Securing an Android Phone or Tablet (LineageOS)

8 min readApr 3, 2017

Corporations prioritize new sales and decreased costs over securing older Droidware. This leaves every Android OS user increasingly vulnerable to privacy violations by unsophisticated cybercriminals.

This article will help you install the latest version of Android 7 Nougat onto your device. You should be able to replicate the results regardless of the brand of your Android Phone, Tablet or TV. It is easy!

I confirmed in January 2020 that this guide still works for LineageOS 16 (Android 9 Pie) and LineageOS 17 (Android 10 Q)

I am “flashing” LineageOS onto my Android HTC One (M8) myself after not receiving any Android security updates from my device manufacturer for over 18 months. It takes about 60 minutes from start to finish to do.

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

Why upgrade my Android OS?

This Android phone is running a stock Android 6.0 with “HTC Sense 7.0” and has been “fully updated” to December 2015 security patch levels.

It currently serves as an aid during Security Assessments and Awareness Demonstrations, so the multitude of code execution and privilege escalation bugs is less than ideal!

After upgrading to LineageOS, my About Phone page rewards me with Android 7.1.1 and March 2017 security patch levels.

Not only will HTC never update my device to Android 7 Nougat, but I also have to deal with pre-installed, unremovable Bloatware that monitors me! Upgrading to LineageOS allows me to receive security updates and gives me full control over my device.

Depending on your Android device’s hardware specifications and what you will be using it for, you could consider mirroring this guide with CopperheadOS which has better security features. The postmarketOS project is also worth checking out.

Security & Privacy on Android

There is no use trying to secure Android if you are not running an up-to-date version of the Operating System. At its core, Android is another (highly specialized) Linux distribution.

Beyond that, it is important to take into account that:

Most Android apps distributed via Google Play and F-Droid repositories are collecting telemetry data, and some are straight-up malicious
Your Wireless Service Provider is likely monitoring your every move to increase their profits by selling this information to advertisers

Here are my Android security & privacy tips:

Stay informed by subscribing to Android Security Bulletins. Explore the Android Security Awesome list, the SecMobi Wiki, and the Mobile Security Wiki’s Best Practices
Enable Privacy guard to make sure you control what newly installed apps have access to, regardless of what permissions an Android App “requires”
You can opt not to install any App Store: Manually download the .apk, scan it online, then push it to your /sdcard using ADB for maximum control and privacy.
Need the usability of Google Maps/Play Store? Attach this to a new ‘Google Account’ and limit their tracking using their Privacy Check and delete recorded activity. Keep their Security settings enabled. Browse the web with Brave
Run F-Droid instead — it has a large installable catalogue of free/open source Android apps. Keep “unknown sources” disabled if you are not using it.
To improve your privacy turn off Bluetooth, NFC and Location features. Don’t backup data to your Google or Dropbox accounts. Do not install Google Apps/Play Store (decreases usability!)
Install as few apps as you need. Take a moment to learn how to find an efficient and free Anti-malware solution for your Android device. Personally, I would never trust any banking apps
Encrypt your phone. Set a secure PIN or Password. Patterns and Biometrics are easier to bypass (or take by ‘legal’ force). Set up the SIM card lock
Disable Network notifications under your WiFi settings so you stay in control of what networks your device connects to. This prevents a few of the Man-in-the-Middle attacks possible.
Highly recommend unchecking “Make passwords visible” option. Capturing screen changes is easy and shoulder surfing is still effective over time
Enterprise System Administrators can connect users to an Exchange server and enable Remote Wipe, which erases everything but the data on the SD card. You can also enforce minimum password complexity
Maintain a cheap VPS with a privacy solution for your devices. Frequently updated projects are Streisand, Sovereign, and Algo. Allowing you to tunnel your traffic beyond your Wireless Service Provider and across malicious WiFi networks.

Above all, keep your Android devices up to date!

Flashing Android

As long as you have a tested backup of all your contacts and photos, and you make sure your devices will not run out of power during the process — you will be able to recover from almost every other worst-case scenario.

The first step to “flashing” an updated Android distribution onto your phone’s chips is to do a modicum of research. Lucky for you, the community is very active, and many have written about their particular experience for your device.

I found my device in the LineageOS supported hardware list and took a minute to search for tips and tricks of fellow device owners before downloading the latest Build for m8 from the official website.

Jan 2020 Update: LineageOS 16 / Android 9 is now formally supported by LineageOS projects and a custom Android 10 ROM is also available.

If your Android phone has never run a custom ROM, you will need to unlock your phone’s bootloader still. Anything stored on the mobile device will be erased.

Android Debug Bridge (ADB)

ADB is a development tool that allows your OS to talk to your Android device. Ensure you have the latest version of Android Debug Bridge set up on your preferred Operating System (OS).

