Hi everybody!
I recently started looking for a browser to replace the stock one and I think I installed every possible option there is without giving much thought to the consequences - app permissions and possible violation of my privacy and misuse of my data.
So I found what I thought was a really nice and well-functioning browser called Ninesky from the Android market.
Luckily for me I did not get to use it for long, before I detected a strange pattern - Ninesky would automatically start itself upon boot, connect to a server in China, upload some data and receive some back and then just sit there and wait idly.
The server that it connects to belongs to a company called aBitCool, which is, according to Bloomberg, an ISP in China.
So I kill it off and after a while it's back, doing the same thing. I also noticed a similar behavior for Dolphin HD, except that it would send data just once very quickly after boot-up and then close itself and stay quiet. That led me to Google it a little, which in turn led me to an existing thread about Dolphin HD on this forum.
So here are my noob questions that I hope somebody can answer, please:
1. Can somebody take a look at Ninesky browser and let us all know what kind of data it is transmitting about its users upon boot and maybe even later on during the actual use of the browser? The list of permissions that Ninesky asks for is huge and that makes me a little worried. Also, Ninesky runs a "safety check" of every URL visited. I wonder what that really is.
2. Say it would try to steal information from its users - would it be possible for the app to somehow get access to my stored usernames and passwords from other programs (such as Gmail or Skype) or are these encrypted? I presume that if I were stupid enough to let Ninesky's password manager "remember" my usernames and passwords for certain websites then that information would be easily accessible to them.
3. Can an app with such permissions also function as a keylogger?
4. I can understand why folks here would write some apps on their own and share them with the rest of us. I can understand why a developer or a company would write an app and make one version available for "free" or as an ad supported one and/or offer a premium version for $$$. At the end of the day developers need to eat and pay their bills just like the rest of us and companies are (for the most part) profit-seeking institutions (unless they are GE or MS that have money to burn). That said - why for the love of god would anybody, other than an enthusiast, develop a browser, for which they will not ask for any $$ or won't even display any ads in it? Where is the catch? Now, I know that Opera and Firefox get money from Google to use it as their default search engine, but would this really apply for a few random Chinese companies? Where is the catch?
Thank you.
I was a big supporter of Ninesky but I uninstalled today. It does seem to be constantly running and transmitting data, though what data is being transmitted I don't know. LBE also kept notifying me that it was trying to obtain my location information even when I wasn't using it. I uninstalled it through the Market and left a one star review.
Drunk texted from my MIUI Thunderbolt.
I'm writing a review of about 13 different Android browsers, and came across Ninesky. Has anyone heard anything more about the privacy concerns and what data it might be transmitting?
well....if it keeps requesting the location even while its closed, thats not a good sign...
Not good. This needs addressing.
I have changed my review on Market also until we get some answers.
Cheers to the OP.
I agree. I think my review should come out tomorrow, hopefully the developer reaches out. It really is a decent browser.
Sent from my Transformer Prime TF201 using xda premium
´I'll leave you here my tests made since Monday with last versions of each app:
==|Boat 4.0.1|==
#Just after starting#
- Ask for GPS location
- 211.151.139.246 (China Network Information Center)
#When going to any website#
- IP from that website
--------------------------------------------------------
==|Dolphin HD 8.6.1|==:silly:
#Just after starting#
- 184.73.86.141 (AMAZON.COM - amazonaws.com - US)
- 65.52.32.12 (Microsoft Corp - US)
- 107.20.57.0 (AMAZON.COM - amazonaws.com - US)
and one more on this IP range type...
- 205.251.242.197 (AMAZON.COM - amazonaws.com - US)
- 205.251.242.165 (AMAZON.COM - amazonaws.com - US)
- 72.21.195.98 (AMAZON.COM - amazonaws.com - US)
#When going to any website#
- IP from that website
--------------------------------------------------------
==|Firefox 14.0.1|==
#Just after starting#
- No Ping
#When going to any website#
- 80.67.92.43 (AKAMAI TECHNOLOGIES US) *
- 93.184.219.20 (EdgeCast Networks - US) *
- IP from that website
* note: not always, most of the times just go to IP website we asked
--------------------------------------------------------
==|Opera 12.0.4|==:victory:
#Just after starting#
- No Ping
#When going to any website#
- IP from that website
note: DON'T use Opera Turbo or EVERY single info WILL pass through their servers...
--------------------------------------------------------
It's pretty obvious to me who are the most privacy oriented here...
STAY WAY FROM OPERA MINI AND DOLPHIN MINI AND ALL MINI VERSIONS. They process all info on their server first for speed.
Anyone researched Xscope or could research this browser?
If you explain how, I could do it myself!!
Sent from my GT-I9000 using xda premium
But the OP got it wrong with money burning by GE & MS. There's no such thing, its all business. Just to let you know, in the browser wars - Firefox was Google's first step into browsing. Then came Chrome.
For all privacy concerns, LBE Privacy Guard is a good option. Though its Korean, if am not wrong.
Well, finally there's options out there. Nobody is forcing us to download, install & use their apps.
Sent from my MT11i using Tapatalk 2
bombayboy said:
But the OP got it wrong with money burning by GE & MS. There's no such thing, its all business. Just to let you know, in the browser wars - Firefox was Google's first step into browsing. Then came Chrome.
For all privacy concerns, LBE Privacy Guard is a good option. Though its Korean, if am not wrong.
Well, finally there's options out there. Nobody is forcing us to download, install & use their apps.
Sent from my MT11i using Tapatalk 2
Click to expand...
Click to collapse
Agree with everything BUT Firefox was never connected to Google like Chrome. Firefox's current existence is owed almost exclusively to its search partnership with Google wherein Mozilla Corp receives a portion of ad revenue from Google queries initiated from Firefox's search bar. This revenue amounts to tens of millions of dollars. But Mozilla and Google Relations Strained Due to Chrome.
Firefox its independent and don't collect your data like Chrome/Google do...
sushidog said:
Agree with everything BUT Firefox was never connected to Google like Chrome. Firefox's current existence is owed almost exclusively to its search partnership with Google wherein Mozilla Corp receives a portion of ad revenue from Google queries initiated from Firefox's search bar. This revenue amounts to tens of millions of dollars. But Mozilla and Google Relations Strained Due to Chrome.
Firefox its independent and don't collect your data like Chrome/Google do...
Click to expand...
Click to collapse
Connected with reference to Google promoting & supporting Firefox before they decided to go with Chrome.
I still use Firefox, Aurora & Chrome
Sent from my MT11i using Tapatalk 2
If you're not paying it, you are the product being sold.
Remember this when downloading free apps which are not open source.
DnaPolymerase said:
If you're not paying it, you are the product being sold.
Remember this when downloading free apps which are not open source.
Click to expand...
Click to collapse
Like facebook which sells our data
Sent from my MT11i using Tapatalk 2
Calamitous with Ninesky
Hi,
I stumbled upon XDA Developers forum today and I was so grateful to find this write-up; it was the only honest review I could find of Ninesky. So, thank you.
