Related
DroidWall in the marketplace allows full WiFi access to all apps.
Is it possible to code an application for Android (perhaps with root access) that can:
- deny all outbound data access per app basis
- specify the rules (ip-range/port-range) per app basis
Like a real alternative to a desktop software firewall?
Way too many apps are leaking all sorts of information (in plain text!) from the user account database to the Internet.
The android security makes me really scared to use the platform for anything requiring security. The privacy/security model is basically a swiss cheese that can be poked through by almost any app that just asks for certain rights at install time.
I'm hoping a firewall would be able to limit this issue, no?
I don't know about the other stuff you mentioned, but my version of DroidWall has a block/allow option for wifi and 3g, separately. It's the latest version from the market place, 1.4.2
Thanks, I just checked it out and it seems DroidWall indeed has a Wifi side blocking by app basis as well. I'm still testing though.
Ah, just tried it. Force closes on Galaxy S (rooted). Sigh.
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Toriko said:
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Click to expand...
Click to collapse
are you a thief?? :laugh:
Most of the permissions are for ads bases on location
Batcom2
xxXismakillXxx said:
are you a thief?? :laugh:
Click to expand...
Click to collapse
No, but I'm thinking about it. Seriously, have you ever wonder why you get web searches, translations and other services for free and yet the companies that handle the sites are billionaires? Because they sell your personal data and your commercial preferences to other companies without your permission. Think about it when you post your personal data on the web.
zelendel said:
Most of the permissions are for ads bases on location
Batcom2
Click to expand...
Click to collapse
I'm not so sure about that. However if I buy an ad free app , there shouldn't be any ads. And why an alarm clock need my phone id and can access my call log? It's fishy.
Toriko said:
I'd like to pone a privacy problem.
In Android ,installed apps require permissions to operate. Permissions to access the Phone Id (also the IMEI) or the position of the device or the access to your calls seem very common in most apps on the market.
Permission for the position seems ok for a Gps navigation program but also for an alarm clock? Where do they sent my data and what use they do?
I use LBE privacy guard but it is enough?
what do you think?
Click to expand...
Click to collapse
Rule of thumb: Every app that asks for unique device numbers, location and a backchannel does so because it contains advertisement. Advertisers simply love to track customers and find out as much as possible about them in order to deliver ads that actually result in a sale (contrary to popular belief, they don't do that just to annoy the crap out of everyone).
Personally, I don't use LBE privacy guard. I haven't seen the source and that pretty much means it is as much a blackbox as the apps, it is suppose to protect me from. For me, rooting and installing a firewall to simply block the backchannel does the trick.
If u filter out apps for their permissions, u will have nothing but the system apps left on the phone! even I used to check permissions b4 downloading at the beginning. Then as I downloaded a lot of apps i was lazy enough to give a dang to wat permissions the app wants! just see through the comments (reviews) to know if there are any issues with the app! That's it.! And nowadays the app developer tries to explain the reason for each permission the app asks for. So sooner all apps are gonna be explaining their permissions! (hopefully)
zelendel said:
Most of the permissions are for ads bases on location
Batcom2
Click to expand...
Click to collapse
This is true although some use it to collect app usage information for the purpose of improving the app. Unfortunately, it can be difficult to determine exactly why a particular permission is requested.
onyxbits said:
Personally, I don't use LBE privacy guard. I haven't seen the source and that pretty much means it is as much a blackbox as the apps, it is suppose to protect me from. For me, rooting and installing a firewall to simply block the backchannel does the trick.
Click to expand...
Click to collapse
Installing a firewall won't solve the problem, because you can't stop apps that need connection : together with the access to the net they send your data. LBE allows the access for the app but block the transmission of your id together with other data.
Anyway LBE also works as a firewall. There's another app that works the same way (Pdroid) but supports only Gingerbread.
Hey folks,
I recently installed NoRoot Firewall and found it really interesting to dis/allow network traffic without root. The app uses a local VPN to tunnel traffic and selective adjust the access. It needs permission for startup and networkaccess, the dev says it only needs this for rooting issues (see in-app explanation). The funny thing is, the app runs perfectly even without the INTERNET permission.
