Harden Your Cell Phone

Introduction

Goals:

Google Pixel Phone

One goal of this article is to run GrapheneOS. The phones supported by GrapheneOS Releases are currently limited to Google Pixel devices.

Pick the newest Google Pixel Phone that is on the list of GrapheneOS supported devices and is in your price range.

GrapheneOS

GrapheneOS is a privacy and security focused mobile OS based on the Android Open Source Project (AOSP). GrapheneOS currently only supports Google Pixel devices, so this article assumes that you have a supported Google Pixel phone.

Follow the GrapheneOS Install Instructions. This article does not cover the OS installation procedure. After you complete the GrapheneOS install, return to this article for information and recommendations on app stores, specific applications, and configuration settings.

App Stores

This section covers app store options within GrapheneOS and their preferred order for obtaining apps.

GrapheneOS App Store

The GrapheneOS App Store is extremely limited and only contains GrapheneOS maintained apps (Camera, Messaging, PDF Viewer, Vanadium, …); Accrescent (a private and secure Android app store); and several core Android apps from Google for users that want to install them in a sandbox (Google Play Store, Google Play services, Android Auto, Markup).

Install:

Do NOT install the Google Play Store, Google Play services, or the other Google apps unless absolutely necessary for your use case.

Accrescent

Accrescent is an Android app store focused on security, privacy, and usability. Accrescent is still in alpha, and doesn’t contain many apps. However, it is implicitly recommended by GrapheneOS via their app store, and it is a convenient way to install and update several apps.

Install:

As more apps are added, prefer installing apps via Accrescent instead of the following methods.

Obtainium

The Obtainium website, wiki, and GitHub repository cover how to use the Obtainium app to install, update, and receive release notifications for other Android apps directly from their respective release pages on GitHub, GitLab, and other sources.

Install Obtainium directly from the project’s GitHub Releases page. Since this article assumes a newer Google Pixel device and avoids F-Droid packages, you want the app-arm64-v8a-release.apk.
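A check worth running before sideloading an APK downloaded from a release page, shown here as an added example rather than anything from the Obtainium or GrapheneOS projects: compare the APK's signing-certificate SHA-256 digest with a fingerprint you obtained separately from the developer. It assumes `apksigner` from the Android SDK build-tools is on your PATH; the function names and the sample digest are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin an APK's signing certificate before installing it.
# The expected fingerprint must come from the developer via a separate
# channel; this page does not provide one, so the value below is a
# constructed placeholder, not a real certificate digest.

# Normalise a fingerprint: drop colons and whitespace, lowercase hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Read `apksigner verify --print-certs` output on stdin and print the
# SHA-256 digest of every signer certificate, one per line.
signer_digests() {
    sed -n 's/^Signer #[0-9][0-9]* certificate SHA-256 digest: *//p'
}

# check_signer EXPECTED_FP   (apksigner output on stdin)
# Returns 0 on a match, 1 on a mismatch, and 2 when the APK does not
# have exactly one signer (unsigned, or multiple signers to review by hand).
check_signer() {
    expected=$(normalize_fp "$1")
    digests=$(signer_digests)
    count=$(printf '%s\n' "$digests" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2
    [ "$(normalize_fp "$digests")" = "$expected" ]
}

# verify_apk APK_PATH EXPECTED_FP
# Runs apksigner (which also validates the signature itself) and then
# applies the pin check to its output.
verify_apk() {
    out=$(apksigner verify --print-certs "$1") || return 1
    printf '%s\n' "$out" | check_signer "$2"
}

# Constructed sample of apksigner output, used to exercise check_signer offline.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Developer
Signer #1 certificate SHA-256 digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Signer #1 certificate SHA-1 digest: 00112233445566778899aabbccddeeff00112233'
```

Run it as `verify_apk app-arm64-v8a-release.apk "<fingerprint from the developer>"` and install only if it returns 0. Android enforces the same certificate on later updates, so the first install is the one that needs this check.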

Once Obtainium is installed and granted permission to install apps, you can Add App and either directly enter an app source URL, search various sources for the app, or use the link at the bottom of the panel to search supported crowdsourced app configurations. The following list will either specify searching the crowdsourced configurations or will provide a direct repository URL to enter into Obtainium.

Install:

Google Play Store

Some apps are only available from the Google Play Store.

Use Aurora to install:

F-Droid

The PrivSec article on F-Droid Security Issues and the Privacy Guides article on Obtaining Android Apps describe multiple problems with the F-Droid app store.

This article avoids using the F-Droid app store in any way.

Configuration

System Text-to-Speech

Text-to-Speech (TTS) support is required for turn-by-turn voice instructions in GPS navigation apps.

The following steps will temporarily grant the Google TTS app network permissions, download the data files for your selected voices, reduce the number of cases where the app will try to phone home, and then revoke the network (and all other) permissions. Once complete, you will have an offline TTS app that is unable to phone home.

Once the system is configured for Text-to-Speech (TTS), the GPS navigation apps must be configured to use the system’s TTS features.

Configure Organic Maps

Configure CoPilot GPS

Applications

Password Manager

OpenPGP

Online Communication

Virtual Private Network (VPN)

Signal Private Messenger

Proton Suite

https://protonapps.com/

https://protonmail.com/download/CalendarAndroid/ProtonCalendar-Android.apk

https://proton.me/download/DriveAndroid/ProtonDrive-Android.apk

Email

It looks like K-9 Mail is half-way through re-branding as Thunderbird for Android.

Web Browser

YouTube

In addition to the privacy concerns with Google’s official YouTube app, the app has become unusable because of multiple pre-video, mid-video, and post-video ads.

NewPipe is a lightweight, open source, privacy friendly application for playing YouTube videos.

Offline Communication

Meshtastic

Meshtastic is an open source project that uses affordable, low-power, LoRa radio devices to build off-grid, decentralized, mesh networks.

Automatic Packet Reporting System (APRS)

Offline Navigation

Text-to-Speech

A text-to-speech (TTS) service is required for GPS navigation apps to provide turn-by-turn voice directions. GrapheneOS does not yet include a text-to-speech (TTS) service.

While eSpeak NG is usable, and one of the better open source options, it still sounds like a 1980s Speak and Spell and is hard to understand if there is any significant road noise.

Google’s Speech Recognition and Synthesis package that ships with regular Android is unfortunately the best option for better sounding TTS in GrapheneOS at this time. This Google app does not depend on Google Play Services being present, and after initial configuration, all of its app permissions can be revoked to prevent it from sending out any data.

CoPilot GPS

Organic Maps

Organic Maps is a privacy-focused offline map and GPS app that uses OpenStreetMap data.

TAK

The United States Government (USG) developed the Tactical Assault Kit (TAK). When they made a version available to civilians, the civilian name was changed to the Team Awareness Kit (TAK).

Unfortunately, due to Apple App Store requirements, plugins are not supported in iTAK.