I want to share an experience our family went through a few weeks ago. Perhaps it will answer some of your questions and alert some users out there of what this browser could do. We have an unfortunate incident happen to our child: My little boy received an android tablet for a gift this October. He was so eager downloading all the apps and games he could find, and in about a month, it was completely personalized. We regularly monitored his downloads, the games he played, and the apps he utilized.
Much to our regret, we really did not give much thought to the browsers he had installed. He had more than three at one point and Ninesky was always in the background. Sadly, whenever he would search for apps, we later discovered Ninesky directly linked him to several stores that was not common to Google or Firefox. Some of them had Anime icons (mostly innocent looking), nicely titled games for their tiles. Some apps were legitimate and very cool games; however, some apps were direct links to hard-core porn websites and a whole universe of filth (not excluding child-porn). They attached themselves to the tablet like trojans and was quite aggressive in linking the user to overseas app stores (inappropriate). Every time a game would be uploaded from one of these stores, it gives auto-access to these atrocious websites and videos. Because Ninsky always functioned in incognito--one of it's touted features--we almost had no access to the history or cookies when this browser was used. Almost anyway ... it took us hours (and some hacking) to track and identify what was really going on, the seeming source of it was this "sophisticated" browser.
So the catch may be that this browser has no advertisements because it plays host to several groups funding the porn industry. That's my suspicion anyway, based on what we went through.
I cannot begin to say how grieved we are that our son was exposed to all this, especially that we discovered it so much later. We thought we paid attention. That being said, he's back to playing with his remote control car outside, where life is a bit less complex.
More power to your forum and thanks again.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
xenofont said:
Hi everybody!
I recently started looking for a browser to replace the stock one and I think I installed every possible option there is without giving much thought to the consequences - app permissions and possible violation of my privacy and misuse of my data.
So I found what I thought was a really nice and well-functioning browser called Ninesky from the Android market.
Luckily for me I did not get to use it for long, before I detected a strange pattern - Ninesky would automatically start itself upon boot, connect to a server in China, upload some data and receive some back and then just sit there and wait idly.
The server that it connects to belongs to a company called aBitCool, which is, according to Bloomberg, an ISP in China.
So I kill it off and after a while it's back, doing the same thing. I also noticed a similar behavior for Dolphin HD, except that it would send data just once very quickly after boot-up and then close itself and stay quiet. That led me to Google it a little, which in turn led me to an existing thread about Dolphin HD on this forum.
So here are my noob questions that I hope somebody can answer, please:
1. Can somebody take a look at Ninesky browser and let us all know what kind of data it is transmitting about its users upon boot and maybe even later on during the actual use of the browser? The list of permissions that Ninesky asks for is huge and that makes me a little worried. Also, Ninesky runs a "safety check" of every URL visited. I wonder what that really is.
2. Say it would try to steal information from its users - would it be possible for the app to somehow get access to my stored usernames and passwords from other programs (such as Gmail or Skype) or are these encrypted? I presume that if I were stupid enough to let Ninesky's password manager "remember" my usernames and passwords for certain websites then that information would be easily accessible to them.
3. Can an app with such permissions also function as a keylogger?
4. I can understand why folks here would write some apps on their own and share them with the rest of us. I can understand why a developer or a company would write an app and make one version available for "free" or as an ad supported one and/or offer a premium version for $$$. At the end of the day developers need to eat and pay their bills just like the rest of us and companies are (for the most part) profit-seeking institutions (unless they are GE or MS that have money to burn). That said - why for the love of god would anybody, other than an enthusiast, develop a browser, for which they will not ask for any $$ or won't even display any ads in it? Where is the catch? Now, I know that Opera and Firefox get money from Google to use it as their default search engine, but would this really apply for a few random Chinese companies? Where is the catch?
Thank you.
Click to expand...
Click to collapse
Ive been through the entire security forum. Must say till a little raw but it will mature hopefully. Still a lot of noobs talking and no serious dev talk. Im not a developer but I have done some research esp on encryption systems and keep myself updated with the loopholes in various apps. Until such time when they do join in I think it would be a good idea (esp if the higher-level know-its) would share their list of apps they use for their everyday functioning and especially how you currently protect yourself best against unwarranted attacks to the types other forums are talking about.
My list is:
K-9 mail : for email. I use APG with that though im still not convinced its worth it cause the keys would be a easy to 'reverse engineer' as you can easily detect the device you use to send the mail and thus an estimate of the computing power essentially showing them the narrow range of prime numbers in which the key could have been generated. But you would need to be a dedicated target for that. Plus its open-source and very popular.
Xprivacy: its good for apps with too many unnecessary permissions but it wont protect you against intruder attacks.
network connections: just switched over to this from wire shark. Still undergoing testing. But it tell you the current internet connections and seem promising. You can block the suspicious IPs using xposed framework called peerblock (look into the xposed mod index). Needless to say but I think blacklisting google would be perhaps make you life considerably old-fashioned esp if your plugging the google 'backdoor' access they provide to 'he-who-shall-not-be-named' organizations.
Browser: im using the native AOSP browser. Firefox would be a better alternative in my opinion to chrome or others. I wish we had chromium for android.
Quickpic: using it instead of the native gallery after i found that it was connecting to the internet.
Calander: using the native AOSP calander but deleted the calander sync cause i try to avoid relying on google too much. selectively Denied internet permission.
ES file manager: a very complete tool. root explorer with checksum built-in. denied internet permissions.
TextSecure : Using this for standard texting because it seems to offer more encryption that any other texting app at the moment. Plus its going to be the default messaging app in Cyanogen ROMs in the future. Offers One-Time-Pad system encryption which is encryption theoretically secure (what that means for the common man is that this encryption is the only one that has stood the test of time to be unbreakable of used properly. All other encryption systems rely on the fact that the decrypting systems used to 'crack' the encryption lag behind the algorithms. Lets hope the devs did implement it properly)
Remove Google from CM10+ ROMs : http://www.xda-developers.com/android/remove-the-google-from-cyanogenmod-with-freecygn/
"Not every user particularly cares for Google’s proprietary bits and its tendency to put them everywhere. As such, XDA Senior Member MaR-V-iN has created a script to clear out Google proprietary binaries from all CM10+ ROMs. Freecyngn disassembles the CyanogenMod settings app and replaces Google Analytics library with the free NoAnalytics. The whole process doesn’t break the Settings app, and turns your device into one that is Google-free"
Click to expand...
Click to collapse
Thanks to @SecUpwN for the site: www.prism-break.org As you will see by visiting this site its not secure but just a list of more open-source projects.
I dont use a lot of google products like gmail or chrome or maps but i would like to minus the uneasiness that i have using it. And i dont use public wifi at all. The great things in life are hardly ever free!
Needless to say but i use CM 10.1 since its well developed and open-source. Looking forward to omniROM by chainfire and other great devs. I do believe we need some serious stenographic programs for android because encryption alone is not the way to go. Maybe they will take this more seriously. This remains a work in progress. As always hit thanks if it helps.
CM is now for profit. It's CyanogenMOD Inc. Anyway, this is a pretty naive approach, IMHO. You want to keep something secret you can't tell technology about it. Check out "Schneier on Security."
where did you download "network connections" from?
