Android Privacy / Security Checklist

A checklist aimed at hardening Android devices to protect privacy and security. Android by design has precious little protection for keeping your information private. Some technical knowledge and root access to the device is assumed, and FOSS solutions are used where possible. I will update and add to this page as regularly as possible as I learn more, sources and further reading is located at the footer.

Worth reading:

  • Droid-Break [droid-break.org] – Open-source and free alternatives for proprietary Android applications.
  • Tor Project [torproject.org] – “Mission Impossible: Hardening Android for Security and Privacy”
  • IzzyonDroid [android.izzysoft.de] – “Android without Google”
  • The Guardian Project [guardianproject.info] – Easy to use secure apps, open-source software libraries, and customized mobile devices to project from unjust intrusion, interception and monitoring.
  • NativeWrap [ncsu.edu] – Ad Hoc Smartphone Application Creation for End Users

Topics within:

  • Device / ROM Choice
  • Google Apps / Google Services Framework
  • Hosts-file blocking
  • Full device encryption
  • Built-in security settings
  • App privacy grading
  • IPtables-based firewall
  • VPN (OpenVPN)
  • Wifi/geolocation tracking and verification
  • Tor
  • Stingray / IMSI Catcher / Fake cell tower detection
  • On-device password safe / SSH
  • Xposed Framework
  • XPrivacy module
  • App Ops / Privacy Guard
  • F-Droid Repos
  • Self-hosted Contacts/Calendar
  • Non-Google Network Location Providers
  • Off-device APK download
  • Firefox for Android (Fennec) Config

Device / OS Choice:

  • Ideally, to ensure proper sandboxed baseband components, completely open-sourced hardware is preferred, such as the Neo900 or a GTA04-based device. However, for most people that’s impractical. The ReplicantOS project supports mainstream devices like the Galaxy S3 with limited functionality. For the purposes of this guide, I am assuming the device is running CyanogenMod 11/12.1 on an officially supported device, of which there are hundreds. A factory OEM image (even on a Nexus device) has many phone-home or proprietary components which cannot be vetted.
  • Once installed, make sure you relock the bootloader, or else the recovery partition can easily be re-written by somebody. If relocked, unlocking it will result in a wiped device. For a comprehensive read on why buying an older device outright makes far more sense than a new device on a contract, read my Contract Plan article.
  • If you are purchasing a phone from a carrier, definitely aim to wipe it as soon as possible, preferably before you put a SIM or any personal details in it, or connect it to your wifi network. Carriers often load a whole bunch of advertising-laden bloatware onto the phone for additional revenue, and there is no way to know what information is being exfiltrated. The safest practical option is to do a full wipe and load a known safe ROM onto it.

Google Apps:

  • If you must, then a minimum (known as a Pico/Nano package) Google Apps package. There are two common ones – TK GApps, which is a continuation of the original PA GApps, and Open GApps, which is an automated build which may cover some rarer devices. Ideally, this should not be required, but for some, having access to the Play Store and Google services is critical. This is a choice each individual will need to make, though most of the adverse effects can be mitigated in the checklist below. A section below will outline how to enable network location services without GApps installed.
  • After installing CM11, install Freecygn in recovery to remove Google Analytics phone-home components, or alternatively, flash a Hosts blocking file from recovery. Later on, you can automate the update of the hosts file with AdAway. The Hosts file BEFORE the first boot is important, to prevent any leakage occurring initially. The hosts file will also universally block analytics/advertising/malware hosts system-wide.
  • In addition, apply common sense. All the security and tools will not help if you have a host of invasive apps constantly running and reporting your location (Foursquare, Facebook, Twitter, etc). Even if you tunnel your connection, you still emerge with an easily identifiable ID and cookie on the other end. If an app can be replaced with a simple bookmark, do so, you’ll probably save battery and storage too. You can check apps privacy rating on PrivacyGrade, a project run by some Carnegie Mellon University.