Unfortunately, the app isn't open source, the dev is a ghost and it hasn't been audited for security flaws. Although on a German blog, a security specialist has partly audited it for 30 minutes using Wireshark and network analysis. This resulted in no unusual traffic and no manipulations (instead of Mobiwol firewall).
My concern is: Is the app able to manipulate the traffic, that's rooted through itself, to point it or copy it to another destination? I ask, because it even works without internet and wasn't manipulating traffic in the test I read. And if really sensitive data is routed through the app and it's possible to ship this data cloned to another place, it's really disturbing.
I hope someone is able to clarify the technical background.
Greetz
traceless said:
Hey folks,
I recently installed NoRoot Firewall and found it really interesting to dis/allow network traffic without root. The app uses a local VPN to tunnel traffic and selective adjust the access. It needs permission for startup and networkaccess, the dev says it only needs this for rooting issues (see in-app explanation). The funny thing is, the app runs perfectly even without the INTERNET permission.
Unfortunately, the app isn't open source, the dev is a ghost and it hasn't been audited for security flaws. Although on a German blog, a security specialist has partly audited it for 30 minutes using Wireshark and network analysis. This resulted in no unusual traffic and no manipulations (instead of Mobiwol firewall).
My concern is: Is the app able to manipulate the traffic, that's rooted through itself, to point it or copy it to another destination? I ask, because it even works without internet and wasn't manipulating traffic in the test I read. And if really sensitive data is routed through the app and it's possible to ship this data cloned to another place, it's really disturbing.
I hope someone is able to clarify the technical background.
Greetz
Click to expand...
Click to collapse
Has Droidwall been tested?
crobjam said:
Has Droidwall been tested?
Click to expand...
Click to collapse
Doesn't answer my question, but it's open source in contrast to NoRoot Firewall.
I use XPrivacy and it works OK without any additional bakdoors.
It has even more functions (blocking permissions for apps) for privacy protection.
Very good question OP.
This is a extremely useful app but I also would like to know about the possible risks involved.
One would assume that removing the internet access permission (thanks for that suggestion) would render the app harmless but I can't be sure...
EDIT: After removing the app's internet permission with APK Permission Remover I found that the app does run without any error message but it won't allow any app to connect to the internet whatsoever. Which I guess is totally logical since all connections are routed through NoRoot Firewall...
mp107 said:
I use XPrivacy and it works OK without any additional bakdoors.
It has even more functions (blocking permissions for apps) for privacy protection.
Click to expand...
Click to collapse
with the difference that you need root..
I'm looking for no root firewall, NetGuard (alpha) seems to be the alternative
http://forum.xda-developers.com/android/apps-games/app-netguard-root-firewall-t3233012
stpol77 said:
with the difference that you need root..
I'm looking for no root firewall, NetGuard (alpha) seems to be the alternative
http://forum.xda-developers.com/android/apps-games/app-netguard-root-firewall-t3233012
Click to expand...
Click to collapse
riesdepies said:
Very good question OP.
This is a extremely useful app but I also would like to know about the possible risks involved.
One would assume that removing the internet access permission (thanks for that suggestion) would render the app harmless but I can't be sure...
EDIT: After removing the app's internet permission with APK Permission Remover I found that the app does run without any error message but it won't allow any app to connect to the internet whatsoever. Which I guess is totally logical since all connections are routed through NoRoot Firewall...
Click to expand...
Click to collapse
Xprivacy cannot block Android system internet access, as that breaks your internet connection. Another limitation is that it cannot restrict android native apps. So, you need a real firewall to deal with that.
Noroot firewall is a horrible concept: your internet traffic is routed through some unknown server. Whatever you send though the internet is totally exposed to any kind of attacks/exploits. Plus, the issue of open source vs. close is totally irrelevant as applied to servers: so what if they open source their server? You will never know whether that server was built out of that open source.
The only solution is a real firewall.