@aejazhaq: See www.prism-break.org!
runwithme said:
where did you download "network connections" from?
Click to expand...
Click to collapse
I downloaded it when the dev was giving the pro version free for a limited time to XDA members. How ever its available on the play store...https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Yes i cam across that just a week ago. It seems to me as my knowledge progress' that the apps available are just to keep the selective data eg your mails private if you use APG with that. @pan.droid I think anything on your device is still as vulnerable as can be honestly and don't think, at least as of now that you can protect your data on you device with any satisfactory means, at least not yet. I'm interested in stenographic means more now than ever because I think encryption alone wont cut it esp keys generated on the phone; the prime numbers needed for a foreseeable future (3+ yrs) protection are elusive on the phone, perhaps the PC can do a better job, but again with its fallacies esp with emails being stored in the cloud permanently means that there's an expiration date on such material you choose to share. And given it lacks forward secrecy and anyone using PGP in emails is definitely shouting encrypted msgs being transmitted perhaps arousing more suspension and the subsequent package.
Thus I do agree the list is currently very naive but perhaps the best we can do at the moment. Thats why I'll leave people to share their opinions on this because this is perhaps an ongoing discussion.
I'm really interested in a contacts replacement. I hate the new style google version but I don't trust ANYTHING free from the app store. They all download your contacts!
You didn't mention AFWall+, the iptables firewall I consider instrumental in blocking most phone home attempts.
SecUpwN said:
@aejazhaq: See www.prism-break.org!
Click to expand...
Click to collapse
Actually, pretty great site!
pan.droid said:
Actually, pretty great site!
Click to expand...
Click to collapse
You're welcome. If you're interested in security projects, have a look!
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
pan.droid said:
I'd totally jump on board with that, but all I have is a WI-FI tablet, ATM. Great activist project for anyone serious about security.
Click to expand...
Click to collapse
Sadly, our project is missing real security enthusiasts and DEVELOPERS. Do you know anyone I should get in touch with?
I use "Keepass2Android Offline" to manage my passwords. This "offline" version removes Internet access permissions which I consider essential for security of my database.
Hi guys,
I'm starting this thread to discuss the "eelo" project and post news about it.
"eelo" is an initiative to release a global and appealing alternative to Apple, Google, ... with as much privacy as possible, with open-source as an ideal.
The eelo ROM is going to be forked form LineageOS and won't include anything from Google proprietary services.
eelo web-services will include email, search, online office... as a consistent, sustainable and global offering.
I've been thinking about this project for several years, and now I think most of the bricks for the project are available. They "just" need to be put together and polished as a consistent offer.
This is a non-profit project, in the public interest.
I'd love to read your your ideas/suggestions about eelo!
Cheers,
Gaël
Update: I'm posting here the "foundation" articles about eelo:
1/ Leaving Apple and Google : my “eelo odyssey” – Introduction
In 1998, I created Mandrake Linux, because I was both a Linux fan and didn’t like Windows on the desktop. It’s been a long time, and I’m very happy I’ve been one of the actors who contributed to make the Linux desktop possible, even though it didn’t completely succeed. Since then, the smartphone has emerged. And it’s now a “companion of life” for many of us. On my side, I’ve been using Apple iPhones exclusively, since 2007. The main reason behind this choice is that I like iOS. It covers my needs, it looks great and elegant, and I find it very intuitive to use.
Also, over the past years, I moved from my (Mandrake/Mandriva and then Ulteo) Linux desktop to MacOS. There has been a professionnal reason for that, since I often need XCode for building iOS applications. But also, it’s very convenient to use in conjunction with other Apple devices. I can get my text messages on MacOS, I can answer a call hand-free, I have my notes synced accross my devices.
But talking with friends this year, I realized that I had become lazy and that my data privacy had vanished.
Not only I wasn’t using Linux anymore as my main operating system, but I was also using a proprietary OS on my smartphone. And I was using Google more and more. Search of course, but also Google Mail, Google drive and Google docs. And Google Maps.
I’M DEFINITELY NOT HAPPY WITH THAT SITUATION.
I’m not happy of this situation because iOS is proprietary and I prefer Open Source Software. And Apple is getting crazy, with their latest products. Too expensive, not really exciting. It also has some design issues in my opinion. It has become a social act to buy an iPhone: “see, I can buy it”. Buying an iPhone has become a snob attitude and I hate that.
Also I’m not happy because Google has become too big and is tracking us by catching a lot of information about what we do. They want to know us as much as possible to sell advertizing.
Like millions others, I’VE BECOME A PRODUCT OF GOOGLE.
Last, I think that, in the long run, Apple, Google, Facebook etc. business models are harmful for our economical and social environments.
So I want to stop that. People are free to do what they want. They can choose to be volunteery slaves. But I do not want this situation for me anymore.
Reconquer my privacy
I want to reconquer my privacy. My data is MY data. And I want to use Open Source software as much as possible.
At the same time, what exists at the moment doesn’t exactly fit my needs: of course I don’t want to use stock Android. It’s Google everywhere and its default user interface is bad (my taste).
Also, I’d like to find good online tools such as office, email services etc. that don’t belong to Google.
And I’d like to have the same confort that I have with iOS and MacOS with synchronized services.
I know about a few initiatives, in particular “PureOS” is very interesting and appealing if you want a 100% pure-Free Software. But that is definitely not something I would use daily, at least not in its current state. I need something I could even recommend to my parents or my children. Something appealing, with guarantees for more privacy. Something that we could build in a reasonable amount of time, something that will get better and better over time.
So let’s build something new! “eelo”
My decision is taken: I’m going to build something new that will be open source (as much as possible) and very attractive. At least for me, but probably it could be attractive for a few others as well.
I’ve played with LineageOS for a few months and I think it’s the way to go. You can recompile it, improve it, fork it… and that’s what I’m going to do.
Some nice web services also seem to be viable alternatives to Google apps, so I’m going to explore that and possibly aggregate that into a single service. And offer guarantees to users of this new project.
This is an odyssey, this is a non-profit project
I call the project “eelo” because eels are small fish that can hide into the sea. That’s perfect for my quest of more privacy.
I want eelo to be a non-profit project “in the public interest”. I think operating systems and web services should be a common resource: as I explained a few year ago, this is infrastructure, like phone networks, rail tracks, roads…
Non-profit doesn’t mean nothing will be for sale. Probably some eelo smartphone will be for sale, and some premium services will be available for corporates. But profit won’t be the first focus of eelo.
Eelo will be for users first, for everyone who cares about their data privacy, for everyone who wants to use exciting products, for everyone who wants to join an exciting new project.
{
"lightbox_close": "Close",
"lightbox_next": "Next",
"lightbox_previous": "Previous",
"lightbox_error": "The requested content cannot be loaded. Please try again later.",
"lightbox_start_slideshow": "Start slideshow",
"lightbox_stop_slideshow": "Stop slideshow",
"lightbox_full_screen": "Full screen",
"lightbox_thumbnails": "Thumbnails",
"lightbox_download": "Download",
"lightbox_share": "Share",
"lightbox_zoom": "Zoom",
"lightbox_new_window": "New window",
"lightbox_toggle_sidebar": "Toggle sidebar"
}
So… starting from now, I will periodically post my progresses to release an appealing alternative for the mobile and for web services.