Next, on your Android device:

Open Settings > About > Software Information > More > then tap 7x on Build number. You will get a notification upon success
Go back to Settings > Developer Options > check the box for USB debugging. You will have to accept a warning

After you plug in your Android phone into your computer, open up a terminal/command prompt and run:

adb devices

You will need to authorize your computer by selecting ‘Always allow’ on your Android phone. Running the previous command again will now give you a different output.

Unlocking the Bootloader

A bootloader acts kind of like the BIOS/UEFI for your Android device. Unlocking it gives you full control over the device, a feature every Android OS developer requires.

Since I can interact with my Android phone from my command line using ADB, I can reboot into fastboot mode by running:

adb reboot bootloader

You can observe your Android’s screen, and confirm success by running:

fastboot devices

If this returns any error, try running the command as root/Admin.

I can obtain an unlock key to unlock my bootloader by visiting the HTCDev Bootloader Unlock website. If you are using a different brand, use a search engine to find your device manufacturer’s version.

The instructions on the HTCDev website are easy to follow along with, you can generate the required bootloader unlock token by running:

fastboot oem get_identifier_token

If your device is not on the supported devices list, you can find refuge in KingoRoot or SunShine. I prefer running binaries from “trusted” 3rd parties, always proceed with caution.

Custom Recovery Firmware

The next step is to replace the stock recovery options with the latest Team Win Recovery Project (TWRP) firmware. You can install the official TWRP Android App later to receive updates!

With the guidance of the HTC One M8 All Variants page, I downloaded the latest TWRP version for my device using my browser. Because downloads can get corrupted it is important to verify the integrity of the .img file.

The project provides an MD5 checksum and GPG signature for each release:

cat twrp-3.3.1-0-m8.img.md5 && md5 twrp-3.3.1-0-m8.img

curl -O https://dl.twrp.me/public.asc

gpg --import public.asc

gpg --verify twrp-3.3.1-0-m8.img.asc twrp-3.3.1-0-m8.img

On MacOS, these commands confirm the checksum matches and a “Good signature from TeamWin.” I can now proceed to flash the recovery image onto my device:

fastboot flash recovery twrp-3.3.1-0-m8.img

I will need to reboot my device into recovery to verify the successful installation of TWRP.

Using the Volume Up/Down keys to navigate, and the Power button to select, Power down your device
Once powered down, hold the Volume Down and Power button until HBOOT appears on the screen, then release the buttons
Navigate to RECOVERY and select it using the Power button

This confirms I have replaced the stock recovery with TWRP 3.3. Swipe to confirm you want to grant TWRP the power to modify your device.

Upgrading to LineageOS

Insert a 1GB+ Micro SDCard and reboot into your stock Android OS one last time. Format it there for removable storage and make sure you have downloaded the LineageOS install .zip and any optional packages you require.

Jan 2020 Update: I recommend installing LineageOS 16 — if installing LineageOS 17 you will want to Google the latest Unofficial image and grab an Android 10 compatible OpenGApps package.

Verify the checksum before pushing the Zip file to the Android device:

md5 lineage-14*.zip

adb push lineage-14*.zip /sdcard/

adb push open_gapps*.zip /sdcard/

adb push addonsu*.zip /sdcard/

Reboot into TWRP recovery using the discussed key sequence or run:

adb reboot recovery

If you already have the files on your sdcard and didn’t fully boot Android:

fastboot reboot recovery

I cannot stress the importance of backing up your existing system and storing it long-term. It can be difficult to find the exact stock Android ROM that is compatible with your phone.

In TWRP recovery:

Select Backup > Select Storage > Micro SDCard > Select System/Boot partitions > then Swipe to Backup
If you have the space on your SDCard, you could backup the Data partition as well (selected by default)

Next, we will want to format several partitions:

Select Wipe > Advanced Wipe > Select Cache, System, Data partitions > then Swipe to Wipe

Finally, we can install each of the Zip files from the TWRP home screen:

Select Install
Navigate to /sdcard/
Click on the lineage-14*.zip package
Swipe to confirm Flash

If you want to install the Google Apps package you can select “Add more Zips” or repeat above steps manually. Note that this choice will improve the usability of your Android device but decreases your privacy.

Jan 2020 Update: Accepting the offer to install the TWRP is not recommended!

I opted to “root” my device by installing the LineageOS ‘su’ package and install packages manually or via F-Droid instead. Rooting your device allows you to install packages like DNS66, AdAway, and ProxyDroid.

Reboot your droid

LineageOS is now installed, and after a two-minute deployment, you will be prompted to set up your device. Reward yourself by opening Settings and scrolling down to the About section.

Do you have any advice? Corrections or additions?

Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.

Click the ♡ to recommend this article.