[CLOSED][APP][XPOSED][6.0+] XPrivacyLua - Android privacy manager [UNSUPPORTED]

Status
Not open for further replies.
Search This thread

CHEF-KOCH

Senior Member
Jan 2, 2012
451
237
Sure, but you were talking about merging, even later on. Which, as I said would be a huge technical hassle to do and later maintain.

With 'merging' I meant to use the existent product and integrate it into the 'new idea' sorry but there is or was a misunderstanding I guess. Tbh, it doesn't change the point it's possible, no matter if you want or dislike it. The point was, as said another one. I guess Marcel got this and it's not to criticize that there is a new module it's related to the 'give up thing'.



No, not if you don't just let any app do it. I covered this over on GitHub already.
That's not possible since we're on a rooted device, this can't be blocked. A real-world scenario is that you allowed a root app which abuses another injection or hooking methods in order to block Xposed itself or an explicit module.This can happen if a user allows a legimitate app which is maybe compromised, which is possible. I'm aware of the fact that you can restrict root apps with other root apps but for a normal user this seems unrealistic according to my research because malicious, manipulated packages, apps etc is still difficult to identify.




Yes and they try to, and then get circumvented again. It's the SafetyNet cat-and-mouse-game.

The thing is that user need root (as mentioned) and another framework which is a security hole by itself. This is not or not clearily mentioned or explained (in my eyes). But I do admit that I did not made a pull request in order to cover this topic myself, however I'm not the developer.



It wasn't a change in Android that made XPrivacy unstable and hard to maintain, but the design of the app itself.

Depending on the implementation, as mentioned a workaround would be to integrate certain advance functinality with a warning, but okay it's another philosphical thing not related to what I said.


you wrote your blog without asking things first

Marcel is offering his help and clarifications on something because you posted a blog post obviously before you knew everything and studied the source code, and you call it an "incredibly stupid argument"? Huh.

That is your assumption I knew the module already before I was in fact first Blog which reported about the module in a short review (which is outdated since the module got updated). However, the point here is that nobody needs any permission to write something no matter if it's right or wrong.



Aw, come on... We talked about this here many times. There's no need to do so. If you really really want it, there's even a custom hook for it... So saying "you can't" is wrong. XPL just won't unless you specifically ask it to.

Sadly it's FUD.



WhatsApp has access to all my contacts vs. WhatsApp thinks it has access to all my contacts but in reality it has none/only a few. Now, which version is better for your privacy? What is so hard to understand about this? I think you're getting a little hung up about the whole tracking/fingerprinting thing. That is not everything XPL is for.

You're clearly not as involved as I'm in security topics. Once you logged in into no matter which website or app you can't fake it's data as mentioned there is additional tracking + methods to bypass this. A real-world example is using IPv6 which stores and transmits your MAC address.



I already adressed this on GitHub as well; sharing a unique ID with a small subset of users is superior to sharing it with nobody. When the attacker knows what I use, he can do a little about it, but that can easily be voided by more hooks/modules. Do note that XPrivacyLua is meant to protect Privacy, not Security (hence the name). So we're not talking about malware but companies trying to spy on you through hidden stuff in their apps.

Incorrect, an attacker can Geoblock yor IP, location etc. Which means you are unable to use it's website or page, Xprivacy Lua won't address this since you can't put in your own data (last time I checked). Netflix is best example, which flags it's user which are behind a VPN this is done by blacklisting certain IP ranges typically used by VPN's. Xprivacy LUA doesn't bypass this.


I get more and more the impression that you're coming from a strong background about web security/privacy. But this is Android. This is different. XPL doesn't aim to protect against each and every way to fingerprint your device. It helps against the most common fingerprinting and tracking techniques, which is enough to get rid of the majority of it because most companies don't bother to use more advanced stuff. And it is mainly meant to be able to use apps that require your personal data without either breaking the app or giving it your data.

Android is an OS same like every other OS which doesn't magically do things differently, HTTPS is as secure or insecure as on Windows or Linux, speaking about it's protocol weaknesses or leaks. Right XPL doesn't claim it protect you against everything but I never said it, I said that in terms of privacy it doesn't help at all or only to reduce certain things which is again not clearly mentioned on the internet, people installing it in the hope to get more privacy which is according to my research definitely not correct.