Next time, I’ll show how LineageOS can be hacked, rebuilt and improved for eelo!
If you are interested in that odyssey, as a potential user or contributor, you can register at the eelo.io website.
Next part in this thread:
- 2/ eelo: the mobile OS
- 3/ eelo: web services
New post about eelo web services: "Leaving Apple and Google: my “eelo odyssey”. Part2: web services"
(URL removed per request from this forum mods)
leaglavud said:
New post about eelo web services:
Leaving Apple and Google: my “eelo odyssey”. Part2: web services
Click to expand...
Click to collapse
You write about a new launcher. Can we see the sources?
kurtn said:
You write about a new launcher. Can we see the sources?
We will release sources on GitHun and APK builds of eelo's BlissLauncher on F-droid and APKPure once we think its stable enough and compatible with common screen resolutions.
Click to expand...
Click to collapse
Great!
Please don't use XDA as a way to make money. This includes posting links to crowdfunding campaigns
Thread Cleaned
mark manning said:
Please don't use XDA as a way to make money. This includes posting links to crowdfunding campaigns
Thread Cleaned
Click to expand...
Click to collapse
Hello, I don't see where XDA forbids to post links to crowdfunding campaigns. Can you point me to the correct place in your terms of use?
leaglavud said:
Hello, I don't see where XDA forbids to post links to crowdfunding campaigns. Can you point me to the correct place in your terms of use?
Click to expand...
Click to collapse
No problem mate
13. Advertising and Income Generation
Commercial advertising, advertising referral links, pay-per-click links, all forms of crypto-mining and other income generating methods are forbidden. Do not use XDA-Developers as a means to make money
Click to expand...
Click to collapse
We're not "making money", we have a kickstarter campaign to support eelo, which is non-profit. That's quite different.
leaglavud said:
We're not "making money", we have a kickstarter campaign to support eelo, which is non-profit. That's quite different.
Click to expand...
Click to collapse
https://forum.xda-developers.com/showthread.php?t=3725368
On the thread above I have briefly explained why the crowdfunding / kickstarter threads are not allowed, as you can see, another user opened it up on the same topic.
No one is directly accusing you of trying to make money, no one said you're selling something and we actually appreciate the project initiative but "donate to us to make this happen" is not allowed as per quoted rule.
The funding goal is the amount of money that a creator needs to complete their project. Funding on Kickstarter is all-or-nothing. ... A creator is the person or team behind the project idea, working to bring it to life. Backers are folks who pledge money to join creators in bringing projects to life.
Click to expand...
Click to collapse
I don't really feel happy with keeping this conversation here but as long as you're the OP I feel obliged to do it .
There are hundreds of developers and project initiators around, what if everyone will ask for funding in order to sustain their plans?
The rules says clearly, present / develop the project and if anyone wants to donate is free to do so by freely hitting the donate button, there's no restrictions.
all moderators are illuminati? just 4 gk
:v
Amar 721 said:
all moderators are illuminati? just 4 gk
:v
Click to expand...
Click to collapse
No... I'm on the Darkside
xanthrax said:
No... I'm on the Darkside
Click to expand...
Click to collapse
what does that mean
dark side of the brightness
:v
Leaving Apple and Google: my “eelo odyssey”: the mobile OS
2/ Leaving Apple and Google: my “eelo odyssey”. Part1: the mobile OS
So I came out about my decision to leave Apple and Google. It’s a lifestyle choice to escape the tech giants that make me a product by privatizing my personal data .And I don’t like what Apple is doing now, Apple’s attitude, new iPhone and their price… It’s also an act of freedom for my children and all the people who will care: I want them to have a choice, and also a clear and informed view on how their choices can impact their life and their economical ecosystem as well. That’s what eelo is all about: offering a viable and attractive alternative to users for their digital life.
In this new post I’m going to describe what I was able to do so far on the mobile to get rid of Google and Apple, and what remains to do (spoiler: there’s a lot). In the next part I will explain what how things will need to be adressed on web services and draw a whole picture of the eelo project.
What’s wrong with default AOSP/LineageOS?
Talking about LineageOS, you might think “why do you want to hack something that is already mostly open source and works well?”
The answer is easy: the core of AOSP/LineageOS is usable, and performing well, but it’s not good enough for my needs: the design is not very attractive and there are tons of micro-details that can be showstoppers for a regular user. Also, unless you are a geek, LineageOS is not realistically usable if you don’t want google inside.
The design point
Regarding design, I know that some Android users like it, but I really dislike the default graphical user interface. I find it ugly: icons don’t look good, colors are sad, and I don’t like the launcher ergonomy and behaviour.
So at least we need a new launcher, and better icons. Default notifications don’t look very good either, and I’m not a big fan of the settings part. Compared to the rest of the UI it could be worse, but it’s still quite sad, with a single green color in LineageOS. I’d like something more appealing, and probably better organized.
“Good news”: you can find hundreds of custom launchers and icon themes in the Google Play Store. But either you have to pay for them, or you get free stuff with lots of ads and possibly scams. So not for me.
Bad news, good news
The bad news is that I’m new to Android development and I don’t consider myself a great developer. I can hack things, I can recompile and integrate stuff, but I don’t have enough practise to program a new launcher from scratch without spending weeks on it.
The good news is that I have found a very talendted full-stack developer who is interested in the project. We have agreed, as a first collaboration, to release a new launcher, new notification system and new “control center”.
First successes
I’ve choosen to test custom builds of LineageOS/eelo on a LeEco Le2. It’s a nice 5.5″ smartphone with a 1080×1920 pixel screen, 3GB RAM, 32GB storage, finger sensor in the back, and a 4K camera. It costs about 130€. Yes, that’s about $150. Yes.
Also I’m waiting for a Xiaomi Mi 5S. It’s got a smaller screen and I prefer smaller devices for my own usage. And I’ll probably give a try to the LG G6. (Want to suggest a device? tell me!)
After several weeks of work, we now have a new launcher! It still lacks a few features (such as uninstalling an application), but it’s already fully functional. On this video, you can see the “icon group” feature, and swiping between several launcher pages:
eelo BlissLauncher 1 from eelo on Vimeo.
On this one you can see the “docking icon” feature:
eelo BlissLauncher 2 from eelo on Vimeo.
We call it the “BlissLauncher” just because it’s a great launcher. And we also have a first new notification system and a new unlock screen:
Next time will be to have all that integrated by default in a new fresh build. And at the time of finishing this post, I already succeeded to flash a fresh build with the new launcher and the new notification system.
Getting rid of Google stuff completely
Now we have a better launcher for eelo, and I’m working with a great and very professional designer. He contributed a lot to the Mandrake Linux interface icons in the past, when we redefined all the user interface and all icons. Later he also contributed to first releases of Ulteo, when it was still a cloud-operating system project, and not a Citrix-alternative. We’re working together to redesign default application icons, some wallpapers, splashscreens, and also a first real eelo logo. On the long term, we will have to redesign the full user interface.
