Mobian (Supported Devices) - A Debian derivative for mobile devices
Ubuntu-Touch (Supported Devices) - We are building privacy and freedom focussed mobile software
GraphenoOS (Supported Devices) - Security and privacy focused mobile OS
postmarketOS (Supported Devices) - A real Linux distribution for phones
CalyxOS (Supported Devices) - Private by Design
DivestOS (Supported Devices) - A mobile operating system divested from the norm
LineageOS (Supported Devices) - A free and open-source operating system for various devices
Project Elixir (Supported Devices) - Unleash Innovation
Replicant (Supported Devices) - A fully free Android distribution running on several devices
Kali Mobile (Supported Devices) - Kali NetHunter is a free & Open-source Mobile Penetration Testing Platform
PiPhone - A DIY cellphone based on Raspberry Pi
Crdroid - https://www.crdroid.net/
Paranoid Android - https://www.paranoidandroid.co/
ResurrectionRemix - https://www.github.com/ResurrectionRemix
OmniROM - https://www.omnirom.org/
Evolution-x - https://www.evolution-x.org/
Droidontime- https://www.droidontime.com/
Projectsakura - https://www.sourceforge.net/projects/projectsakura/
Corvus-os - https://www.sourceforge.net/projects/corvus-os/
Havoc-os - https://www.sourceforge.net/projects/havoc-os/
Revengeos - https://www.sourceforge.net/projects/revengeos/
Superioros - https://www.sourceforge.net/projects/superioros/
AospExtended - https://www.github.com/AospExtended
Arrowos - https://www.arrowos.net/
Blissroms - https://www.blissroms.com/
Derpfest - https://www.derpfest.org/
Syberiaos - https://www.syberiaos.com/
Dirtyunicorns - https://www.dirtyunicorns.com/
Aosip - http://aosip.weebly.com/
Xiaomifirmwareupdater - https://www.xiaomifirmwareupdater.com/miui/
A Faraday bag is a simple, portable enclosure that blocks electromagnetic fields, preventing electronic devices inside from sending or receiving signals. It's useful for protecting your devices from tracking, hacking, or unwanted communication. Below is a step-by-step guide to making your own Faraday bag.
- Aluminum foil (heavy-duty preferred)
- Alternative: Copper or nickel mesh, which offers enhanced shielding and durability.
- Alternative: Conductive metallic fabric or Faraday fabric for a more durable and flexible bag.
- Plastic Ziploc bag or other durable, sealable plastic bag
- Alternative: Mylar bag or any other airtight, non-conductive pouch for better sealing.
- Duct tape or conductive tape (for reinforcement and sealing edges)
- Alternative: Aluminum or copper tape for a more secure, conductive seal.
- Scissors (for cutting foil or fabric)
- Optional: Velcro strips or zip ties (for creating a reusable closure)
| Technology | Decentralization | Anonymity | Resilience | Accessibility | Speed | Challenges |
|---|---|---|---|---|---|---|
| GSM (Traditional Mobile Networks) | Low | Low | Low (easily surveilled, controlled) | High (widely accessible) | High | Susceptible to government surveillance and control, requires centralized infrastructure. |
| Private GSM Networks | Medium | Medium | Medium (localized, difficult to monitor) | Low (requires setup and maintenance) | High | Limited range, regulatory challenges, expensive setup. |
| Satellite Phones | Medium | Medium | Medium (can bypass local networks but still traceable) | Low (expensive, regulatory restrictions in some areas) | Medium | High cost, signal blockage issues, legal restrictions in certain countries. |
| LoRa Networks | High | Medium | High (independent of traditional infrastructure) | Low (requires specific hardware) | Low | Limited bandwidth, short range without mesh network, specialized hardware needed. |
| Mesh Networks | High | Medium | High (difficult to censor/control) | Low to Medium (dependent on community adoption) | Medium | Requires widespread adoption, potential for limited range without sufficient nodes. |
| Tor (The Onion Router) | High | High | Medium (can bypass censorship but still dependent on the Internet) | Medium (requires technical knowledge) | Low | Weak end point, slow speeds, requires Internet access, subject to state attempts at blocking. |
| Amateur Radio (Ham Radio) | High | Low to Medium | High (operates independently of state networks) | Low (requires license, specialized equipment) | Low to Medium | Requires technical knowledge, legal restrictions, potential for interference. |
Basic Tips and Recommendations:
- Keep your device's operating system and apps up to date to mitigate known vulnerabilities.