Please stop listening to dopes who tell you not to root your device. They have an agenda: most of them are either advertisers, spooks or Google employees. The argument that a user doesn't know what he/she is doing and therefore should not have root is false: every known operating system on Earth (windows, mac, linux et al) provides root access/administrative rights to a user. So, how is that the same PC/MAC/Linux user all of a sudden becomes a dummy when it comes to a smart phone? The answer is he does not. But when he gets root, he can restrict advertising, spooking and spying by Google, carriers, advertisers and others.
optimumpro said:
Noroot firewall is a horrible concept: your internet traffic is routed through some unknown server. Whatever you send though the internet is totally exposed to any kind of attacks/exploits. Plus, the issue of open source vs. close is totally irrelevant as applied to servers: so what if they open source their server? You will never know whether that server was built out of that open source.
Click to expand...
Click to collapse
From what I understand, the concept of NoRoot Firewall isn't routing your traffic through an external server but using a local or virtual VPN as a firewall. The Android VPN service is only used to provide control over your connections. This was explained on their web page which now seems to have disappeared. The problem is that one shouldn't just take their word on this and that's why it is relevant that this program is not open source.
There's an interesting discussion on the subject here.
riesdepies said:
From what I understand, the concept of NoRoot Firewall isn't routing your traffic through an external server but using a local or virtual VPN as a firewall. The Android VPN service is only used to provide control over your connections. This was explained on their web page which now seems to have disappeared. The problem is that one shouldn't just take their word on this and that's why it is relevant that this program is not open source.
There's an interesting discussion on the subject here.
Click to expand...
Click to collapse
If that were so, then why would users complain that NoRoot Firewall is increasingly being blocked by various services? That surely indicates a unique IP address, which is different from your mobile/wifi IPs. Android local vpn won't create a separate external IP address. I bet if you go to what's my ip, you will find a curious IP address.
I am always amused by people saying I am looking for a no root app when it comes to security. You just can't secure a system without administrative rights. This is like saying I need protection for my car, which has a habit of swerving around, but do it without using a steering wheel.
optimumpro said:
If that were so, then why would users complain that NoRoot Firewall is increasingly being blocked by various services? That surely indicates a unique IP address, which is different from your mobile/wifi IPs. Android local vpn won't create a separate external IP address. I bet if you go to what's my ip, you will find a curious IP address.
Click to expand...
Click to collapse
I don't know where you read that 'NoRoot Firewall is increasingly being blocked by various services' but maybe it had to do with the fact that you can't use a VPN service while using NoRoot Firewall because it already uses the Android VPN functionality as a firewall.
I also verified my IP adress online and it does not change when I use NoRoot Firewall.
BTW, I am rooted because I like to have full control over my Android but I haven't come across a root firewall app with granular control like NoRoot Firewall. Do you have any suggestions?
I attached a screenshot of the app explaining itself and its permission.
stpol77 said:
with the difference that you need root..
I'm looking for no root firewall, NetGuard (alpha) seems to be the alternative
http://forum.xda-developers.com/android/apps-games/app-netguard-root-firewall-t3233012
Click to expand...
Click to collapse
NetGuard is open source and very easily audited or checked - no Internet access itself.
It isn't as granular as other firewalls, but it has no battery drain, since the VPN service is only used for sinkholing traffic. So for now it's an all or nothing way to block an individual app from network access. There's more details in the thread, and the source is quite readable too.
Its using Vpn so its a power consuming app
Can anyone suggest best root app for restricting internet traffic to apps over wifi/mobile data. And also works as a VPN. The same option is there is noroot firewall. but from somehow from the above discussion, it is not 100% secure.
optimumpro said:
Xprivacy cannot block Android system internet access, as that breaks your internet connection. Another limitation is that it cannot restrict android native apps. So, you need a real firewall to deal with that.
Noroot firewall is a horrible concept: your internet traffic is routed through some unknown server. Whatever you send though the internet is totally exposed to any kind of attacks/exploits. Plus, the issue of open source vs. close is totally irrelevant as applied to servers: so what if they open source their server? You will never know whether that server was built out of that open source.
The only solution is a real firewall.
