How to best secure an insecure Android device?

My eyes are very sensitive to light and for that reason the vast majority of my time is spent using e-ink Android devices. The technology has improved over the years and the devices are now very usable. However, all of the available devices are Chinese and use older versions of Android. Due to the fact that these devices need to accommodate the e-ink technology there is zero chance of alternate ROMs ever being available for them.

I understand the compromise I’m making as far as security and privacy goes but I’m forced to prioritize my eye health. That being the case I’d still like to do as much as I can to secure my devices.

Threat model-wise I am not overly concerned about the Chinese government in that I am not Chinese and never plan to travel there. But I do use my e-ink devices as primary devices which means using them for web browsing, email, messaging, banking, personal documents and using my password manager.

My current main device is the Hisense Hi Reader which is only used on wifi at home. It is running Android 10.

What I have done:

  • debloated it using adb as much as possible.
  • installed RethinkDNS for DNS and using the firewall blocking everything except my installed apps and any system apps that break my apps if blocked. I understand that if there is deep code in the OS that bypasses the Rethink VPN then this won’t stop that.
  • I don’t open PDFs on these devices due to potential risks. I’m also cautious with links I open and sites that I browse on the web.
  • installed my preferred keyboard and blocked its access to internet using Rethink firewall.

Any other suggestions for tightening up the security/privacy?

Additional questions:
My current main device isn’t rootable but there are other devices that can be rooted. Would rooting allow me to secure things further and if so does that make sense or are the additional risks of a rooted device not worth it?

I feel that using a Hisense (major electronics company) is probably safer than smaller e-ink specialist companies (e.g. Onyx Boox devices) because they have more to lose if spyware were found. But maybe I’m overthinking this?

Bottom line is I have no choice but to use these devices and want to simply be as private and secure as I can be. Any help is much appreciated.

1 Like

Hey there!
I’m not a security expert, but the worst thing about your device is lack of security updates, and I’m not sure what can fix that flaw.

Do not root a device; it’ll open your device to vulnerabilities much, much more.

It’s recommended to avoid using internet on that device as much as you can. Block internet access for any app that doesn’t need it and keep the internet ONLY on apps you absolutely need to use everyday.

1 Like

There isn’t too much you can do as a user, but I’d strongly recommend using an updated browser.
Also ensure the Play Store or Aurora is available so that the stock Google WebView can be updated.

> I don’t open PDFs

ANY and ALL files or connections can compromise your device; arbitrarily excluding a file type is silly.

> Android 10

This means best case you’re running the 2023-02 ASB and the 2020-08 PSB, so six months and three years respectively of vulnerabilities that may impact you.

> Would rooting allow me to secure things further

No.

Yes I’m using an up to date browser and use Aurora to update WebView.

OK. I was under the impression PDFs were more likely to be a problem than say .epub or .mp3 files.

Thanks for your response.

Graphene has a secure PDF viewer app

rethinkdns dev here

My 2 cents:

  • If you’re on Android 10+, run Rethink with Block connections without VPN enabled (ref; not many other VPN-based firewalls support this mode, but Rethink does).
  • Always connect over WiFi (if possible, disable Mobile Data on your SIM card altogether) and use an external firewall (like Firewalla / PfSense / OpenSnitch running on a Raspberry Pi running as a hotspot) to monitor and block / allow your network traffic.
    • For the paranoid ones amongst us, it pays to block everything except what’s explicitly allowlisted (why?). Even though it takes time and patience to build such an allowlist (so your essential apps won’t break), it is definitely worth it.
    • Rethink supports a similar setting in-app called Isolate mode. When an app is put in Isolate mode, all connections from it are blocked by Rethink unless the domain / IP is explicitly allowlisted for that app.

As an ex-AOSP contributor, I can say that expecting total privacy with Smartphones is unfortunately a non-starter. Even if you flash privacy / security oriented ROMs (like Divest, Graphene, or Calyx), you’re still beholden to the opaque, non-Open Source blobs that pretty much dictate both the hardware and the OS of your Smartphone.

1 Like
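A sketch of the default-deny, per-app allowlist idea described in the post above, run over a connection log so that blocked destinations can be reviewed while building the allowlist. This is an added example, not Rethink's code and not part of the original thread; the app names, domains, addresses and log lines are constructed, and matching subdomains of an allowlisted domain is an assumption of this sketch.

```python
import ipaddress

# Constructed per-app allowlists (hypothetical apps, documentation-range addresses).
ALLOWLIST = {
    "com.example.bank": {"domains": ["bank.example"], "nets": ["203.0.113.0/24"]},
    "com.example.mail": {"domains": ["imap.mail.example"], "nets": []},
}

# Constructed connection log: "<app> <destination domain or IP literal>".
LOG = """\
com.example.bank api.bank.example
com.example.bank tracker.ads.example
com.example.bank 203.0.113.7
com.example.mail imap.mail.example
com.example.keyboard telemetry.vendor.example
com.example.mail 198.51.100.9
"""

def domain_allowed(host, allowed):
    # Exact match or a true subdomain; "evilbank.example" must not match "bank.example".
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)

def decide(app, dest, allowlist=ALLOWLIST):
    """Default deny: allow only destinations explicitly listed for this app."""
    rules = allowlist.get(app)
    if rules is None:
        return "block"  # an app with no entries gets no network at all
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:  # not an IP literal, so treat it as a domain name
        return "allow" if domain_allowed(dest, rules["domains"]) else "block"
    nets = (ipaddress.ip_network(n) for n in rules["nets"])
    return "allow" if any(addr in n for n in nets) else "block"

def review(log=LOG):
    """Return every decision plus blocked destinations grouped by app."""
    decisions, blocked = [], {}
    for line in log.splitlines():
        app, dest = line.split()
        verdict = decide(app, dest)
        decisions.append((app, dest, verdict))
        if verdict == "block":
            blocked.setdefault(app, []).append(dest)
    return decisions, blocked

if __name__ == "__main__":
    for app, dests in review()[1].items():
        print(f"{app}: blocked {', '.join(dests)}")
```

The blocked list is the part to read: each entry is either something to add to that app's allowlist because the app breaks without it, or traffic that was never needed.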

Thanks very much ignoramous, that was exactly the sort of reply I was looking for. I’ll be looking into setting up an external firewall.

Sorry, but this is a bad idea. @NewUser just use your e-ink for reading books or whatever public data. Don’t do banking and email on it. Besides that being crazy slow, that is just an unacceptable risk to me.

If you stick your head in the sand that’s on you.