I am increasingly conscious of security and privacy. I don’t want my data or telemetry being sent to google or Facebook, and I want to make sure my device is encrypted and not readable by anyone other than me.
Is there a standard go-to guide on securing an android device with these types of goals in mind? Is true privacy possible without having to install Graphene?
AFAIK, there’s two types of “secure” when it comes to Android:
(I guess a third “secure” would be 'Secure against exploits", but that’s outside the scope of my advice).
It’s not impossible to be both types of secure, but it is difficult. The main reason both is hard is because to achieve #2, you have to unlock the bootloader which leaves you open to #1 since re-locking it after installing a good custom ROM will prevent the device from working (or brick it at worst).
Achieving #2 is sufficient for me since I don’t keep a lot of sensitive data on it, and that sounds like what you’re asking.
On my phones that support it, I do unlock bootloader, install LineageOS without GApps, and make sure I have root available. I run few apps, but the ones I do all come from FDroid (or Aurora Store in a pinch).
On phones where I can’t unlock the bootloader, my options are much more limited. Typically I’ll disable all the Google and carrier services (including Play Services) and disable and replace all the stock apps with ones from F-Droid.
If my phone is physically compromised and the bootloader is unlocked, my hope is that storage encryption would make it a “non-issue”. Yes, they could wipe the device and delete my data then resell the phone, but at that point all they’ve stolen is a $300 phone with maybe $80 resale value and not my entire identity