DroidWall in the marketplace allows full WiFi access to all apps.
Is it possible to code an application for Android (perhaps with root access) that can:
- deny all outbound data access on a per-app basis
- specify the rules (IP range/port range) on a per-app basis
Like a real alternative to a desktop software firewall?
Way too many apps are leaking all sorts of information (in plain text!) from the user account database to the Internet.
Android's security makes me really scared to use the platform for anything requiring security. The privacy/security model is basically Swiss cheese that can be poked through by almost any app that just asks for certain rights at install time.
I'm hoping a firewall would be able to limit this issue, no?
I don't know about the other stuff you mentioned, but my version of DroidWall has a block/allow option for WiFi and 3G separately. It's the latest version from the marketplace, 1.4.2.
Thanks, I just checked it out and it seems DroidWall indeed has WiFi-side blocking on a per-app basis as well. I'm still testing though.
Ah, just tried it. Force closes on Galaxy S (rooted). Sigh.
First, my apologies for the poor English.
Please allow me to introduce LBE Privacy Guard, a small app written by myself. This app enhances the Android permission system and protects your privacy.
LBE Privacy Guard works just like Windows UAC: it intercepts vital actions (like sending SMS, making calls) and requests from apps to access sensitive data (SMS conversations, contacts, phone location, IMEI, IMSI, etc.), then prompts for your confirmation. Unless explicitly permitted, such actions and requests will be rejected.
LBE Privacy Guard also has a low-level firewall, which supports per-app control like DroidWall but does not require netfilter/iptables, so it works on pre-Froyo devices and is faster than DroidWall because it doesn't filter packets.
So why did I write this app? Because the Android permission system sucks: it's very hard for the average user to understand the meaning of each permission, and there is no way to track the behavior of an installed app and no way to control the permissions of an installed app (except uninstallation).
I hope my app can bring dynamic permission control and real-time tracking for installed apps, so you can figure out which app is stealing your privacy and block it before your privacy is stolen.
LBE Privacy Guard is now on official Android Market, you can get it from
https://market.android.com/details?id=com.lbe.security
This app requires a ROOTed phone and works on Android 2.0 and above (not tested on Android 3.0 and 3.1).
For any questions, feel free to send mail to [email protected]; any comments are welcome. You can also check our website at http://www.lbesec.com (Chinese only).
Sounds great, definitely the first app I am going to install after S-OFFing my IS.
Been playing with this for the last few hours - looks amazing!
Question how does it "reject"?
Does it send fake information or does it ignore the request?
Thanks!
I definitely think this or something similar should be default in Android. Keep up the good work.
Sent from my SGH-I897 using XDA Premium App
Sounds amazing to me..
Keep on rolling mate!!!
Sent from my GT-P1000T using XDA App
LBE Privacy Guard v2 is available, check http://forum.xda-developers.com/showthread.php?p=18948472#post18948472 for more information.
----------
First, my apologies for the poor English.
Please allow me to introduce LBE Privacy Guard, a small app written by myself. This app enhances the Android permission system and protects your privacy.
LBE Privacy Guard works just like Windows UAC: it intercepts vital actions (like sending SMS, making calls) and requests from apps to access sensitive data (SMS conversations, contacts, phone location, IMEI, IMSI, etc.), then prompts for your confirmation. Unless explicitly permitted, such actions and requests will be rejected.
LBE Privacy Guard also has a low-level firewall, which supports per-app control like DroidWall but does not require netfilter/iptables, so it works on pre-Froyo devices and is faster than DroidWall because it doesn't filter packets.
So why did I write this app? Because the Android permission system sucks: it's very hard for the average user to understand the meaning of each permission, and there is no way to track the behavior of an installed app and no way to control the permissions of an installed app (except uninstallation).
I hope my app can bring dynamic permission control and real-time tracking for installed apps, so you can figure out which app is stealing your privacy and block it before your privacy is stolen.
Requirements
**NEEDS ROOT**
Works on Android 2.0 and above.
Tested on various devices and firmwares, but not tested on Android 3.0 and 3.1 devices.
Current Features
1. Block unwanted send-SMS / call-phone operations
2. Block unwanted access to phone location, contacts, the SMS/MMS conversation database, IMEI/IMSI/ICCID/phone number.
3. Integrated low-level firewall, no netfilter/iptables required, works on pre-Froyo devices
Market Link
https://market.android.com/details?id=com.lbe.security
Contact us
For any questions, feel free to send mail to [email protected]; any comments are welcome.
You can also check our website at http://www.lbesec.com (Chinese only)
Good application, thank you.
I'm gonna give this a look. Will report back if any issues.
Been waiting for an app that watches local permissions.
Can you tell me what exactly the "low-level firewall" is? How can it filter network traffic if it does not make use of iptables?
Looks promising. Will give it a test ride for a few days.
Sent from my Legend using XDA App
good app
Sent from my Desire HD using XDA App
Crashed after a reboot. Will re-install and do another test run later, as it would not start the security service when I rebooted my phone.
This is a great app... works very well on 2.3.4. Thanks for this wonderful app...
From my Desire using XDA
traumatism said:
Crashed after a reboot. Will re-install and do another test run later, as it would not start the security service when I rebooted my phone.
Hi traumatism, I would appreciate it if you could tell me your phone model and the ROM you are using.
It looks like LBE Privacy Guard has some problems obtaining ROOT privilege during the auto-start process.
Installing now, this looks interesting. I'll report any issues tomorrow.
Thank you.
edit: absolutely no issues, this app is awesome!
I was looking for something like this for the longest time... especially since my kernel doesn't support iptables. Installing now.
I am gobsmacked, this application is brilliant!
Had it installed for around 2 hours now, no issues at all, works perfectly fine after reboot, doesn't appear to slow down phone or have any performance impact.
This should be included in Android by default!
Running it on HTC Inspire 4G with CM7.0.3
Great app. My first impression is good. Looks like you've done a good job.. Thx happy
First look is great. Thank you. It is exactly what I am looking for
asicman said:
Been waiting for an app that watches local permissions.
Can you tell me what exactly the "low-level firewall" is? How can it filter network traffic if it does not make use of iptables?
The "low-level firewall" does not filter packets; instead it removes the network-related supplemental groups of a given process. Without such supplemental groups, the socket syscall will fail with EPERM, so the application will not be able to access the network.
This solution neither requires the netfilter kernel module / iptables binaries nor filters packets, so it's faster, but it can't distinguish 3G and WiFi connections.
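As an added illustration of the group-stripping mechanism this reply describes (not code from LBE Privacy Guard or from anyone in the thread), the following Python audit parses /proc/<pid>/status and reports which processes still hold Android's network groups, so a defender can verify that a "blocked" app really lost them. The status excerpts, process names and BLOCKED_APPS set are constructed, and treating root as allowed is an approximation of the kernel's CAP_NET_RAW exemption.

```python
"""Audit which processes can still open network sockets on Android.

Android kernels built with CONFIG_ANDROID_PARANOID_NETWORK only let a
process create AF_INET/AF_INET6 sockets if its effective or supplementary
groups include AID_INET (GID 3003); raw sockets need AID_NET_RAW (3004).
A group-stripping firewall like the one described above removes those
groups from an app's processes. This audit reads /proc/<pid>/status and
reports which processes still hold them, so a defender can confirm a
"blocked" app really lost network access (and spot one that regained it).
"""
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set

# GIDs from Android's android_filesystem_config.h
NET_GROUPS: Dict[int, str] = {
    3001: "net_bt_admin",
    3002: "net_bt",
    3003: "inet",
    3004: "net_raw",
    3005: "net_admin",
}
AID_INET = 3003


@dataclass
class NetAccess:
    pid: int
    name: str
    uid: int
    egid: int
    groups: List[int] = field(default_factory=list)

    @property
    def net_groups(self) -> List[str]:
        """Human-readable names of the network groups this process holds."""
        return [NET_GROUPS[g] for g in self.groups if g in NET_GROUPS]

    @property
    def can_open_inet_socket(self) -> bool:
        """Mirror the kernel's in_egroup_p(AID_INET) test. Root is treated as
        allowed because it normally holds CAP_NET_RAW (an approximation:
        capability bits are not parsed here)."""
        return self.uid == 0 or self.egid == AID_INET or AID_INET in self.groups


def parse_status(text: str, pid: int = -1) -> NetAccess:
    """Pull Name, real Uid, effective Gid and Groups out of a /proc status dump."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    if "Uid" not in fields or "Gid" not in fields:
        raise ValueError("status text lacks Uid/Gid lines")
    return NetAccess(
        pid=pid,
        name=" ".join(fields.get("Name", ["?"])),
        uid=int(fields["Uid"][0]),    # columns: real, effective, saved, fs
        egid=int(fields["Gid"][1]),
        groups=[int(g) for g in fields.get("Groups", [])],
    )


def find_violations(procs: List[NetAccess], blocked: Set[str]) -> List[str]:
    """Names of processes meant to be blocked that can still open sockets."""
    return sorted({p.name for p in procs if p.name in blocked and p.can_open_inet_socket})


def audit_live(blocked: Set[str]) -> List[str]:
    """Walk /proc on the running system and report blocked apps still holding inet."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                procs.append(parse_status(fh.read(), int(entry)))
        except (OSError, ValueError):
            continue  # process exited, or unreadable under our uid
    return find_violations(procs, blocked)


# Constructed /proc/<pid>/status excerpts (not captured from a real device).
SAMPLE_ALLOWED = "Name:\tcom.example.browser\nUid:\t10042\t10042\t10042\t10042\n" \
                 "Gid:\t10042\t10042\t10042\t10042\nGroups:\t3003 9997 50042\n"
SAMPLE_BLOCKED = "Name:\tcom.example.flashlight\nUid:\t10077\t10077\t10077\t10077\n" \
                 "Gid:\t10077\t10077\t10077\t10077\nGroups:\t9997 50077\n"
SAMPLE_LEAK = "Name:\tcom.example.weather\nUid:\t10090\t10090\t10090\t10090\n" \
              "Gid:\t10090\t10090\t10090\t10090\nGroups:\t3003 3004 9997 50090\n"
BLOCKED_APPS = {"com.example.flashlight", "com.example.weather"}

if __name__ == "__main__":
    procs = [parse_status(s) for s in (SAMPLE_ALLOWED, SAMPLE_BLOCKED, SAMPLE_LEAK)]
    for p in procs:
        print(f"{p.name}: groups={p.net_groups} inet_socket={p.can_open_inet_socket}")
    print("blocked apps that can still open sockets:", find_violations(procs, BLOCKED_APPS))
    # On a real device (run as root so other uids' /proc entries are readable):
    # print(audit_live({"com.example.flashlight"}))
```

On a plain Linux host the same script runs but only reports group membership, since only Android's paranoid-networking kernels actually enforce the EPERM.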
I love this idea! I haven't updated "att Mark the Spot" in months because they requested access to everything. The first thing was trust my root apps, sms, gmail & voice apps, then I blocked my phone ID from ALL apps. (would've been nice to have a "reject all" option there.) My question is, are there any legitimate reasons for an app to request my IMEI? Are there any potential negatives to blocking my IMEI from ALL apps?
Edit: I also experienced the force close on reboot, but LBE started right back up on its own. Atrix 4.1.83
eoc, are you planning to release the source code?
Hi guys,
I am a little confused by this app. Can it allow me to stop the IMEI being sent to my carrier when I connect to the network? They are trying to reduce the amount of data included in my plan if I'm not using a phone!
n3man said:
Hi guys,
I am a little confused by this app. Can it allow me to stop the IMEI being sent to my carrier when I connect to the network? They are trying to reduce the amount of data included in my plan if I'm not using a phone!
No. It will only block apps, not the communication between your device and the carrier, which is impossible on GSM networks.
Is anybody experiencing problems with blocked apps? Like FCs or anything similar.
Sent from my LeeDroid Desire HD using laggy Tapatalk
What can it do?
============
Are you concerned about certain apps' required permissions? Then this app is for you!
Based on your settings, this app will automatically turn OFF location and network connections when it detects that certain apps are running, thus leaving the apps no chance of leaking your data. After the apps finish running, pull down the notification bar and you can easily turn network and location services back on.
It works on both non-rooted and rooted devices.
Alternatively, this app can be used as an ad-blocker or data saver.
Performance Impact
===============
With over 300 apps monitored, on average the app utilizes less than 4% of CPU on a Nexus One.
There is no noticeable impact on battery life.
Required Permissions
===============
Access to GPS and coarse location is for probing the location service settings.
Create Bluetooth connections and Bluetooth administration are for probing Bluetooth status and controlling the Bluetooth adapter.
Change Wi-Fi state is for controlling the Wi-Fi adapter.
Changelog
================
1.0
App published to Android Market after major usability improvements and critical bug fixes.
1.1
Major update
- App names are sorted
- Some performance improvements
- UI usability improvements
1.2
Minor update
- Option to hide notification when service is running
- User interface tweaks
- Removed all log messages
Please download from Android Market:
https://market.android.com/details?id=net.houzuo.android.privacyprotector
Major update
- Usability enhancements
- Critical bugs fixed
- Overall performance improvements and smaller memory footprint
houzuoguo said:
Changelog
================
App published to Android Market after major usability improvements and critical bug fixes.
A link would be helpful.
Fantastic app once again, sir! I've posted it to the XDA front page.
willverduzco said:
Fantastic app once again, sir! I've posted it to the XDA front page.
Thank you very much
Looks useful! Even though I'm rooted, I'm hesitant to install apps that require root because of the obvious security issues. So non-root security apps are important.
I have a question though, will it block access for apps that run in the background, such as code run via Broadcast Receivers? If not, perhaps it could warn the user in such a case, because a malicious program could easily gather or transmit data in the background.
Elemris said:
Looks useful! Even though I'm rooted, I'm hesitant to install apps that require root because of the obvious security issues. So non-root security apps are important.
I have a question though, will it block access for apps that run in the background, such as code run via Broadcast Receivers? If not, perhaps it could warn the user in such a case, because a malicious program could easily gather or transmit data in the background.
Thank you
The app only monitors the current foreground process (the one that is dominating the screen).
I'd suggest that, if an app runs a background service and raises a privacy concern, it is better disabled by other means (uninstall, etc.).
There are two reasons why background services shall not be affected by the app:
- Background services may run a long time, thus disabling network or location services could cause much inconvenience.
- To disable location services, Privacy Protector will forward the user to the Location Settings page. Currently, if the user decides not to change the settings and not to run the app, s/he can go back to the home screen by clicking the home button. However, if Privacy Protector keeps forwarding the user to Location Settings because a background service is running, it may be very inconvenient and could possibly annoy the user.
Thanks, that makes a lot of sense.
I guess many users aren't even aware that apps can run hidden in the background, let alone know how to detect background services. So I'm thinking about a warning to the user along the lines of "hey, you're blocking your 'Unhappy Avians' app, but Privacy Protector detected that app may run in the background, outside of our protection. If you're concerned, you may want to uninstall Unhappy Avians".
Elemris said:
Thanks, that makes a lot of sense.
I guess many users aren't even aware that apps can run hidden in the background, let alone know how to detect background services. So I'm thinking about a warning to the user along the lines of "hey, you're blocking your 'Unhappy Avians' app, but Privacy Protector detected that app may run in the background, outside of our protection. If you're concerned, you may want to uninstall Unhappy Avians".
that sounds like a good idea! thank you!
Is it possible to get a version of Privacy Protector that can run on Android 2.1 and less?
Is it independent of iptables?
P.S. The app list must be sorted alphabetically.
5[Strogino] said:
Is it possible to get a version of Privacy Protector that can run on Android 2.1 and less?
Is it independent of iptables?
The app only uses features of the Android API; it does not rely on iptables.
It has been tested on my Nexus One with Android 2.2 and 2.3 ROMs; I wasn't able to test it on a 2.1 ROM because I had difficulty finding one.
I've attached an APK which should be compatible with Android 1.6, but I'm unable to test it. Please give it a try.
For further updates.. can you hide the top icon?
Thx.. great app
What about a harder function: blocking access only for chosen apps?
If I want to use Skype and deny App X, your app will turn the connection off. But I don't want to lose the whole connection.
Has anyone tested this on Galaxy S2 please?
Thank you
5[Strogino] said:
What about a harder function: blocking access only for chosen apps?
If I want to use Skype and deny App X, your app will turn the connection off. But I don't want to lose the whole connection.
That behaviour would only be feasible to implement on a rooted device.
NTOP said:
Has anyone tested this on Galaxy S2 please?
Thank you
The top device which contributes to the 1200+ downloads is the Galaxy S2. There have been 4 crash reports in total (the app occasionally crashes after loading apps.. I'm still investigating) but none of them came from the S2.
Major update pushed to Android Market
Changelog
- App names are sorted
- Some performance improvements
- UI usability improvements
A minor update
- Option to hide notification when service is running
- User interface tweaks
- Removed all log messages
WiFi access
Would it be possible to distinguish between data and WiFi (like DroidWall)?
The phone it's installed on has a bad chip and shouldn't be rooted, but I'd like some apps to only have access to WiFi, and other apps to have access to both data and WiFi.
Does not work on Nexus 4 with Jelly Bean
I ticked the LOC box next to the Facebook app, saved, enabled... then opened the Facebook app and posted a status. My location was right there in the status post.
I am a brand new owner of a OP 8. First thing I did was flash it to OOS 11, then installed Magisk. The phone is now up and running and rooted.
I am coming from a galaxy S5 that I have owned and used for more than 7 years, and for most of that time it has been running Lineage OS. I am used to the control that Lineage gives me, and I would expect that I could exercise the same degree of control with a rooted OOS.
But, this appears to not be true.
On the S5, I had 3C System Tuner Pro which is now an obsolete app, so I have replaced it with the current variant; 3C All-In-One toolbox. This package should allow me to control which apps start at boot, but it seems I cannot turn any of the apps off; when I uncheck them, the app fails to actually remove them from the startup list.
Also, I expect the 3C tool to allow me to uninstall pretty much any app, but there are a lot of google apps that I just can't remove.
I also use greenify (the paid version) and mostly it seems to be working OK, except that I cannot seem to access system apps from it, which makes it very hard for me to shut down things that I don't want running.
I also use afwall (the paid version) and it seems to work as expected. Which is good.
My focus is security and privacy, and my mantra is: "on android, the app that is not running is the app that is not spying". Thus, I want everything that is not needed to satisfy my purposes to not be running, and I only want apps running when *I* say that they can run.
Now, my S5 was running Lineage 17.1 which is android 9. I did not update it past that. And now I am running android 11, and I note that there is a lot of new hardware-based validation in android 11. So possibly I can't remove some things without disabling this validation (which I would prefer not to do). But even if I can't remove, I can disable (which, fortunately, I AM able to do). But I should be able to remove things from the startup list so they don't get started automatically at boot time. Right now, the way it works is they all start, then greenify shuts them down (and that isn't always completely reliable). I need more to make this phone genuinely secure and private.
So.
Does anyone here know how I could gain the capability to remove apps (including system apps) from the startup list and have it stick? Does anyone know what I need to do to get greenify to recognize system apps so I can shut them down when they are not needed, or failing that, can anyone steer me to a different app than greenify that will do that?
Perhaps I would gain by adding the xposed framework? I have not used it in a very long time (since I move to lineage) and I recall it being a bit of a pain.
I suppose I could move to Lineage from OOS, but I would prefer to not do that because of the camera software. This device seems to have a fine camera and not a lot of bloatware, so I would much prefer to stay with OOS for as long as the device is supported by the manufacturer.
But I do insist on being able to completely control it, and disabling apps that I can't stop from running is a much bigger hammer than I would like to use; some of those apps I might actually want to use from time to time.
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
jiml8 said:
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
optimumpro said:
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
jiml8 said:
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
I have been building Android ROMs for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc. But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android ROMs, actually, contain very little advertising/spying, and it makes perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock ROMs do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock ROMs, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is to never install Google 'things', which is the case with my ROM and my phone.
optimumpro said:
I have been building Android ROMs for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc. But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android ROMs, actually, contain very little advertising/spying, and it makes perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock ROMs do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock ROMs, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is to never install Google 'things', which is the case with my ROM and my phone.
I don't really program Android, though I am a kernel developer in both Linux and FreeBSD. I also am one of the principal architects of a network infrastructure appliance that is getting a lot of attention in the industry.
So, while I do not know android in detail at a low level, I know linux thoroughly and I am fully equipped to completely monitor and control what access that android (or any other computer) has to any network. And that has been my dilemma; I can see what my device is doing and I am determined to stop it.
I agree with you about vanilla Android, absent all the google stuff. It is just linux with a different desktop on it, and the connections it makes to google are just for network management functions; the network device I have built also contacts google (and a few others) for network maintenance only and not any information transfer.
Unfortunately, the google apps infrastructure is required for some things that I use the phone for. Google maps is required by both Uber and Lyft; without Maps, I can't use those apps - and there are times when I am traveling where I really need to be able to use those apps.
Also, unfortunately, the company I am contracted to (where I am part-owner) for which I have built this network appliance makes heavy use of google tools. I have not been able to convince my partners to move away from google, and they can outvote me.
I have to allow Meet and Chat to run on my device; I don't have a practical alternative. So I have spent a lot of time determining exactly which google components are the minimum required to allow those apps to run, and I have disabled or blocked or restricted permissions for all other google components - and both greenify and afwall play key roles in this activity.
With my old Galaxy S5, I just would install the smallest google package that supported Maps onto my Lineage OS on that device, but on this OnePlus 8, I have elected to stick with OOS for as long as it receives updates. So, tying google's hands is a lot more work.
My monitoring tells me I have it now as good as it will be. There are a few connections to google, as expected, but the frequency of those connections is not high and very little data is being transferred in either direction. I believe most of the traffic is administrative. The only thing I have not yet checked is whether there is any DoH or DoTLS traffic. My IOT VLAN watches for and blocks such traffic (my IOT VLAN exists to isolate and completely control my Android TV), and I have connected the phone to the IOT VLAN for a short while to see if any DoH/DoTLS was detected and none was - but I really need to connect it to that VLAN for an extended period.
I do root around in the phone's databases (which reveals what Google is doing, and Google can't stop that...) and the result is that I know Google is not doing much.
So, it isn't perfect. I would be much happier if the company would move away from google. But it is as good as it's going to get, and I don't believe google is sneaking anything by me; I would have detected it. I do block a LOT of google URIs.
Also, as far as google open-sourcing their spying machine...that, quite explicitly, is the purpose of Android. It is open-sourced spyware for google.
They open-sourced it partly because they had to (the gnu licensing ties their hands) and partly to gain acceptance; its open source nature is why it is now the dominant architecture. It greatly reduces development costs for device manufacturers while providing a standardized framework upon which they can build.
Those of us who put in the effort to exploit that open-source nature to stop the spying are a small fraction of the total marketplace, and google can easily tolerate us.
Android has increased google's reach and ability to collect data about individuals to an enormous extent. From the standpoint of knowing everything about everybody (which is google's explicit goal) it is an enormous win for them.
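The DoH/DoT check the post above describes (watching an isolated VLAN for encrypted DNS that bypasses the local resolver) as an added example; this is not the poster's tooling. The flow-record format, the VLAN resolver address and the sample rows are constructed; the DoH hostnames are well-known public resolvers.

```python
"""Flag DNS-over-TLS, DNS-over-HTTPS and off-VLAN plain DNS in flow records.

Added example for the VLAN monitoring described above; the Flow record
format and the sample rows are constructed, not captured data.
"""
from dataclasses import dataclass

# Hostnames of well-known public DoH resolvers, matched against the TLS SNI.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
             "dns.quad9.net", "doh.opendns.com"}
# The resolver the VLAN is supposed to use (constructed address).
VLAN_RESOLVER = "10.0.50.1"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    sni: str = ""   # TLS server name, empty if not TLS or not seen


def classify(flow: Flow) -> str:
    """Return 'dot', 'doh', 'dns-bypass' or 'ok' for one flow."""
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"            # DNS over TLS is always TCP/853
    if flow.proto == "tcp" and flow.dport == 443 and flow.sni.lower() in DOH_HOSTS:
        return "doh"            # HTTPS to a known DoH endpoint
    if flow.dport == 53 and flow.dst != VLAN_RESOLVER:
        return "dns-bypass"     # plain DNS sent past the VLAN resolver
    return "ok"


def report(flows):
    """Group suspicious flows by verdict; 'ok' flows are dropped."""
    out = {}
    for f in flows:
        verdict = classify(f)
        if verdict != "ok":
            out.setdefault(verdict, []).append(f"{f.src}->{f.dst}:{f.dport}")
    return out


SAMPLE = [  # constructed flows from a phone (10.0.50.23) on the IoT VLAN
    Flow("10.0.50.23", "10.0.50.1", 53, "udp"),
    Flow("10.0.50.23", "8.8.8.8", 53, "udp"),
    Flow("10.0.50.23", "8.8.8.8", 853, "tcp"),
    Flow("10.0.50.23", "8.8.4.4", 443, "tcp", sni="dns.google"),
    Flow("10.0.50.23", "203.0.113.10", 443, "tcp", sni="www.example.com"),
]

if __name__ == "__main__":
    for verdict, hits in report(SAMPLE).items():
        print(verdict, hits)
```

A DoH client that pins a resolver IP and omits SNI would not match the hostname rule, so on a locked-down VLAN the complementary control is to permit 443 only to destinations that are not known resolver addresses.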