INTRODUCTION
There was a time where “enlightned” people used to make fun of guys like me:
paranoid, conspirationist, tin foil hat, ha ha ha!
The thing is that there has never been any conspiracy theory, it's a term invented by those in power to ridicule people exposing their treacheries.
A conspiracy is a plot aimed at overthrowing a king or a government so how could those in power make any conspiracy against the people, us, since we are not in power?
A theory is something that has not been proven and well, after the Snowden's revelations things have been made clear, so long for the “conspiracy theory”.
The enlightened stopped laughing and started to realise what's going on, and that their dear government and their beloved google were not such a nice bunch to say the least.
Nowadays more and more people wake up and understand that their phones are heartlily spied upon and data mined all the time, and I decided to write a tutorial about how to gain back one's privacy on one's phone.
Remember, Android has not been build with privacy in mind and everybody wants our data, cuz data means money and money has been driving, is driving and will be driving humanity for a long time.
In a way it's ok if one doesn't mind ads and spams, one has to bear in mind that nothing comes for free and the costs to develop an app like let's say what's app or to maintain a site like facebook are huge so the money has to come from somewhere (as some say, if it's free than you are the product).
Plus, one is allways free not to use them, but unfortunately one needs an OS (google), and one needs an oem to manufacture the phone.
Then comes power, it has been driving humanity for even longer than money.
As @CHEF-KOCH said, data means knowledge and knowledge means power. In the past it was a hard task to manually gather data about people and one can easily understand that the present huge data sum that's on the web is of very significative importance for the agencies.
So of course they pressure google, facebook, apple, microsoft and the others to get access to your data, from their point of view it makes sense.
I have nothing to hide but as a matter of principle I have allways tried my best to be in control, and I have to admit that it's fun and interesting too, one learns many things in the process.
paranoid, conspirationist, tin foil hat, ha ha ha!
The thing is that there has never been any conspiracy theory, it's a term invented by those in power to ridicule people exposing their treacheries.
A conspiracy is a plot aimed at overthrowing a king or a government so how could those in power make any conspiracy against the people, us, since we are not in power?
A theory is something that has not been proven and well, after the Snowden's revelations things have been made clear, so long for the “conspiracy theory”.
The enlightened stopped laughing and started to realise what's going on, and that their dear government and their beloved google were not such a nice bunch to say the least.
Nowadays more and more people wake up and understand that their phones are heartlily spied upon and data mined all the time, and I decided to write a tutorial about how to gain back one's privacy on one's phone.
Remember, Android has not been build with privacy in mind and everybody wants our data, cuz data means money and money has been driving, is driving and will be driving humanity for a long time.
In a way it's ok if one doesn't mind ads and spams, one has to bear in mind that nothing comes for free and the costs to develop an app like let's say what's app or to maintain a site like facebook are huge so the money has to come from somewhere (as some say, if it's free than you are the product).
Plus, one is allways free not to use them, but unfortunately one needs an OS (google), and one needs an oem to manufacture the phone.
Then comes power, it has been driving humanity for even longer than money.
As @CHEF-KOCH said, data means knowledge and knowledge means power. In the past it was a hard task to manually gather data about people and one can easily understand that the present huge data sum that's on the web is of very significative importance for the agencies.
So of course they pressure google, facebook, apple, microsoft and the others to get access to your data, from their point of view it makes sense.
I have nothing to hide but as a matter of principle I have allways tried my best to be in control, and I have to admit that it's fun and interesting too, one learns many things in the process.
I don't know everything (who does anyway?) and everyone is welcome to add some more infos on the subject, let's share our privacy settings!!!
Let's start, with a brand new phone...
I - THE BASICS
1 - Don't give your real name when you buy a new phone (it sounds obvious but many people don't even think about it), and pay in cash in order not to leave any traces.
2 - Second, don't give your real name when you buy a SIM.
3 - DO NOT put any SIM in the phone for now, DO NOT connect to the internet through WIFI, and put your phone in plane mode. You'll be able to connect after you're done and secure.
4 - Root and install Busybox, flash a custom recovery (I won't cover that part, search the forum and you'll find all what you need).
5 – Let the fun begin, uninstall as many stock apps as you can!
Don't think that installing a custom ROM like AOSP or CM would be any better than your stock ROM privacy wise, custom ROMs don't have OEM bloatware but when it comes to privacy, data mining and outrageous system apps' permissions they are exactly the same than stock ROMs.
Before you start your uninstalling job, download Aroma File manager from here:
http://xdaforums.com/showthread.php?t=1646108
Put it on your SD.
It will enable you, in case you get a bootloop, to push back from recovery the file (s) you removed that caused the bootloop, instead of restoring your backup and loosing all the work you did.