- Use full-disk encryption to protect data at rest. Both iOS and Android offer this feature.
- Enable a strong, alphanumeric password rather than a simple PIN or pattern.
- Consider using a secondary device for sensitive communication that you do not use for other activities.
- Be aware of the physical security of your device; if it's seized, immediate access may be possible despite software protections.
- Consider using encrypted messaging apps like Signal or Session, which offer end-to-end encryption.
- Use a VPN (Virtual Private Network) to obscure your online activities from ISPs and other intermediaries.
- Disable Wi-Fi, Bluetooth, and GPS when not in use to reduce tracking risks.
- Regularly check app permissions to ensure no unauthorized access to your location or microphe.
Cellebrite's UFED (Universal Forensic Extraction Device) is a powerful tool used by governments to extract data from mobile devices bypassing security features. Understanding the vulnerabilities it exploits can help in securing your devices against such intrusions.
• LockUp: A Repository on GitHub
Additional References:
- EFF - Why You Should Care About End-to-End Encryption
- Wired - Mobile Phone Privacy and Security Tips
- The Intercept - The Government's Unfettered Access to Communications
The GSM network is highly traceable, even a turned-off cell phone is no longer safe.
- Avoid Reusing SIM Cards or Devices:
- Tip: Always use a new SIM card and a new device for each communication session. This prevents the possibility of linking different activities together through the same hardware or SIM.
- Avoid Carrying Different Devices Together:
- Tip: Never carry your burner phone along with your primary phone or other devices. If you do, the devices can be correlated through proximity tracking or geolocation data.
- Avoid Creating Physical Associations Between Different Devices:
- Tip: Use different locations when using different devices. Do not use a burner phone in places you frequently visit or where your primary phone is usually active. This prevents linking the burner to your personal identity.
- Avoid Calling or Being Called by the Same Contacts on Different Devices:
- Tip: Make sure that your burner phone is used to contact individuals who do not have your primary phone number. This helps avoid linking different devices through shared contacts.
- Use Cash or Anonymous Payment Methods:
- Tip: Purchase burner phones and SIM cards with cash or through anonymous payment methods. Avoid using credit cards or any payment method that can be traced back to you.
- Buy Devices Far from Home:
- Tip: Purchase your burner phone and SIM card from locations far from where you live or frequently visit. Avoid places with surveillance cameras that could capture your purchase.
- Disable GPS and Location Services:
- Tip: Turn off all location services, GPS, and Wi-Fi on the burner phone to reduce the risk of location tracking. If possible, disable or remove the GPS hardware entirely.
- Avoid Storing Personal Information:
- Tip: Do not store any personal information, contacts, or messages on the burner phone. Use it strictly for the intended temporary purpose and dispose of it afterward.
- Use Encrypted Communication Apps:
- Tip: When communicating through a burner phone, use encrypted messaging apps like Signal, Session, SimpleX, or Telegram. Be cautious as some apps may still leak metadata.
- Be Aware of IMSI Catchers:
- Tip: Avoid areas known to have heavy surveillance or where IMSI catchers (devices that mimic cell towers to intercept communications) might be deployed. These can be used to track and intercept burner phone communications.
- Practice Good Operational Security (OpSec):
- Tip: Develop and maintain strict OpSec habits, such as only turning on the burner phone when necessary, and never using it at home or work. Dispose of the phone after use in a secure manner, such as by dismantling and destroying it.
- Remove or Disable Microphones and Cameras:
- Tip: Consider physically removing or disabling the phone’s microphones and cameras to prevent audio and video surveillance. Many phones have multiple microphones, often one near the speaker and one near the bottom of the device. These components can be removed or disabled, but doing so may affect the phone's functionality.
- Dispose of the Phone Securely:
- Tip: After the phone has served its purpose, dispose of it in a way that ensures it cannot be traced back to you. This may involve physically destroying the device or disposing of it in a location far from where you live or work.
Additional References:
- The Complete Guide to Burner Phones by Wired
- Operational Security for Activists by EFF
- Whonix - Anonymize Other Operating Systems
- IMSI Catchers and How They Work by Privacy International
- Schneier on Security - Burner Phones
Cryptophones are specialized mobile devices designed to provide secure communication through encryption. One notable example is the Encrochat case, where criminals used highly encrypted phones.
https://www.vice.com/en/tag/encrypted-phones/
Tips and Recommendations:
- Choose cryptophones that have been vetted by reputable cybersecurity experts for potential backdoors or vulnerabilities.