Please stop listening to dopes who tell you not to root your device. They have an agenda: most of them are either advertisers, spooks or Google employees. The argument that a user doesn't know what he/she is doing and therefore should not have root is false: every known operating system on Earth (windows, mac, linux et al) provides root access/administrative rights to a user. So, how is that the same PC/MAC/Linux user all of a sudden becomes a dummy when it comes to a smart phone? The answer is he does not. But when he gets root, he can restrict advertising, spooking and spying by Google, carriers, advertisers and others.
Click to expand...
Click to collapse
Some of us are just stuck with phones that are locked up tight and can't root to begin with. So I to am looking for a no-root solution. Before this phone I had all the others rooted, when it was an option. I came across this in a search because I just got a gopro, and the app creates a wifi connection between the gopro and the phone. Soooo, if I'm driving with the gopro, the phone, and all other apps think it's on wifi. So while I'm controlling the camera, other apps like Pandora, Amazon Music, and the sort search and search for a connection on that wifi network that's only between phone and camera, and won't resort to mobile data as long as that connection exists. Anyway, calm down.... not everyone has an agenda. Rooting is indeed relatively simple, but it's also equally simple for someone who missed one detail to ruin their phone. Anyone that ever asked me about it, I'd help them and give them a good "what you need to know" before I show them how to make sure they understand how important it is to read read read. If I get the impression they're a little impatient, or this kind of thing goes over their head, I discourage them from rooting. Just because I care and would hate for them to ruin an expensive device.
Hey folks,
I recently signed up in this forum, and I'm aware of it's professionalism. First, I was a simple observer because I wanted to try to understand the basics and it wasn't not a long time I discovered Android.
I installed NoRoot Firewall. My smartphone is rooted and I also installed LightningWall.
I blocked (with LightningWall) outgoing and inbound access concerning "NoRoot Firewall", and NoRoot Firewall is running fine.
Is it the good action to be sure that NoRoot Firewall doesn't export my data to an external server ?
Or it's not the good action because NoRoot Firewall uses a VPN ?
Sorry if my first post is too basic.
I hope someone is able to answer me.
Due to my recent installation of app Network Log, I have examined the I/O on the Net made by NoRoot FireWall.
It appears (by examining the log) that NoRoot FireWall is making I/O on the Net, but unfortunately I can't determine if those I/O are on behalf of applications crossing NoRoot FireWall (through Android VPN functionality), or for app NoRoot FireWall itself.
I don't know how to determine it.
If anybody has an idea.
iwanttoknow said:
Due to my recent installation of app Network Log, I have examined the I/O on the Net made by NoRoot FireWall.
It appears (by examining the log) that NoRoot FireWall is making I/O on the Net, but unfortunately I can't determine if those I/O are on behalf of applications crossing NoRoot FireWall (through Android VPN functionality), or for app NoRoot FireWall itself.
I don't know how to determine it.
If anybody has an idea.
Click to expand...
Click to collapse
guys,
maybe we could just block the noroot firewall app itself in the app list from using data/wifi.
it's running fine for me.
micmaccc said:
guys,
maybe we could just block the noroot firewall app itself in the app list from using data/wifi.
it's running fine for me.
Click to expand...
Click to collapse
Hi,
I blocked output of Noroot Firewall in the list of its controlled app.
I also blocked Noroot Firewall with LightningWall (input and output).
And I observed I/O made by Noroot Firewall in Internet, by using app NetworkLog (examining its log file).
I can't determine if I/O made by Noroot Firewall are really made by Noroot Firewall by itself, or for allowed app crossing Android VPN used by Noroot Firewall.
Is there a tool to determine it ?
Amusons-nous avant tout !
Hello. Please excuse the necro.
A few questions please:
I'm not a networking expert. I do not understand the difference between the pre- and post- filters. Does it need to be redundant, ie mirror the rules on both filters?
How do you know if it's incoming or outgoing?
Also, why is it that even if there is a rule blocking a domain, such as *.domain.comort, I still see a connection being requested?
micmaccc said:
guys,
maybe we could just block the noroot firewall app itself in the app list from using data/wifi.
it's running fine for me.
Click to expand...
Click to collapse
How do you do this? I always thought blocking NoRoot from within NoRoot didn't make sense. Do I need to install another FW?
fpjones3 said:
Hello. Please excuse the necro.