TWRP has a built in file manager that does the same, just make sure you have /system and /data mounted in the settings.
Uninstall gradually.
Start with the google apps and the OEM bloatware, reboot and see how it goes. If everything is ok then uninstall more stuff, again reboot and see how it goes, and keep on doing it until you feel it's ok.
You'll be wise, everytime you uninstall a bunch of apps, to copy them first on your SD and label it something like apps1, apps2 etc.
Now read carefully the folowing about safe to remove apps, in order you to know more precisely what can be done, and you will see that my phone works with only 10 system apps left.
(Tested on Samsung Mega I9200 XXUAMEE running JB 4.2.2)
I removed more than 150 system apks, and my Mega works like a charm.
You will notice that the google apks are missing, and that the contacts, video player, music player, file manager etc. are missing as well, I removed them because I don't like the way they spy on us and suck our private data. No worries, just keep on reading for some alternative apks...
IMPORTANT
1 - Before deleting any app do a Nandroid back up, and do a back up of your system/app folder (where all the system apps are) in case you want to reinstall a specific app later.
2 - If you decide to uninstall the filemanager apk, install first an alternative file manager, like let's say Ghost Commander, because if you don't then you won't have any app anymore to navigate to your files after having uninstalled the file manager.
Same story with the launcher, or you will get a bootloop.
3 - After you uninstalled all the apps do a cache and a dalvik cache wipe.
4 - Reboot and enjoy full speed and no lags, and 1% battery decrease every 10-12 hours when in stand by!!!
5 - Go to the data/data folder and erase the folders from the removed apps, or use SD Maid or whatever similar app to do it for you (you don't need to do it if you are on JB 4.2 or later since the system will take care of it for you when you reboot)..
IMPORTANT 2
Do not mess with system apps if you don't know what you are doing and if you don't know how to get back to the beginning in case things go wrong.
I won't take any responsability for any damage caused to your phone. All what I mention below has worked for me but once more, do not play with your system unless you know how to recover if things get out of control.
SAFE TO REMOVE APPS
Rather than giving a list of removed apps I will list here the apps I didn't remove, so that you can assume that any app that is not on the list is safe to remove. I do so because it's faster to list the remaining apps than the removed ones...
So, here are the apps I kept (I have to admit that it's a bit extreme, and you are of course not obliged to keep so few apps, but at least you'll know which ones are safe to remove):
-Default Container Service
-Fused Location
-Hybrid Radio (removable if radio is not your thing)
-Job Manager (the task manager)
-Package Access Helper
-Sec Phone
-Sec Settings
-Sec Settings Provider
-Sec Telephony Provider
-System UI
- Note -
If you delete the Media Provider apk you won't be able to change your ringtone and your notification tone anymore (not a big deal for me but I don't know for you), and you will be stucked with the default tones. To change them manually you'll have to open the res/raw folder in framework-res.apk and replace the default tones with your own, not a big deal.If you delete the camera then some third part cameras won't work, but A Better Camera does.
If you delete the MTP apk your device won't be detected by your computer anymore, use SG USB Mass Storage Enabler or something similar (only works on the external SD).
You can delete VPN Dialogs but then you won't have VPN access anymore.
ALTERNATIVE APPS
- Play Store:
F-Droid offers open source apps and you'll find almost all what you need there. If you can't live without apps from the pay store download them on your computer using Racoon (found in XDA's games and apps section).
- Launcher:
Holo Launcher HD (very low RAM consumption and plenty of customisation), or ADW (open source up to v 1.3.6 standalone, found on F-Droid), but install it before you uninstall your stock launcher!
- Keyboard:
I use a modded Xperia keyboard but there are many others (install it as a /system app otherwise you may have problems if you encrypt your phone). Beware of Swift and Touch Pad, they have many outrageous permissions and are difficult to restrict.
- SMS:
Text Secure (open source), up to v 1.0.6.
- Bluetooth:
if you use it for speakers or headphones keep it, but if you use it only to transfer files then uninstall it and use Fast File Transfer (it works without WIFI connection and it's MUCH faster than the Bluethooth) and/or any open source FTP app (like Swiftp for example, but such apps require an active internet connection) instead.
- Contacts:
before to uninstall it back up your contacts, then install any third part contacts app. As for me, I made a file with all my contacts in alphabetical order and copied it as a note in Clipnote apk (a clipboard manager), and when I need to call someone I just have to click on the phone number within the file and it opens in the dialer.
- Dialer:
since Logs Provider has been uninstalled you probably don't have any more dialer, just install any third part dialer that you like.
- Video:
VLC. (open source)
- File manager:
Ghost Commander (open source, dual panel mode, root browser and more).
- Music player:
I like Gone Mad Music Player but VLC does the trick too.
