The Hated One

How I anonymized my phone [Work in progress]

Intro

Molina’s arrest

This is Jorge Molina. On December 13, 2018, Molina was arrested as a murder suspect by Avondale police. His phone location data and footage of a white Honda he owned confirmed his presence at the crime scene at the time of the murder.

Molina was held in jail for six days, during which time the police sent a press release to dozens of media outlets with his mugshot and name.

Molina’s reputation was ruined. He lost his job and his college program, and his car was repossessed. He couldn’t pass a background check for new employment because a quick Google search for his name would immediately show him as a prime murder suspect.

Molina’s innocence

But Molina was innocent. The location data of his phone were provided to the police by Google. At the time of the murder, Google’s data indeed showed that a device logged into Molina’s account was at the scene. It also showed the user of Molina’s Google account had searched for “shooting in Avondale” the night of the murder.

But Jorge Molina wasn’t the only person using his Google account. The other person was his stepfather, Marcos Cruz Gaeta, a person with a criminal history and a previous arrest for driving Molina’s white Honda without a license. The investigation later revealed that Gaeta was logged into Molina’s Google account the night of the murder.

Molina was able to prove his innocence. And one year later, he sued the local police and the city for defamation, gross negligence and intentional infliction of emotional distress. https://www.phoenixnewtimes.com/news/google-geofence-location-data-avondale-wrongful-arrest-molina-gaeta-11426374

https://www.abc15.com/news/region-west-valley/avondale/valley-man-suing-avondale-police-for-false-arrest

Trust issues

The story of Jorge Molina reaffirmed a position I have held since the Snowden leaks. https://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data

https://www.theguardian.com/world/2013/jun/08/nsa-boundless-informant-global-datamining

https://www.washingtonpost.com/world/national-security/nsa-tracking-cellphone-locations-worldwide-snowden-documents-show/2013/12/04/5492873a-5cf2-11e3-bc56-c6ca94801fac_story.html

That I can’t trust anyone with my data. That even if I’m innocent, my digital footprint can and will be used to destroy my life, family or career. And that’s why I decided that I am never going to willingly give up my data to anyone. I decided I was going to anonymize the most sensitive device I own – my phone. And I am going to show you how I did it.

Geofencing

The location data Avondale police obtained from Google were part of a so-called geofencing search warrant. It is a reverse location search tool that casts a digital dragnet over a specific area in a specific time frame. Instead of targeting an individual, a geofence warrant collects information on every single device in that area for which the company served with the warrant holds data. A single warrant can yield results on hundreds of devices at a time. https://www.wired.com/story/geofence-warrants-google/
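The dragnet described above, as an added example that is not part of the original post: a small Python model of a geofence query run over constructed location records. The records are keyed on the signed-in account rather than on the handset, which is why two phones signed into one account (as in Molina’s case) collapse into a single “hit”; all account ids, device ids and coordinates are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import radians, sin, cos, asin, sqrt


@dataclass(frozen=True)
class LocationRecord:
    """One location-history fix as a provider might store it (constructed schema)."""
    account: str      # who was signed in (hypothetical account id)
    device: str       # handset that reported the fix (hypothetical device id)
    lat: float
    lon: float
    ts: datetime


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6_371_000.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def geofence_query(records, center_lat, center_lon, radius_m, start, end):
    """Step one of a geofence request: every account with at least one fix
    inside the circle during the time window. Returns {account: {devices}}
    so the caller can see how many handsets sit behind each 'hit'."""
    hits = {}
    for r in records:
        if not (start <= r.ts <= end):
            continue
        if haversine_m(r.lat, r.lon, center_lat, center_lon) > radius_m:
            continue
        hits.setdefault(r.account, set()).add(r.device)
    return hits


# Constructed sample data around a hypothetical scene; coordinates are made up.
T0 = datetime(2018, 12, 13, 22, 0, tzinfo=timezone.utc)
SAMPLE = [
    LocationRecord("acct_A", "phone-1", 33.4355, -112.3496, T0 + timedelta(minutes=5)),   # inside, in window
    LocationRecord("acct_A", "phone-2", 33.4356, -112.3497, T0 + timedelta(minutes=7)),   # same account, 2nd handset
    LocationRecord("acct_B", "phone-3", 33.4360, -112.3500, T0 + timedelta(minutes=12)),  # inside, in window
    LocationRecord("acct_C", "phone-4", 33.4500, -112.3500, T0 + timedelta(minutes=10)),  # ~1.6 km away: outside
    LocationRecord("acct_D", "phone-5", 33.4355, -112.3496, T0 + timedelta(hours=3)),     # inside, but out of window
]


def run_sample():
    """150 m circle, 30 minute window: acct_A shows up once but hides two handsets."""
    return geofence_query(SAMPLE, 33.4355, -112.3496, 150.0, T0, T0 + timedelta(minutes=30))
```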

Warranting warrantless surveillance

Google isn’t the only company that is issued these warrants. If Molina had an iPhone, the story would have been the same. Apple, Uber, Lyft and social media companies have all been subject to the same geofence requests from law enforcement. https://www.fastcompany.com/90452990/this-unsettling-practice-turns-your-phone-into-a-tracking-device-for-the-government

The popularity of geofence warrants has spiked dramatically in recent years, increasing by more than 1,500% in a single year just for Google. https://harvardlawreview.org/2021/05/geofence-warrants-and-the-fourth-amendment/

Apple and Google hand over data in response to government requests about 80% of the time. At such a rate, it is inevitable that your data will be collected by the police even if there is no specific warrant filed or charges pressed against you.

https://transparencyreport.google.com/user-data/overview

https://www.apple.com/legal/transparency/us.html

https://www.apple.com/legal/transparency/

Choosing the right phone

This practice alone makes the vast majority of phones on the market unacceptable to me.

Ruling out Google and Apple

When I use a phone with a Google Account or Apple ID, these companies are by default going to collect unique hardware identifiers, my location information and app usage data, with no way to opt out. https://apnews.com/828aefab64d4411bac257a07c1af0ecb/AP-Exclusive:-Google-tracks-your-movements,-like-it-or-not

https://www.apple.com/legal/privacy/data/en/apple-id/

If I want to use a phone I need to choose one that is going to allow me to use it completely anonymously and let me be in control of all of my data. So what are my options?

iPhones are unusable without an Apple ID, which cannot be created anonymously, and Apple will always associate it with some location data and hardware device identifiers that cannot be reset. Using an iPhone is thus an inherent threat because I can’t opt out of this data collection unless I disable the Apple ID and all radio signals at all times, which would render the phone useless. https://www.apple.com/legal/privacy/data/en/apple-id/

Anonymous phone

I need to find a phone that allows me to use it without any account and with services I know do not collect my data, because they don’t have the permission for it. Android, as a base operating system, does allow for such a setup. But no phone on the market offers this setup out of the box. Any Android phone you buy will be bundled with Google Play Services and pre-installed vendor applications that have privileged permissions and collect troves of sensitive data.

https://arxiv.org/pdf/1904.05572.pdf

https://qz.com/1131515/google-collects-android-users-locations-even-when-location-services-are-disabled/

https://grapheneos.org/usage#sandboxed-google-play

Because Android is fundamentally open source, it allows forks to freely form and distribute their own versions of Android without any invasive services. https://source.android.com/

There are many such forks available for free. But I want to choose one that maintains Android’s security model and follows best practices for security updates. If you’ve followed this channel for a while you already know where this is going. It’s GrapheneOS.

GrapheneOS

GrapheneOS is a research project focused on mobile security that develops and maintains a hardened version of the Android operating system. GrapheneOS has a far-reaching number of substantial improvements that together make it the most secure mobile operating system for the end user. https://grapheneos.org/features

GrapheneOS is only available on Pixel devices because they are the only phones that let users install a custom operating system while retaining a fully locked device state, which is essential to maintaining Android’s security model. So as much as I dislike Google for their data collection practices, I am happily choosing one of their Pixel phones to completely erase Google out of my life. And this is how I do it. https://grapheneos.org/faq#supported-devices

One of the ways of obtaining a Pixel phone anonymously is to buy it in a physical store with cash, use the store’s WiFi to install security updates without creating a Google account, and turn on airplane mode once the updates are complete. Then I connect this Pixel to my other device and install GrapheneOS on it.

Device Anonymization

Device identifiers

Flashing GrapheneOS on my phone is going to take care of most of the privacy issues from the get-go. https://grapheneos.org/install

By default, GrapheneOS doesn’t have any Google apps or services and only collects my IP address for network checks and system updates. https://grapheneos.org/features#privacy-by-default

My phone’s serial number, IMEI or other hardware identifiers are gonna be inaccessible to any and all apps I install on my system. There is no Google account required for me to use this phone or install apps and updates. https://grapheneos.org/faq#hardware-identifiers

https://source.android.com/devices/tech/config/device-identifiers

Location privacy

Because I want to keep this device as anonymous as possible, I do not even insert a SIM card at all and use the phone as a WiFi-only device. Even if I inserted an anonymous prepaid card, the phone’s carrier is gonna have access to my IMEI and there is no way around it on any phone. It’s how IMEIs work. Phone networks are also used for cell tower triangulation, which can pinpoint your location even if you disable location services. https://tracki.com/pages/how-gps-tracker-works-and-cell-phone-tower-triangulation-accuracy

I treat the cellular network as untrusted and there is nothing that can be done to secure it. So I don’t use it. https://theintercept.com/2015/02/19/great-sim-heist/

Network privacy

GrapheneOS enables full MAC address randomization, which makes my phone fully anonymous on any network. https://grapheneos.org/features#wifi-privacy

To protect my IP address, I use Orbot to route my whole device traffic through Tor. https://guardianproject.info/apps/org.torproject.android/

Tor is an anonymous overlay network that does slow you down, but it gives the most reasonable protection against traffic analysis attacks. It will prevent networks from tracking what websites and app servers you are connecting to. https://support.torproject.org/about/

But using Tor in specific locations can make me stick out from the crowd. So I enable Tor bridges to hide the fact I am connecting to the Tor network from my Internet Service Provider. https://tb-manual.torproject.org/bridges/

I put timers on my Bluetooth and WiFi connections and make sure they are only on when I absolutely need to use them. Keeping your Bluetooth and WiFi on all the time significantly exposes you to surveillance and hostile hotspots. I make sure that Bluetooth and WiFi scanning is also off so that they can’t be used in the background for location tracking. https://medium.com/supplyframe-hardware/bluetooth-indoor-positioning-and-asset-tracking-solutions-8c78cae0a03

Usage anonymization

Network permission

GrapheneOS offers a unique network permission toggle that isn’t available on iOS or Android by default. This network permission allows me to disable network access to apps I don’t trust with my data but still want to use. It fully prevents apps from accessing the network without any leaks whatsoever.

This allows me to use a navigation map without compromising my location information. Let’s say I install OsmAnd to download maps onto my phone to use for navigation later. OsmAnd is a free and open source map and navigation alternative I use instead of Google or Apple maps because it doesn’t collect my location information, according to their privacy policy. But I don’t want to rely on their pinky promise only. So as long as I can revoke OsmAnd’s network access, I have that additional layer of security in case the company one day decides they want to collect my GPS coordinates. That way I can rest assured my GPS location never leaves my device. https://grapheneos.org/features#network-permission-toggle

Sensor permission

GrapheneOS, as the only OS on the market to do so, offers a sensors permission toggle to prevent apps from inferring information about the phone from the device sensors. Sensor information is more sensitive than you might think, since it contains readings from your gyroscope, compass, accelerometer, thermometer and others. https://grapheneos.org/features#sensors-permission-toggle

Gyroscopes can also be used for ultrasonic cross-device transmission, which sends bits of information to nearby audio beacons to track you. This tracking is completely permissionless on iPhones and Android phones, but not on GrapheneOS, since I can disable the gyroscope entirely. https://caslab.csl.yale.edu/publications/matyunin2018zeropermission.pdf https://www.zdnet.com/article/hundreds-of-apps-are-using-ultrasonic-sounds-to-track-your-ad-habits/

Downloading apps

How I download apps is just as important as the security properties of my phone itself. It matters where your apps are coming from and what data you give them access to.

The most anonymous way to install apps on your system is through F-Droid or by downloading APK files from the web. If you’re routing your device traffic through Tor, this method can give you strong anonymity, but it significantly increases your risk of installing malicious or broken apps and thus should not be recommended.

The most secure way to install apps on your phone is through the platform’s official app repository. This is gonna be Google Play Store on Android and App Store on iOS.

However, it is impossible to download apps on an iPhone without a phone number. And both Google and Apple will collect your app list or even app usage if you use their stores to manage your apps.

https://support.apple.com/en-us/HT204053

https://support.google.com/accounts/answer/27441?hl=en

But GrapheneOS, and even stock Android, allow you to mitigate this data collection to a large extent.

User profiles

The best way to prevent Google from linking your app usage to your identity is to create a new user profile on GrapheneOS and use it to install the fully sandboxed Google Play Store. That way, Google will not have access to your device identifiers even if you have to give them your phone number during account creation. You can keep this profile to isolate apps that need your identity, such as your banking or personal social media apps, from your main anonymous profile. Android allows you to create up to 4 user profiles and GrapheneOS up to 16. https://grapheneos.org/features#improved-user-profiles

https://grapheneos.org/usage#sandboxed-google-play

https://source.android.com/security/encryption/file-based

https://grapheneos.org/faq#encryption

Main profile

I maintain multiple profiles depending on the use, to compartmentalize my daily usage, which I want to keep anonymous, from uses that require my identity and uses that have an increased threat model. My main profile is always treated as anonymous, and I create new profiles on a case-by-case basis to address different threat models.

When I go outside for a workout with my friends… who am I kidding. When I go outside for a workout by myself, I switch to a guest mode that only has access to default Android apps and none of my sensitive data. In case someone snatches my phone as I am pulling my pathetic self up on a bar, they wouldn’t have access to my other profiles, as those are encrypted at rest with my lockscreen passcode.

I don’t use biometrics for my lockscreen to avoid having fingerprints used against my consent.

Work profile

If there is a work app your asshole, also referred to as your employer, wants you to install on your phone, you can tell them to go choke on something thick and hard. If that doesn’t work, you can create a new user profile to install the work app on, so that you don’t have to hand over your personal accounts to communicate with your boss. This is how I isolate invasive apps from my main anonymous profile.

Social media profile

Social media apps can’t be trusted. They require extensive permissions for mundane features just so that they can snatch more of your private data. This isn’t just what you post on social media. It’s also your phone book, usage data from other apps, and cross-platform tracking for ads. https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html

https://www.nytimes.com/2018/06/04/technology/facebook-device-partnerships.html

Both stock Android and iOS allow you to disable basic ad identifiers, but this is not gonna be enough to stop advertisers from tracking you.

https://www.reuters.com/article/google-apple-int/google-to-stop-using-apple-tool-to-track-iphone-users-avoiding-new-pop-up-warning-idUSKBN29W1VM

The most private method of using social media apps is to contain them in a separate user profile which you can only do on Android and GrapheneOS. Don’t keep your phone book or private files in this profile. Only keep your social media content on it and nothing else.

Burner profiles

Because GrapheneOS allows me to use up to 16 different profiles, I can set up multiple ephemeral profiles that serve a single purpose, and purge them once I no longer need them. I don’t use social media apps, but I know plenty of mundane apps use social media tracking SDKs in their code and sell my data to advertisers.

https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636

https://www.cnet.com/tech/services-and-software/facebook-receives-personal-info-like-your-heart-rate-from-popular-apps/

I treat every app I can’t vet as untrusted and put it in a separate profile for the duration of my use. I don’t want these apps to access my work or anonymous data. They can only stay confined in their own profile where they can’t access anything.

End

Properly anonymizing your phone can significantly increase your digital security and physical safety. This isn’t the only way, nor an exhaustive one. Everyone should tinker with their setup according to their needs. Sharing our setups, to an extent, can help us all make improvements.

Surveillance is becoming more and more powerful and so should our defense against it.

Comments

Disabling JavaScript as much as possible can help too. Running apps with as few permissions as feasible and opting for known privacy alternatives might be a good step too. You can work with what you already have and transition to a more secure setup when that option is open to you. Best of luck!

The Hated One

Usually I just never carry my phone and I leave it off most of the time, but reading about geofencing and that paper about permissionless exfiltration for the purpose of tracking really grossed me out. Usually I'm nice and insulated in the bubble of a desktop running libre software, but I think you've motivated me to flash the phone with a superior OS, though I do not own a Pixel phone unfortunately :(

Matthew

Thank you, Peter!!

The Hated One

That was both informative and fun. Probably gave me the biggest laugh that I had all day, and quite possibly the most interesting read as well. Always like the great research.

Peter