- Be cautious of the supply chain when purchasing a cryptophone; only buy from trusted vendors.
- Regularly update the cryptophone's software to protect against newly discovered vulnerabilities.
- Consider using separate devices for sensitive communication and daily tasks to minimize exposure.
- Always assume that encrypted communication could eventually be decrypted, so limit the sharing of highly sensitive information.
References:
- Encrochat Case - Criminals Building Their Own Communication System
- Vice - Encrochat Hack and Police Arrests
- Forbes - Encrochat Hack Shows Police Reach into the Criminal Web
- Schneier on Security - UFED Phone Hack
- Kaspersky - Forensics and Bypassing Device Encryption
- Citizen Lab - The Theft of Encrypted Smartphones via Government Hacking
• XDA Forums - https://xdaforums.com
• Magisk - https://github.com/topjohnwu/Magisk
• TWRP - https://twrp.me
• Android Debloater - https://github.com/0x192/universal-android-debloater
• RootzWiki Forums - https://rootzwiki.com/index
• Android Central - https://forums.androidcentral.com/
• Android Forums - https://androidforums.com/
• PHONEDB - https://phonedb.net/index.php?m=repository&list=rom_update
• TheUnlockr - https://theunlockr.com/roms/android-roms/
• SamMobile - https://sammobile.com/
• r/androidroot - https://reddit.com/r/androidroot
• F-droid - https://f-droid.org
• IzzyOnDroid - https://apt.izzysoft.de/fdroid
• DivestOS - https://divestos.org
• Aurora Store - https://auroraoss.com
*Note: https://privacyguides.org/en/android/#f-droid
For intermediate security, it's no military-grade security.
• Shelter - https://gitea.angry.im/PeterCxy/Shelter#shelter• Insular - https://secure-system.gitlab.io/Insular
• Wasted - https://f-droid.org/en/packages/me.lucky.wasted
• Ripple - https://github.com/guardianproject/ripple
• Find My Device (FMD) - https://f-droid.org/en/packages/de.nulide.findmydevice
• Extirpater - https://f-droid.org/en/packages/us.spotco.extirpater
• RandomFileMaker - https://f-droid.org/en/packages/io.github.randomfilemaker
• WipeFiles - https://github.com/peterhearty/WipeFiles
• Exodus - https://github.com/Exodus-Privacy/exodus-android-app
• Rethink-app - https://github.com/celzero/rethink-app
• KeePassDX - https://github.com/Kunzisoft/KeePassDX
• Aegis - https://github.com/beemdevelopment/Aegis
• Authenticator Pro - https://github.com/jamie-mh/AuthenticatorPro
• Yubico - https://github.com/Yubico/yubioath-flutter
• Encrypt your Android phone - http://howtogeek.com/141953/how-to-encrypt-your-android-phone-and-why-you-might-want-to
• Cryptomator - https://f-droid.org/en/packages/org.cryptomator.lite
• Cryptonite (TrueCrypt) - https://code.google.com/p/cryptonite/
• OpenKeychain (OpenPGP) - https://f-droid.org/en/packages/org.sufficientlysecure.keychain/
• EDS Lite - https://f-droid.org/packages/com.sovworks.edslite
• Hash Checker - https://github.com/hash-checker/hash-checker
• Hash Easily - https://github.com/seoulcodingcafe/HashEasily
• InviZible - https://github.com/Gedsh/InviZible
• Orbot - https://github.com/guardianproject/orbot
• Florisboard (Beta) - https://github.com/florisboard/florisboard
• AnySoftKeyboard - https://anysoftkeyboard.github.io
• HackersKeyboard - https://github.com/klausw/hackerskeyboard
• EtchDroid - https://github.com/EtchDroid/EtchDroid
• Android Faker - https://github.com/Android1500/AndroidFaker
• Free implementation of Play Services - https://github.com/microg/GmsCore
• Phones Ref.- https://gsmarena.com
• Phones Ref.- https://phonescoop.com
• https://github.com/botherder/androidqf
• Anonymous Chat, IRC, XMPP in Whonix.
