This page looks best with JavaScript enabled

Securing an Android Phone or Tablet (Lineage OS)

 ·  ☕ 7 min read  ·  ✍️ anz007

Security & Privacy on Android

There is no use trying to secure Android if you are not running an up-to-date version of the Operating System. At its core, Android is another (highly specialized) Linux distribution.

Beyond that, it is important to take into account that:

  • Most Android apps distributed via Google Play and F-Droid repositories are collecting telemetry data, and some are straight-up malicious.
  • Your Wireless Service Provider is likely monitoring your every move to increase their profits by selling this information to advertisers.

Here are my Android security & privacy tips:

  • Stay informed by subscribing to Android Security Bulletins. Explore the Android Security Awesome list, the SecMobi Wiki, and the Mobile Security Wiki’s Best Practices
  • Enable Privacy guard to make sure you control what newly installed apps have access to, regardless of what permissions an Android App “requires”
  • You can opt not to install any App Store: Manually download the .apk, scan it online, then push it to your /sdcard using ADB for maximum control and privacy.
  • **Need the usability of Google Maps/Play Store? **Attach this to a new ‘Google Account’ and limit their tracking using their Privacy Check and delete recorded activity. Keep their Security settings enabled. **Browse **the web with Brave
  • Run F-Droid instead it has a large installable catalogue of free/open source Android apps. Keep “unknown sources” disabled if you are not using it.
  • To improve your privacy turn off Bluetooth, NFC and Location features. Don’t backup data to your Google or Dropbox accounts. Do not install Google Apps/Play Store (decreases usability!)
  • **Install as few apps as you need. **Take a moment to learn how to find an efficient and free Anti-malware solution for your Android device. Personally, I would never trust any banking apps
  • Encrypt your phone. Set a secure PIN or Password. Patterns and Biometrics are easier to bypass (or take by ‘legal’ force). Set up the SIM card lock
  • Disable Network notifications under your WiFi settings so you stay in control of what networks your device connects to. This prevents a few of the Man-in-the-Middle attacks possible.
  • Highly recommend unchecking “Make passwords visible” Capturing screen changes is easy and shoulder surfing is still effective over time
  • Enterprise System Administrators can connect users to an Exchange server and enable Remote Wipe, which erases everything but the data on the SD card. You can also enforce minimum password complexity
  • Maintain a cheap VPS with a privacy solution for your devices. Frequently updated projects are StreisandSovereign, and  Allowing you to tunnel your traffic beyond your Wireless Service Provider and across malicious WiFi networks.

Above all, keep your Android devices up to date!

Flashing Android

As long as you have a tested backup of all your contacts and photos, and you make sure your devices will not run out of power during the process — you will be able to recover from almost every other worst-case scenario.

The first step to “flashing” an updated Android distribution onto your phone’s chips is to do a modicum of research. Lucky for you, the community is very active, and many have written about their particular experience for your device.

I found my device in the LineageOS supported hardware list and took a minute to search for tips and tricks of fellow device owners before downloading the latest Build from the official website.

If your Android phone has never run a custom ROM, you will need to unlock your phone’s bootloader still. Anything stored on the mobile device will be erased.

Android Debug Bridge (ADB)

ADB is a development tool that allows your OS to talk to your Android device. Ensure you have the latest version of Android Debug Bridge set up on your preferred Operating System (OS).

Next, on your Android device:

  • Open Settings > About > Software Information > More > then tap 7x on Build number. You will get a notification upon success
  • Go back to Settings > Developer Options > check the box for USB debugging. You will have to accept a warning

After you plug in your Android phone into your computer, open up a terminal/command prompt and run:

adb devices

You will need to authorize your computer by selecting ‘Always allow’ on your Android phone. Running the previous command again will now give you a different output.

Unlocking the Bootloader

A bootloader acts kind of like the BIOS/UEFI for your Android device. Unlocking it gives you full control over the device, a feature every Android OS developer requires.

Since I can interact with my Android phone from my command line using ADB, I can reboot into fastboot mode by running:

adb reboot bootloader

You can observe your Android’s screen, and confirm success by running:

fastboot devices

If this returns any error, try running the command as root/Admin.

I can obtain an unlock key to unlock my bootloader by search in search engine.

If your device is not on the supported devices list, you can find refuge in KingoRoot or SunShine. __I prefer running binaries from “trusted” 3rd parties, always __proceed with caution.

Custom Recovery Firmware

The next step is to replace the stock recovery options with the latest Team Win Recovery Project (TWRP) firmware. You can install the official TWRP Android App later to receive updates!

I downloaded the latest TWRP version for my device using my browser. Because downloads can get corrupted it is important to verify the integrity of the .img file.

The project provides an MD5 checksum and GPG signature for each release:

cat twrp-3.1.0-0-m8.img.md5 && md5 twrp-3.1.0-0-m8.img

curl -O https://dl.twrp.me/public.asc

gpg --import public.asc

gpg --verify twrp-3.1.0-0-m8.img.asc twrp-3.1.0-0-m8.img

On MacOS, these commands confirm the checksum matches and a “Good signature from TeamWin.” I can now proceed to flash the recovery image onto my device:

fastboot flash recovery twrp-3.1.0-0-m8.img

I will need to reboot my device into recovery to verify the successful installation of TWRP.

  • Using the Volume Up/Down keys to navigate, and the Power button to select, Power down your device
  • Once powered down, hold the Volume Down and Power button until HBOOT appears on the screen, then release the buttons
  • Navigate to RECOVERY and select it using the Power button

This confirms I have replaced the stock recovery with TWRP 3.1. Swipe to confirm you want to grant TWRP the power to modify your device.

Upgrading to LineageOS

Insert a 1GB+ Micro SDCard and reboot into your stock Android OS one last time. Format it there for removable storage and make sure you have downloaded the LineageOS install .zip and any optional packages you require.

Verify the checksum before pushing the Zip file to the Android device:

md5 lineage-14*.zip

adb push lineage-14*.zip /sdcard/

adb push open_gapps*.zip /sdcard/

adb push addonsu*.zip /sdcard/

Reboot into TWRP recovery using the discussed key sequence or run:

adb reboot recovery

I cannot stress the importance of backing up your existing system and storing it long-term. It can be difficult to find the exact stock Android ROM that is compatible with your phone.

In TWRP recovery:

  • Select Backup > Select Storage > Micro SDCard > Select System/Boot partitions > then Swipe to Backup
  • If you have the space on your SDCard, you could backup the Data partition as well (selected by default)

Next, we will want to format several partitions:

  • Select Wipe > Advanced Wipe > Select Cache, System, Data partitions > then Swipe to Wipe

Finally, we can install each of the Zip files from the TWRP home screen:

  • Select Install
  • Navigate to /sdcard/
  • Click on the lineage-14*.zip package
  • Swipe to confirm Flash

Before you reboot, repeat this step if you want to install the Google Apps package. Note that this choice will improve the usability of your Android device but decreases your privacy.

I opted to “root” my device by installing the LineageOS ‘su’ package and install packages manually or via F-Droid instead. Rooting your device allows you to install packages like DNS66AdAway, and ProxyDroid.

  • Reboot your system

**LineageOS is now installed, and after a two-minute deployment, you will be prompted to set up your device. **Reward yourself by opening Settings and scrolling down to the About section.

Source: Medium

Share on