Hello guys. I recently acquired a Pixel 8A and it was Google stock os I bought it from a man locally all with cash I brought It home and I flashed grapheneos onto this phone.
What else needs to be done to anonymous this phone and make it a privacy phone and a spy free phone no tracking phone no interception phone and no monitored phone.
Any advice welcome!
Thanks.
It will never be any of those things.
If you want to get close as possible, this is going to be a LONG conversation and has less to do with the device and more to do with how you use it and what sacrifices you’re willing to make.
I use TrackerControl (f-droid).
It’s an app that can turn off entirely internet access to an app or granurarly tweak which domains can comunicate with.
For example, using Aurora Store and Obtanium instead of Google Play and avoid enabling Google Play Services.
Start with the basics. Use a VPN preferable a good one payed in crypto /XMR or cash. Use Foss apps only check out F-droid.
Also one that blocks malware and ads. If not use adguard.dns or other that filter traffic
Settings , disable 2-3 G if you always have access to 4-5 G .
Don’t change add browsers use vanadium. No gapps obviously.
The more challenging is to just use it as WiFi phone without SIM.
Vanadium doesn’t have good/any fingerprinting protection. Cromite or Mull would be better, Tor would be best.
Vanadium is purposefully made this way. It tries to minimise profiling by making your actions noise in a big mass of users. That only works if you use the standard config without anything to discern you.
Mull is the other extreme of this. They try to eliminate fingerprinting by reducing the amount of trackable things in your browser.
It’s hard to say what really is the better option. You can’t completely eliminate fingerprinting, and the more you try, the more you will stick out of the masses.
You can’t blend in with a crowd of vanadium users with the amount of data points given away by the browser. Your fingerprint will be decernable from other users. Without actual anti-fingerprinting, which theoretical can allow for a crowd only when fingerprinting of user browsers results in the same fingerprint ID, the best you can hope to do is thwart naive fingerprinting. Vanadium doesn’t have any anti-fingerprint built in, so the slightest differences between user can be used to easily fingerprint. Vanadium also has no strong method of in browser content blocking (eg an adblocker like uBlock) which is required on the modern web to remove JS tracking scripts (or straight allow and deny lists for specific web contents). Adblock is cyber security: https://www.ic3.gov/Media/Y2022/PSA221221
Examples of metrics include, but are not limited to, the following: Timezone, system and browser fonts (often automatically fetched by websites as a remote font that is cached by the browser), language, screen metrics (DPI, height x width, refresh rate, pixel ratio), canvas, CSS fingerprint, useragent, browsing mode (standard/private), video autoplay policy, audio device fingerprinting, installed plugins, cookie policy, device theme, and of course IP.
As a graphene OS vanadium user, assuming that the browser stays default, you would still have screen, audio, other hardware metrics, canvas (this one is a killer), IP, user agent (differences in installed versions of plugins and vanadium itself), timezone, remote Fonts, and others. Fingerprinting is an insane science which needs actual protection against to even begin hoping to create a crowd.
See some more details below.
Info on fingerprinting (about choosing a desktop browser but still relevant info): https://www.privacyguides.org/en/desktop-browsers
Browser comparison: https://divestos.org/pages/browsers
Fingerprinting test site: https://abrahamjuliot.github.io/creepjs/
Why would you use Chrome webview plus something else? You can’t replace just pile on. Not a good idea. https://grapheneos.org/usage#web-browsing
I read your source and am not convinced. While I do agree that piling on modifications is often fruitless and counterintuitive, Vanadium doesn’t have the Fingerprinting protection necessary to create a crowd. At best it can create many islands of crowd for each physical device graphene supports, for each version of the software installed, and only assuming all other method of fingerprinting don’t work (for some reason theoretically for the sake of this best case scenario). Read cromite’s patch list to see some of the changes needed to produce basic anti-fingerprinting (still not good enough to create a crowd).
Dont use system webview as your default browser. Webview is used by apps, your browser can and should be changed if privacy is your goal. Vanadium may be hardened, but it lacks any fingerprinting protection.
- That makes no sense.
- Vanadium have a different approach than trying to block it , blend in instead.
- Gecko based browser have crap sandboxing
- Again if you have 1 problem adding 1 more makes 2 problems.
Your system webview is for in app usage. You aren’t browsing the web using your system webview (generally). You can’t blend into a crowd if you have no anti-fingerprinting. Firefox does this through RFP by normalizing settings between users, and on mobile there is partial support for screen size normalization through letterboxing. Vanadium isn’t special, it is hardened chromium with some specific patches. You cannot form a crowd without special a lot of anti-fingerprint patching. See my other comment for details.
Firefox is missing per-site process isolation. This is theoretical an attack vector in the presence of multiple other major vulnerabilities. It has never been shown to be an attack vector in real world vulnerabilities. Don’t call Firefox’s sandboxing crap if you don’t know why people have said that.
You can’t blend in with a crowd of vanadium users with the amount of data points given away by the browser. Your fingerprint will be decernable from other users. Without actual anti-fingerprinting, which theoretical can allow for a crowd only when fingerprinting of user browsers results in the same fingerprint ID, the best you can hope to do is thwart naive fingerprinting. Vanadium doesn’t have any anti-fingerprint built in, so the slightest differences between user can be used to easily fingerprint. Vanadium
Anti-fingerprinting? By blocking javascript which the half-hearted privacy users can never afford? hahahahaha. Even privacy projects spread dirty javascripts.