But what we want is not only something good-looking, attractive and easy to use. We want more privacy! And Google services are not compatible with my idea of privacy.
Therefore, we don’t want Google Services. We don’t want Google play store. And we probably don’t want most of Google apps such as Calendar, Email etc.
Also, we probably don’t want Facebook either and some other so-called “free” services. This will be user’s choice to install them or not. I know that we cannot change the world in one iteration, this will be step by step.
Each of this point will need to be addressed in Eelo. We will need an independent application repository, an independent and secure email provider, an independent online drive, online office services… All that well integrated in eelo. In the user interest first.
First round without Google
The first time I was able to recompile and flash LineageOS, I soon had to install Google Play Store and Google Play Services to install common applications, or I could do pretty nothing.
But there are some alternative stores. For instance, F-Droid is a very successful APK application repository that provides only 100% open source software applications.
There are other alternative app stores for non-open source applications. For instance there is Aptoide. It provides most common applications such as Twitter, Waze etc. But unfortunately when I checked Aptoide APK packages signatures and sizes, I realized that they were not the same as on Google Play Store. I’m not sure to understand well the reasons behind this situation, at least for common applications, so I looked for other alternatives.
I found APKPure to be a great store for free applications. And trust me, a lot of applications are free! Actually, I realized that on my iPhone I had only free applications. And I know many people who are using only free applications. So APKPure is a great way to go if you don’t want to use Google Play Store and don’t need non-free applications. I checked many of their packages, and they are bit-to-bit identical to the ones available on Google Play Store. There are only official packages.
An alternative to APKPure is Yalp. Yalp is an open source application that is acting as a kind of anonymous proxy to Google Play Store, also providing only official APK packages.
So for applications, I’m now using both F-Droid and APKPure. That’s already very confortable, and I successfully tried dozens apps, including the most used apps (Facebook, Messenger, Twitter, Waze, Telegram, Skype, LinkedIn, Spotify…).
But I think we’d need an “eelo store” that would deliver both:
- official free applications like APKPure
- open source applications like in F-Droid
All that into a single, appealing and fast application, where users could check easily if an app is open source or not, where users could evaluate the application level of privacy, and where users could be able to report some scam issues. We definitely need to add this to the eelo roadmap.
Lovely Google Services
There is a feature that Google has created to jail users within their environment. That’s called “Google Services”. It’s a non-open source service that you have to install if you want to use Google Play Store, for instance. It’s also used by several applications. It provides services such as:
- analytics
- account authentication
- cloud messaging (notifications)
- drive
- geofancing
- maps API
- mobile ads
- games API
…
Developers of Android applications are not forced to use them, but obviously Google is doing their best effort to make them desirable as much as possible, if not mandatory for certain features.
The good news is that many common applications, the ones that everybody is using everyday, are not using Google Services, or they do not rely a lot on them. Probably a lot of developers don’t like to be jailed in a single ecosystem.
As far as I tried, the most problematic applications in this regard seem to be some games, such as Pokemon Go. This one doesn’t seem to be usable unless you have Google Play services installed.
The good news is that there is a nice project that is providing open-source alternatives to Google Services. It’s called MicroG, and eelo will probably integrate it.
Another “great idea” of Google is their SafetyNet Attestation API. It’s something that Android application developers can use to check if the user’s device is an official device that complies with Google’s environment. It examines the hardware, the software, checks wether the device is rooted or not. In the end this can be used to prevent to application to run if the environment doesn’t comply enough with Google’s rules. Fortunately, there is “Magisk” to circumvent this issue. We will probably need to integrate it by default in eelo as well.
What about web search?
Many parts of a modern operating system can lead to “Privacy indiscretions”. So far, I’ve talked about privacy issues that come from within the system.
But if you search for something on Google, it’s very likely that Google can determine that YOU are looking for something in particular. Even if you are not using a google account in you Chrome browser, they can track your IP for instance.
So we definitely need to provide a default search engine alternative to Google search. Probably that we don’t want Bing or Yahoo either, although it’s better to use various search engines so that each of them doesn’t know exactly everything about your searches and therefore cannot consolidate your private information efficiently. We have a few alternatives:
- the well-known DuckDuckGo: even though it heavily relies on Google Search results, it offers privacy guarantees that Google doesn’t offer.
- Qwant is a new search engine that is making big progresses and now has its own index and is offering guarantees on privacy
- there is also the fully open CommonSearch: project, but it’s not ready yet
So I’m considering offering both DuckDuckGo and Qwant as default search engines for eelo search and web browsers that will ship with eelo, while still offering Google (and others) as an option. It’s true that in some cases, it is still offering the best results.
And also…
There is a long list of Internet services that can track you, send and process your personal data in many ways. For instance, using a Gmail (or similar) email account is a great way for Google to learn a lot about you.
But also, some of you probably know about the very fast Google DNS resolver: 8.8.8.8 and 8.8.4.4. DNS resolvers are used all the time and by many applications. They convert domain names to IP addresses. And I say: DO NOT USE Google DNS resolvers. Each time your smartphone is looking for a domain name, Google knows about it and they can add this information to other information they know about you.
Instead, you can use 9.9.9.9 (or 2620:fe::fe IPv6) which is a fast public DNS resolver operated by a non-profit research institute that does not store your IP. And it be accessed throught a secure protocole (TLS).
Of course, it’s all the web-service ecosystem that we need to address. As I said earlier, eelo will provide a mobile system with better privacy, but also some web services such as an online office suite, some online storage etc. We will aggregate some existing web services, improve them if needed, or build new services if nothing is available.
Still, we will face one dark zone: low-level proprietary hardware drivers on smartphones. They are driving the camera, the GPS, various sensors… Hardware vendors do not provide source code for these drivers. And they are extremely difficult to rewrite unless doing some heavy and resource-consuming reverse-engineering. And of course, some of those “black box” drivers could possibly leak users’ private data.
Future options for eelo to address this issue will be to:
- partner with FairPhone or similar 100% open hardware projects
- audit low-level drivers to detect unappropriate behaviors
- design an eelo phone…
Join the eelo odyssey!
As you can see, eelo is a true odyssey. But I think that, maybe for the first time, all bricks are available to build a new, consistent, attractive, independent and mostly-free digital ecosystem that will be more respectful of users, and respect their privacy. And this could eventually challenge the advertizing model that is probably the source of this such bad and supposedly “free” model.
Again, eelo is a non-profit project, it’s a project in the public interest. Everyone who wants to join, please do!
There are many ways to contribute:
- say hello! ? having supporters help a lot
- contribute some ideas, some resources, what you are good at
- introduce us to people who can help
- talk about eelo, share eelo news and articles…
- offer a few mɃ to pay some servers
Also, I’ve started to work on a crowdfunding campaign for eelo, because some resources are needed to bootstrap this project correctly. I’m not sure exactly what this campaign will be able to offer in rewards, but I’m thinking about it. Anybody’s suggestions are welcome!
