Phone

I haven’t owned a computer in ages but used ThinkPads (followed Luke Smith). Now I use old Google Pixel models, flashing LineageOS and Magisk. They’re easy to flash ROMs on and list for cheap on eBay—around $50. Personally I use a Pixel 2. Use a good case and screen protector (privacy one if you can find it). Wrapping the phone in tinfoil—at least 3 layers—blocks most radio signals. Putting it in a ziplock bag helps keep moisture away.

General advice: block mic and camera when not being used, and do the same for mobile data, Wi-Fi, Bluetooth, GPS &c., disable internet GPS, USB debugging, &c.; set a lockscreen password/pin of 8-12 (more is better) letters/numbers, don’t use a pattern lock; disable all non-4G/LTE connections (2G, 3G, 5G) by dialing *#*#4636#*#* and selecting 4G/LTE only for network.

Old ThinkPads don’t have Intel’s Management Engine, or if present could be flashed over with Libreboot. On phones, the SIM card is something of an analogous backdoor, so avoid using one. Just use a burner instead. Pixels isolate the phone’s baseband, but I’m unsure which models began to do so. Keep the device on airplane mode.

A very insignificant thing but, to disable the rotation pop-up, run via ADB or as root: settings put secure show_rotation_suggestions 0

Android ROMs/Root

LineageOS is as close to pure, vanilla Android as I think is feasible—but there is still some bloat, namely the cellular provider system apps, as Divested Dev demonstrated. Its support of older devices is why I like it, as I always favor older (cheaper priced) hardware. Most contemporary machines are overkill for basic tasks but seemingly necessitated by poorly coded software. We want to minimize our attack surface for optimal performance, best security, and maximum privacy.

Root with Magisk to de-bloat and otherwise harden the system. Keep your attack surface minimal: have few apps installed. De-bloat system apps by making a Magisk module which overlays a blank file (or directory) over the system app’s APK. The Magisk overlay documentation should tell you everything you need to know. Run cmd package path followed by the package name to see where its APK is located. If the device bootloops, try going into safe mode by pressing volume-down while booting (Pixels only, it seems). That should disable all modules when you boot after that. Universal Android Debloater has some information on what the different system apps are and how safe each is to de-bloat.
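
As an added example, not from the original post or from Magisk itself, these shell functions build such a module from the output of cmd package path, using Magisk's .replace marker to swap each app's directory for an empty one. The module id debloat_example and the package name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: generate a Magisk module folder that overlays empty
# directories over system apps. Hypothetical usage, run as root in Termux:
#   cmd package path com.example.bloat | build_module ./debloat_example

# overlay_dir APK_PATH
# Prints the module-relative directory that must carry a ".replace" marker.
# Accepts raw paths or "package:/path/to.apk" lines from cmd package path.
overlay_dir() {
    path=${1#package:}
    dir=$(dirname "$path")
    parent=$(basename "$(dirname "$dir")")
    # Only replace a per-app folder (…/app/Name or …/priv-app/Name).
    # An APK sitting directly in /system/app would otherwise make us
    # blank the whole app directory and bootloop the device.
    case "$parent" in
        app|priv-app) ;;
        *) return 1 ;;
    esac
    case "$dir" in
        /system/*) printf '%s\n' "${dir#/}" ;;
        # Magisk expects these partitions under system/ inside the module.
        /product/*|/vendor/*|/system_ext/*) printf 'system%s\n' "$dir" ;;
        *) return 1 ;;   # user apps in /data are not overlay targets
    esac
}

# build_module MODULE_DIR
# Reads APK paths on stdin and writes module.prop plus the overlay tree.
build_module() {
    mod=$1
    mkdir -p "$mod" || return 1
    printf '%s\n' \
        'id=debloat_example' \
        'name=Debloat example' \
        'version=v1' \
        'versionCode=1' \
        'author=example' \
        'description=Replaces listed system app folders with empty ones' \
        > "$mod/module.prop"
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if rel=$(overlay_dir "$line"); then
            mkdir -p "$mod/$rel" && : > "$mod/$rel/.replace"
        else
            echo "skipped (not a per-app system folder): $line" >&2
        fi
    done
    return 0
}
```

Copy the generated folder to /data/adb/modules/debloat_example as root and reboot; deleting that folder and rebooting restores the apps.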

There’s no need for large apps when small scripts can accomplish the same tasks. That said, De-Bloater is an app to de-bloat with.

For network monitoring use nethogs in a terminal (requires root). PCAPdroid is an app which does the same by acting as a VPN, without root, but still has root capabilities.

To make backups, in Termux run:

tar -c /path/to/files | gpg -r your@email -e > path/to/file.tar.gpg

How to make a GPG key.

General Apps

Instead of using KeePassDX, LibreTorrent, Read You, YTDLnis, &c, use command line programs in Termux. Although, if you can’t (or plain won’t) use the command line, then those can be useful alternatives.

Pacman (the package manager) is installable in Termux. Also install termux-api so programs can read and set the clipboard.

Remember to configure apps to use Tor as the proxy (socks5://localhost:9050).

Fossify has other apps for phone calling, texting, contacts, alarm clock, &c.

If you must use a proprietary app, then quarantine it with Shelter.

Network

Disable captive portal pings to Google by running via ADB or as root:

settings put global captive_portal_mode 0
settings put global captive_portal_use_https 0
settings put global captive_portal_http_url about:blank
settings put global captive_portal_https_url about:blank
settings put global captive_portal_fallback_url about:blank
settings put global captive_portal_other_fallback_urls about:blank

For NTP:

settings put global ntp_server pool.ntp.org # or `about:blank` to disable

NTP Pool Project.

If all your internet traffic is going through Tor, then the DNS should be resolved at the exit node. This includes apps connecting through Orbot as a VPN. So don’t set a system private DNS unless you’re not using Tor. That said, use Mullvad (🧅 Tor).