- Browser:
Pale Moon for full desktop experience (it's open source and based on Firefox, but it has less permissions and no adds), Atlas or Lightning (open source) when I want to browse without leaving any cookies (I have changed its data/data/nextapp.atlas/databases' permissions to rx, rx, x (5, 5, 1) and I erased everything inside the folder, that way no cookies or history are recorded), Naked Browser to access my email.
Chrome? No thanks, the least google stuff I have in my phone the better I feel!!!
- Gallery:
Quick Pic.
- PDF reader:
Mantano or PDFReader (open source, found on F-Droid).
- Edit documents (doc., docx. etc.):
Office Suite or Kingsoft Office. Those apps need to be toroughly restricted, otherwise use a text editor like 920 Text Editor (open source, found on F-Droid).
- Gmail:
any email app will do, otherwise access gmail from Naked Browser or Atlas or Lightning, it's faster. Still, you'd better leave gmail and go for another email, just my two cents...
- Alarm:
Alarm Klock (open source, found on F-Droid).
- Google maps:
Rmaps (open source, found on F-Droid).
- Clipboard:
Clipnote.
- Calculator:
Arity (open source, found on F-Droid).
- Quick Notes:
Floating Stickies (open source, found on F-Droid).
- Html Viewer:
replacable by a third part html viewer or by most browsers as they can read html.
- Camera:
Open Cam (open source, found on F-Droid)
- Bonus:
Greenify (try it, it hybernates apps and saves juice, I'll explain about it later).
Done?
Cool, now go to post #3 and see what else can be erased...
- Note 2-
On KK there are more apps that can't be uninstalled, about 30 or something, pretty annoying and I guess that it doesn't get any better with Lollipop, thanks to google's efforts to strenghten its grip on Android and on us.As for me I came back to JB and you have to ask yourself whether you want to compromise your privacy to get the latest gimmick and the latest fancy color (that have anyway been made available on JB with Xposed modules) or whether you want to be safe.
There are small sacrifices to make and I think the game is worth the candle, but it's up to you...
You can read more on that topic in post #3
II – THE TOOLS
Now you need some tools, namely:- Xposed Installer:
http://repo.xposed.info/module/de.robv.android.xposed.installer
- Xprivacy:
http://repo.xposed.info/module/biz.bokhorst.xprivacy
- App Settings:
http://repo.xposed.info/module/de.robv.android.xposed.mods.appsettings
- AF+ Firewall:
https://f-droid.org/repository/browse/?fdfilter=af&fdid=dev.ukanth.ufirewall
- Network Log:
https://f-droid.org/repository/browse/?fdfilter=network+log&fdid=com.googlecode.networklog
- Greenify:
http://xdaforums.com/apps/greenify
- Blue Box Security Scanner (apps and vulnerabilities scanner)
- SQ Editor
- Rom Toolbox Lite (free) or Pro (paid)
- Privacy Blocker (paid)
- First
Open Privacy Blocker.
Scan all your third part apks one by one, and see their dirty little secrets. Then mod the ones you don't like, it's easy, just follow the onscreen instructions.
- Second
Open Rom Toolbox.
Block adds, prevent apps from auto starting and disable any receiver you don't like, and try some build.prop and kernel tweaks while you're at it (be careful).
- Third
Open Greenify.
Greenify everything, except the launcher, the System UI, the Package Access Helper (you could greenify it but it does nothing since that app is ungreenifiable) and the Keyboard. You can greenify Settings and Settings Storage too, but it will slow down Settings when you lauch it.
DO NOT greenify Xprivacy and AF+ Firewall since you need them to run in the background (don't worry, those apps have a very low RAM footprint).
Create a “hibernate now” shortcut on your home screen, and don't forget to use it regularly to hibernate your apps.
Note that you'll need the donate version to greenify system apps, but it doesn't cost much and it's a nice way to support the dev.
- Fourth
Install Xposed, Xprivacy and App Settings.
Enable Xprivacy and App Settings in Xposed's menu (under modules), reboot, and make a new backup cuz from now chances to get in a bootloop will increase and dependingwhat you've done it may not be Aroma File manager recoverable..
Open App Settings and disable the apps' perms you don't like (be careful with System UI as it may result in constant force close).
To give you an idea I have attached some examples of what can be restricted. You will notice that stock apps (like contacts, phone, CSC, settings etc.) are the most restricted, that's because they have the most outrageous perms. The apps in the list don't use the name they have in the play store but the packages' names (to find them go to data/app and check there).
Done? Now, open App Settings' menu and make a backup of your current settings.
Open Xprivacy and do the same, but first have a read at its documentation here:
https://github.com/M66B/XPrivacy#xprivacy
and at the following tutorial I wrote some months ago (it was for an old version of Xprivacy, but you'll get the idea) :
This page is about generic settings that work with more or less any app.
