With all the shit going on worldwide about safety and internet you really need 2 phones. Yes 2. Theres a reason for this. First you cannot keep everything secure on one device. Its impossible because you have different things to consider.
Apps that read from other apps.
Now in a given scenario lets say Bob has a Facebook profile, Instagram, likes google etc. Ok so maybe you need 3 phones… but seriously it depends on what you want. If you like social networks, then keep those on a separate device. Dont use that phone for anything but social networking. Download Orbot and keep it locked behind TOR thru the VPN settings at all time. Know that whatever you do on the social app is not connected to your contact list, calls, internet searches etc.You can keep this off a sim and maintain all traffic thru tor on wifi.
Now for your main device. This device should be rooted. I know the arguments people have about rooted/ not rooted etc. Claiming not rooted phones are not secure and all you need is a vpn. Bullshit. Lets say you have an un-rooted phone. Now you have a VPN and all service goes thru the VPN to “newyork-server”. That seems great huh? Not really. You send your emails to a source. The email server registers an IP address coming from “newyork-server”. Now "newyork-server claims it doesnt keep logs (no one can say for sure unless they are running the server, some places by law keep logs for X amount of days.)
Now “newyork-server” got your traffic going to say protonmail. it cant read it, but can see you access it. Now at the same time, it also saw traffic from your banking app. Other logins for apps etc. All the backdoor traffic no one sees but an unrooted device will ALWAYS send. Even if you block network content or have a disabled app.
Facebook bloatware has an average 4 different applications working behind the scenes. While you dont give access to facebook and have the main app disabled, the other apps are still working and collecting data. This is why its so important for Facebook and companies to pay phone companies to package the apps in the phone.
On this unrooted device you CAN put your Samourai wallet, Mycelium app, etc. All your cryptocurrencies. You dont want this on a rooted device because it can expose the wallet information to malicious apps.
BACK TO THE ROOT…
Ok this is where the magic happens. Because you have root now you can remove all the bloatware. You want to get Titanium Backup Pro do this. The very first thing you do is go to Backup/Restore and then go one by one deleting the bloatware and location apps. Then setup your encryption in the app and run a full backup of all system and user apps.
Next app you need is AFWALL+. This app is a network manager. From here you can go to preferences. Enable the VPN and then go back and only enable the apps you want to have access to the internet.
You will need to download the following:
(Whatever VPN services you will use) Emails etc.
Now you want to check your access rights to the internet. what forces them behind VPN only access. So these will never use your real IP address.You can basically lock everything behind VPN on AFwall except you need to give your VPNs access to wifi or the network.
You can now go to ORBOT and lock all the apps you want behind TOR only, there. So those apps wont access even behind the VPN and only access thru TOR. Your network system will now look something like this:
In this setup there is a VPN on the Wifi, then a seperate VPN on the device for some apps. Then TOR over that for only certain other apps.
Now I wont go too much into it but using root explorer you need to delete all gps and location files. These vary by device the location and sometimes its better to edit them instead of deleting them. So you go to edit, delete everything and save. Leaving a dead file but if another app is looking for the file to boot, its still there. An alternate method is to take your a phone to repair shop and pay them to burn out the gps hardware with the soldering iron. Physical damage is the best. same as they can destroy your external microphone (you can still talk with a plugged in headphone jack) and the face mounted camera- have them throw some glue or black marker over the camera and put it back in.
Now you want to use an IP widget to show your IP address at all times.
You can decide what apps you are comfortable using where but without having to worry about leaks, or being tracked as much.
Also on your social device, make sure to turn it off when not using and then check in later.
Getting pre-paid sim cards to confirm services and then disposing of them. Also never giving out your hardline numbers to anyone, Get voip numbers like Hush for most normal communication. Use Viber, Wire, Wickr to call between friends and family.
Stay away from Whatsapp and Signal for any communications.