Settings:

  • Enable Full Device Encryption (with a 16+ character boot password), without which anybody can pick up your device from the ground and read /data/ contents (app and internal storage info) from recovery. Newer builds of CM11 (or CryptFS Password) allow you to set a regular PIN unlock to remove the need to constantly enter the long password during normal use. Note that the boot password will only be active when the device is rebooted or shut down. so turn your device off in high risk areas (or set a Tasker task to shut the device down after 5 failed login attempts, or on receiving an emergency SMS message). Note that short encryption passwords can be easily brute-forced.
  • System Settings:

Backup & Reset => Disable all backup and restore functions
Developer Options => Set hostname to a generic hostname (localhost)
Developer Options => USB Debugging Off (enable if troubleshooting)
Language & Input => Android Keyboard => Disable Contact Names / Voice Input
Location => Google Location History Off
NFC => Turn off all NFC functions (can be a security risk)
Privacy => Disable Cyanogenmod Statistics
Privacy => Enable Privacy Guard by Default (do this before installing anything)
Privacy => Lock down Google services in Privacy Guard (including wakelocks)
Privacy => Lock down all existing apps
Search => Turn off Web History (If you have Google Search installed)
Security => Allow Unknown Sources (for F-Droid installs)
SuperSU => Set to notifications, not toasts
Sync => Google Account => Opt out of interest-based ads
Wifi => Turn off automatic network detection (constantly broadcasts BSSIDs)
Wifi => Turn off avoid poor networks (pings Google servers to detect)

Network Setup:

  • AFWall+ (IPTables firewall), ensure blocking Linux Kernel (phones home to Google), enable startup data leak protection
  • Once your device is setup, disable network access for Google Account/Play Store/Play Services/Contacts
  • OpenVPN (with a suitable VPN provider, always leave enabled, preferably randomize endpoints periodically)
  • Test your VPN connection for DNS leaks, if so, then also adjust system DNS server (‘set prop dhcp.eth0.dns1 1.2.3.4’ in /system/etc/dhcpcd/dhcpcd-hooks/20-dns.conf) where 1.2.3.4 is preferred DNS server, and dns2 is the fallback server.
  • Wifi Privacy Police (prevents phone connecting to known networks if geolocation incorrect, to avoid spoofed networks)
  • Set up a Tasker task to disable and enable wifi entirely based on cell-tower location, since shops will track you based on your wifi. Prevents your BSSIDs spilling everywhere. Or use something like Pry-Fi.
  • Orbot (Tor client, can be used underneath VPN)
  • Orweb (Tor-enabled web browser)
  • Orwall (To ensure that apps ONLY go through your Tor connection)

System Tools:

  • AIMSICD (Fake cell tower detection, matches your geolocation against known cell tower DB to prevent Stingray-style interception)
  • KeepassDroid (Keepass password-management client, supports keyfiles and quick copy/paste)
  • KeySync (sync SSH keys)
  • Android System Webview (If you are using 4.3 or earlier, you are vulnerable to a webview exploit, this updates webview to the latest version, generally only applies to 5.1 and above)
  • Disable Service (disable specific components of apps, like GCM or phone-home / upload components, without breaking the entire app).
  • FreeOTP (for TOTP/HOTP 2FA, replaces Authy/Google Authenticator, except it’s FOSS)
  • OS Monitor (monitor background tasks and established internet connections, also supports Logcat and filtering)

Xposed Modules:

  • Requires Xposed Framework to be installed, preferably install Xposed + XPrivacy before first boot in recovery, then enter Airplane mode to prevent your ID leaking. Note there are separate Xposed versions for 4.4 and 5.1. Also pick the right one for ARM/ARM64/X86 architectures, and consult Wanam’s custom build for Samsung Touchwiz devices (ie. Galaxy S6 / Note 5).
  • XPrivacy (The most important one – Read the manual! Increased granularity of app protection, including spoofing of serial/ID/location/networks for applications for graceful fallback, extremely powerful. Even the built-in Privacy Guard/App Ops won’t prevent some information leaking). This by far is the most important single component of your loadout.
  • Amplify (Prevents apps from firing alarms and wakelocks in the background, very powerful, battery related)
  • ReceiverStop (Adjusts broadcast receivers for installed apps, preventing nefarious applications from firing for whatever reason, battery related)
  • Play Store Changelog (Defaults Play Store to expanded changelog, always read the full changelogs)
  • Play Store Fixes (Unhides full permission details on Play Store install dialogs, which Google cleverly ‘simplified’ a while ago)
  • BootManager (Prevents apps from launching on bootup, battery related)

Update (Nov-2015): A recently released paper testing the 110 most popular Android/iOS apps show that 73% of them share personal information (such as e-mail addresses) with third-party advertising platforms, many share geo-location and search-input terms, without notification to the user. As I wrote in my Android 6.0 permissions article, even WITH permissions control in Marshmallow, apps can still access your network name (and hence rough location), e-mail address, a list of installed apps, a list of running processes, the details of the other accounts you have (such as other emails, social networks), your user dictionary contents, clipboard contents and much more. Whether it’s for the purposes of simplicity, or for something more nefarious, Google hasn’t provided any more granular permissions, and most apps WILL take advantage of that, since nearly nobody will notice their information being siphoned off.

