-UIDH supercookies). I don't trust VPN providers, so I do this myself.
* Enable device encryption, and use a sufficiently complex password. Assume when your device is powered on that all data on the device can be obtained.
* Set Firefox to your default browser, and install relevant extensions like uBlock Origin.
Thanks, much appreciated. I am new to android having used iOS for most of my phones in the past. I decided to switch to get away from Verizon and a general dissatisfaction with the way iOS makes decisions for you. So any practical advice for an android newb is helpful!
I'm in the same exact boat as you - always had iOS and am supposed to get my Nexus 6p on Monday (leaving Verizon for Google Fi) - I'm intently watching this thread for some suggestions/tips as a new Android user.
Yup, I finally got disgusted enough by Verizon's complete disregard for their customers that I was willing to switch to Android simply to try Google Fi. The tipping point for me was when I realized that 10 months had gone by after I'd paid off my iPhone and Verizon continued to charge me for it. When I called their CS, the best they could do was refund me 3 months of it. So I'm done.
For Nexus phones there's CopperheadOS [1], a hardened Android version focused on security. It sounds great but I haven't tried it. It's also nice that they try to upstream some of their work.
7 comments
[ 5.5 ms ] story [ 29.7 ms ] threadWhat is your threat model?
Are you the next Edward Snowden? A Russian doing drug deals on dark markets? A clerk at a locally run convenience store? Some tech worker in the Bay Area? A journalist in Western Europe? A Wal-Mart employee organizing to form a union? A free-software proponent and developer?
The answer here is to do some threat modeling. What activities are you involved with that may be interesting to those with power and capabilities? Are you concerned with powerful state or corporate actors? Are you concerned with the run-of-the-mill privacy invasions in typical Android apps?
* Navigate to Settings -> Apps -> Config -> App Permissions, and disable permissions in each category.
* When you install a new application, only those targeting Android 6.0 or later will prompt you for permissions, so go in and edit the permissions for newly installed applications before you run them.
* Depending on your cellular provider, it may be helpful to setup a forward-all VPN through either your own server or a trusted VPN provider (feel free to read about Verizon X-UIDH supercookies). I don't trust VPN providers, so I do this myself.
* Enable device encryption, and use a sufficiently complex password. Assume when your device is powered on that all data on the device can be obtained.
* Set Firefox to your default browser, and install relevant extensions like uBlock Origin.
I got my 6p yesterday and still learning my way around it. Overall I'm impressed but feel like such a noob and not sure what to do to stay safe. There's a decent checklist here: https://security.utexas.edu/handheld-hardening-checklists/an...
It's a bit generic and not specifically to Android 6.0, but helps point in the general direction of how to think about securing android.
[1]: https://copperhead.co/android/