If you're that worried you should really switch to a degoogled Android like GrapheneOS. But fwiw I doubt google would know your Protonmail address just from logging in through the protonmail app
Privacy
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
Doesn't change anything. On GrapheneOS, you still need to install play services to get push services working on ProtonMail. Another privacy friendly email provider, Tutanota, they wrote their own push notification stuff to get it to work on degoogled phones specifically.
Wow I never ever even consider tutonota over proton, but this is the kind of stupid and simple thing that make so much difference in my book. I don't want to install Proton in my Google Profile.
Yeah they both have their pros and cons, personally I prefer Tutanota as a company. Their client is a bit rough, but they make is secure, private, foss, and degoogled as much as possible. They're also super cheap and I only pay like $12 a year for premium and two custom domains.
They sure will if you use gboard or any other keyboard they buy data from
I would think a big reason to use proton is to keep google (or another provider) from reading the contents of your email.
Why is keeping your ProtonMail email “hidden” important to you? Answering that will hopefully let us come to a better way of achieving the goal.
Also, anyone can figure out if you're using Proton by the email address or DNS on the domain name.
I dont think you can. As long as you use Android with GMS, Google will always know. Best is to get yourself a Pixel, immediately flash GrapheneOS, and use it.
Basically pointless to hide from Google on OEM android, but tutanota, Molly, and im sure other apps, will at least not send message contents as a notification.
What Android, LineageOS? Where are you logged in, a Browser or Apps?
Apps are shit, Androids sandboxing security model is hillarious as all preinstalled bloat has all permissions.
Even on LineageOS Google knows
- your IP from Connectivity check
- your IP from captive portal check
- your location and device data from SUPL / A-GPS
but if you are logges into any accounts in apps, no chance.
Simply use your google accounts through a seperate browser and never in "Apps". Best would be to use 'shelter' from F-Droid, create a work profile, install a VPN in either the work profile or your regular one, set it to always on -block other connections in your network settings.
your location and device data from SUPL / A-GPS
IIRC this is worse on Qualcomm devices, where I believe the GPS almanac data is requested over plain HTTP, by the SoC itself outside of the OS's control
Craaazy.
Manufacturer's version of Android. I've logged in the apps with multiple Google accounts.
While I could consider using my browser instead of apps for all google related services, I don't think outright removing the accounts from my phone since Google has mandated use of mobile verification (the one where they ask to choose the correct option from the three given number) and I don't want to provide them a phone number for SMS verification. I fear I would be locked out of my Google accounts if I don't have them signed in in my phone directly.
I tried checking Shelter, however it says it is best optimized for Pixel phones and grapheneOS (which I have neither of) and you already said sandboxing in Android sucks, thus it may not be beneficial to go through all that effort to setting up the separate profiles if it isn't even going to work well.
No shelter is not optimized anywhere. It runs on Android thats it. GrapheneOS is secure but they dont care about it at all, they think "oh I can use a USB stick to transfer files between profiles" is the definition of usable.
Get any LineageOS phone and you are way better off. No you wont use your Google account, maybe they force you to use a Chromium based browser, but logging into that crap is the beginning of the end.
Of course Google now knows all your device IDs so anonymous you will never get anymore.
Aurorastore with an own Google account works currently. Its always a fight of course. But I use GrapheneOS without these services and its fine.
Don't use your own account with aurora, you can get banned
Yup but burner accounts seem impossible currently. But good point, I will try to create a new one
Just install a vanilla android rom without* gapps. Best you can do is install microg variant roms, if you want gms.
Edit: typo*
Best he can do is install non microg roms completely removing google from his system, but microg is a nice compromise.
Eh i was saying without gapps. Will edit my typo
Nono you don't understand. Graphene OS comes default without any version of google play services, neither the original one or the microg alternative. You can enable sandboxed google play for compatability, here it is pure preference if you prefer sandboxed google play or microg. I am not sure what I prefer yet. So the most degoogled way is actually no google api calls at all. Which I do think might be available with microg by disabling it? I forgot.
I thought I read custom roms weren't possible anymore. Are there any good options for a s20+?
They are not really possible for galaxy devices due to the locked down bootloader
Pure misinformation there are roms available for popular Samsung phones. Samsung never locked bootloader of their devices.
You are indeed correct. Whoops.
