Hardening Android: Browsers


Hardening Android with Privacy-Focused Browsers

This is a quick post about my experience with browsers on Android. I’ll be showing off how I’ve configured my phone for daily usage. You might be gaining performance too!

I consider two major use-cases when it comes to opening links on my phone.

  1. Opening links from various apps without much prior knowledge of content.
    I want this to be as sandboxed as possible.
    To be explicit: I don’t want scripts to be able to read my cookies, so no pre-loaded cookies.
    No pre-loaded tabs either.
    Ideally, the browser called upon in this use-case must be disposable once content is seen. It is then removed from memory completely ♻️

  2. Opening pages that require persistent data.
    These include logged-in accounts, pre-set forms, preferences, bookmarks, keeping tabs open. Basically, anything not a memesite/article/video/clickbait website, which is a big part of the content that y’all browse.

Here is what I’m currently going for. It’s likely not the meanest configuration, but I find that it’s a very good compromise between security and usability.

🔴 Keep in mind that I’m also running the “Hardened DNS” configuration I wrote about earlier.
I’ve tried this setup against OPSEC JavaScript & DNS fingerprinting tools, and I have to say it’s not bad at all 😎.

Day to day browsing

I’ve downloaded Firefox Focus, and explicitly set it up as the default browser.
You can read about the specifics on the Play Store page, but it’s basically the ideal solution to my sandboxed approach.
💡 If there is a link that you want to open outside of the sandboxed Firefox app, just share it to your persistent browser.
When closing Firefox, instead of leaving another open tab in the background when pressing back, it will remove all traces of the opened page from memory.
Neat 🔥

I’ve gone a step further and blocked all types of trackers (ad, analytics, social, ‘other content’). YMMV
There is a Send usage data option, but it’s turned off by default if I recall correctly.

When persistent data is required. Accounts, tabs etc…

For this I’ve tried several popular recommendations (hello /g/) and settled on using Brave browser.
It’s great for keeping browsing clean without maintenance, while easily blocking or modifying its behavior according to your paranoia level. Some basic settings are worth changing, like the default search engine (I recommend Startpage).
Tip: you’ll have to uncheck Send metrics in the Privacy options.

Privacy settings comparison

I thought it would be interesting to include this for the reader’s pleasure.
(Image: browsers privacy settings)

A note on performance:
Not keeping the daily junk accumulated through the days in the form of tabs will have a nice impact on the overall device usage.

Enjoy 👍

Additional considerations on defaults:
When clicking on links, some applications (such as Instant Messaging apps) will sometimes use the Chrome browser as an in-line browser if no others are set as default.
So it’s basically opening the Chrome browser inside an application. The browser with all the other tabs and logged-in accounts. And saved passwords. We don’t want that unless explicitly… wanted.
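To check the default described above from a computer, you can ask Android's package manager which app a plain https link resolves to over adb. This is an added example, not part of the original post: the package name `org.mozilla.focus`, the helper function names and the sample outputs are assumptions or constructed for illustration.

```shell
#!/bin/sh
# Added example: verify which app handles a plain https link on the phone.
# Assumption: Firefox Focus is installed under the package name below.
EXPECTED_PKG="org.mozilla.focus"

# `resolve-activity --brief` prints a match-info line, then "package/activity".
# Return only the package part of that component line.
handler_package() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F/ 'NF == 2 && $1 !~ / / { pkg = $1 } END { print pkg }'
}

# ok          -> links open in the sandboxed browser
# no-default  -> Android would show its chooser; no default browser is set,
#                which is the situation the paragraph above warns about
# unexpected  -> some other browser is the default
classify_handler() {
    pkg=$(handler_package "$1")
    case "$pkg" in
        "$EXPECTED_PKG") echo "ok" ;;
        android)         echo "no-default" ;;
        "")              echo "unknown" ;;
        *)               echo "unexpected:$pkg" ;;
    esac
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_FOCUS='priority=0 preferredOrder=0 match=0x208000 specificIndex=-1 isDefault=true
org.mozilla.focus/org.mozilla.focus.activity.IntentReceiverActivity'
SAMPLE_NO_DEFAULT='priority=0 preferredOrder=0 match=0x0 specificIndex=-1 isDefault=false
android/com.android.internal.app.ResolverActivity'
SAMPLE_CHROME='priority=0 preferredOrder=0 match=0x208000 specificIndex=-1 isDefault=true
com.android.chrome/com.google.android.apps.chrome.IntentDispatcher'

# Live check: needs adb and a phone with USB debugging enabled.
check_device() {
    out=$(adb shell cmd package resolve-activity --brief \
        -a android.intent.action.VIEW \
        -c android.intent.category.BROWSABLE \
        -d https://example.com)
    classify_handler "$out"
}

# Run `sh check_default.sh --device` to query the connected phone.
if [ "${1:-}" = "--device" ]; then
    check_device
fi
```

Anything other than `ok` means a link tapped inside another app may not land in the disposable browser.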

Brave browser picture: By Source (WP:NFCC#4), Fair use