https://whonix.org/wiki/Chat
• XMPP vs Matrix vs MQTT
https://rst.software/blog/xmpp-vs-matrix-vs-mqtt-which-instant-messaging-protocol-is-best-for-your-chat-application
• https://github.com/matrix-org
• https://en.wikipedia.org/wiki/Matrix_(protocol)
• https://reddit.com/r/Mastodon/comments/mzubbb/mastodon_vs_matrix
• https://xmpp.org/software/?platform=linux
• https://xmpp.org/software/gajim/
• https://github.com/profanity-im/profanity
• https://github.com/zom/zom-android
• http://conversations.im
• https://github.com/psi-im/psi
• https://github.com/dino/dino
• https://github.com/nioc/xmpp-web
• https://github.com/simplex-chat/simplex-chat
• https://github.com/oxen-io/session-desktop
• https://github.com/oxen-io/session-android
• https://github.com/GNU-Linux-libre/Awesome-Session-Group-List
• https://arxiv.org/pdf/2002.04609.pdf
• https://signal.org/android/apk/
• https://github.com/signalapp
• https://community.signalusers.org/t/overview-of-third-party-security-audits/13243
• Signal Did NOT Get Hacked - https://youtube.com/watch?v=QEq2JQ6nzuQ
https://github.com/prof7bit/TorChat/wiki
https://whonix.org/wiki/HexChat
https://chatsecure.org
https://code.briarproject.org/briar/briar
https://jitsi.org - (Windows, OSX, Linux): open source software for encrypted video, audio calls
• MySudo - https://mysudo.com
• SilentLink - Instant eSIM - https://silent.link
• Textverified - https://textverified.com
Telegram
https://whonix.org/wiki/Telegram
"Beware of impersonators (carefully check out Telegram bio as the scammer may insert any nickname to his bio and leave his own nickname blank), fake notifications about logging into Telegram (check out them carefully, they should come into the official telegram news & tips channel) with a phishing link, fake bots (yep, bots - not user accounts - may DM first) and so on."
"NONE of the telegram chats are E2E encrypted not 1:1, not groups - only TLS. Only the secret chat one iirc!"
-
Phone Number → Who can see my phone number — Nobody.
-
Data and Storage → Auto Download Media → Toggle off
-
Phone Number → Who can find me by my number — My Contacts.
-
Last Seen & Online → Who can see my timestamp — Nobody.
-
Profile photo → Who can see my profile photo — My Contacts.
-
Calls → Who can call me — My Contacts (or Nobody, if you prefer).
-
Calls→ Peer-to-peer — My contacts (or Nobody, if you prefer not to share your IP address with chat partners).
-
When you start the call, you will see four emojis at the top right corner - ask the person you are calling to name them and compare them to yours (they should be the same as yours). This is protection from MitM.
-
Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts.
-
Never add contacts to Telegram (if there are any - erase them), and always use VPN.
-
Groups & Channels → Who can add me — My Contacts.
-
Set up a 2FA (cloud password)!
-
Disable sticker loop animation! Animated Stickers = danger.
-
Disable auto-downloading (both wi-fi and cellular): Privacy & Security → Data Settings !
-
Disable P2P calls for everyone as it may expose your IP! Same with secret chats! End-to-End encryption means thats your IP will become known the person you’re chatting with. And vice versa.
-
Disable link & image previews in secret chats, scroll down in a Privacy and Security section!
-
Never activate (via /start) any telegram bot! Do not even touch telegram bots (only public chat bots are considered safe, you can operate them in a public chat via commands), never DM a Telegram bot! (any button can contain a SQLi vulnerability or even worse)!
-
If you have to open PDF (CV for example), use dangerzone.rocks or google drive preview regime (ask to upload)!
-
Watch out active session! Terminate inactive sessions! Watch out session stealers!
-
If you receive a message about logging into your account - check that it is on a legitimate telegram notification & news channel. Scammers can impersonate this notification channel to force you to give them the OTR code from the SMS.
Discord
-
Use a randomly generated password. Grab a password generator like BitWarden and use it to generate and store your passwords. It’s 2021. You can’t afford to use lame passwords stored in .txt files on your computer, especially when your crypto is at risk. Be smart and sleep better at night.
-
Turn on two-factor authentication (2FA) in Discord. You can find this setting in User Settings on Discord. Discord allows you to use Aegis, Authy (disable multi-device for a better OpSec) or other methods.