Application Repos:

  • F-Droid (Open-source apps only, everything is built from source. Ensure you add the Guardian Repo as well)
  • Aptoide (often has apps from the Play Store as well, usually vetted, supports third-party repos at your own risk)
  • APKMirror (web-only, download APKs for sideloading)

Secure Encryption / Communication:

  • Signal Private Messenger (Secure Voice/Messaging, previously Redphone/TextSecure, note requires GCM, but Websockets alternative available)
  • CSipSimple (Voice – ZRTP capable VOIP Client, requires VOIP provider)
  • SMSSecure (SMS – Encrypted SMS messaging, no GCM requirement)
  • Chatsecure (Messaging – Encrypted XMPP Client)
  • Telegram (Messaging – Open-source messaging client, supports optional end-to-end encryption)
  • K9 Mail (Mail – Use in conjunction with OpenKeychain or APG for encrypted email)
  • OpenKeychain (Mail – PGP implementation compatible with K9, easy to import certificates, also see APG)

Calendar / Contacts / File Sync:

  • CalDav Sync (or DavDroid, supports variety of Calendar or self-hosted providers)
  • CardDav Sync (or DavDroid, supports variety of Contact or self-hosted providers)
  • Owncloud (Calendar/Contacts/Sync/Gallery)
  • Syncthing (mesh File Sync only, alternatively consider closed-source Bittorrent Sync, both options are self-hosted, a far safer option than Google Drive / Dropbox / OneDrive / Evernote)

Avoiding Google Play Services Entirely:

  • UnifiedNLP (Multi-source Network Location Provider for GSM/wifi geolocation without relying on Google, requires one/more providers below):

GSMLocationNlpBackend (NLP via GSM tower, using OpenCellID Database)
LocalGSMNlpBackend (NLP via GSM tower, using local database)
Local WifiNlpBackend (NLP via known wifi networks)
Apple UnifiedNlp Backend (NLP via wifi)
MozillaNlpBackend (NLP via Wifi, using Mozilla’s Wifi network DB)
NominatimNlpBackend (Reverse address geocoding, via Mapquest Nominatim DB, required for any reverse lookups)
OpenBmapNlpBackend (NLP via Wifi, using Openbmap DB)

  • GSMCore – The creator of UnifiedNLP has also extended it to now cover Google Cloud Messaging (auth via OAuth). Seems to work well so far, all the benefits of Play Store / GCM, without the tradeoffs. Also see Blankstore.apk for Play Store alternative (even does updating of apps).
  • Raccoon Downloader (Java-based, downloads Play Store apps, including paid apps if you have purchased them on your account, desktop app)
  • Google Play Downloader (downloads Play Store apps on desktop)

Firefox for Android Extensions:

Firefox user.js:

Firefox on Android also supports user.js, which makes configuring a large number of user settings at once very easy. Create your user.js somewhere and drop it into /data/data/org.mozilla.firefox/files/mozilla/(profile)/user.js. The next time Firefox starts, it will merge user.js into it’s own prefs.

Here are a few of the settings that are commonly recommended:

