Android Hardening Guide

Hello everyone, I have started writing a guide about “hardening” Samsung Android (oneUI). I haven’t finished because I have yet to cover ADB options. In the meantime, let me know what you guys think of this. ( Sorry for the format, I wrote everything directly in my IDE)

"How to harden Googled Samsung Android - PG

While we recommend you buy a phone that is fully compatible with our two Android recommended OS (Graphene OS and Divest OS) , you might be unable to do so. This guide is for harm minimisation. It is primarly made for Samsung Android.

When setting up your phone, you will be asked wheter to login to both Google and Samsung accounts. We recommend you do not login at this stage, because you should only do so when you need it (more on this later).

For installing Apps, prefer Obtainium to install open-source apps, and Aurora to install proprietary apps. Note that without a Google acocunt, you will not be able to download apps from the Play Store but you will be able to update them and to get Play Protect certification. The Samsung Store is generally available without an account, but it does not support auto updates for apps. You will need to manually search for the apps to update. System apps will display updates in their Settings=>About section.

Unfortuantely, some privacy features need a login with a Samsung Account. This is the case of the “Secure Folder” option, which is a place to store files and app that will be fully sandboxed from the rest of the OS. Samsung do not support mulltiple user accounts.

Security and Privacy section
Lock screen
Enable only strong methods : 8 digits PIN code, password or fingerprint, if the later is compatible with your threat model.
Disable Extend Unlock, unless you have a wearable.
Secure lock settings
Put Autolock when screens turn off to Immidiately
(Lock instantly with Side key and Lock Network and security should already be enabled)
Enable Auto factory resest. This will reset your phone after 20 failled attempts, so do backup your phone.
Enable Show Lockdown option.
Lock screen customisation
Notifications to None or Icon only.
Widgets
(Disable as needed)
Apps safety
Enable Google Play Protect
(Disable improve detection)
If you are comfortable with McAfee, enable Apps Protection
Additional safety settings
Enable Update of Galaxy system apps
Disable “Make passwords visible”
(Enable encryption of SD card)
Check that you haven’t any suspicious certificates agent
Disable any admin app
Check if you need the trust agents
Privacy
Autorisations used in the last 24 hours
Change time to 7 days, and show sytem apps by clicking on the dots on the top right>
Then, remove unecessary permissions. While system apps are given full acess by default, it is possible to remove some of their permissions.

    Additional controls
        Enable clipboard access alert
    Other controls
        Samsung
            Disable sending of diagnostics data
        Google
            Disable personalisation service
            Android System Intelligence
                (Disable Keyboard suggestion, if necessary)
            Disable Health Connect
            Disable Google auto-fill
            Ads
                Confidentiality of ads
                    Disable Themes, Ads suggested by apps, and Ads Measurement
                    Delete your adversting ID, or regularly reset it (some apps will switch to hardware ID when ad ID is disabled)
            Use and diagnostics
                Disable

Applications
Samsung app settings
Disable “Special offers” in Galaxy Themes>
Default apps
Install privacy respecting browser, SMS and Phone app. For the later two, you can search in F-Droid.
Connectivity
(Disable NFC payments)

SIM manager
Other SIM settings
Safety of SIM card
Enable SIM PIN code locking. Before doing so, make sure you know your SIM recovery code, aka PUK.
Mobile Networks
Enable VolTE calls (4G). Standard calls, using 2G are very insecure, virtually any hackers can intercept calls.
(If your area don’t support 5G, disable it to reduce the attack surface, esp since 5G is a new technology, and prone to bleeding edge attacks.)
Data usage
(Data saving : will block apps from using data in background, with a certain usability cost. This is like setting the default to “block” for background connectivity)
Allowed network for apps : restrict any app , including a system app that don’t need comnectivity to Wi-Fi only or Data only.
Wifi/mobile data usage : check for any apps that shouldn’t send that much data and block it from sending background data.
More connectivity settings
Disable nearby devices scanning
Private DNS
(Input your DNS host , this will only allow connection trough this DNS alone, so make sure it is always accesible.)
Set to Auto
Battery
Background usage limits
Enable put unused apps to sleep
In Never auto sleeping, put critical and trusted apps
In Sleeping apps, put most apps
In Deep sleeping apps, put rarely used apps or very untrusted apps.

Device care
Auto optimisation : Auto restart : Enable Restart awhen needed and Restart on schedule and select everyday.
Software update : Auto download over Wi-Fi
Accesibility
Installed apps : check which apps that use this highly-priviliged permission.

This is all for standard settings.

Now we will use the Androis Debug Bridge (ADB).

1 Like