Yes my background is that I contribute to Chrome and Tor project so I have credibility and over 30 years of knowledge and the reason I not coded any application or module like this because I see it as too complicated in order to deliver a 'privacy' solution or it takes more manpower, money time etc. since Android already in fact improved it's own defining mechanism.


Okay, I'm done here, if you do not believe my words or not like my Blog it's your opinion but doesn't attack me or pretend you tried to contact me when I already debunked it. There is also no need to defend the module, it's not against Marcel's work it's against that the module simply doesn't deliver what (I think) deserves to get more attention, or not in his current state without to mention that there are some problems - and this is not incorrect.

Anyway, I wish you good luck with your program. I not waste my time with this anymore. If there are questions, please comment directly on my blog or if you think I do this because clickbait (which is not true) then use chats like Riot, GitHub etc. My statement that I pay everyone for research 1000$ dollars is still valid.
 

M66B

Recognized Developer
Aug 1, 2010
26,751
57,996
@CHEF-KOCH I don't need a research paper to know that when an app gets fake or no data it doesn't see the real data, which is what XPrivacyLua is all about.

You are also not consistent: root/Xposed is unsafe in your eyes and maybe that is even true to a certain extent, but where is the research to support that?

For me it all boils down to what I already said: assumptions and to add to that: misunderstanding (the need for a Bluetooth restriction and the XPrivacy/XPrivacyLua discussion for example).

In fact I did a lot of research to build XPrivacy and XPrivacyLua. I investigated big parts of the Android source code for this. So, I like to claim your $1000 reward as one of the few people who really did something to protect ones privacy on Android.
 
Last edited:

Namnodorel

Senior Member
Oct 26, 2015
379
287
That's not possible since we're on a rooted device, this can't be blocked. A real-world scenario is that you allowed a root app which abuses another injection or hooking methods in order to block Xposed itself or an explicit module.This can happen if a user allows a legimitate app which is maybe compromised, which is possible. I'm aware of the fact that you can restrict root apps with other root apps but for a normal user this seems unrealistic according to my research because malicious, manipulated packages, apps etc is still difficult to identify.
But then you have a completely different thread model. As I said, XPL is supposed to protect against normal apps spying on you through normal means, not malware that exploits root and/or Xposed functionalities. That is a security concern, not a privacy one.

Depending on the implementation, as mentioned a workaround would be to integrate certain advance functinality with a warning, but okay it's another philosphical thing not related to what I said.
The problem is that if it is a feature the app contains, then we (or rather, Marcel) also has to support it if it breaks anything, update it etc. which users will demand no matter if there is a warning or not.


You're clearly not as involved as I'm in security topics. Once you logged in into no matter which website or app you can't fake it's data as mentioned there is additional tracking + methods to bypass this. A real-world example is using IPv6 which stores and transmits your MAC address.
Yes, but that's a different concern. XPL isn't the holy grail to your privacy. It can't do magic. If you create an account on a website of some sort and log in, obviously the website will have the information you registered with. XPL can't change this and neither can any other existing tool.


Incorrect, an attacker can Geoblock yor IP, location etc. Which means you are unable to use it's website or page, Xprivacy Lua won't address this since you can't put in your own data (last time I checked). Netflix is best example, which flags it's user which are behind a VPN this is done by blacklisting certain IP ranges typically used by VPN's. Xprivacy LUA doesn't bypass this.
No, but why do you think it would? XPL also doesn't provide me with directions with how to get to my favourite restaurant, btu that's not a thing it ever claimed to do. It's designed to protect data that is on your device, and it's simply impossible for any app, Xposed or not, to hide the IP of your VPN to the websites you access. Again, you seem really into the idea of protecting against detection of IP address, protocol leaks etc. etc. but that is not what XPL is about.


Right XPL doesn't claim it protect you against everything but I never said it, I said that in terms of privacy it doesn't help at all or only to reduce certain things which is again not clearly mentioned on the internet, people installing it in the hope to get more privacy which is according to my research definitely not correct.
Saying that XPL "doesn't help at all" is wrong. It just doesn't help against the concerns _you_ are worried about right now. Because what you are worried about is mostly either out of scope, or straight out impossible for XPL to do. XPL does enhance your privacy by a lot, but it obviously doesn't cover anything or even attempts to do that, so don't judge it for not doing so. Maybe you don't agree on calling it a "Privacy Manager" because you say that privacy is much more than just what XPrivacyLua covers, but that doesn't make the app any less useful or good for privacy. It's simply a debate about wording.
 

