Most Privacy oriented Custom Rom - OnePlus 6 Questions & Answers

I got a good Custom rom overview from this post, especially the google spreadsheet: https://forum.xda-developers.com/oneplus-6/how-to/custom-rom-t3867290
I looked into a couple of those, and found some questionable features. For example: Havoc OS lists something like weather info on lock screen. This made me think about where this functionality would get the telemetry for my location.
TLDR; Are there any Custom Roms that are especially focused on user privacy or with this concern at least in mind?
In general I know about the custom rom Replicant but they only support very old smartphones. I decided that the Oneplus 6 is the perfect phone for me, and I also want to find the perfect custom rom.
I've searched on google and the only other os showing up is lineage. Other than being open source, what would be the difference to, let's say, aosp extended regarding special features and privacy?
I won't be using gapps and I am still thinking about microg. Since Google is such a great company I won't get notifications without going through their ****ing gcm unless sacrificing significant battery life (more info: https://www.reddit.com/r/fossdroid/comments/9ayrgc/privacy_on_gcm_microg/ ).

Hi, I think when it comes to privacy, regular custom ROMs have little impact. As long as you're not using OOS or a port (like MIUI), all ROMs should be pretty good, as long as you don't install gapps.
Lineage has a good reputation, it's well known and they made a lot of basic apps so you don't need to rely on others (they're often based on older AOSP apps). LOS also comes with Privacy Guard, which is similar to the default Android permissions manager, but with a few extra options, including a very basic firewall. If you want to use microG, you have to go for a special edition that you can find here: https://lineage.microg.org/
But other ROMs are fine as long as you have the proper apps installed and a proper setup overall. You can check my thread which is related to microG but also privacy: https://forum.xda-developers.com/oneplus-6/how-to/guide-microg-oneplus-6-source-ligthway-t3874469/
Depending on your current knowledge, it's mostly a lot of reading about what apps you can use, what browser you should use, what firewall, what ad/tracker blocker, etc.
If you're on telegram, I'd recommend you join @nogoolag, it's full of useful notes about what apps to use, what settings are ideal, infos related to VPNs, etc.
EDIT: about weather in custom ROMs: you can usually very easily disable the service or even remove the related APKs, so it shouldn't be a criteria imo.

@Tomatot-
Thank you very much for your awesome reply. Your thread about microg helped me a lot. I will follow your guide there.

Related

Privacy sandbox for Android apps?

Hi all,
Here is my dilemma, I want to run an app X (e.g. Paper Toss) but it requires capability Y (e.g. my location or phone identity) that compromises my privacy and is not really needed for the core functionality of the app.
It would be great to be able to wrap the app with a security wrapper that will allow me to control which signals it actually has access to and for which others it just gets fake data (similar to Google Latitude that allows you to set an arbitrary fake location).
Any thoughts? How feasible is it to implement?
I would think that this is doable, at least with the AOSP based ROMs such as CM.
I would appreciate such a privacy-enhancing feature.
I'd like to see such a feature too. A lot of apps seem to ask for permissions that have nothing to do with the core functionality of the app. See the Wall Street Journal article on smart phone privacy (can't post a link yet) for examples.
I think it would be a good idea to suggest this to CM to see if they would include it. Would you be able to develop this?
Don't know if it is related to this thread or not but Android Police reports about similar upcoming feature of cyanogen
http://www.androidpolice.com/2011/0...rmissions-cue-mass-force-closing-as-a-result/
cm7 nightly 82 allows control (deny/allow/revoke) of permissions for individual apps... this is what you're looking for.
It's the new feature mentioned in the post above this one

Cyanogen is the new Canonical - should we back a new ROM?

I’ve been a CyanogenMod user since CM6 for the HTC EVO. While I can’t claim to have contributed much directly to the community (I’m no developer and more of a sys admin kind of guy), I have installed CM on countless phones over the years - basically any friend or family member who sat their phone down long enough. As soon as it was available, I snagged a OnePlus One, and it’s still the phone I have today. While I was initially excited to see where the foundation of Cyanogen Inc. would take the project, I’ve become increasingly disappointed with the direction that things have gone (both CM and COS), and I think my next phone will likely be a Nexus device with stock Android. I’m fairly certain that this post won’t accomplish much (aside from starting a flame-war/trolling/what-have-you), but I thought I would post it just to see what might come of it.
What I initially loved about CM was the fact that it added a number of useful features to stock Android, it allowed a ton of functional customization, it seemed to be more efficient and stable, and it let me continue to update devices that manufacturers had artificially sunsetted. I was impressed by the fact that lead developers were more interested in code quality and security than by shiny features. Amidst the desire to make Android better, there was also a sense of perfectionism to CM as evidenced by the “don’t ask for ETAs” mantra - it would get done when it was ready, and I was always willing to wait.
When Cyanogen Inc. formed, I was curious to see how they planned to make money. I actually decided to be a bit bold, contacted Kirt and Steve via LinkedIn, and offered to share some of my ideas. One of my biggest suggestions was that they should do something to fill the gaping hole left by Blackberry. At that point (and even still today), no manufacturer had really been able to provide the enterprise-grade functionality provided by Blackberry and BES. MDM solutions were (and are) a double-edged sword that are really just a patch for the solution. Given the huge priority that Cyanogen placed on security, I thought it would be a good direction to take. I’ve sent a few other suggestions over the years (including attempting to get the OnePlus One on the shelves at Walmart when I worked at the corporate offices), but it never seemed to go anywhere.
Right now, when I wake my phone, I have a reminder that there is a system update ready for my OnePlus One that will install COS 13.1. This update adds “new mods for Cortana, OneNote, Microsoft Hyperlapse, Skype, and Twitter.” I have yet to hit install. My issue is far less that Cyanogen is working with Microsoft and more with the fact that the company, much like Canonical/Ubuntu, seems to have the not-invented-here syndrome. (Side note: here’s a great article from the Turnkey Linux team that serves as partial inspiration for this post https://www.turnkeylinux.org/blog/ubuntu-not-invented-here-syndrome). Instead of offering new and useful features, Cyanogen is reinventing wheels and cramming the OS full of things that aren’t really at the top of anyone’s list for issues that could be solved or features that could be added. The innovation just seems to be gone. Most of the features that were exclusive to CM and drew me to the project are now part of stock Android. It makes me wish Cyanogen had taken up Google on their $1B offer.
Here are a few examples. Who remembers when ADW was the stock launcher of CM? I do. In contrast, who actually uses Trebuchet? I think it’s a featureless piece of junk. No gestures? No ability to hide icons in the drawer? No useful functionality that really sets it apart from other launchers? Why develop something new just for the sake of doing it yourself when it only provides basic functionality? Right up there with it is the File Manager application. There are plenty of other more feature-rich applications on the market, and I frankly never use the app provided by Cyanogen because it isn’t nearly as functional as something like ES File Explorer.
Similarly (but more egregiously), is the Browser application. Show of hands: who uses the browser provided in AOSP? No? Me, neither. Be it Chrome, Firefox, Opera, or something else, no one uses the browser built into the ROM. Why did Cyanogen feel the need to create another browser that lacks functionality, is rarely updated for security patches like mainstream offerings, and is basically just another piece of lint on everyone's phones? I fail to see the innovation, there.
I initially loved the idea of having a Cyanogen Account because it was pre-Google Device Manager. However, now that Device Manager exists, I don’t see a reason to use my Cyanogen Account because there haven’t been any additional additions to the feature set. I emailed Kirt and Steve once about potentially folding the WebKey project into Cyanogen and linking it to the Cyanogen account. That would provide remote access, remote file management, a remote shell, and countless other features (most or all of which could be made to work without needing root if baked into the ROM). How much would that add to the ROM and set it apart from other offerings? Neither Google, Apple, Microsoft, or Blackberry have anything close, and it would be a game-changer.
The Themes engine. Alright, so some may disagree with me, here, but I don’t really care about theming my phone or my computer. For me, that was cool back when Compiz/Beryl were the hotness for Linux. Now, I’m more interested in function over form. Why spend so much time building this thing when there are actually useful additions that could be made to CM/COS?
In conjunction to this, there are a number of features provided by CM that are now part of AOSP and make me wonder why I'm still on CM/COS. Google has added permissions management. They have included tethering. The majority of Developer Options are baked in. They switched the whole tap/long press to turn on/off/open settings feature in the notification panel. There isn't much to set Cyanogen apart, anymore.
Instead of just complaining, I wanted to start a list of things that I really thought Cyanogen would have provided by now (or would have at least considered). Some of these would provide Cyanogen with a revenue stream so they wouldn't have to keep cozying up to Microsoft, something that I'm sure most of us would appreciate (does anyone actually use Cortana?) I’d be interested to hear what other features the community would like to see added to CM/COS:
WITHOUT root, implement NFC tag actions that are available with the screen off. For example, allow a user to unlock/wake their phone, turn certain settings on or off, switch to a different profile, or perform a set of pre-defined actions by tapping a NFC tag. Obviously, there would have to be some security mechanisms built in order to whitelist trusted tags so the functions can be used with the screen off, but I’ve always wanted to be able to set my phone down on a tag at my desk and have it automatically connect to my company’s WiFi, put my phone on vibrate, etc.
Partner with an existing developer or independently build parental controls into COS.
Add a login manager for public hotspots to accept terms and conditions on subsequent logins after the first connection (would need to use MAC address, GPS, or some other unique identifier since some companies use the same provider, e.g. Starbucks and McDonald's both use ATTWiFi as their network name but have different captive portals)
Make a Kiosk version for customers at coffee shops and the like.
Create a mobile pay kiosk version similar to the Chili’s tablets since Cyanogen is known for security.
Make a version tailored toward the elderly (lock certain features, provide a restricted set of capabilities that are easy to access, etc).
As previously mentioned, build in WebKey or similar functionality that is tied to a Cyanogen account.
Include Tor without needing root.
Allow the ability to modify DNS settings.
Develop AirPlay compatibility for the Cast feature.
Right now, I’m at the point that I was at with Ubuntu about five years ago. Canonical had “improved” Debian into a bloated nightmare complete with in-house developed projects such as Unity, Ubuntu One, the Ubuntu Software Center, Mir, and others that no one asked for or wanted. If Distrowatch rankings are to be believed, Debian (and Mint) is now more popular than Ubuntu, likely as a result of Canonical’s decisions.
This is not a call to arms but rather a suggestion. Perhaps it is time that the community creates, by way of analogy, a Cyanogen Mint. Maybe we need to go back to the foundation of AOSP just like many users have done by going back to Debian. For me, at least, Cyanogen isn’t satisfying the same needs that it did two years ago, and I’d like to have a mobile OS or ROM that does. There are a lot of custom ROMs out there like Paranoid Android, AOKP, and OmniROM, but they are incredibly fragmented in the devices that they support, and none of them have the level of backing that Cyanogen gained. Perhaps as a community, we need to consolidate our efforts, focus on a common project, and bring forth a high-functioning ROM that can fill the void that Cyanogen no longer does.
In light of today's news about the layoffs at Cyanogen, thought I might bump my thread to see if anyone would be interested in joining this conversation.

Privacy with Play Services

Hello all! I'm sure most of you are familiar with Google Play Services, the base of Google's Android framework and the brains behind all the Google things you do on your phone. Less of you, however, might also know that Play Services is notorious for being a beast of an application that no one truly knows the function of.
Below here is a rough explanation of Play Services from what I know about it. You can skip this if you already know and move on to the bread and butter of this post.
Play Services is proprietary software, meaning that its source code is not available to the public. All of Google's apps are proprietary like this as well. While developers like Chainfire have legitimate reasons to close off their app source code so others don't steal it, and so does Google, it is extra worrying from a company that makes a profit off of collecting userdata. Many people, including me, do not trust Google with our data, so we try to avoid their products as much as possible.
I thought that it would be nice to create a megathread of sorts with various users' suggestions on how to subvert the constant surveillance of Play Services, while also attempting to maintain the useful functionality of it. Below are some of the primary methods that I have thought of, and that I and some others have tried:
LineageOS/CyanogenMod Privacy Guard - If you are using LineageOS or any derivative thereof, you can go to Privacy Guard and deny certain permissions from Play Services. I and another user have denied permissions from Play Services without side effects, but your mileage may vary. @javelinanddart said on Reddit that Privacy Guard does indeed block permissions from Play Services and other system apps, so rest assured that Privacy Guard actually does something rather than being a placebo.
XPrivacyLua - This is an Xposed module that feeds false data to apps rather than blocking it entirely. I haven't tried this method myself, but the XDA post I linked above reports that XPrivacyLua works, even in tandem with Privacy Guard.
microG - microG is an open-source alternative to Play Services. It emulates many key functions of Play Services - push notifications, location services, etc - without the data collection running alongside such functionality. To clarify, this is a full replacement for Play Services, so you would flash a microG package instead of a GApps package. There are lots of bugs, though, even admitted by the developer. If you want to learn more, I suggest you visit the XDA thread for it, or view the implementation progress for various pieces of functionality.
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Thanks for thread.
My only reason to use custom ROM is because they are GApps-free. In nearly every other aspect stock ROMs are better. Phones without good custom ROM I simply setup without Google account and install f-droid and yalp stores.
Another idea:
Imagine: Google is not as evil as we think: there are many privacy related settings in your Google account. You can login with a web browser and try through all these settings - and hope.
Device is a Samsung i9305 with RR-N-v5.8.5-final, Magisk v16.0, XPosed, XPrivacyLua, microG (via NanoDroid). No genuine Google services; Google Play Store is the one and only Google application installed.
I hope it suits into this thread (thanks very much for creating it!), and I'd like to share my settings. Please refer to the screenshots; I think it's self-explaining where they were taken from.
Actually no restrictions to microG, only to Play Store.
Remarks: µG has no restrictions in the firewall (AFWall+ Donation Beta); Play Store only granted internet access via WiFi and VPN. Just for completeness; running a RaspberryPi in the home network with Pi-Hole installed and acting as the DNS-server in the network. Unless using the home network i.e. using a foreign WiFi network or mobile data, ALWAYS establishing my own secure VPN to my RaspberryPi (with PiVPN installed) via OpenVPN and again the Pi acting as the DNS-server. If interested in further details please refer to this thread.
Thanks for this.
I was considering asking for a forum section here devoted to privacy, but it doesn't seem like a popular subject here. (After all, most of the people who have already picked the most snoopery OS in the world could be assumed to be not particularly worried about privacy.)
I come from a different motivation: the hope that by using a somewhat hackable OS, one can theoretically modify it in ways to achieve one's objectives, including privacy. But the last few years have made it rather clear that the Big G is working determinedly to foil such efforts.
Lately that seems to take the form of pushing more and more essential services into the Gplay frameworks, and deprecating perfectly working things like GCM in favor of intertwining it with Firebase, which may saddle us with that analytics data vacuum in order to get another essential service, push notifications.
Re: revoking permissions from Gplay frameworks, I feel like Google's determination to get their hands on data by hook or by crook (eg their ignoring of user preferences to disable various radios and enabling them in the background anyway, to track location and such) means they will quite possibly circumvent these preferences at some point as well.
As I mentioned in another thread I've experienced various problems in the past when I tried to aggressively restrict perms on the Gplay services using CM/LOS Privacy Guard, but perhaps some of that came from choosing interactive restriction prompts rather than blanket revoking. I do know that so many essential services are tied-into the Gplay frameworks these days that blocking tons of perms will inevitably cause breakage of some things depending how you use your device.
Jrhotrod said:
...
There is nothing else that I know of, so if anybody knows of another viable method or can provide their own experiences with the above ones, your contributions would be appreciated by me and the rest of the privacy community.
Due to your request above, please allow me to draw your attention to two threads by me. In these threads I tried about one and a half years ago to initially capture but also to update how I believe to have enhanced the battery duration, privacy and security of my GT-i9305 and how I went for a GApps-free device with microG.
Over the time until today, some of the described implementations, applications and measures became obsolete or were replaced by others (e.g. using NanoDroid - or Nanomod as it was called in the beginning, since it has come out). Some changes occurred due to the step from Marshmallow to Nougat or the non-availability of the official Xposed framework for Nougat in the very beginning. However, over all the time I've tried to maintain both threads updated and amended but currently not too much occurring on that frontline, probably because I've received a privacy status on our devices that obviously satisfies me in my personal opinion.
Wow, this is really great! Very high-quality thread.
Will add to OP later today
I apologise for the double post (original in my thread here) but I guess it also suits in this thread.
Found the below quoted post by @jawz101 in the XPrivacyLua thread here. Pretty interesting, and therefore I like to share:
Looking around on Data Transparency Lab website http://datatransparencylab.org/ - they fund grants for research in privacy stuff.
...I found an app called AntMonitor, an academic research project that does a MITM SSL cert + local VPN to look at sensitive traffic - even that which is encrypted. https://play.google.com/store/apps/d...it2.anteatermo
Anyways, it shows some apps trying to send my gps coordinates even though it doesn't have Android permission. Like, my coordinates are actually attempting to be sent encrypted to a destination. XPrivacyLUA doesn't trigger so I can only assume they grab my coordinates in a way that circumvents the traditional Android permission model.
To test, just try the app and open a few apps. I think it's apps with the Facebook graph API that is maybe doing it.
If you like ANTMonitor another app that does an SSL cert+ VPN is Lumen Privacy Monitor- a project by Berkeley, but it doesn't seem to detect raw coordinates like ANTMonitor does.
However, I suggest to also follow the discussion/conversation between jawz101 and M66B, which has developed after this post.
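An added example (not part of the original posts and not AntMonitor's code) of the check the quoted post describes: scanning already-decrypted app traffic from your own device for its current coordinates, and noting whether the sending app holds a location permission. The record layout, app names, hosts, coordinates and the permission map are constructed for illustration; the example also covers the integer "E6" (microdegree) encoding, which goes beyond the plain decimal case in the post.

```python
import re
from urllib.parse import unquote_plus, urlparse

LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Decimal degrees with at least 3 fractional digits, e.g. 52.5200 or -33.868
DECIMAL = re.compile(r"(?<![\d.])-?\d{1,3}\.\d{3,}")
# Integer microdegrees (degrees * 1e6), 7 to 9 digits; 10-digit timestamps do not match
E6_INT = re.compile(r"(?<![\d.])-?\d{7,9}(?![\d.])")


def candidate_values(text):
    """Return every number in text that could encode a latitude or longitude."""
    values = [float(m) for m in DECIMAL.findall(text)]
    values += [int(m) / 1e6 for m in E6_INT.findall(text)]
    return values


def find_coordinate_leaks(records, lat, lon, granted, tolerance=0.001):
    """Flag requests that carry BOTH the device latitude and longitude.

    tolerance is in degrees (0.001 is roughly 100 m), so rounded values match.
    Requiring both numbers keeps a lone price or version string from matching.
    """
    leaks = []
    for rec in records:
        # URL-decode so "52.52%2C13.40" is seen as "52.52,13.40"
        text = unquote_plus(rec["url"] + " " + rec["body"])
        values = candidate_values(text)
        near_lat = any(abs(v - lat) <= tolerance for v in values)
        near_lon = any(abs(v - lon) <= tolerance for v in values)
        if near_lat and near_lon:
            perms = granted.get(rec["app"], set())
            leaks.append({
                "app": rec["app"],
                "host": urlparse(rec["url"]).hostname,
                # False means coordinates left the device without a location grant
                "permitted": bool(perms & LOCATION_PERMS),
            })
    return leaks


# --- Constructed sample data (not real captures) ---
DEVICE_LAT, DEVICE_LON = 52.520008, 13.404954

GRANTED = {
    "com.example.weather": {"android.permission.ACCESS_FINE_LOCATION"},
    "com.example.game": {"android.permission.INTERNET"},
    "com.example.notes": set(),
    "com.example.news": set(),
}

SAMPLE_RECORDS = [
    {"app": "com.example.weather",
     "url": "https://api.example.org/v1/forecast",
     "body": '{"lat":52.5200,"lon":13.4050}'},
    {"app": "com.example.game",
     "url": "https://ads.example.net/e?ll=52.52001%2C13.40495&ts=1700000000",
     "body": ""},
    {"app": "com.example.notes",
     "url": "https://sync.example.com/upload",
     "body": "pos_e6=52520008;13404954"},
    {"app": "com.example.news",  # only one number near the longitude: not flagged
     "url": "https://cdn.example.io/feed",
     "body": '{"price": 13.405, "version": "4.12.300"}'},
]

if __name__ == "__main__":
    for leak in find_coordinate_leaks(SAMPLE_RECORDS, DEVICE_LAT, DEVICE_LON, GRANTED):
        note = "has location permission" if leak["permitted"] else "NO location permission"
        print(f'{leak["app"]} -> {leak["host"]} ({note})')
```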
This is certainly an important discovery, thanks for the news.
Now for the sidenote that's 10x longer than the main comment.
One of the key issues I have with the various "privacy tools" is trying to figure out whether or not I trust all these entities that produce these diagnostic things to not be a solution worse than the problem when it comes to possessing and safeguarding my sensitive personal data.
It's getting to the point where I'm no longer enamored of giving *anyone* access to such stuff if I can help it, no matter *who* they are.
Even if they're not lying about their intentions and their commitment to security/privacy, there are still matters like carelessness/incompetence and targeted attacks to worry about.
@Exabyter: Your statement and expressed concerns are absolutely correct. Nothing to add except that I wouldn't limit it to "privacy tools" but especially include all applications that require root (and get it granted by the user) or all Magisk and Xposed modules. The latter should definitely concern.
My personal decision:
I'm not willing to trust anybody from the very beginning but I'm willing to trust single persons, groups or agencies. I've developed my own, private criteria, to which I stick but I also admit the final decision isn't always based on rationality but also a lot on my feeling (in my stomach).
I don't hold any confidential data on my device but privacy related ones, and I don't use my device for any kind of banking, shopping or payments.
I consider to use tools, modules and applications if their functionality rests within my defined specifications for the use of my device. Then I go for "the shopping tour" while I try to look into the details of the tools under closer examination, which includes where is it from, who's the developer etc.
I'll continue with the measures already described in one of my threads.
Oswald - I think we have largely similar stances on such things. In my case I will sometimes sway towards the pragmatic over the pedantic when the pedantic involves so many inconveniences that the tech becomes more of a burden than a help to me.
For example, I really don't like the idea of 3rd-parties keeping data pertaining to my daily geographic movements, but I also use several tools and services that by their nature rely on location data which could in some cases end up in the hands of parties I'd rather didn't have access to it. So I have to regularly weigh the apparent cost/benefit of such services and there are certainly some of them which have a high enough value to me that I willingly lower my default "protection level" in order to keep the other benefits of such tools/services.
Certainly microG is an important tool in that toolchest as it has a major disruptive impact on some of the most common ways Google and other parties snoop on users. But some of its imperfections also threaten to keep me from my ultimate goal of carrying a single phone which performs all the tasks I need to accomplish with it without undermining my privacy in a major way. (And ultimately, my freedom and agency as a citizen in a nominally and allegedly "free and democratic society", which is the actual "big picture" problem with privacy incursions in general IMHO)
I have spent several years now, with varying degrees of effort and success, trying to come up with a hardware/software solution to this problem, and I've never reached a point where I'm fully satisfied with the results. The fact that I am still carrying several mobile devices with me everyday is proof enough that I haven't achieved my objective in this regard and it gets tiring. As does all the time spent on venues such as XDA, researching, discussing and keeping-up with all the relevant issues, not to mention the large amount of time spent tinkering with HW/SW in order to keep all the special measures working. (And after we finally get things working more or less the way we want, we are faced with the particularly customized hardware wearing out, becoming unsupported, 3rd-party ROM and other compatible and necessary software being abandoned/deprecated, and so on and so forth.)
Truth to tell I'm a bit bitter about the amount of time/energy I have to spend to achieve something which should have been part of the mobile platforms in the first place. The current de-facto mobile platform duopoly certainly doesn't help matters.
---------- Post added at 03:39 PM ---------- Previous post was at 02:57 PM ----------
Now that I've gotten that philosophical rant out of the way...
So as far as technical specifics:
microG of course is a big help as it either neuters or removes many troublesome anti-privacy vectors. For example, at the present time it does not support Firebase Analytics at all, which means (as far as I can tell) any app that expects to get telemetry on users via Firebase Analytics will not get anything if the app user's device is Gapps-free and using microG instead. (It remains to be seen if adding Firebase Cloud Messaging capability to microG will negate this presumed benefit. Cynics like myself are inclined to think one of Google's key objectives in deprecating Google Cloud Messaging and rolling push notification frameworks into Firebase instead was specifically to undermine the ability of users to avoid/circumvent Firebase Analytics)
XprivacyLUA looks interesting and is on my list to test. I found its predecessor Xprivacy to be an extremely tedious and labor-intensive option so I never seriously pursued it after my initial testing.
There are various tools I find handy to help get a sense of how dangerous certain apps may be to privacy. Here are a few:
AppBrain Ad Detector
https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector
Addons Detector
https://play.google.com/store/apps/details?id=com.denper.addonsdetector
Checkey (also on f-droid)
https://play.google.com/store/apps/details?id=info.guardianproject.checkey
Applications Info (also on f-droid)
https://play.google.com/store/apps/details?id=com.majeur.applicationsinfo
Permission Friendly Apps
https://play.google.com/store/apps/details?id=org.androidsoft.app.permission

anbox+microG: what is the current easiest approach?

I would like to use anbox (in postmarketos) together with microG (for supporting apps which depend on Google Play Services). What would be the easiest way to add signature spoofing to anbox image? This was discussed briefly here: https://github.com/anbox/anbox/issues/27 but nothing definitive (the last post https://github.com/anbox/anbox/issues/27#issuecomment-863918130 goes into the most detail but finish). I am a bit lost with all the smali/baksmali/haystack/tingle plus different android version and so on; some of the tools have not been updated for years and I would like to see what would be the current best approach. Ideally, including the UI for allowing signature spoofing as an extra special permission granted to certain apps, though predefined set of apps allowed to spoof (microG) is sufficient as well.
If this is somehow not feasible, building anbox (android.img) on my own is also an option, in which case pointers to patches to the source code would be very welcome.
On the normal phone, I was lucky I could install microG+LineageOS pre-built.
Thanks for help!

How is my privacy with CalyxOs?

Hello all,
I have been more privacy conscious for an extended period of time now. I use CalyxOs because I still need some apps, both work and personal that do not work in GrapheneOs. However, the last one I have a question regarding the collection of data by Big Tech and I am wondering to what extent I am about my privacy and if I am not taking too many actions for nothing? After all, I see a lot of videos and tutorials about degoogled phones. I understand that with degoogled phones combined with minimizing apps (and especially not installing google apps) it becomes more difficult for the Big Tech to get a full profile than with a stock os. So this means that I take all kinds of precautions that make me put more effort, like not using a lot of easy apps anymore, in device (now Pixel 4) much less good specs than e.g. Galaxy S21 etc. My question now is, to what extent do I actually protect my privacy this way? Some examples: I no longer use Gmail but Protonmail, but many of my recipients still use Gmail, so my mail "comes anyway" to Gmail. Conversations via Whatsapp, but also Signal or Session or Briar etc. are at my friends/family on a stock android. But then the conversations are also not private like on a CalyxOs right? So in short, what my question is, do these efforts and sacrifices of ease of use still have any use if all the two way interactions don't guarantee my privacy anyway?
I'm no expert and maybe someone can help me clarify the privacy process?
Thank you!
I recommend the following:
Use a custom Rom without any google stuff. There is either
1.) LineageOS for the Pixel4 _WITHOUT_ any "gapps", "mindthegapps", "microg" and whatever their names are.
2.) CalyxOS WITHOUT "microg" - make sure to switch off the checkbox during installation.
3.) GrapheneOS
I only have experience with #1 & #2, I am using ~95 Apps and I discovered only one which refused to run without the so-called "PlayServices" and this is the "Flightradar24"
Some other ideas:
- use a personal firewall like NetGuard Pro or the built in one in CalyxOS and restrict as much as possible network access for ALL apps.
- use a dedicated contact app (i use "simple contacts" from FDroid) to separate private contacts from the "standard" contact app which can be read by Telegram or Whatsapp.
- extract the native Pixel4 camera app and sideload it onto your custom rom based phone and restrict network access of it to have all features of the good original Pixel Cam app.
- Do not use the google search engine, use "DuckDuckGo" or one of the other alternatives.
- check that you _do not use_ the google DNS servers (8.8.8.8) use another one like "digitalcourage" - check "duckduckgo" for trustworthy dns servers
- look for the actual version of the "Privacy Handbook" there is a very good one but it's in german language, not sure if there is a similar one in english
- regarding gmail: tell people that you _do not send_ mail to google mail. "gimme another mail address please, I don't want to have the contents of my mail scanned by google POINT!"
In other words: Avoid as much as possible from "BigTech", use open source alternatives. Support Open Source projects. Use a privacy friendly mail provider, in DE they are cheap ~ 1,- €/month you have the privacy and a ad free WebGUI and you support their business.
The other side of the medal: Stay away from the Web/Internet/modern technology but this isn't a solution
That's my 2 cents
