Best practices for stealth on smartphone?

Hi,

What would be your recommendations regarding personal data on a smartphone and abusive individuals/authorities requesting to see all photos (and possibly more) on the phone?

I’m on Android and I can have multiple users/profiles on the device. I was thinking about having a main real but minimal profile, and a second profile which would be my actual day-to-day profile. When at risk, I’d switch back to the minimal profile, ready to delete the actual day-to-day profile, or just call it “test” and pretend I can’t unlock it.

But there have to be better ways? More invisible to the untrained eye, more convenient for the user?

Thank you.

IMO the best thing you can do is to keep your phone as clean as possible.

To make a start, I would assume the “individual” has no physical access to your residence and the “Authority” is not your own government (prob. some random authority when you travel abroad). Let’s call them “Adversaries”.

As you are ready to delete the main profile I would also assume you do not require much access to those files / images when you are on the go.

Let’s say you try to protect your files from adversaries. I would suggest you get a NAS in your home and set a daily backup from your phone to the NAS, and use apps like Automate to automatically clean up relevant directories, say during midnight. You shall not enable remote access to your NAS via VPN or Tailscale. It means you can only access those files when you are connected to the same local network as your NAS.

The reason I am not suggesting cloud storage is that it remains accessible as long as your phone stays online, which is not so good if you are being “forced” by adversaries.

Sure, there is a chance that the adversaries might run your phone with forensic tools, then it depends on how robust your phone is, but otherwise it is very difficult for them to get anything out of it.


If the adversaries are not tech-savvy at all then prob. hiding the apps / files using a 3rd-party launcher would be enough.

Using web apps/web clients without using installed apps would be best. Couple this with private browsing mode and you can be harder to trace if you have VPNs as well.

I would not use any BigTech products because they can be “lawfully” forced to obey.

Isn’t this a good use case for a duress PIN? Whatever profile you use, if you are forced to open it under duress, use your duress PIN and wipe the phone. Other than that, have a short timer on the phone to auto reboot; if you aren’t able to wipe it, you at least want the phone in a BFU state.

I would not bank on a security through obscurity approach. This is not a good way to protect data. Instead, back up your data to other secure sources and be willing to wipe your phone when needed.

I think it really depends on what your adversaries are.

If you are facing government agencies, a duress PIN might not be a good idea as you might face extra charges for destroying evidence. If you are facing physical threats, then extreme physical violence should be expected. (Of course, if you prioritize the safety of other personnel over yourself then it is totally acceptable.)

If you think you could withstand prolonged or enhanced interrogation, then the latest iOS and GrapheneOS have an auto reboot timer so it should keep you safe (for a good while). But no one knows if they could withstand that (until they have experienced one).

So the best approach might simply be: don’t keep sensitive stuff on your phone.