A few questions please:
I'm not a networking expert. I do not understand the difference between the pre- and post- filters. Does it need to be redundant, ie mirror the rules on both filters?
How do you know if it's incoming or outgoing?
Also, why is it that even if there is a rule blocking a domain, such as *.domain.comort, I still see a connection being requested?
How do you do this? I always thought blocking NoRoot from within NoRoot didn't make sense. Do I need to install another FW?
Click to expand...
Click to collapse
Install another FW dosen't make sense, because all traffic through NoRoot. The another FW can't recognize the network access by apps.
---------- Post added at 07:14 AM ---------- Previous post was at 06:58 AM ----------
iwanttoknow said:
Hey folks,
I recently signed up in this forum, and I'm aware of it's professionalism. First, I was a simple observer because I wanted to try to understand the basics and it wasn't not a long time I discovered Android.
I installed NoRoot Firewall. My smartphone is rooted and I also installed LightningWall.
I blocked (with LightningWall) outgoing and inbound access concerning "NoRoot Firewall", and NoRoot Firewall is running fine.
Is it the good action to be sure that NoRoot Firewall doesn't export my data to an external server ?
Or it's not the good action because NoRoot Firewall uses a VPN ?
Sorry if my first post is too basic.
I hope someone is able to answer me.
Click to expand...
Click to collapse
You can think of it as a router on the network.
Until a few months ago I used LBE to prevent apps from giving away my privacy. Since the language updates stopped working, I searched for an alternative and found XPRIVACY. It seems very power, so I even bought the licence for automated community blocking suggestions for apps.
Unfortunately it turns out that XPRIVACY is not very good in the sense of usability. It quite often happens that apps stop working, because the community provided suggestions are far to restrictive and it is quite complicated to find the source of the problem. Then on every update I am asked again for configuring the privacy settings of an app. I finally gave up and just removed any restrictions on apps which I could not get working. Obviously not a good solution.
Now I am looking for an alternative. I already discovery Cyanogenmods integrated "Privacy Settings". The main thing I am missing here is blocking of access to device-ID and IMEI. Is there a way to add this? Or can someone point me to an alternative, easier to handle privacy solution? I should be one which would also allow to restrict google apps on the rom.
Samba
Hi,
I also faced many problems with Xprivacy. I tried Donkey Guard, but main feature I miss there is sorting via access right (e.g. list all apps who want to read contacts).
So now I try LBE, it seems rather straight forward.
The language issue can be solved to a certain (for me sufficient) extent by installing the Xposed Module LBE Security Master.
I am a brand new owner of a OP 8. First thing I did was flash it to OOS 11, then installed Magisk. The phone is now up and running and rooted.
I am coming from a galaxy S5 that I have owned and used for more than 7 years, and for most of that time it has been running Lineage OS. I am used to the control that Lineage gives me, and I would expect that I could exercise the same degree of control with a rooted OOS.
But, this appears to not be true.
On the S5, I had 3C System Tuner Pro which is now an obsolete app, so I have replaced it with the current variant; 3C All-In-One toolbox. This package should allow me to control which apps start at boot, but it seems I cannot turn any of the apps off; when I uncheck them, the app fails to actually remove them from the startup list.
Also, I expect the 3C tool to allow me to uninstall pretty much any app, but there are a lot of google apps that I just can't remove.
I also use greenify (the paid version) and mostly it seems to be working OK, except that I cannot seem to access system apps from it, which makes it very hard for me to shut down things that I don't want running.
I also use afwall (the paid version) and it seems to work as expected. Which is good.
My focus is security and privacy, and my mantra is: "on android, the app that is not running is the app that is not spying". Thus, I want everything that is not needed to satisfy my purposes to not be running, and I only want apps running when *I* say that they can run.
Now, my S5 was running Lineage 17.1 which is android 9. I did not update it past that. And now I am running android 11, and I note that there is a lot of new hardware-based validation in android 11. So possibly I can't remove some things without disabling this validation (which I would prefer not to do). But even if I can't remove, I can disable (which, fortunately, I AM able to do). But I should be able to remove things from the startup list so they don't get started automatically at boot time. Right now, the way it works is they all start, then greenify shuts them down (and that isn't always completely reliable). I need more to make this phone genuinely secure and private.