I just said I agreed
Thaaaat must be what I read. What phones are people using for customs these days? I quite enjoyed tinkering with them.
Now about OSs.
Most privacy oriented mobile OSs are based on AOSP. Ubuntu touch may qualify as an option that is not, but due to it's lack of the added security layer that Android provides, I would strongly advise against it.
The "golden standard" for Security and Privacy on a smartphone is GrapheneOS. GrapheneOS has extensive hardening, uses their own servers for services that are usually provided by Google and if a vulnerability is detected they are the first to patch it. I remember reading Kuketz's security blog, where he contacted the Graphene devs about the fact that at system start, their OS, by default, asks Google servers for the time. He analyzed a few OSs and all had this issue iirc, but it took the team of Graphene mere hours to make the device call their own Server and roll out an Update. They regularly patch vulnerabilities before Google does. What's the catch? It currently is only developed for Google devices due to their superior security. This includes the tablet. While GrapheneOS has a lot of amazing stuff, my favorite is the fact, that by default, no app has any permissions and I have even finer control over those permissions than I have on stock Android. The big one here is internet access permission. I would play Graphene badly though by just leaving it at that, so I would advise you to check the feature page. Graphene will support a device, as long as it gets security updates by it's vendor and fulfills their device requirements. This includes new Android versions and is another reason why the Graphene team chooses Google devices, as these logically always have the newest version first.
CalyxOS is a rom often compared to GrapheneOS. I believe this could be, because Calyx and Graphene favour Google devices. Calyx however is nowhere near as secure and as hardened as Graphene, though it is hardened well. The people behind Calyx are incredibly good at networking and by default you get an incredibly fine tunable firewall. It is often used to block certain IPs, say a Google Server. Unlike Graphene, Calyx has support for Microg, which all of the following roms have. This is bad for security and good for usability. Choose your poison. Calyx is also more performant than Graphene, as it is not quite as hardened. Taking Kuketz's blog as an example again, the answer of the Calyx institute on the question about the Google server call for time was that it is "intended behaviour". While I don't doubt that it is, I do not like this at all, especially as this service is easily replacable without consequence. The Calyx institute has a very friendly community and is more than just the OS. They have other tools at their disposal, most of which focus on networking, including the free VPN, that is not a scam, but really slow. Calyx works on the Fairphone, Pixels and the Shift phone. Please do check out the feature page.
Lineage is a rom that was created out of the need to bring devices that have lost update support from their vendors back to life. As a result, it is neither specifically made for security or privacy nor should it really be used for other reasons than it's reason for creation. It is supported over a wide range of devices and as such does not support specific security features offered by the hardware. It is made to just work on everything.
DivestOS is one of the few mobile OSs that is not built on top of AOSP. It is only by extension, as it is built on top of LineageOS. It too has a wide range of supported devices. What sets it apart from LineageOS is that it has a lot of the hardening that Graphene has. It still has the issue of the widely treaded support, but it would be my second choice for security. The "team" of this project is only made up of one very knowledgeable guy though, so as always be careful. Divest also has incredibly useful resources on their website where they e.g. compare browsers in privacy and security in a concise manner. As Divest does not have a singular feature list, just look through their website to find out if it's a match.
iodé is an OS created in one of the nordic countries. I believe it was sweden? They have a giant, system wide ad and tracker blocker that is incredibly configurable. This approach is not very beneficial, as this is not privacy friendly but ad reducing. The issue is, that there is one point of defense. That is not enough. Calyx has something like this with its firewall on top of it's great hardening and google reduction. While iodé does reduce the use of proprietary apps, their goal was never to provide a private experience, but to provide an adless one.
/e/ os is weird. I like it, but it's weird. I will call it æ from now on as that is faster to type. Project æ, the project behind æ OS, has the right goal. They want you to have a google free experience. I believe the OS has some hardening. Not on the same level of Graphene, Calyx and Divest however, which themselves are on differing levels. With this OS, you get some benefits. Project æ has created an app store. Inside this app store are reviewed and approved apps, which they apparently did by hand. I have never had an æ os device, but I believe that in this app store proprietary software is also available. You get a similar rating to the software that F-Droid and Exodus provide, just done by humans, so they have given the apps points in different categories and explain why, which is indeed more advanced than the alternatives. æ OS also comes with a possible cloud subscription. I do not recommend this, as it just seems to be a Nextcloud reskin. Nextcloud does not have a good encryption method, as the key for decryption of the files that are encrypted at rest is saved in clear text. Murena, which I think is the same group behind æ also sells phones with æ OS preloaded. They have partnered with fairphone to make the newest Fairphones available at their shop. All of this capitalism is not important for you though, that's to keep the project going. æ OS supports a wide range of devices which, again, is not desirable for security purposes. Check it out here.