user_pref("app.creditsURL", "");
user_pref("app.faqURL", "");
user_pref("app.feedback.postURL", "");
user_pref("app.marketplaceURL", "");
user_pref("app.privacyURL", "");
user_pref("app.update.enabled", true);
user_pref("beacon.enabled", false);
user_pref("breakpad.reportURL", "");
user_pref("browser.cache.disk.filesystem_reported", 1);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk.smart_size.use_old_max", false);
user_pref("browser.migration.version", 1);
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");
user_pref("browser.search.countryCode", "EN");
user_pref("browser.search.defaultenginename", "Startpage");
user_pref("browser.search.geoip.url", "");
user_pref("browser.search.isUS", true);
user_pref("browser.search.region", "EN");
user_pref("browser.search.suggest.prompted", false);
user_pref("browser.send_pings.max_per_link", 0);
user_pref("browser.snippets.countryCode", "DE");
user_pref("browser.snippets.enabled", false);
user_pref("browser.snippets.firstrunHomepage.enabled", false);
user_pref("browser.snippets.geoUrl", "");
user_pref("browser.snippets.statsUrl", "");
user_pref("browser.snippets.syncPromo.enabled", false);
user_pref("browser.snippets.updateUrl", "");
user_pref("browser.startup.homepage_override.mstone", "40.0");
user_pref("browser.tiles.reportURL", "");
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.updateURL", "");
user_pref("browser.ui.zoom.force-user-scalable", true);
user_pref("canvas.filters.enabled", true);
user_pref("datareporting.healthreport.about.reportUrl", "");
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("device.camera.enabled", false);
user_pref("dom.apps.reset-permissions", true);
user_pref("dom.battery.enabled", false);
user_pref("dom.broadcastChannel.enabled", false);
user_pref("dom.enable_performance", false);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.event.contextmenu.enabled", false);
user_pref("dom.gamepad.enabled", false);
user_pref("dom.indexedDB.experimental", true);
user_pref("dom.ipc.plugins.enabled", true);
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
user_pref("dom.ipc.plugins.reportCrashURL", false);
user_pref("dom.max_chrome_script_run_time", 60);
user_pref("dom.mozApps.signed_apps_installable_from", "");
user_pref("dom.mozApps.used", true);
user_pref("dom.push.serverURL", "");
user_pref("dom.vibrator.enabled", false);
user_pref("extensions.hideInstallButton", false);
user_pref("extensions.pendingOperations", false);
user_pref("extensions.safeforamoled.always", true);
user_pref("extensions.safeforamoled.black", true);
user_pref("extensions.safeforamoled.percent", 46);
user_pref("extensions.safeforamoled.transition", true);
user_pref("font.size.inflation.minTwips", 80);
user_pref("gecko.buildID", "20150803103944");
user_pref("gecko.mstone", "40.0");
user_pref("general.useragent.override.youtube.com", "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36");
user_pref("geo.enabled", false);
user_pref("intl.charset.fallback.override", "windows-1252");
user_pref("intl.locale.os", "en-US");
user_pref("layout.spellcheckDefault", 2);
user_pref("media.mediasource.enabled", true);
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.video.h264_enabled", true);
user_pref("network.IDN_show_punycode", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetime.days", 30);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dnsCacheEntries", 0);
user_pref("network.dnsCacheExpiration", 0);
user_pref("network.http.keep-alive.timeout", 300);
user_pref("network.http.max-connections", 30);
user_pref("network.http.max-persistent-connections-per-proxy", 15);
user_pref("network.http.max-persistent-connections-per-server", 10);
user_pref("network.http.pipelining.max-optimistic-requests", 3);
user_pref("network.http.pipelining.maxrequests", 10);
user_pref("network.http.redirection-limit", 5);
user_pref("network.http.referer.XOriginPolicy", 1);
user_pref("network.http.sendRefererHeader", 1);
user_pref("network.http.sendSecureXSiteReferrer", false);
user_pref("network.http.spdy.allow-push", false);
user_pref("network.http.use-cache", false);
user_pref("network.predictor.cleaned-up", true);
user_pref("network.prefetch-next", false);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, 0.0.0.0");
user_pref("network.proxy.socks_remote_dns", true);
user_pref("reader.has_used_toolbar", true);
user_pref("searchActivity.default.migrated", true);
user_pref("security.OCSP.enabled", 0);
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("security.csp.experimentalEnabled", true);
user_pref("security.password_lifetime", 7);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.url", "");
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.tls.version.min", 3);
user_pref("security.xpconnect.plugin.unrestricted", false);
user_pref("services.sync.engine.noscript", true);
user_pref("signon.rememberSignons", false);
user_pref("social.directories", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.toast-notifications.enabled", false);
user_pref("social.whitelist", "");
user_pref("storage.vacuum.last.index", 0);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.infoURL", "");
user_pref("toolkit.telemetry.server", "");
user_pref("webgl.disabled", true);

Please leave a comment for any thoughts, corrections or additions.

Advertisements

4 thoughts on “Android Privacy / Security Checklist

  1. Nice collection! Some notes:

    instead of using GApps, one nowadays can use the open-source alternative microG. See: https://android.izzysoft.de/articles/named/android-without-google-5a – you’ve already mentioned GmsCore (note: GmsCore only for devices with no GApps at all, or there are conflicts. Counterpart for devices with GApps: UnifiedNLP (is already contained in GmsCore, so don’t install both at the same time ;)
    for F-Droid, there are some more repos available. I’ve tried for a mostly complete list, but surely didn’t find them all: https://android.izzysoft.de/articles/named/list-of-fdroid-repos
    “Play Store Fixes” unfortunately was not updated since 2014, and no longer works with recent GPlayApp versions :(
    Instead of using 2 apps (CardDAV Sync + CalDAV Sync) to sync apps & calendars, simply use DAVDroid to cover both. FOSS via F-Droid :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s