After a new app is installed restrict everything in Xprivacy. Open the app and check if it crashes or not.
If it doesn't it's fine, you're all set.
If it does, go back to Xprivacy and look for which data the app has tried to access by looking for categories that have a triangle next to them, and subcategories written in bold with numbers on the right (the first number is today's date, the four digits after the slash mean the last time the app tried to access that data). Unrestrict the data it has tried to access and see what happens, it should most likely bring your app back to life.
Some apps try to access data even if they don't really need it to work, which means that restricting it shouldn't be a problem (it's not because an app has tried to access this or that data that it needs it to function, and that's what Xprivacy is about).
Try selectively : restrict one subcategory, launch the app and see what happens. If it crashes or forces close it means that you shouldn't have restricted that subcategory, so just allow it again and go for the next one. If once opened the app doesn't crash and seems to have its basic functions working normally then you can go for more restrictions, but close the app first (not by hitting the back button, you need to really close/kill it, with a task killer or anything similar).
Back to Xprivacy, restrict one new subcategory's data access, launch the app again, see what happens and so on...
Usually, and as a rule of thumb, what causes apps to crash is restricting some subcategories in the Shell section (like "loadLibrary", "load", and sometimes "exec"), the Storage section (mainly "getExternalStorage", but it could be "sdcard" as well), and the System (installed apps) section. So look for the triangles and the subcategories in bold, because if it's ok to restrict a subcategory in let's say Accounts or Contacts even though you see it in bold, most of the time restricting such a subcategory in the Shell, Storage, and System sections will make the app force close, or at least prevent it from working normally.
Don't take my word for it though, in some cases it's possible to restrict even subcategories in bold in those three sections. But it's on a case by case basis, thus making it impossible to give a general rule. The only way to find out is to test by yourself...
Now let's see section by section.
The below settings are the ones I use for my phone and my tab, and you will probably notice that I'm a bit extreme and that I don't use some very popular apps. You are of course not obliged to be as restrictive as I am, but at least you will see what can be restricted and what can't be.
Accounts (Google, Facebook, etc) :
I don't want ANY app to know which accounts are registered on my phone so it's all restricted for all apps, even for the ones that try to access this data like Firefox (remember the triangle and the subcategories in bold?). Feel free to add whatever you think is relevant for people that use Facebook, Gmail, Google play, Yahoo or whatever similar app, as for me I can't since I don't use those apps.
Browser (bookmarks/history), Calendar, Calling (phone, SMS, MMS), Contacts, Dictionary (user), Email, Identification (device) :
those sections can be completely restricted (with all their subcategories), except for specific apps that need to access such data (but once more, always try to restrict first). Since I don't use such apps I can't tell anything about it, feel free to add some lines if you do.
Internet :
an app that needs internet shouldn't have it restricted, for obvious reasons. Most apps that need internet will work with only "inet" allowed, although some may need "isConnected" to be allowed as well.
Since version 1.7 more restrictions have been added, and I found out that besides "inet" some browsers may need "getAllByName", and/or “getbyName”, and/or “getActiveNetworkInfo” allowed.
Location (fine/coarse) :
I don't want ANY app to get my location so by me it's all restricted for all apps. Feel free to add whatever settings you have if you use apps that need to know one's location.
Media (audio, photo, video) :
the subcategories are pretty self explanatory, allow or restrict based on your apps. Restrict all for an app that doesn't need media access, allow "startRecording" and/or "setOutputFile" for a voice recorder, "takePicture" and/or "android.media.action.Image_Capture" for the camera etc., easy.
Messages (SMS, MMS) :
pretty self explanatory as well, all restricted for all apps, except SMS app.
On mine only "getAllMessagesFromIcc" and "VoiceMailContentProvider" have been restricted, I had to leave the three other ones allowed as my SMS app (Go SMS) crashes otherwise.
Network (addresses) :
all restricted, for all apps, except apps like FTP or Fast File Transfer (file transfer through WIFI). For those apps I left "getInetAddresses" and "getInterfaceAdresses" allowed. Some other similar apps may need "getScanResults" as well.
NFC :
all restricted, for all apps. If you use NFC you will have to find by yourself which one (s) can or can't be restricted but no biggie, there are only three subcategories.
Phone (ID, numbers, calls) :
all restricted, for all apps.
Shell (commands, superuser) :
root apps may or may not need "sh" and "su" allowed, look if they are in bold if an app crash. Same thing for "exec", "load", "loadLibrary" and "start" (root and non root apps alike), look if they are in bold but bear in mind that in some rare cases you still can restrict those subcategories even if you see them in bold (as said above).