A note on Copperhead. The creator of CopperheadOS and the creator of GrapheneOS used to both develop for Copperhead. The current Copperhead owner has made bad choices back then, so the creator of GrapheneOS has split himself from the project and made his own. Do not trust Copperhead, it may still be recommended in some old post.
If you know german, please take a look at Kuketz's blog, where he currently is comparing these custom ROMs. I am not in any way affiliated with him.
Yes. To explain this further to you I will first define some jargon for you, as you seem to be new to this.
FOSS means "Free and Open Source Software". Here, free does not mean free as in beer, but means that the software is free to download, use, modify or study. This is different from just open source software, as this only means that the source code is publically available in some way.
Libre refers to the same concept as free, just in an edgy, viva la revolucìon, kind of way.
Privileged apps have a nasty amount of permissions and can access most of the device. They are always treated extra and are often the ones that get you.
Microg is an open source alternative for google services. It can directly replace them and only connects to the google servers when necessary for an app to function. This is also why Microg exists, as it keeps better compatability for apps, than just removing google services completely. It is not perfect though, so some apps might still not work. It can often times be completely disabled, so to have no Google API calls at all. The issue here is, that it is a priviledged App and can most times not be simply removed.
Sandboxed google play services are specific to GrapheneOS. Instead of using the rather incomplete and sometimes unstable Microg, they simply removed all privileges from Google services and made it an untrusted, sandboxed app, that may not even have internet access. This has the best "degoogled" implementation for compatability of apps using google services, but has obvious drawbacks of having closed source Google software on you device, though that device is the most secure device you will likely ever lay your hands on, so no biggie. GrapheneOS comes by default without any implementation or alternative of Google services, so it has incredible privacy with some incompatability issues, although if you use FOSS software, this should not really be an issue in the first place.
A proxy is essentially a server(1) you ask to ask another server(2) for some data. This way, the server(2) does not get your IP. It is different from a VPN you pay a subscription for, as not all your requests are run through a proxy. Only the specific app that uses the proxy will decide for which part of it's traffic it will use the proxy. There is also no fancy adblocking or other extra features like some VPNs provide.
F-Droid is an app store for FOSS apps. By default, it only lists the official F-Droid repository, which already has a bunch of good software. You can however add other repositories, as for example to add an app that is not quite FOSS, but still very private. The Proton E-mail client is an example, as it uses a singular proprietary library for popup notifications. IzzyOnDroid is a great example for a third party repository you can add for some more apps. Remember, the repositories can not hurt you, but the software you install from them may. Nothing is stopping anybody from distributing malicious software. Do not trust blindly.
Alternative front ends are nice if you want to access a service that has disadvantages you do not like. Libretube is a very nice Piped client. What does that mean? Well Piped acts as a middleman between Youtube (Google) and you, asking the Youtube Server for Videos, while your IP remains hidden. So, Libretube is basically a Youtube client with none of the tracking. Social media has frontends, but there are others. F-Droid has two popular front ends, Droidify and Neo Store. Why? Well, F-Droid is no bad guy. However, the app is rather old and developed for an old Android version. This is bad, as new Android patches and security updates may not hold. There are alternative front ends for a lot of stuff. There is this timetable client called Untis, which has an alternative frontend called BetterUntis lol. It's important to note though, that not every alternative frontend hides your IP by default. BetterUntis for example directly accesses Untis APIs from your phone. To hide your IP, use a VPN or configure the used app to use a proxy if the app provides an option for it.
The Aurora store is an alternative frontend for the google playstore, sharing a few google accounts between all of its users. You can also add your own account if you want, as the default accounts are often rate limited. Don't do that though.
The AOSP, or "Android Open Source Project" is exactly what it sounds like. It's simply supposed to make Android's code publically available.
