With all the shit going on worldwide about safety and internet you really need 2 phones. Yes 2. Theres a reason for this. First you cannot keep everything secure on one device. Its impossible because you have different things to consider.
Apps that read from other apps.
Now in a given scenario lets say Bob has a Facebook profile, Instagram, likes google etc. Ok so maybe you need 3 phones… but seriously it depends on what you want. If you like social networks, then keep those on a separate device. Dont use that phone for anything but social networking. Download Orbot and keep it locked behind TOR thru the VPN settings at all time. Know that whatever you do on the social app is not connected to your contact list, calls, internet searches etc.You can keep this off a sim and maintain all traffic thru tor on wifi.
Now for your main device. This device should be rooted. I know the arguments people have about rooted/ not rooted etc. Claiming not rooted phones are not secure and all you need is a vpn. Bullshit. Lets say you have an un-rooted phone. Now you have a VPN and all service goes thru the VPN to “newyork-server”. That seems great huh? Not really. You send your emails to a source. The email server registers an IP address coming from “newyork-server”. Now "newyork-server claims it doesnt keep logs (no one can say for sure unless they are running the server, some places by law keep logs for X amount of days.)
Now “newyork-server” got your traffic going to say protonmail. it cant read it, but can see you access it. Now at the same time, it also saw traffic from your banking app. Other logins for apps etc. All the backdoor traffic no one sees but an unrooted device will ALWAYS let you capture the data. Even if you block network content or have a disabled app.
Facebook bloatware has an average 4 different applications working behind the scenes. While you dont give access to facebook and have the main app disabled, the other apps are still working and collecting data. This is why its so important for Facebook and companies to pay phone companies to package the apps in the phone.
On this unrooted device you CAN put your Samourai wallet, Mycelium app, etc. All your cryptocurrencies. You dont want this on a rooted device because it can expose the wallet information to malicious apps.
BACK TO THE ROOT…
Ok this is where the magic happens. Because you have root now you can remove all the bloatware. You want to get Titanium Backup Pro do this. The very first thing you do is go to Backup/Restore and then go one by one deleting the bloatware and location apps. Then setup your encryption in the app and run a full backup of all system and user apps.
Next app you need is AFWALL+. This app is a network manager. From here you can go to preferences. Enable the VPN and then go back and only enable the apps you want to have access to the internet.
You will need to download the following:
(Whatever VPN services you will use) Emails etc.
Now you want to check your access rights to the internet. what forces them behind VPN only access. So these will never use your real IP address.You can basically lock everything behind VPN on AFwall except you need to give your VPNs access to wifi or the network.
You can now go to ORBOT and lock all the apps you want behind TOR only, there. So those apps wont access even behind the VPN and only access thru TOR. Your network system will now look something like this:
In this setup there is a VPN on the Wifi, then a seperate VPN on the device for some apps. Then TOR over that for only certain other apps.
Now I wont go too much into it but using root explorer you need to delete all gps and location files. These vary by device the location and sometimes its better to edit them instead of deleting them. So you go to edit, delete everything and save. Leaving a dead file but if another app is looking for the file to boot, its still there. An alternate method is to take your a phone to repair shop and pay them to burn out the gps hardware with the soldering iron. Physical damage is the best. same as they can destroy your external microphone (you can still talk with a plugged in headphone jack) and the face mounted camera- have them throw some glue or black marker over the camera and put it back in.
Now you want to use an IP widget to show your IP address at all times.
You can decide what apps you are comfortable using where but without having to worry about leaks, or being tracked as much.
Also on your social device, make sure to turn it off when not using and then check in later.
Getting pre-paid sim cards to confirm services and then disposing of them. Also never giving out your hardline numbers to anyone, Get voip numbers like Hush for most normal communication. Use Viber, Wire, Wickr to call between friends and family.
Stay away from Whatsapp and Signal for any communications.
EDIT: Deciding what to purchase
Phones are not sold rooted. And not all phones are capable of being rooted. Lets say you want to go buy one. Go look at the phones you like. At least choose 3-4 phones. Now you look for the model, baseband and software the phones are running. A good place online to buy unlocked phones (any sim carrier) is http://www.tigerdirect.com/applications/category/category_tlc.asp?CatId=5116
Go home and go to https://forum.xda-developers.com/
Search the forum for the type of phone and “rooted”. Read and see if it is possible to root the devices. Also It helps to make sure you can encrypt the device after root. Not all newer phones are capable of this.
There are way too many ways to root with kingo root, odin, etc. But the easiest for non technical people is http://www.kingoapp.com/ check their site for a list of supported devices.
Dont use the app, use the windows software. This is always best. Unfortunately Kingo doesnt always work on new devices and Odin /magisk is required to root with alot more steps.
If the above is too complicated to root your device then look on craigslist for a small repair shop that can root your device. It is best to set an appointment and do it while you wait. Just to make sure they dont install any malware on the device. Even youtube has tutorials to watch to root a device that are good.
Note there is a difference in rooted and unlocked. Both are needed. Rooted means you can access the root of the device and change/modify files. Unlocked means you can use any carrier like H20 or Simple Mobile.