Mobile Device Best Practices
Earlier, I talked about some settings to help reduce the data collection on your phone and improve your mobile device’s security. I also briefly touched on replacement apps and habits. In this sub-section, I want to expand on that and talk about some additional practices to further improve your mobile privacy and security.
The biggest thing you can do with your phone is consider your metadata. The biggest habit you can change is just to not have your phone around as often as possible and to use it as little as possible. Classic non-smart alarm clocks are only $10 at Target, and you can charge your phone in another room. When going out with friends, leave your phone at home. Little things like this can add up.
Second, consider what you do on your phone. For example, try to send emails and do web browsing from your computer rather than your phone. You have significantly more control over your computer’s data collection than your phone’s.
Third, try to keep your phone as clean of apps and data as possible. Apps are a potential risk, both in terms of the data they could be collecting and the malware they could be hiding. The less apps you have, the better off you are. Most tasks we do on demand can wait until we get to a more controlled desktop environment. Of course this doesn’t mean you can never have anything on your phone, just make sure you’ve weighed the risks and really need it. Where possible, consider using Progressive Web Apps (PWAs) instead of regular apps. These are - to oversimplify it - web pages you can bookmark to your phone’s home page. In most cases they behave exactly like a normal app with identical or slightly less functionality, but they will have significantly less access to the data on your phone than a normal app would, making the much more private and secure than a normal app.
If you must download an app, on Android consider using F-Droid or Aurora Store. F-Droid is an app store featuring only open source apps while Aurora is a proxy for the Google Play store allowing you to download apps without a Google account and without Google tracking your download (please note that it will not remove any in-app tracking).
A more advanced step is to get a phone that’s not in your name. Rather than buying a phone on credit - which ties it back to your true identity via a credit check - you can buy a phone up front in cash, then get a pay-as-you-go or prepaid plan. In addition to offering more privacy, these plans are often much less expensive. Be aware that metadata such as location at home every night means your identity can be determined, but this strategy can still offer a lot of defense against public records, doxxing, and stalking.
I strongly urge anyone privacy-oriented to stop using your SIM number and instead use Voice-over-IP for all non-encrypted communications. This is a large subject, and as such I have dedicated an entire page to explaining this, and I encourage you to check it out if you’re interested.
Restart your phone at least once per week. Phones are typically much more stable than an average computer, and such we can and often do run them for weeks or even months at a time without ever thinking of restarting them. Most malware, except the most advanced kind, cannot withstand a simple restart. While it is unlikely that you’ll get malware if you have good online habits, it only takes a few minutes to restart and it’s worth the caution.
Finally, for those desiring maximum privacy, I encourage you to consider flashing a custom Android operating system (or ROM) onto your phone. This is a more advanced technique that falls outside the scope of this website, but I can at least point you in a starting direction. Unarguably the most private and secure ROM is GrapheneOS, which places a heavy emphasis on security by hardening the Android kernel it’s based on, sandboxing Google Play services for security and usability, and proxying many of the required connections through their servers to hide your data from Google. A common alternative to Graphene is CalyxOS, which focuses more heavily on incorporating open-source projects into the device but does not make any significant security improvements the way Graphene does. I do not recommend any other custom operating systems or Linux phones. Be aware that some apps may not work as expected on “degoogled” phones like these. I recommend visiting Techlore’s Plexus project to see if the apps you need are compatible on custom ROMs.
If you do decide to use a custom Android OS, it is recommended that you install it yourself. This is the best way to ensure the device is secure and the software hasn’t been tampered with between the developer and your device. If you are uncomfortable doing so and prefer to buy pre-flashed devices, Nitrokey sells phones pre-installed with Graphene. You can buy a pre-installed version of Calyx by becoming a member of the Calyx Institute, however be aware that at this time they are only offering the Pixel 7a model (the latest series is the 9/8a).