Try selectively if like me you like to restrict just for the sake of it.
Storage (media, SD card) :
all restricted for all apps, except the ones that need to access data on the sdcard like media player, pdf reader etc.
Once more look for the subcategories in bold, and once more remember that this bold text doesn't necessarily mean that the app needs access to that data to be able to work. Generally apps that need sdcard access will need "getExternalStorageState", and/or "sdcard", and/or “media”, and/or “open” allowed, but surprinsigly sometimes they work even with some of those subcategories restricted. The "media" restriction is to prevent writing on the external sdcard, leaving it read only.
System (installed apps) :
all restricted, for all apps, except apps like Sidebar or Launcher that really need to know which apps are on the device. Those ones need some subcategories to be allowed and the bold text is sometimes your friend, but as usual, the fact that it's there doesn't mean that data access for this subcategory is really needed.
View (browser) :
restricted, for all apps. If you restrict it you have to know that it won't work anymore when you click on a link inside an app and want it to be opened in your favorite browser, and for this reason if you want to report an issue in Xprivacy you will need to have it unrestricted. You may have to enable “android.intent.action.View” to open files from your file manager
We are talking about user (installed) apps. For those apps, wrongly restricting something in Shell, Storage or System is not a big disaster, since at the most it will force close repetitively but still leave you enough time between two force closes to get back to Xprivacy.
When it comes to system (stock) apps it's another story, and restricting the wrong one (s) could result in a bootloop.
As said above, restricting those apps is potentially dangerous and you need some tools beforehand, in case something gets out of control. Most people do a Nandroid backup but hey, it takes forever to restore, and if your backup is a bit old the latest changes you made in your ROM will be lost.
Use Aroma File Manager instead (look for it in XDA, all credits to its developer amarullz), a very nice little zip that enables you to copy, paste, delete and change files' permissions from within CWMR.
TWRP can do the same, without Aroma FM.
If you get in a bootloop, all you have to do is to boot into recovery and install Aroma File Manager. Once done it will open by itself and then you can navigate to the folder where Xprivacy is installed (/data/app if it's installed as an user app, /system/app if it's installed as a system app) and delete it. Just to be on the safe side delete as well the Xprivacy .dex in /data/dalvik-cache. I'm not sure whether it's really needed or not, if you have a definitive answer about it you are welcome to edit this article.
Now you can reboot. Of course Xprivacy is gone, and so are its settings, but if you had backed it up (hopefully you had) using the pro key or Titanium Backup you are good.
I have tested the following settings on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus P6210 and Galaxy Mega I9200, but I don't see any reason why it shouldn't work on other Samsung ROMs.
My ROMs are skinned to the extreme and to the extent that I only have a few system apps left, which implies that I only can talk about those apps. My settings are a bit extreme as well, and you may want to allow more subcategories than I did depending on what you want to do with your device in terms of sharing, social networks, location access, contacts and the like, this article has only been meant as a guideline to show what can be restricted under extreme conditions.
Android System, Settings Storage, Settings, Wlan Test :
Particular care must be taken here, it's the most dangerous package and the most prone to cause bootloops.
Remember that the following settings work for sure on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus P6210 and galaxy Mega I9200, but on other devices no one knows before one tries. Have your Aroma File Manager ready, and go for it...
All categories and subcategories are restricted, except :
"getDetailedState", and "isConnected" in Internet (on my devices restricting "getDetailedState" ended up in a bootloop),
update as for Xprivacy version 3.5, allowed:
“Connectivity.getActiveNetworkInfo”, “Connectivity.getNetworkInfo”, “InetAddress.getByAddress”, “InetAddress.getByName”, “NetworkInfo.getDetailedState”, “NetworkInfo.getState”, “NetworkInfo.isConnected”, “NetworkInfo.isConnectedOrConnecting”, “Wifi.getConnectionInfo”,
"getScanResults" in Location (if I restrict it my devices can't see new WIFI networks anymore, but on other devices it can be restricted without that annoying side effect. In any case it won't cause a bootloop so just try),
"getConfiguredNetworks" in Network,
update as for Xprivacy version 3.5, allowed:
“NetworkInfo.getExtraInfo”, “Wifi.get.ConfiguredNetworks”, “Wifi.get.ConfiguredInfo”, "Wifi.getScanResults",
all the Shell subcategories. It worked with "sh" and "su" restricted but I decided to allow them again by fear that it could lead to instability. Android System is one of the core app in your device and AFAIK it can bypass such restrictions, so there's no point restricting them, plus that doing so could cause instabilities (but I may be wrong, if anyone knows better please correct me). Regarding "exec", "load", "loadLibrary" and "start", I didn't even try to restrict them, for the same reasons as above,
all the Storage subcategories. I used to have them restricted and everything was still working, except that it erased most of my /data/data folders' contents,
"getInstalledApplications", "getInstalledPackages", "getRunningAppProcesses", "queryIntentActivities", "queryIntentActivitiesOptions" and "queryIntentServices" in System.
