Seeking Your Thoughts on a Simple, Secure Setup for My Phone

I hope you’re doing well.

My goal is to minimize the risk of zero-click exploit spyware on my phone, and after participating in a few discussions on this topic—where I mentioned only using three apps (Signal, Proton VPN, and Proton Mail) and considered various methods for obtaining them (e.g., Google Play Services, Obtainium, and app verification)—I arrived at a simplified approach and wanted to ask if you think it makes sense.

For Signal, rather than focusing on how to download and verify it, I’m considering using Accrescent to install Molly instead. From what I understand, Molly allows me to communicate with any Signal user, and since it’s available via Accrescent, I wouldn’t need to worry about updates or signature verification? The likelihood of a zero-click exploit would also remain very low, similar to Signal?

As for ProtonMail, I could simply log in through the browser instead of installing the app. And regarding the VPN, I noticed Accrescent also offers a VPN app, which could complete my setup.

Do you think this strategy makes sense for keeping my device secure?

Thank you very much for your time and input—I really appreciate it!

Warm regards!

2 Likes

Are you or do you believe you are in active risk of this happening to you?

I do not think avoiding or mitigating the likelihood as you describe it with a zero click or a zero day is as simple as that.

Follow the best privacy and security practices, get GrapheneOS, harden it more or as much as possible (which will come at the cost of some inconvenience) and only communicate with and through select apps.

Using the ProtonMail app should not be an issue. But the web is a perfectly fine way to go too I suppose.

If you install Signal from the official website it will update itself when there is a new version release.

I don’t recommend using the web app over the native app for zero-click minimization, as if anything potentially malicious were to happen on the server serving the web app it’s bound to be a disaster.

But you are right on the rest. It is not easy to not fall for zero clicks (if at all actually) or even ever-evolving sophisticated phishing attacks.

1 Like

Thank you for your feedback and I am glad to hear the rest makes sense!
Do you have an approach on a good way to get email on GrapheneOS by any chance? Maybe there is a way GrapheneOS allows this that I am not aware of?

Most of what you mentioned does not make a significant difference for overall zero-click spyware prevention of a device. If you want and need that your only option is GrapheneOS.

+1 for what @GorujoCY said, you’re probably better off avoiding web apps and using the Android app instead. Aside from that I’d say you might be overthinking it. The steps you’re suggesting are unlikely to be of much help. Simply using GrapheneOS and a recommended method of obtaining apps will go a long way. The Play Store, Accrescent, Obtainium, and Aurora Store all have their own pros and cons, but try not to overthink it. The apps you need aren’t on Accrescent, so to keep it simple I’d suggest Obtainium, which is probably the easiest and most secure method of installing APKs.

If you think you’re likely to be targeted, I’d focus more on other aspects of your phone’s privacy and security. For example, can you go without using a SIM/eSIM and basically use it like an iPod? If not, it’s best that you use a brand new Pixel on a pre-paid plan, all paid anonymously in cash. Never give out the number tied to that phone and stick to VoIP numbers if needed. If you’re trying to sign up for services which require a “real” number you can get a dumbphone dedicated for that purpose, or there are some pricey “real” numbers you could pay for online. I think Michael Bazzell goes more in-depth on this in his mobile security guide, but that may have been deprecated recently.

2 Likes

Have you tried looking into how most zero-click attacks operate in real-world cases?

Even if you have the most secure setup in the world, there is a very likely chance that your work colleagues, friends, or family members can also become compromised. That’s why iOS’ Lockdown mode disables Shared Albums in the Photos app for example.

If you aren’t some high-risk journalist or activist (i.e. Edward Snowden or Jamal Khashoggi), you don’t need to worry about bugging your network to secure their devices. Regardless, focus more on obtaining a secondary device anonymously for dangerous activities like what other people mentioned in this discussion.

2 Likes

Thank you! I tried to download the Proton Mail APK with Obtainium and I was able to do it - but then with App Verifier I couldn’t successfully verify the signatures. I tried but didn’t completely understand how - and with Obtainium I would also like to verify the sigs. I am going to try to find instructions on this - but if you know of some instructions on this please let me know. Many thanks!
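The signature check the last post is asking about comes down to one comparison: the SHA-256 fingerprint of the certificate that signed the downloaded APK must equal the fingerprint the developer publishes. The script below is an added example, not code from this thread or from Obtainium, App Verifier or Proton. It assumes `apksigner` from the Android SDK build-tools is on PATH and that the expected fingerprint has been obtained out of band from the developer (the fingerprints used in it are constructed placeholders, not Proton's real signing certificate).

```shell
#!/bin/sh
# Added example: verify that an APK is signed by the certificate whose SHA-256
# fingerprint the developer publishes. Assumes `apksigner` (Android build-tools)
# is installed; the expected fingerprint is supplied by the caller.

# Normalise a fingerprint so "AB:CD:..." and "abcd..." compare equal:
# drop colons and whitespace, then lower-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ':[:space:]' | tr '[:upper:]' '[:lower:]'
}

# Succeed only when both values are the same 64-hex-digit SHA-256 fingerprint.
# Anything that is not 64 hex digits (truncated, SHA-1, garbage) is rejected,
# so a copy-paste mistake cannot silently pass as a match.
fingerprint_matches() {
    exp=$(normalize_fp "$1")
    got=$(normalize_fp "$2")
    case "$exp" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#exp}" -eq 64 ] && [ "$exp" = "$got" ]
}

# Pull the first signer's certificate SHA-256 digest out of
# `apksigner verify --print-certs` output read from stdin.
parse_cert_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: //p' | head -n 1
}

# Run apksigner on the APK and return the first signer's fingerprint.
# `verify` also fails (non-zero exit) if the APK's own signature is invalid.
apk_cert_sha256() {
    apksigner verify --print-certs "$1" | parse_cert_sha256
}

# verify_apk <file.apk> <expected-sha256-fingerprint>
verify_apk() {
    actual=$(apk_cert_sha256 "$1")
    [ -n "$actual" ] || { echo "could not read signer certificate from $1" >&2; return 1; }
    if fingerprint_matches "$2" "$actual"; then
        echo "OK: $1 is signed by the expected certificate ($actual)"
    else
        echo "MISMATCH: $1 signer $actual does not equal expected $2" >&2
        return 1
    fi
}

# Usage: sh verify_apk.sh ProtonMail.apk 'AA:BB:...:FF'
if [ "$#" -eq 2 ]; then verify_apk "$1" "$2"; fi
```

Only a mismatch or a missing signer line produces a non-zero exit, so the script can gate an `adb install` in a one-liner. Note that apksigner prints the certificate digest, which is the value App Verifier and most developers publish, not a hash of the APK file itself.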