Next part: 3/ Leaving Apple and Google: my “eelo odyssey”: web services
Leaving Apple and Google: my “eelo odyssey”: web services
3/ Leaving Apple and Google: my “eelo odyssey”: web services
I’m leaving Apple and Google for those reasons and I’m putting this effort into a new project: “eelo“. For this project, one big part is the operating system, in particular the smartphone operating system. I started to work on this part with others, and had first results that make me feel that maybe my move to a better digital privacy is going to be easier than expected ?
But today, a smartphone without internet services would be like a car without gasoline. We need email, we need online storage, we need advanced online applications… Also people like to access our data from several places and devices. The operating system has turned global.
So eelo needs to provide tools that can be accessed from other places, such as a web browser, but probably also from other computers and operating systems: notes, messages, calendar… And of course, we want all this with full respect of the user’s privacy, and no ads.
Many services to address
We need to address a number of internet services and find good alternatives that we can put together into a consistent, intuitive, secure, sustainable and global eelo service.
Here is a scheme of the eelo global system as I have it in mind:
A web service review
– Email
Email means some postfix configuration on servers, with POP3 and IMAP, all with all access secured over TLS. Plus a webmail access (I’m considering to use Mailpile).
iRedMail can set up all that easily, with DKIM and SPF correct configuration, and will even make possible to offer custom domains for the eelo email service.
But if we want a private service, we’ll need security on servers, where emails are stored. That’s a key aspect and we need to apply the best practises for setting up a rock-solid secure server for storing email.
– Search / Maps
I’ve already talked a bit about search in my previous posts. DuckDuckGo and Qwant have become two excellent alternatives to Google/Bing/etc.
But I think we need to set up a generic wrapper for search, like search.eelo.io, and we’ll put whatever we consider to be good behind. That could be an aggregation service as well.
As for maps, there is an awesome and adorable project that is OpenStreetMaps. It’s growing and is catching more and more attention from users and medias as an real alternative to Google Maps.
It also now offers directions and there is a “street view” ongoing project.
We’ll have to integrate it as maps.eelo.io, probably with some customization and dedicated servers.
Of course, all these default settings will be integrated in the eelo ROM (the smartphone operating system).
– Office
We have two choices for a good and open-source Office alternative for online usage: LibreOffice/Collabora and OnlyOffice. My preference goes for OnlyOffice because it’s attractive, efficient and allows realtime online collaboration between several users on office documents.
I’ve used OnlyOffice on my servers for several weeks now, and beside a few glitches, it’s a fully viable alternative to Google Docs or Office365.
– Drive / notes / calendar
The “cloud storage” service is a big and key part of the project. It needs to be very carefully choosen and integrated because it’s going to be at the center of users’ digital life.
There are several projects that offer these features, such as cozy.io, OwnCloud and NextCloud. For now I have tested NextCloud successfully and I must say that it’s amazing!
You can easily set up a NextCloud client on your smartphone, and do the same on other PCs. Then you get all your content synchronized. Very convenient for pictures, documents, notes… I’ve tried on Linux (and Mac) and it works well.
The good news is that NextCloud can also serve a calendar that can be shared/accessed from various devices.
So for now, I’m going with NextCloud. I’m not sure about OwnCloud benefits over NextCloud. Any advice?
The first goal of eelo will be to offer a fully functional and secured implementation of OnlyOffice+NextCloud. As there is a debate about self-hosting, eelo will also provide the service as software instances that can be installed on a user’s server, in the cloud or at home, if they will so.
– Social / Messaging
Of course you are using Facebook. I do as well, not very often though. There is also Twitter. Facebook in particular is a real nightmare in term of users’ privacy. They know a lot about billions users. If you happened to do an advertizing campaign on Facebook, you probably noticed that you can target people categories. Age, gender, place of living, income, … There are dozens criterias that prove that they really know a lot about people.
So Facebook is something we should stop to use in favor of better alternatives. There is a good news: you can use Mastodon. It’s a decentralized social network. Without any central big brother who can use your data to fuel a business model.
The issue is that social networks have a greater value when you can find most of your friends/family there. Which is not the case yet on Mastodon, but in tech communities.
So we’ll keep an eye on Mastodon and see how eelo can interact with the project and possibly integrate it.
As for messaging, everyone will be able to use their messaging app of choice, but eelo will ship with Telegram by default. The reason is that Telegram is probably the most secure messaging app, and also the most respectful of user’s privacy. It also provides quality voice calls over IP. Last but not least, its client is open source (although the server infrastructure is not).
And also…
– ID / translations / …
We will need an identity provider at some point. It will be a central point for authentication. OpenID is an option, although it clearly lacks some momentum at the moment. Brainstorming is needed on this!
While it may be a more minor aspect we’ll also probably need a translation service, voice recognition service, speech service, video/voice streaming services… There are many initiatives in this field, but they are not a priority for now.
About eelo tokens
I’m thinking about releasing eelo tokens, based on Ethereum. It would be a way to get access to some eelo services, and also to thank contributors. Again, most eelo services will be free because it’s the only way to compete against the so-called “free” services from Google, etc., and it will remain in the public interest first. But selling some premium services, high-end eelo smartphones, consulting… will be part of the model to fuel the project and make possible the free services. I have the feeling that using eelo tokens could help a lot to ease service transactions between all the parties involved in eelo.
Next steps for eelo
As we’re continuing the work on the eelo custom ROM, new launcher, and integration of web services, I’m still listening to user’s suggestions about the project, ideas… Many people have already contacted me and hundreds have registered on the eelo landing page, that’s awesome ?
We’ll also probably have a separate eelo development branch for more advanced projects. Actually, I’ve been thinking a lot for a while to turn the smartphone into a conversational device – text or vocal – with conversational apps instead of legacy applications. But that’s cutting-edge development and won’t be available into eelo by default.
An eelo website is now available at eelo.io and we have a Kickstarter campaign that has already done more than 300% of its initial target. Watch the eelo campaign video.
We're recruiting developers!
- android developers
- LineageOS developers/ROM maintainers
- ...
Contact us at [email protected]
— Gaël (follow me on Twitter @gael_duval / on Mastodon @gael@mastodon.social)
This is old text. Where are the sources for the launcher?
A couple of random thoughts:
1: Eelo is an awful name. It sounds like something a baby would come out with, while learning to talk
2: As well as freeing yourself (ourselves) from the tentacles of Google and, if this is about privacy and freedom from tracking; it should aim to avoid using services based in any of the Five-Eyes Countries
Hence:
* Consider Wire (based in Switzerland) instead of Telegram.
* Quitter..no is a pretty full-featured replacement for Twitter. Running on GNUsocial and based in Norway
* Qwant in preference to DDG [France vs US -based]
* Jottacloud -also based in Norway, is a pretty good like-for-like replacement for Dropbox. Same kind of free/paid account tiers.
3: While we're being all 'European' about this (well, I am), can you make sure and use 'European English' in your documentation when you set up the website? Drives me mad when I see Europe-based companies using "color", "center", "...ize", etc.
4: In the same vein, make sure the website invites people to "Contact" you. There's a special place in hell reserved for anyone who uses that puke-inducing phrase 'Reach out"!
kurtn said:
Where are the sources for the launcher?