You can restrict those subcategories though, but if you do so the Application Manager in your device's Settings won't show your apps, and your keyboard (s) may not pop up.
If you use a Lock Screen that requires Device Administrator to be enabled you may have to allow "queryBroadcastReceivers".
Update as for Xprivacy version 3.5:
Overlay and Sensors categories, I let them all alowed.
Camera :
All categories and subcategories restricted, except :
"loadLibrary" in Shell,
"getExternalStorageState" and "sdcard" in Storage.
Certificate Installer :
All categories and subcategories restricted.
*'''com.sec.android.FlashBarService (Multi Windows Bar) :'''
All categories and subcategories restricted, except :
"queryIntentActivities" in System.
Contacts, Contacts Storage, Logs Provider :
All categories and subcategories restricted, except :
the whole Contacts section,
"loadLibrary" in Shell.
If you want to import/export your contacts list you will have to allow "sdcard" in Storage, but once it's done you can restrict it again.
Package Access Helper :
All categories and subcategories restricted, except :
"sdcard" in Storage.
Package Installer :
All categories and subcategories restricted, except :
"sdcard" in Storage.
Phone, Dialer Storage, Sim Toolkit, CSC :
All categories and subcategories restricted.
If the Phone app crashes the first time you run it after you restricted everything, just allow the bold subcategories in the Phone (ID, Numbers, Calls) section. In my case it was "getSubscriberID" and "TelephonyProvider", and the app actually crashed when I disabled plane mode for the first time (I had installed Xprivacy while in plane mode). Once everything was back to normal I restricted again the two above mentioned subcategories and everything has been fine ever since.
System UI :
All categories and subcategories restricted, except :
"isConnected" in Internet (this one is actually restrictable, but if you do so the WIFI icon won't show up anymore when you are connected), Inet.Address.getByAddress,
"getExternalStorageState" in Storage,
"getRecentTasks", "getRunningTasks" and "queryIntentActivities" in System.
Task Manager :
All categories and subcategories restricted, except :
"getRunningAppProcesses" and "getRunningTasks" in System.
USER APPS
After a new app is installed restrict everything in Xprivacy. Open the app and check if it crashes or not.
If it doesn't it's fine, you're all set.
If it does, go back to Xprivacy and look for which data the app has tried to access by looking for categories that have a triangle next to them, and subcategories written in bold with numbers on the right (the first number is today's date, the four digits after the slash mean the last time the app tried to access that data). Unrestrict the data it has tried to access and see what happens, it should most likely bring your app back to life.
BUT!
Some apps try to access data even if they don't really need it to work, which means that restricting it shouldn't be a problem (it's not because an app has tried to access this or that data that it needs it to function, and that's what Xprivacy is about).
Try selectively : restrict one subcategory, launch the app and see what happens. If it crashes or forces close it means that you shouldn't have restricted that subcategory, so just allow it again and go for the next one. If once opened the app doesn't crash and seems to have its basic functions working normally then you can go for more restrictions, but close the app first (not by hitting the back button, you need to really close/kill it, with a task killer or anything similar).
Back to Xprivacy, restrict one new subcategory's data access, launch the app again, see what happens and so on...
Usually, and as a rule of thumb, what causes apps to crash is restricting some subcategories in the Shell section (like "loadLibrary", "load", and sometimes "exec"), the Storage section (mainly "getExternalStorage", but it could be "sdcard" as well), and the System (installed apps) section. So look for the triangles and the subcategories in bold, because if it's ok to restrict a subcategory in let's say Accounts or Contacts even though you see it in bold, most of the time restricting such a subcategory in the Shell, Storage, and System sections will make the app force close, or at least prevent it from working normally.
Don't take my word for it though, in some cases it's possible to restrict even subcategories in bold in those three sections. But it's on a case by case basis, thus making it impossible to give a general rule. The only way to find out is to test by yourself...
Now let's see section by section.
The below settings are the ones I use for my phone and my tab, and you will probably notice that I'm a bit extreme and that I don't use some very popular apps. You are of course not obliged to be as restrictive as I am, but at least you will see what can be restricted and what can't be.
Accounts (Google, Facebook, etc) :
I don't want ANY app to know which accounts are registered on my phone so it's all restricted for all apps, even for the ones that try to access this data like Firefox (remember the triangle and the subcategories in bold?). Feel free to add whatever you think is relevant for people that use Facebook, Gmail, Google play, Yahoo or whatever similar app, as for me I can't since I don't use those apps.
