Phone

I haven’t owned a computer in ages but used ThinkPads (followed Luke Smith). Now I use old Google Pixel models, flashing LineageOS & Magisk. They’re easy to flash ROMs on and list for cheap on eBay—around $50. Personally I use a Pixel 2. Use a good case & screen protector (privacy one if you can find it). Wrapping the phone in tinfoil—at least 3 layers—blocks most radio signals. Putting it in a ziplock bag helps keep moisture away.

General advice: block mic & camera when not being used, and do the same for mobile data, Wi-Fi, bluetooth, GPS &c., disable internet GPS, USB debugging, &c.; set a lockscreen password/pin of 8-12 (more is better) letters/numbers, don’t use a pattern lock; disable all non-4G/LGE connections (2G, 3G, 5G) by dialing *#*#4636#*#* and selecting 4G/LGE only for network.

Old ThinkPads don’t have Intel’s Management Engine, or if present could be flashed over with Libreboot. On phones, the SIM card is something of an analogous backdoor, so avoid using one. Just use a burner instead. Pixels isolate the phone’s baseband, but I’m unsure which models began to do so. Keep the device set to airplane mode.

A very insignificant thing but, to disable the rotation pop-up, run via ADB or as root: settings put secure show_rotation_suggestions 0

Android ROMs/Root

LineageOS is as close to pure, vanilla Android as I think is feesable—but there is still some bloat, namely the cellular provider system apps, as Divested Dev demonstrated. Its support of older devices is why I like it, as I always favor older (cheaper priced) hardware. Most contemporary machines are overkill for basic tasks but seemingly neccesitated by poorly coded software. We want to minimize our attack surface for optimal performance, best security, and maximum privacy.

Root with Magisk to de-bloat & otherwise harden the system. Keep your attack surface minimal, have few apps installed. De-bloat system apps by making a Magisk module which overlays a blank file (or directory) over the system app’s APK. Magisk overlay documentation should tell you everything you need to know. Run cmd package path app to see where an APK is located. If the device bootloops, try going into safe mode by pressing volume-down while booting (Pixels only it seems). Should disable all modules when you boot after that. Universal Android Debloater has some information on what the different system apps are & how safe each is to de-bloat.

If you insist on using an app to do this rather than the command line, De-Bloater is an app to de-bloat with.

For network monitoring, use nethogs or netstat in a terminal (both require root). PCAPdroid is an app which does the same as a VPN without root.

To make backups, in Termux run:

tar -c /path/to/files | gpg -o output.tar.gpg -r your@email -e

How to make a GPG key.

General Apps

• Obtainium — App Manager
• Simple Keyboard — Keyboard
• Termux — Terminal
• Open Camera — Camera
• Fossify Gallery — Image Viewer
• mpv — Media Player
• MuPDF viewer — Document Viewer
• Orbot — VPN/Proxy
• RiseupVPN — VPN

See the Browser page for recommended browsers & configs.

Fossify has other apps phone calling, texting, contacts, alarm clock, &c.

If you must use a propietary app, then quarantine it with Shelter.

Instead of using KeePassDX, K-9 Mail, LibreTorrent, Read You, &c., use command line programs in Termux. Although, if you can’t (or plain won’t) use the command line, then those can be useful alternatives.

Pacman (the package manager) is installable in Termux. Also install termux-api so programs can read & set the clipboard.

Remember to configure apps to use Tor as proxy: socks5://localhost:9050

Network

Disable captive portal pings to Google by running via ADB or as root:

settings put global captive_portal_mode 0
settings put global captive_portal_use_https 0
settings put global captive_portal_http_url about:blank
settings put global captive_portal_https_url about:blank
settings put global captive_portal_fallback_url about:blank
settings put global captive_portal_other_fallback_urls about:blank

For NTP:

settings put global ntp_server pool.ntp.org # or `about:blank` to disable

NTP Pool Project.

If all your internet traffic is going through Tor, then the DNS should be resolved at the exit node. This includes apps connecting through Orbot as a VPN. So don’t set a system private DNS unless you’re not using Tor. That said, use Mullvad ( Tor).

Termux by default uses Google DNS in its /etc/resolv.conf. Make sure to change it to, e.g. Mullvad, or blank if using Tor.