-
Configure privacy settings, which you can find in Privacy & Safety under User Settings. Choose whether you want to allow direct messages from server members or not. It’s up to you. Note, however, that if you have DMs turned off, then if you join a server with a Captcha or Verification bot that authenticates you via DM, you may not be able to use it. Check the server information to see if open DMs are required for that server.
-
In Privacy & Safety, select who can add you as a friend. If you’re extra paranoid, you can prevent anyone from adding you as a friend, or you can allow it just for members of the same server.
-
Run a VPN! Or rent a VPS and bootstrap an open-source VPN server!
• Simple Dialer - A handy phone call manager with phonebook, number blocking and multi-SIM support.
• Simple Contacts - A premium app for contact management with no ads, supports groups and favorites.
• Simple Calculator - A calculator for your quick calculations.
• Simple Calendar - Be notified of the important moments in your life.
• Simple Clock - A combination of a clock, alarm, stopwatch and timer.
• Amaze File Manager -
• Material Files -
• Ghost Commander -
• Firefox Focus - https://mozilla.org/en-US/firefox/browsers/mobile/focus/
• Firefox - https://play.google.com/store/apps/details?id=org.mozilla.firefox&hl=en_US&gl=US
• Bromite - https://bromite.org
• Ungoogled Chromium Android -https://uc.droidware.info
*Interesting - https://f-droid.org/pt_BR/packages/de.marmaro.krt.ffupdater/
• Neo-Launcher - https://github.com/NeoApplications/Neo-Launcher
• Lawnchair 2 - https://lawnchair.app
Continuation of Lawnchair 1; Pixel features; fork of Launcher3.
• Lawndesk - https://github.com/renzhn/Lawndesk
Fork of Lawnchair V2; app-drawer-free launcher.
• Librechair - Degoogled; fork of Lawnchair V2 & Launcher3.
• LawnChair 12 - https://github.com/LawnchairLauncher/lawnchair/releases
Contininuation of LawnChair V2 with support for QuickSwitch and more. Includes a nice simple design that mimics the design of Google's Pixel launcher. Also includes in app Monet'like theming with themed icons(optional with a separate package called LawnIcons) and wallpaper based theming.
• K-9 Mail - https://k9mail.app
• StreetComplete - https://f-droid.org/en/packages/de.westnordost.streetcomplete/
• OsmAnd - https://osmand.net
• Open Camera - https://opencamera.sourceforge.io
• Simple Camera - https://f-droid.org/en/packages/com.simplemobiletools.camera
• NewPipe - Lightweight Google-free YouTube client.
• LibreTube - An alternative YouTube front end, for Android.
• mpv - https://mpv.io
• VLC - https://videolan.org
• Collabora Office - https://collaboraoffice.com/release-news/collabora-office-android-beta
• CryptPad - Alternative to Google Docs
• Blokada - Ad blocker for Android using the VPN API.
• DNSfilter - Ad blocker for Android using a VPN, supports hosts files.
• DNS66 - DNS66 blocks advertisements on Android by intercepting DNS requests using Android's VPN layer and blocking requests for blacklisted hosts.
• NetGuard - NetGuard provides simple and advanced ways to block access to the internet - no root required.
• RethinkDNS + Firewall - DNS over HTTPS / DNS over Tor / DNSCrypt client, firewall, and connection tracker for Android.
• https://joinmastodon.org
• https://github.com/mastodon/mastodon
• https://en.wikipedia.org/wiki/Mastodon_(social_network)
• Mastodon - https://mastodon.social
• Nitter - Alternative to Twitter
• Diaspora - Alternative to Facebook
• Nostr - https://nostr.com
• Lemmy - https://join-lemmy.org
• Kbin -
• Saidit.net -
• https://forum.f-droid.org
• https://xdaforums.com/c/general-discussion.240/
• https://xdaforums.com/search/?q=
• https://reddit.com/r/privacy
• https://reddit.com/r/PrivacyGuides
• https://fossphones.com/os.html
• https://support.apple.com/en-us/HT212650
• 2FA - https://2fa.directory
• https://www.rtl-sdr.com
• https://android.gadgethacks.com
• https://www.gadgethacks.com/collection/tweaks-hacks/
• https://www.ifixit.com/Teardown
• https://github.com/waydroid/waydroid
• https://mcc-mnc.com
• https://www.i-digital-m.com
• https://www.t-mobile.com
• https://community.t-mobile.com