Browser (bookmarks/history), Calendar, Calling (phone, SMS, MMS), Contacts, Dictionary (user), Email, Identification (device) :
those sections can be completely restricted (with all their subcategories), except for specific apps that need to access such data (but once more, always try to restrict first). Since I don't use such apps I can't tell anything about it, feel free to add some lines if you do.
Internet :
an app that needs internet shouldn't have it restricted, for obvious reasons. Most apps that need internet will work with only "inet" allowed, although some may need "isConnected" to be allowed as well.
Since version 1.7 more restrictions have been added, and I found out that besides "inet" some browsers may need "getAllByName", and/or “getbyName”, and/or “getActiveNetworkInfo” allowed.
Location (fine/coarse) :
I don't want ANY app to get my location so by me it's all restricted for all apps. Feel free to add whatever settings you have if you use apps that need to know one's location.
Media (audio, photo, video) :
the subcategories are pretty self explanatory, allow or restrict based on your apps. Restrict all for an app that doesn't need media access, allow "startRecording" and/or "setOutputFile" for a voice recorder, "takePicture" and/or "android.media.action.Image_Capture" for the camera etc., easy.
Messages (SMS, MMS) :
pretty self explanatory as well, all restricted for all apps, except SMS app.
On mine only "getAllMessagesFromIcc" and "VoiceMailContentProvider" have been restricted, I had to leave the three other ones allowed as my SMS app (Go SMS) crashes otherwise.
Network (addresses) :
all restricted, for all apps, except apps like FTP or Fast File Transfer (file transfer through WIFI). For those apps I left "getInetAddresses" and "getInterfaceAdresses" allowed. Some other similar apps may need "getScanResults" as well.
NFC :
all restricted, for all apps. If you use NFC you will have to find by yourself which one (s) can or can't be restricted but no biggie, there are only three subcategories.
Phone (ID, numbers, calls) :
all restricted, for all apps.
Shell (commands, superuser) :
root apps may or may not need "sh" and "su" allowed, look if they are in bold if an app crash. Same thing for "exec", "load", "loadLibrary" and "start" (root and non root apps alike), look if they are in bold but bear in mind that in some rare cases you still can restrict those subcategories even if you see them in bold (as said above).
Try selectively if like me you like to restrict just for the sake of it.
Storage (media, SD card) :
all restricted for all apps, except the ones that need to access data on the sdcard like media player, pdf reader etc.
Once more look for the subcategories in bold, and once more remember that this bold text doesn't necessarily mean that the app needs access to that data to be able to work. Generally apps that need sdcard access will need "getExternalStorageState", and/or "sdcard", and/or “media”, and/or “open” allowed, but surprinsigly sometimes they work even with some of those subcategories restricted. The "media" restriction is to prevent writing on the external sdcard, leaving it read only.
System (installed apps) :
all restricted, for all apps, except apps like Sidebar or Launcher that really need to know which apps are on the device. Those ones need some subcategories to be allowed and the bold text is sometimes your friend, but as usual, the fact that it's there doesn't mean that data access for this subcategory is really needed.
View (browser) :
restricted, for all apps. If you restrict it you have to know that it won't work anymore when you click on a link inside an app and want it to be opened in your favorite browser, and for this reason if you want to report an issue in Xprivacy you will need to have it unrestricted. You may have to enable “android.intent.action.View” to open files from your file manager
CAUTION!
We are talking about user (installed) apps. For those apps, wrongly restricting something in Shell, Storage or System is not a big disaster, since at the most it will force close repetitively but still leave you enough time between two force closes to get back to Xprivacy.
When it comes to system (stock) apps it's another story, and restricting the wrong one (s) could result in a bootloop.
SYSTEM APPS
As said above, restricting those apps is potentially dangerous and you need some tools beforehand, in case something gets out of control. Most people do a Nandroid backup but hey, it takes forever to restore, and if your backup is a bit old the latest changes you made in your ROM will be lost.
Use Aroma File Manager instead (look for it in XDA, all credits to its developer amarullz), a very nice little zip that enables you to copy, paste, delete and change files' permissions from within CWMR.
TWRP can do the same, without Aroma FM.
If you get in a bootloop, all you have to do is to boot into recovery and install Aroma File Manager. Once done it will open by itself and then you can navigate to the folder where Xprivacy is installed (/data/app if it's installed as an user app, /system/app if it's installed as a system app) and delete it. Just to be on the safe side delete as well the Xprivacy .dex in /data/dalvik-cache. I'm not sure whether it's really needed or not, if you have a definitive answer about it you are welcome to edit this article.
Now you can reboot. Of course Xprivacy is gone, and so are its settings, but if you had backed it up (hopefully you had) using the pro key or Titanium Backup you are good.