Click to expand...
Click to collapse
We will release sources on GitHub and APK builds of eelo's BlissLauncher on F-droid and APKPure once we think its stable enough and compatible with common screen resolutions.
xxxmadraxxx said:
A couple of random thoughts:
1: Eelo is an awful name. It sounds like something a baby would come out with, while learning to talk
Click to expand...
Click to collapse
That's not too bad for a just-born project.
2: As well as freeing yourself (ourselves) from the tentacles of Google and, if this is about privacy and freedom from tracking; it should aim to avoid using services based in any of the Five-Eyes Countries
Hence:
* Consider Wire (based in Switzerland) instead of Telegram.
* Quitter..no is a pretty full-featured replacement for Twitter. Running on GNUsocial and based in Norway
* Qwant in preference to DDG [France vs US -based]
* Jottacloud -also based in Norway, is a pretty good like-for-like replacement for Dropbox. Same kind of free/paid account tiers.
Click to expand...
Click to collapse
Thank you for your suggestions. Some of them were already considered actually!
3: While we're being all 'European' about this (well, I am), can you make sure and use 'European English' in your documentation when you set up the website? Drives me mad when I see Europe-based companies using "color", "center", "...ize", etc.
Click to expand...
Click to collapse
What would be your suggestion of wording for a project that is not specially "European" or "American", e.g. worldwide project?
4: In the same vein, make sure the website invites people to "Contact" you. There's a special place in hell reserved for anyone who uses that puke-inducing phrase 'Reach out"!
Click to expand...
Click to collapse
At eelo.io, we have "contact eelo" and "get in touch"
leaglavud said:
What would be your suggestion of wording for a project that is not specially "European" or "American", e.g. worldwide project?
Click to expand...
Click to collapse
Well. Call me a pedant if you like. But if you're offering a language option, you should use the official version of that language, not a regional dialect. As far as I can see, when people pick French, Spanish, Portuguese language options on a website, they're not then given Quebecoise, Mexican Spanish, Brasilian Portuguese... etc. But English speakers are nearly always served up American English --even on sites / by projects that are not based in the US. [Yes, I'm looking at you Ubuntu & Linux Mint!]
It may seem a trivially unimportant point. But, as well as the privacy and data-harvesting concerns, my interest in projects such as yours also stems from a wider worry about the Americanisation of the world, which is being driven by the overwhelming dominance of big American companies in the tech & media worlds. Not automatically defaulting to US English is just one more small gesture non-US-based projects can make towards offering an "alternate viewpoint".
Man, what an undertaking!
Personally, I think the main thing should be to focus on Power Users and Privacy Conscious users, not the masses. Not yet.
First make a 'beautiful' reliable OS according to your desires. Focus on making that the best & a real point of differentiation from what is out there already. Make it as useful and unique as possible. Make it run on the widest range of hardware possible, and as easily as possible. That should be enough of a challenge.
Don't worry about creating cloud services or bundling this-and-that yet. I think that is extremely unimportant to Power Users who will install what they prefer anyway, and use the hardware they prefer ( & can obtain easily or cheaply). It might be useful to sell one model with everything as you envisaged it but I think the main focus should be on testing with a wide variety of phone / tablet hardware available and making it work there.
My priorities go like this:
1. buy cheap Chinese hardware
2. root, remove as disable as much obvious spyware as possible
3. fulfil 95% of app needs from f-droid
4. fulfil 5% of app needs from Play Store using sites such as https://apps.evozi.com/apk-downloader/
5. use device
If you can make step 2 ( above) easy and painless on as much hardware as possible, then I think that would be the best focus of time and resources.
Hello all! I'm sure most of you are familiar with Google Play Services, the base of Google's Android framework and the brains behind all the Google things you do on your phone. Less of you, however, might also know that Play Services is notorious for being a beast of an application that no one truly knows the function of.
Below here is a rough explanation of Play Services from what I know about it. You can skip this if you already know and move on to the bread and butter of this post.
Play Services is proprietary software, meaning that its source code is not available to the public. All of Google's apps are proprietary like this as well. While developers like Chainfire have legitimate reasons to close off their app source code so others don't steal it, and so does Google, it is extra worrying from a company that makes a profit off of collecting userdata. Many people, including me, do not trust Google with our data, so we try to avoid their products as much as possible.
I thought that it would be nice to create a megathread of sorts with various users' suggestions on how to subvert the constant surveillance of Play Services, while also attempting to maintain the useful functionality of it. Below are some of the primary methods that I have thought of, and that I and some others have tried:
LineageOS/CyanogenMod Privacy Guard - If you are using LineageOS or any derivative thereof, you can go to Privacy Guard and deny certain permissions from Play Services. I and another user have denied permissions from Play Services without side effects, but your mileage may vary. @javelinanddart said on Reddit that Privacy Guard does indeed block permissions from Play Services and other system apps, so rest assured that Privacy Guard actually does something rather than being a placebo.
XPrivacyLua - This is an Xposed module that feeds false data to apps rather than blocking it entirely. I haven't tried this method myself, but the XDA post I linked above reports that XPrivacyLua works, even in tandem with Privacy Guard.
microG - microG is an open-source alternative to Play Services. It emulates many key functions of Play Services - push notifications, location services, etc - without the data collection running alongside such functionality. To clarify, this is a full replacement for Play Services, so you would flash a microG package instead of a GApps package. There are lots of bugs, though, even admitted by the developer. If you want to learn more, I suggest you visit the XDA thread for it, or view the implementation progress for various pieces of functionality.
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Thanks for thread.
My only reason to use custom ROM is because they are GApps-free. In nearly every other aspect stock ROMs are better. Phones without good custom ROM I simply setup without Google account and install f-droid and yalp stores.
Another idea:
Imagine: Google is not as evil as we think: there are many privacy related settings in your Google account. You can login with a web browser and try through all these settings - and hope.
Device is a Samsung i9305 with RR-N-v5.8.5-final, Magisk v16.0, XPosed, XPrivacyLua, microG (via NanoDroid). No genuine Google services; Google Play Store is the one and only Google application installed.
I hope it suits into this thread (thanks very much for creating it!), and I'd like to share my settings. Please refer to the screenshots; I think it's self-explaining where they where taken from.
Actually no restrictions to microG, only to Play Store.
Remarks: µG has no restrictions in the firewall (AFWall+ Donation Beta); Play Store only granted internet access via WiFi and VPN. Just for completeness; running a RaspberryPi in the home network with Pi-Hole installed and acting as the DNS-server in the network. Unless using the home network i.e. using a foreign WiFi network or mobile data, ALWAYS establishing my own secure VPN to my RaspberryPi (with PiVPN installed) via OpenVPN and again the Pi acting as the DNS-server. If interested in further details please refer to this thread.
Thanks for this.
I was considering asking for a forum section here devoted to privacy, but it doesn't seem like a popular subject here. (After all, most of the people who have already picked the most snoopery OS in the world could be assumed to be not particularly worried about privacy. ? )
I come from a different motivation: the hope that by using a somewhat hackable OS, one can theoretically modify it in ways to achieve one's objectives, including privacy. But the last few years have made it rather clear that the Big G is working determinedly to foil such efforts.