Rooting is rather fun. As Android is based on Linux, Android inherits a lot from Linux. One such thing is the base of it's file system. The lowest path (imagine a folder) for Linux is called root. This makes sense, as it's the root of everything. When rooting a device, you kind of reenable the file system of the underlying Linux system that Android is built upon. Doing this used to be kewl, is rather problematic however, as this exposes the underlying system of Android, which creates a huge attack surface with a bunch of known vulnerabilities. It's kind of like stealing someone's belt, now everyone could pull down their pants.
The word ROM is a little falsely used sometimes. A ROM, or Read Only Memory, is a persistent data storage type that can not be written to, only read. Android OSs are often called ROMs. I don't actually know why, but it could be a decendant of video games, as those were often stored on ROM back in the day and maybe they still are, dunno. Android sort of runs on top of Linux, which feels similar to, say, a Nintendo game from a cartridge.
A bootloader is basically a small program that kickstarts the operating System (also called OS), a large and very complex program. For security purposes, most bootloaders are locked from the factory. This means, that you can't just change the program that is started when the device is booted without rooting the device. Some bootloaders are not unlockable however, so you would have to root the device to change the OS, which is insecure.
A secure execution environment is essentially a processer that has limited access to system resources and can thus improve security if properly used.
Google Pixels are very special devices. They are made by Google so you may think they are naturally bad for privacy. They are surprisingly not as intrusive as other devices. Take a Samsung device for example. The Galaxy has Android. Not AOSP, but Google's Android. They just take Google's Android that is meant to be installed on non Google devices and slap their own spyware on top of Google's spyware. So now, you are being spied on by an american monopoly as well as a korean monopoly. Yikes. Now, you want to install a custom rom anyways, right? So why care? I can just take any device, remove everything and use a custom rom. Well, most devices do not have good security in comparison to the Pixel, like the Fairphone. The Pixel has simply has good security. It's not all sunshine and roses though. You still support Google financially by buying a Pixel. In order to unlock a Pixel, you will also have to connect to the internet, send Google the phone's IMEI, which is unique and known by Google. So Google knows which devices have had an unlocked bootloader at least once and which didn't.
The Fairphone is my favorite. It is user serviceable, has pretty decent specs, and is supported by privacy respecting ROMs. It does not have a secure execution environment and generally has sub par security. It does not notify Google or Fairphone when unlocking the bootloader, this is, to my knowledge, Google specific.
The Shift phone is also very nice. It is very similar to the Fairphone, as it is user serviceable, has bad security, yet is just as free. It differs, in that it is not as easily repairable as the Fairphone. It is still extremely easy, but unlike the Shift, the Fairphone does not have weak little wires that can break. The Fairphone is literally just Lego at this point. The Shift phone however seems to be less talk than Fairphone, so if you want to be certain that what you pay for (in the case of these two, environmental friendliness) is achieved, the Shift has got you covered.
Hardening refers to the process of altering a piece of software in a way, that makes it more secure. It is also sometimes used to describe the process of making the software more private. This sounds very good and in theory it is. It does of course come with drawbacks. A hardened Linux kernel will bring the system to a crash on purpose, every time anything suspicious happens. That's kind of wrong, but for this example it's enough. This is incredibly secure, but brings along the con of having an artifically more unstable system than before. The biggest con of hardening is performance impact. You can often harden something to quite a high degree without performance degradation, but once you go the extra mile, things just slow down. GrapheneOS is hardened to the very most extreme. It is also a lot slower than most OSs.
I was out of town yesterday, but I just wanted to let you know that I read both of these. I do already know most of the basics, I use F-droid and have used custom Roms in the past, but I appreciate the OS breakdown you provided.
Thanks mate!
You should also realize graphene is only made for pixel devices. Because of verified vendor boot.
Why should I realise that and why does it matter?
Because op didn't mentioned he owns a pixel.
And yet he did not mention he does not own one. Am I supposed to withhold information because I'm not sure which information helps him? Am I supposed to play government?
I'm sorry, but I do not have the time, experience or knowledge to set up custom ROMs in my device at the moment.
Then it's literally impossible because you can't compleatly degoogle your phone without custom rom. Else they know which apps you have installed and for how long you use them and even have access to notifications.
you can degoogle without a custom rom
Then my friend you can't remove Google from your device. Only vanilla roms without any google shenanigans is your way to go.
login to your protonmail through tor browser and voilà… i would have wrote but you used the same login for your proton vpn
don't tell me that you're using GBoard 😬
[This comment has been deleted by an automated system]