I have tested the following settings on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus P6210 and Galaxy Mega I9200, but I don't see any reason why it shouldn't work on other Samsung ROMs.
My ROMs are skinned to the extreme and to the extent that I only have a few system apps left, which implies that I only can talk about those apps. My settings are a bit extreme as well, and you may want to allow more subcategories than I did depending on what you want to do with your device in terms of sharing, social networks, location access, contacts and the like, this article has only been meant as a guideline to show what can be restricted under extreme conditions.
Android System, Settings Storage, Settings, Wlan Test :
Particular care must be taken here, it's the most dangerous package and the most prone to cause bootloops.
Remember that the following settings work for sure on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus P6210 and galaxy Mega I9200, but on other devices no one knows before one tries. Have your Aroma File Manager ready, and go for it...
All categories and subcategories are restricted, except :
"getDetailedState", and "isConnected" in Internet (on my devices restricting "getDetailedState" ended up in a bootloop),
update as for Xprivacy version 3.5, allowed:
“Connectivity.getActiveNetworkInfo”, “Connectivity.getNetworkInfo”, “InetAddress.getByAddress”, “InetAddress.getByName”, “NetworkInfo.getDetailedState”, “NetworkInfo.getState”, “NetworkInfo.isConnected”, “NetworkInfo.isConnectedOrConnecting”, “Wifi.getConnectionInfo”,
"getScanResults" in Location (if I restrict it my devices can't see new WIFI networks anymore, but on other devices it can be restricted without that annoying side effect. In any case it won't cause a bootloop so just try),
"getConfiguredNetworks" in Network,
update as for Xprivacy version 3.5, allowed:
“NetworkInfo.getExtraInfo”, “Wifi.get.ConfiguredNetworks”, “Wifi.get.ConfiguredInfo”, "Wifi.getScanResults",
all the Shell subcategories. It worked with "sh" and "su" restricted but I decided to allow them again by fear that it could lead to instability. Android System is one of the core app in your device and AFAIK it can bypass such restrictions, so there's no point restricting them, plus that doing so could cause instabilities (but I may be wrong, if anyone knows better please correct me). Regarding "exec", "load", "loadLibrary" and "start", I didn't even try to restrict them, for the same reasons as above,
all the Storage subcategories. I used to have them restricted and everything was still working, except that it erased most of my /data/data folders' contents,
"getInstalledApplications", "getInstalledPackages", "getRunningAppProcesses", "queryIntentActivities", "queryIntentActivitiesOptions" and "queryIntentServices" in System.
You can restrict those subcategories though, but if you do so the Application Manager in your device's Settings won't show your apps, and your keyboard (s) may not pop up.
If you use a Lock Screen that requires Device Administrator to be enabled you may have to allow "queryBroadcastReceivers".
Update as for Xprivacy version 3.5:
Overlay and Sensors categories, I let them all alowed.
Camera :
All categories and subcategories restricted, except :
"loadLibrary" in Shell,
"getExternalStorageState" and "sdcard" in Storage.
Certificate Installer :
All categories and subcategories restricted.
*'''com.sec.android.FlashBarService (Multi Windows Bar) :'''
All categories and subcategories restricted, except :
"queryIntentActivities" in System.
Contacts, Contacts Storage, Logs Provider :
All categories and subcategories restricted, except :
the whole Contacts section,
"loadLibrary" in Shell.
If you want to import/export your contacts list you will have to allow "sdcard" in Storage, but once it's done you can restrict it again.
Package Access Helper :
All categories and subcategories restricted, except :
"sdcard" in Storage.
Package Installer :
All categories and subcategories restricted, except :
"sdcard" in Storage.
Phone, Dialer Storage, Sim Toolkit, CSC :
All categories and subcategories restricted.
If the Phone app crashes the first time you run it after you restricted everything, just allow the bold subcategories in the Phone (ID, Numbers, Calls) section. In my case it was "getSubscriberID" and "TelephonyProvider", and the app actually crashed when I disabled plane mode for the first time (I had installed Xprivacy while in plane mode). Once everything was back to normal I restricted again the two above mentioned subcategories and everything has been fine ever since.
System UI :
All categories and subcategories restricted, except :
"isConnected" in Internet (this one is actually restrictable, but if you do so the WIFI icon won't show up anymore when you are connected), Inet.Address.getByAddress,
"getExternalStorageState" in Storage,
"getRecentTasks", "getRunningTasks" and "queryIntentActivities" in System.
Task Manager :
All categories and subcategories restricted, except :
"getRunningAppProcesses" and "getRunningTasks" in System.
Done with Xprivacy? Now, open its menu and backup its settings.
(To Be Continued)
Last edited: