--[ Making Your Pocket Spook Less Spooky: Upgrading the Privacy of Android Smartphones

$ getent passwd mmilchak
├─ name: MAJ Neil Milchak
└── org: 780th MI BDE

Neil is a software developer with the 780th MI BDE, a longtime AvengerCon volunteer, and an OSINT, online privacy, and Android OS enthusiast. He holds a bachelor of science in electrical engineering from the United States Military Academy and a master's in computer science from the Georgia Institute of Technology.


Today, the privacy and security risks and consequences of using smartphones are numerous [1] [2] [3]. Many smartphone users are either unaware of the privacy risks inherent to using smartphones with default settings and common applications, or have resigned themselves to the apparently unavoidable compromise of privacy in exchange for the convenience of a modern lifestyle and the ability to seamlessly communicate with friends and family. But is that loss of privacy really unavoidable? In this workshop, I will provide an overview of the Android operating system, the common ways that smartphone activity can be tracked, how you can analyze Android applications for privacy and security risks, and how you can configure Android devices to better respect your privacy without sacrificing all of the conveniences of the smartphone.

This podcast episode provides an excellent primer for some of the topics that we will be talking about and implementing in the workshop: https://soundcloud.com/user-98066669/176-privacy-crash-course-03-mobile-devices

  • Part 0: Android Operating System Crash Course
    • Android Runtime (ART)
    • Boot process and boot security features
    • File system
    • Android apps and permissions model
  • Part 0 Lab A: Setup and interacting with your Android VM or phone
    • Genymotion or AVD Android virtual machines
    • Using the Android Debug Bridge (ADB) interface
  • Part 0 Lab B: Android Hello World
    • Intro to Android Studio
    • Building and installing custom applications on your phone
  • Part 1: Threat landscape and privacy risks
    • Online Advertising and Data Economy
    • Advertising and Telemetry SDKs
    • Preinstalled system applications
    • Google Services Framework and Play Services
    • Location and Geolocation Services
    • Privacy risks of common apps
    • Cellular network and cellular provider privacy risks
  • Part 1 Lab: Analyzing and modifying Android apps (Android RE crash course)
    • Automated scanning apps and tools
    • Analyzing app network traffic
    • Decompiling APKs
    • Modifying and recompiling APKs
    • Creating a trojaned APK
  • Part 2: Setting up and using your privacy-improved Android phone
    • App store alternatives (F-Droid, Aurora)
    • Screening and verifying non-Play Store apps
    • Phone and SMS service through VoIP and XMPP
    • Privacy-focused messaging applications
    • Disabling nosy preinstalled system applications
    • VPNs
    • Cloud storage / file synchronization
    • Multiple User Profiles
    • Other privacy-enhancing user behaviors and OPSEC tips
  • Part 2 Exercises
    • Installing and configuring F-Droid and Aurora store
    • ProtonVPN setup
    • Disabling/reenabling applications over ADB
    • Setting up/using multiple user profiles
  • Part 3: Android Open Source Project / Custom "ROMs"
    • AOSP Overview
    • Lineage OS Features and Drawbacks
    • CalyxOS Features and Drawbacks
    • GrapheneOS Features and Drawbacks
    • Backing up device contacts, messages, photos, and other files
  • Part 3 Exercises (hardware required)
    • Backing up device contacts, messages, photos, and other files
    • Unlocking device bootloader
    • Running custom recovery
    • Install AOSP image (Lineage OS/Calyx OS/Graphene OS) to system partition
    • Boot phone into AOSP image (Lineage OS/Calyx OS/Graphene OS)

Depending on student interest and possession of compatible Android phones, I plan to stick around after the end of the workshop to help students who want to install an AOSP-based image. Feel free to reach out during the main event as well!

  1. https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
  2. https://www.cnet.com/news/geofence-warrants-how-police-can-use-protesters-phones-against-them/
  3. https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html
  • Student knowledge prerequisites

    No prior technical experience with Android is required; prior user experience with Android is highly recommended.

    Basic Linux command line knowledge and experience using virtual machines with Oracle VirtualBox is highly recommended.

  • Student resources requirements

    • Laptop computer (required)

      Students must bring a laptop that is capable of running at least two virtual machines. A system with at least 8 GB of RAM will be required; 16+ GB RAM is recommended. Using a Linux or Windows host operating system is recommended if available, but Macs are also fine (just know that the instructor won't be able to troubleshoot issues on Mac hosts as effectively).

    • Required software:

      • Oracle VirtualBox 6.1. VirtualBox is required for using Genymotion.
      • Genymotion Personal Edition (you will need to create a free account).

      Prior to the workshop, the instructor will send setup instructions for student systems and provide a link to download the course VM.

    • Android phone (optional)

      Students are also highly encouraged but not required to bring a hardware Android device that they are willing to experiment on (make sure to back up any data you want to save!). Devices that are compatible with LineageOS, CalyxOS, or GrapheneOS are ideal. Feel free to ask the instructor about your device and how to back up your data before the workshop!