M66B

Recognized Developer
Aug 1, 2010
26,751
57,996
... It's simply a debate about wording.
Exactly my thought, that is why I asked for constructive contributions. But he is "done here", so don't expect anything useful. I guess it is better to leave it like this.

I like to say that I am quite content about XPrivacyLua. It is well structured and organized and does exactly what it should do. Using Lua for hook definitions was not the simplest solution, but looking back it was a good choice. XPrivacyLua might very well be my best Android "app" so far.
 

iwanttoknow

Senior Member
Jun 21, 2016
523
105
I am not an expert but I can say what I want about privacy.

To mitigate security issues I use security solutions.

To protect my privacy when using Android applications I WANT that certain data don't go outside on servers without my consent, simply. It's just what I want. From my point of view it's not a security issue.

BTW I am surprised to see that it was not a debate until the creation of XPrivacyLua, and yet XPrivacy was already proposing the same thing. Why XPrivacyLua would be a problem and not XPrivacy ? I don't understand and IWANTTOKNOW why :)

I am neither for nor against anyone or anything in this debate. I am just trying to understand the points of view that are exchanged.
 

Namnodorel

Senior Member
Oct 26, 2015
379
287
I am neither for nor against anyone or anything in this debate. I am just trying to understand the points of view that are exchanged.
Mind you I was part of this argument, so take my response with a grain of salt ;) As far as I understood, CHEF-KOCH believes that XPL claims to be a solution that makes any Android device more secure and protects your privacy fully. Since this is obviously not true (XPL does not contain any fixes for eg. exloits in the system), he sees XPL as a "attack surface reducing" tool at best, but more as completely pointless. I have tried to explain that that is a wrong expectation, but either he has not understood what I wrote or I missed an important connection between what I and he said, which lead to essentially repeating the same arguments and responses over and over again. ¯\_(ツ)_/¯
 

landwinwand

Senior Member
Nov 27, 2011
199
13
Can lua chance useragent ?
I use xprivacy on lineage os 14 and works
Under compatible mode.
If lua can do same as xprivacy por more
I leave xprivacy for lua if i got same or more.
Thank for this privacy app
Bye
:)
 
  • Like
Reactions: ozzie5564

maybeme2

Senior Member
Aug 28, 2015
2,336
750
Google Pixel 5
Moto G 5G
I am running lineage 14.1 with microG on my nexus 5. In addition I also installed the patched version of the playstore, plus xposed, xprivacylua, and some other xposed modules.

When a lineageos update appears and I install that update, the playstore disappears after the update and xposed modules need to be reselected and the phone rebooted to activate them. This happens despite the existence of an apparently correct system/addon.d folder contaning several files which should in theory allow persistence of the installed playstore.

As I try to figure out why this is happening everytime I install a lineageos update I wonder if it might be something I restricted in xprivacylua that might be blocking the persistence of the patched playstore. Is there something I might have done with xprivacylua that could be the cause? I didn't use it on any system apps.

What should I look for in xprivacylua that 'might' be blocking the playstore persistence? Or would xposed or xprivacylua have nothing to do with this and I should look elsewhere for the cause.

Just trying to solve the mystery.

Thanks.
 

M66B

Recognized Developer
Aug 1, 2010
26,751
57,996
Can lua chance useragent ?
I use xprivacy on lineage os 14 and works
Under compatible mode.
If lua can do same as xprivacy por more
I leave xprivacy for lua if i got same or more.
Thank for this privacy app
Bye
:)
See here for a full comparison with XPrivacy:
https://github.com/M66B/XPrivacyLua/blob/master/XPRIVACY.md

If you are using Android 6 or later you can better switch anyway because XPrivacy was never updated for recent Android versions.
 

M66B

Recognized Developer
Aug 1, 2010
26,751
57,996
I am running lineage 14.1 with microG on my nexus 5. In addition I also installed the patched version of the playstore, plus xposed, xprivacylua, and some other xposed modules.

When a lineageos update appears and I install that update, the playstore disappears after the update and xposed modules need to be reselected and the phone rebooted to activate them. This happens despite the existence of an apparently correct system/addon.d folder contaning several files which should in theory allow persistence of the installed playstore.