Lately that seems to take the form of pushing more and more essential services into the Gplay frameworks, and deprecating perfectly working things like GCM in favor of intertwining it with Firebase, which may saddle us with that analytics data vacuum in order to get another essential service, push notifications.
Re: revoking permissions from Gplay frameworks, I feel like Google's determination to get their hands on data by hook or by crook (eg their ignoring of user preferences to disable various radios and enabling them in the background anyway, to track location and such) means they will quite possibly circumvent these preferences at some point as well.
As I mentioned in another thread I've experienced various problems in the past when I tried to aggressively restrict perms on the Gplay services using CM/LOS Privacy Guard, but perhaps some of that came from choosing interactive restriction prompts rather than blanket revoking. I do know that so many essential services are tied-into the Gplay frameworks these days that blocking tons of perms will inevitably cause breakage of some things depending how you use your device.
Jrhotrod said:
...
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Click to expand...
Click to collapse
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Oswald Boelcke said:
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half year ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became absolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occured due to the step from Marshmellow to Nougat or the non-availabilty of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not to much occuring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Click to expand...
Click to collapse
Wow, this is really great! Very high-quality thread.
Will add to OP later today
I apologise for the double post (original in my thread here) but I guess it also suits in this thread.
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
Looking around on Data Transparency Lab website http://datatransparencylab.org/ - they fund grants for research in privacy stuff.
...I found an app called AntMonitor, an academic research project that does a MITM SSL cert + local VPN to look at sensitive traffic - even that which is encrypted. https://play.google.com/store/apps/d...it2.anteatermo
Anyways, it shows some apps trying to send my gps coordinates even though it doesn't have Android permission. Like, my coordinates are actually attempting to be sent encrypted to a destination. XPrivacyLUA doesn't trigger so I can only assume they grab my coordinates in a way that circumvents the traditional Android permission model.
To test, just try the app and open a few apps. I think it's apps with the Facebook graph API that is maybe doing it.
If you like ANTMonitor another app that does an SSL cert+ VPN is Lumen Privacy Monitor- a project by Berkely, but it doesn't seem to detect raw coordinates like ANTMonitor does.
Click to expand...
Click to collapse
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
Oswald Boelcke said:
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
Click to expand...
Click to collapse
This is certainly an important discovery, thanks for the news.
Now for the sidenote that's 10x longer than the main comment. ?
One of the key issues I have with the various "privacy tools" is trying to figure out whether or not I trust all these entities that produce these diagnostic things to not be a solution worse than the problem when it comes to possessing and safeguarding my sensitive personal data.
It's getting to the point where I'm no longer enamored of giving *anyone* access to such stuff if I can help it, no matter *who* they are.
Even if they're not lying about their intentions and their commitment to security/privacy, there are still matters like carelessness/incompetence and targeted attacks to worry about.
@Exabyter: You're statement and expressed concerns are abolutely correct. Nothing to add except that I wouldn't limit it to "privacy tools" but especially include all applications that require root (and get it granted by the user) or all Magisk and Xposed modules. The latter should definitely concern.
My personal decision:
I'm not willing to trust anybody from the very beginning but I'm willing to trust single persons, groups or agencies. I've developed my own, private criteria, to which I stick but I've also admit the final decision isn't always based on rationality but also a lot on my feeling (in my stomage).
I don't held any confidential data on my device but privacy related ones, and I don't use my device for any kind of banking, shopping or payments.
I consider to use tools, modules and applications if their functionality rests within my defined specifications for the use of my device. Then I go for "the shopping tour" while I try to look into the details of the tools under closer examination, which includes where is it from, who's the developer etc.
I'll continue with the measures already described in one of my threads.
Oswald - I think we have largely similar stances on such things. In my case I will sometimes sway towards the pragmatic over the pedantic when the pedantic involves so many inconveniences that the tech becomes more of a burden than a help to me.
For example, I really don't like the idea of 3rd-parties keeping data pertaining to my daily geographic movements, but I also use several tools and services that by their nature rely on location data which could in some cases end up in the hands of parties I'd rather didn't have access to it. So I have to regularly weigh the apparent cost/benefit of such services and there are certainly some of them which have a high enough value to me that I willingly lower my default "protection level" in order to keep the other benefits of such tools/services.
Certainly microG is an important tool in that toolchest as it has a major disruptive impact on some of the most common ways Google and other parties snoop on users. But some of its imperfections also threaten to keep me from my ultimate goal of carrying a single phone which performs all the tasks I need to accomplish with it without undermining my privacy in a major way. (And ultimately, my freedom and agency as a citizen in a nominally and allegedly "free and democratic society", which is the actual "big picture" problem with privacy incursions in general IMHO)
I have spent several years now, with varying degrees of effort and success, trying to come up with a hardware/software solution to this problem, and I've never reached a point where I'm fully satisfied with the results. The fact that I am still carrying several mobile devices with me everyday is proof enough that I haven't achieved my objective in this regard and it gets tiring. As does all the time spent on venues such as XDA, researching, discussing and keeping-up with all the relevant issues, not to mention the large amount of time spent tinkering with HW/SW in order to keep all the special measures working. (And after we finally get things working more or less the way we want, we are faced with the particularly customized hardware wearing out, becoming unsupported, 3rd-party ROM and other compatible and necessary software being abandoned/deprecated, and so on and so forth.)
Truth to tell I'm a bit bitter about the amount of time/energy I have to spend to achieve something which should have been part of the mobile platforms in the first place. The current de-facto mobile platform duopoly certainly doesn't help matters.
---------- Post added at 03:39 PM ---------- Previous post was at 02:57 PM ----------
Now that I've gotten that philosophical rant out of the way ? ...
So as far as technical specifics:
microG of course is a big help as it either neuters or removes many troublesome anti-privacy vectors. For example, at the present time it does not support Firebase Analytics at all, which means (as far as I can tell) any app that expects to get telemetry on users via Firebase Analytics will not get anything if the app user's device is Gapps-free and using microG instead. (It remains to be seen if adding Firebase Cloud Messaging capability to microG will negate this presumed benefit. Cynics like myself are inclined to think one of Google's key objectives in deprecating Google Cloud Messaging and rolling push notification frameworks into Firebase instead was specifically to undermine the ability of users to avoid/circumvent Firebase Analytics)
XprivacyLUA looks interesting and is on my list to test. I found its predecessor Xprivacy to be an extremely tedious and labor-intensive option so I never seriously pursued it after my initial testing.
There are various tools I find handy to help get a sense of how dangerous certain apps may be to privacy. Here are a few:
AppBrain Ad Detector
https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector
Addons Detector
https://play.google.com/store/apps/details?id=com.denper.addonsdetector
Checkey (also on f-droid)
https://play.google.com/store/apps/details?id=info.guardianproject.checkey
Applications Info (also on f-droid)
https://play.google.com/store/apps/details?id=com.majeur.applicationsinfo
Permission Friendly Apps
https://play.google.com/store/apps/details?id=org.androidsoft.app.permission