Anti-fingerprinting isn’t as simple as blocking JavaScript. There are dozens of other parameters. You can fingerprint with pure CSS. When I say anti-fingerprinting is necessary for a crowd, I am referring to data normalization. Like Firefox’s Resistant Fingerprinting and letterboxing. I find most of RFP’s effects unobtrusive, but it always for a crowd to form in specialized cases. Only Tor browser and Mullvad can reasonably form a crowd.
I dont know what you mean by privacy projects spreading dirty JS. I recommend you read up on actual anti-fingerprinting techniques. Your knowledge of anti/fingerprinting seems limited. Basic anti-fingerprinting is necessary on the modern web, same thing with a content blocker. Security and privacy sometimes come at the cost of convenience, but not always.
I have a sim card in this phone. The sim card is one I heavily rely on. I have disabled the option for disable 2G in sims is this good? Even without the LTE mode as my phone doesn’t seem to have this.
I don’t have any crypto / XMR and in this case, shall I just set the DNS you recommended me without any VPN and just always use that? Thanks.
I used adguard.dns before now I have VPN that have DNS filter. Disabling 2-3g minimize attack surface but just a small thing use 3 g if you need it. You can use both private DNA in settings and a free VPN if you want.
If I use adguard dns in my phone settings, what is best free VPN to use with it? Other than proton / Riseup?
Proton riseup and calyx comes to mind.
I had to put dns.adguard.com and my preferred network is 3g with Allow 2g disable is this good always? And Riseup vpn
Are you recommending I change Preferred network type " to 3G? other options are 4G only 5G ( recommend ) 4G if I use that DNS with what VPN u recommend, and have allow 2g disable am I good?
It’s only an attack surface minimation , security is better on new generations. I use all since I am in the middle of nowhere. If you don’t need it disable it, otherwise let it be
Its preferred network type 3g and allow 2g disable and I use dns.adguard.com am I good now mate?
I have the DNS set to the one you said and the preferred network type set to 3g and the VPN calyx VPN, am I good now?
Its still being tracked even with gos. Just maybe Google isn’t tracking you.
(OP can ignore this comment)
I’m a bit upset that GrapheneOS does not follow OpenBSD: ignore any person hating it, ignore anyone who wants to interferes with project personnel and donations like usa is doing on Viet Nam like they are speaking for the Vietnamese, and don’t care if the feature works “for you” or not, just going on code improvements & maximally free code. And do whatever Micay want to do. Accept donations from whatever company. There’s so much dramas. But they already achieved over-detailed documentations. Focusing on unprivileged google play is the true path, since the demand on google play is much larger and other “private” apps repos are expected to work on the “privacy” people’s phone.
Maybe because GrapheneOS haven’t made any world-significant project that every companies depend on so that companies have to put so much money on the project.
Congratulations on your first steps in GrapheneOS!
In order to best help you and give relevant suggestions, we need more information of who you are trying to be private from.
If your threat model is particularly sophisticated, it may be recommended that you do not use a sim card, or at least never when your phone is at home. Instead, exclusively rely on WiFi. It may also involve desoldering your microphone and camera and only make calls using an earpiece.
These are not recommendations, but simply examples of how far one can go with respect to their threat model. If you would rather want to avoid “regular” spying by google, Facebook and the likes, you may be better off selecting a private DNS (for example Mullvad’s extended DNS which comes with social media filtering https://mullvad.net/en/help/dns-over-https-and-dns-over-tls ). You would need to make sure you do not install Google services (nor microg) and especially no google apps.
Much more can be said, but we would need specific information about your case to provide better guidance.
EDIT: I do not want to give the impression that GrapheneOS does not make a good job in improving your situation already. They do! But to do more you would need to justify it with your threat model, that’s what I’m getting at.
I have already inserted a sim card into this phone. The sim card is a kyc sim card. I want to do best I can without compromising my identity. My threat model does involve government interception and tracing, but it’s more about staying Safe with this phone whilst I’m possibly under surveillance. Local police entities. More so than government contractors / third parties. What is best VPN to use in this phone? I rely in the sim card in this phone so always keeping in aeroplane mode isn’t possible as this is my primary number and I need to have constant connection to it. In this case, what shall I do with this phone?
Removed by mod
deleted by creator
Removed by mod
I’m upset that GrapheneOS does not follow OpenBSD: ignore people likes you and work on any feature they want. On the 90s, the NetBSD core team expelled Theo de Raadt and revoked his access on the code which others could. On 2020s, you, not any core of GrapheneOS, trying to expell Micay from GrapheneOS’s project leader role. Like what cia is doing to Viet Nam and China.
Removed by mod
Laugh on your “basic decency and criticism”.
then such projects/forks should be abolished to the valley of death
It seems these guys failed to abolish OpenBSD to death so they find an easier target: GrapheneOS. In fact, both project accept “inputs, basic decency and criticism”. OpenBSD have a friendly connection with FreeBSD. But the os is make for their developers, and they can ignore whatever wideopenbsd or isopenbsdsecure without having problem, they can have the user to read man pages without having problems. On the linux world drama is caused by having user to read faq themselves, and Micay failed to ignore the dramas.
Same for any such individuals like Micay who believe in witch hunting, cultism and silencing people.
Micay is just dumb when he stepped down for your pleasure.
Removed by mod
Don’t even read your reply, all I want to say is you are acting like what CIA, through whatever self-claimed civil society organizations or NGOs is doing to Viet Nam and China now.
Removed by mod
Here is an alternative Piped link(s):
https://piped.video/V9O94UTDAJQ
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