So.
Does anyone here know how I could gain the capability to remove apps (including system apps) from the startup list and have it stick? Does anyone know what I need to do to get greenify to recognize system apps so I can shut them down when they are not needed, or failing that, can anyone steer me to a different app than greenify that will do that?
Perhaps I would gain by adding the xposed framework? I have not used it in a very long time (since I move to lineage) and I recall it being a bit of a pain.
I suppose I could move to Lineage from OOS, but I would prefer to not do that because of the camera software. This device seems to have a fine camera and not a lot of bloatware, so I would much prefer to stay with OOS for as long as the device is supported by the manufacturer.
But I do insist on being able to completely control it, and disabling apps that I can't stop from running is a much bigger hammer than I would like to use; some of those apps I might actually want to use from time to time.
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
jiml8 said:
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
Click to expand...
Click to collapse
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
optimumpro said:
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
Click to expand...
Click to collapse
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
jiml8 said:
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
Click to expand...
Click to collapse
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
optimumpro said:
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
Click to expand...
Click to collapse
I don't really program Android, though I am a kernel developer in both Linux and Freebsd. I also am one of the principal architects of a network infrastructure appliance that is getting a lot of attention in the industry.
So, while I do not know android in detail at a low level, I know linux thoroughly and I am fully equipped to completely monitor and control what access that android (or any other computer) has to any network. And that has been my dilemma; I can see what my device is doing and I am determined to stop it.
I agree with you about vanilla Android, absent all the google stuff. It is just linux with a different desktop on it, and the connections it makes to google are just for network management functions; the network device I have built also contacts google (and a few others) for network maintenance only and not any information transfer.
Unfortunately, the google apps infrastructure is required for some things that I use the phone for. Google maps is required by both Uber and Lyft; without Maps, I can't use those apps - and there are times when I am traveling where I really need to be able to use those apps.
Also, unfortunately, the company I am contracted to (where I am part-owner) for which I have built this network appliance makes heavy use of google tools. I have not been able to convince my partners to move away from google, and they can outvote me.
I have to allow Meet, and Chat to run on my device; I don't have a practical alternative. So I have spent a lot of time determining exactly which google components are the minimum required to allow those apps to run, and I have disabled or blocked or restricted permissions for all other google components - and both greenify and afwall play key roles in this activity.
With my old Galaxy S5, I just would install the smallest google package that supported Maps onto my Lineage OS on that device, but on this OnePlus 8, I have elected to stick with OOS for as long as it receives updates. So, tying google's hands is a lot more work.
My monitoring tells me I have it now as good as it will be. There are a few connections to google, as expected, but the frequency of those connections is not high and very little data is being transferred in either direction. I believe most of the traffic is administrative. The only thing I have not yet checked is whether there is any DoH or DoTLS traffic. My IOT VLAN watches for and blocks such traffic (my IOT VLAN exists to isolate and completely control my Android TV), and I have connected the phone to the IOT VLAN for a short while to see if any DoH/DoTLS was detected and none was - but I really need to connect it to that VLAN for an extended period.
I do root around in the phone's databases (which reveals what Google is doing, and Google can't stop that...) and the result is that I know Google is not doing much.
So, it isn't perfect. I would be much happier if the company would move away from google. But it is as good as its going to get, and I don't believe google is sneaking anything by me; I would have detected it. I do block a LOT of google URIs.
Also, as far as google open-sourcing their spying machine...that, quite explicitly, is the purpose of Android. It is open-sourced spyware for google.
They open-sourced it partly because they had to (the gnu licensing ties their hands) and partly to gain acceptance; its open source nature is why it is now the dominant architecture. It greatly reduces development costs for device manufacturers while providing a standardized framework upon which they can build.
Those of us who put in the effort to exploit that open-source nature to stop the spying are a small fraction of the total marketplace, and google can easily tolerate us.
Android has increased google's reach and ability to collect data about individuals to an enormous extent. From the standpoint of knowing everything about everybody (which is google's explicit goal) it is an enormous win for them.