mirror of
https://0xacab.org/anarsec/anarsec.guide.git
synced 2025-07-23 14:50:45 -04:00
md formatting
This commit is contained in:
parent
0dc607247e
commit
b6bbc36b6f
8 changed files with 141 additions and 79 deletions
|
@ -46,6 +46,7 @@ Upon first booting Graphene, it will prompt you if you want to connect to Wi-Fi.
|
|||
# System navigation
|
||||
|
||||
By default, GrapheneOS uses [gesture navigation](https://grapheneos.org/usage#gesture-navigation). The essentials are:
|
||||
|
||||
* The bottom of the screen is a reserved touch zone for system navigation.
|
||||
* Swiping up from the navigation bar while removing your finger from the screen is the **Home** gesture.
|
||||
* Swiping up from the navigation bar while holding your finger on the screen before releasing is the **Recent Apps** gesture.
|
||||
|
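Review bot: the heading hierarchy in this hunk should be checked against the rest of the file: `# System navigation` is a level-one heading, while the sub-sections under `# How to Install Software` are moved from `####` to `##` later in this same commit, so the intended scheme appears to be `#` for sections and `##` for sub-sections; confirm that is what the renderer should produce. Wording in the Home gesture bullet is also awkward: "Swiping up from the navigation bar while removing your finger from the screen" reads better as "Swiping up from the navigation bar and lifting your finger".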
@ -70,6 +71,7 @@ User profiles are a feature that allows you to compartmentalize your phone, simi
|
|||
The Owner user profile is the default profile which is there when you turn on the phone. Additional user profiles can be created. Each profile is [encrypted](/glossary/#encryption) using its own encryption key and cannot access the data of any other profiles. Even the device owner cannot view the data of other profiles without knowing their password. A shortcut to switch between different user profiles is present on the bottom of Quick Settings (accessible by swiping down from the top of the screen, twice). When you press **End session** on a profile, that profile's data is encrypted at rest.
|
||||
|
||||
We will now create a second user profile for all applications which don't require Google Play services:
|
||||
|
||||
* **Settings → System → Multiple users**, press **Add user**. You can name it Default, and press **Switch to Default**.
|
||||
* Set a [strong password](/posts/tails-best/#passwords) that is different from your Owner user profile password.
|
||||
* In the Default user profile, **Settings → Security → Screen lock settings → Lock after screen timout** can be set to 30 minutes to minimize how often you'll need to re-enter the password.
|
||||
|
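Review bot: typo in the last bullet: `Lock after screen timout` should be `Lock after screen timeout`. That bullet could also state what the 30-minute value trades away: the Default profile stays unlocked for up to 30 minutes after the screen turns off, so anyone holding the phone in that window has access to it, and readers who need tighter control may prefer a shorter value.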
@ -79,12 +81,15 @@ Later on, we will optionally create a third user profile for applications that r
|
|||
To reiterate, the user profiles and their purposes will be:
|
||||
|
||||
**1) Owner**
|
||||
|
||||
* Where applications are installed
|
||||
|
||||
**2) Default**
|
||||
|
||||
* Where applications are used
|
||||
|
||||
**3) Google (optional)**
|
||||
|
||||
* Where applications that require Google Play services are used
|
||||
|
||||
# How to Install Software
|
||||
|
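Review bot: the `**1) Owner**` summary lists only "Where applications are installed", but later in this file the Owner profile also keeps the VPN enabled ("disable all applications other than the VPN") and Obtainium enabled ("don't disable it"); adding "and where the VPN (and Obtainium) remain enabled" would make the summary match the procedure. Formatting is a style choice, but the bold `**1) Owner**` lines each followed by a single bullet render as three separate paragraphs; a one-line form such as `1) **Owner**: where applications are installed` is more compact.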
@ -95,6 +100,7 @@ For installing additional software, avoid F-Droid due to its numerous [security
|
|||
The approach we will take is that all applications that are needed in any user profile will be installed into the Owner user profile, using Sandboxed Google Play. In the Owner user profile, all applications (except the VPN) will be disabled. The **Install available apps** feature will then be used to delegate apps to their needed profiles. Automatic updates in the Owner user profile will be applied in the secondary user profiles as well.
|
||||
|
||||
To install and configure Sandboxed Google Play:
|
||||
|
||||
* Within the Owner user profile, install Sandboxed Google Play by opening Apps and install Google Play services (this will also install Google Services Framework and the Google Play Store).
|
||||
* The Google Play Store requires a Google account to log in, but one with false info can be created for exclusive use with the Google Play Store.
|
||||
* Once installed and logged in, disable the advertising ID: **Settings → Apps → Sandboxed Google Play → Google Settings → Ads**, and select *Delete advertising ID*.
|
||||
|
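Review bot: grammar in the first bullet: "by opening Apps and install Google Play services" should be "by opening Apps and installing Google Play services". In the advertising-ID bullet the UI labels switch from bold (`**Settings → Apps → Sandboxed Google Play → Google Settings → Ads**`) to italic (`*Delete advertising ID*`); the rest of the file bolds UI elements, so `**Delete advertising ID**` keeps the convention.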
@ -106,17 +112,18 @@ You can now install applications through the Google Play Store. The first applic
|
|||
Using the example of RiseupVPN, once it is installed, accept the 'Connection request' prompt. A green display will mean that the VPN is successfully connected. Navigate to **Advanced settings** in the RiseupVPN menu, click **Always-on VPN**, and follow the instructions. Moving forward, the VPN will automatically connect when you turn on your phone. Continue to install any other apps - for ideas, see [Encrypted Messaging for Anarchists](/posts/e2ee/).
|
||||
|
||||
Now we will delegate apps to their needed profiles:
|
||||
|
||||
* In the Owner profile, disable all applications other than the VPN: **Settings → Apps → [Example] → Disable**.
|
||||
* To install Riseup VPN (or any other app) in the Default user profile: **Settings → System → Multiple users → Default → Install available apps**, then select Riseup VPN.
|
||||
|
||||
#### Software That Isn't On the Play Store
|
||||
## Software That Isn't On the Play Store
|
||||
Some apps aren't on the Play Store, either because they are in development or they don't want users to have to interact with Google. The Play Store can be used to update apps, but when you download individual .apk files you will need to remember to update them yourself (there are exceptions, for example Signal is designed to self-update). [Obtainium](https://github.com/ImranR98/Obtainium) is an app to keep track of what apks need to be updated, and is available on the [GitHub Releases page](https://github.com/ImranR98/Obtainium/releases); `app-arm64-v8a-release.apk` of the latest release is what you want (arm64-v8a is the processor architecture). If you need apps that aren't on the Play Store, install Obtainium into the Owner user profile (and don't disable it). Use the same process of installing apps into the Owner user profile but through Obtainium, then disabling them and delegating them to their needed profiles. Unfortunately, apps acquired through Obtainium require manual updates - it will notify you when one is needed.
|
||||
|
||||
As an example of how to use Obtainium, Molly-FOSS is a hardened version of Signal with [no Google software](https://github.com/mollyim/mollyim-android#free-and-open-source), and is available from [Github Releases](https://github.com/mollyim/mollyim-android/releases). In Obtanium press **Add App**, then copy the Github Releases URL. Obtanium can install the app, and when there is a new version you will get a system notification and an update icon will be present beside it, at which point you must manually update it.
|
||||
|
||||
Cwtch is not yet present on the Google Play Store, and can be added to Obtainium by entering the [Download page URL](https://cwtch.im/download/).
|
||||
|
||||
#### Software That Requires Google Play Services
|
||||
## Software That Requires Google Play Services
|
||||
If there is an app you would like to use that requires Google Play services, create a specific user profile for it from the Owner user profile; you can name it Google. This is also a good solution for isolating any app you need to use that isn't [open-source](/glossary/#open-source) or reputable. If you create a Google user profile, you will need to install and configure Sandboxed Google Play in it.
|
||||
|
||||
Many [banking apps](https://grapheneos.org/usage#banking-apps) will require Sandboxed Google Play. However, banking can simply be accessed through a computer to avoid needing this Google user profile.
|
||||
|
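Review bot: `Obtanium` is misspelled twice in the Molly-FOSS paragraph (should be `Obtainium`), and `Github Releases` should be `GitHub Releases` to match the link text two paragraphs earlier. The VPN name alternates between `RiseupVPN` and `Riseup VPN` within the hunk; pick one. The first delegation bullet says to disable "all applications other than the VPN" in Owner, while the Obtainium paragraph adds a second exception ("don't disable it"); the delegation bullet could read "other than the VPN (and Obtainium, if you use it)" so the two passages agree. The heading change from `####` to `##` is consistent with the `#` top-level sections.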
@ -132,6 +139,7 @@ Perhaps you want to use [Tor](/glossary/#tor-network) from a smartphone. However
|
|||
Applications like Cwtch and Briar have Tor built in, and should not be used through a VPN like Orbot.
|
||||
|
||||
# Recommended Settings and Habits
|
||||
|
||||
* **Settings → Security → Auto reboot:** 8 hours [Owner user profile]
|
||||
* Auto reboot when no profile has been unlocked for several hours will put the device fully at rest again, where [Full Disk Encryption](/glossary/#full-disk-encryption-fde) is most effective. It will at minimum reboot overnight if you forget to turn it off. In the event of [malware](/glossary/#malware) compromise of the device, Verified Boot will prevent and revert changes to the operating system files upon rebooting the device. If police ever manage to obtain your phone when it is in a lock-screen state, this setting will return it to effective encryption even if they keep it powered on.
|
||||
* Keep the Global Toggles for Bluetooth, location services, the camera, and the microphone disabled when not in use. Apps cannot use disabled features (even if granted individual permission) until re-enabled.
|
||||
|
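Review bot: the explanatory bullet beneath `**Settings → Security → Auto reboot:** 8 hours` is at the same list level as the setting it explains, so it renders as a separate recommendation rather than as the rationale for the one above it; indent it two spaces as a nested bullet (or fold it into the parent bullet). The Global Toggles bullet is a separate recommendation and correctly stays at the top level.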
@ -150,6 +158,7 @@ GrapheneOS currently provides Seedvault as a backup solution, but it's not very
|
|||
|
||||
# Password Management
|
||||
If you feel you need a password manager, [KeePassDX](https://www.privacyguides.org/en/passwords/#keepassdx-android) is a good option. However, most app credentials can be kept on KeePassXC on a computer as they don't need to be entered regularly. The set up described in this guide requires memorizing two passwords:
|
||||
|
||||
1) The Owner user profile (boot password)
|
||||
2) The Default user profile
|
||||
3) (Optional) Apps like [Cwtch](/posts/e2ee/#cwtch) and [Molly](/posts/e2ee/#signal) have their own passwords.
|
||||
|
|
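Review bot: "The set up described in this guide" should be "The setup described in this guide" (noun form). The sentence says the setup requires memorizing two passwords but the list that follows has three entries; since the third is marked optional this is not wrong, but "two passwords (plus any optional app passwords)" would remove the apparent mismatch.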