As I try to figure out why this is happening everytime I install a lineageos update I wonder if it might be something I restricted in xprivacylua that might be blocking the persistence of the patched playstore. Is there something I might have done with xprivacylua that could be the cause? I didn't use it on any system apps.

What should I look for in xprivacylua that 'might' be blocking the playstore persistence? Or would xposed or xprivacylua have nothing to do with this and I should look elsewhere for the cause.

Just trying to solve the mystery.

Thanks.
I don't think this is being caused by XPrivacyLua.
 
  • Like
Reactions: maybeme2

Primokorn

Senior Member
Nov 17, 2012
11,554
7,749
OnePlus 8 Pro
For the records, XPrivacyLua has been submitted to privacytools.io but it's closed now.
https://github.com/privacytoolsIO/privacytools.io/issues/399#event-1562646535
@M66B I don't have time to read and argue about the pros and cons of your Android projects. What I see is that you are the most dedicated dev that I have ever seen and we should be grateful. Period.
If someone has something better to offer to the community then share and we will discuss. It's very easy to complain but it's very hard to create something useful.

Thank you.
 

M66B

Recognized Developer
Aug 1, 2010
26,751
57,996
For the records, XPrivacyLua has been submitted to privacytools.io but it's closed now.
https://github.com/privacytoolsIO/privacytools.io/issues/399#event-1562646535
@M66B I don't have time to read and argue about the pros and cons of your Android projects. What I see is that you are the most dedicated dev that I have ever seen and we should be grateful. Period.
If someone has something better to offer to the community then share and we will discuss. It's very easy to complain but it's very hard to create something useful.

Thank you.
Let them wait for a research paper or the perfect privacy solution, while we protect our privacy as good as we can.

Nobody ever picked XPrivacy up where I left it, so I don't think there will be anything better than XPrivacyLua anytime soon.

Some people only have ideas, but don't produce anything concrete in reality.
 

mark_at

Senior Member
Feb 25, 2018
311
98
Innsbruck
Let them wait for a research paper or the perfect privacy solution, while we protect our privacy as good as we can.

Nobody ever picked XPrivacy up where I left it, so I don't think there will be anything better than XPrivacyLua anytime soon.

Some people only have ideas, but don't produce anything concrete in reality.

That is why I told you to ignore that guy!

Nothing to offer, no solutions, no ideas ... just complaining and not even understanding what Xprivacy should be!

No proper research ... that is a complete waste of time!
 

jj_pietro

New member
Apr 9, 2018
1
1
For the records, XPrivacyLua has been submitted to privacytools.io but it's closed now.
github com/privacytoolsIO/privacytools.io/issues/399#event-1562646535
@M66B I don't have time to read and argue about the pros and cons of your Android projects. What I see is that you are the most dedicated dev that I have ever seen and we should be grateful. Period.
If someone has something better to offer to the community then share and we will discuss. It's very easy to complain but it's very hard to create something useful.

Thank you.
Hi, I closed the issue on privacytoolsIO github only because XPrivacyLua has already been added to the site. github com/privacytoolsIO/privacytools.io/pull/400
 
  • Like
Reactions: beeshyams

sinner822

Senior Member
Marcel. Just remember. Many of the crybabies are actually in the business of stealing info. Thus the reason for trying to discourage you. I guess you could take it as a badge of honor. Your work is effective. And it is showing. Don't fall for the tactics
 

bond32

Senior Member
Jun 26, 2010
1,173
245
Franklin
I just purchased the log feature. I haven't purchased an app in years... What a fantastic feature. I appreciate all the development and hope to see things continue or maintained.
 
  • Like
Reactions: OSheden
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 319
    XPrivacyLua

    banner_play_store.png


    Really simple to use privacy manager for Android 6.0 Marshmallow and later (successor of XPrivacy).

    Revoking Android permissions from apps often let apps crash or malfunction. XPrivacyLua solves this by feeding apps fake data instead of real data.

    Features:

    • Simple to use
    • Manage any user or system app
    • Extensible
    • Multi-user support
    • Free and open source

    See here for all details, including installation instructions and download link.

    Please read the frequently asked questions before asking a question.

    This XDA thread is about using the latest version of XPrivacyLua. Off topic comments are allowed as long they are related to XPrivacyLua and are in the general interest of the followers of this thread, but anything not related to privacy is not allowed.

    If XPrivacyLua doesn't work and/or when "module not running or updated" is shown, this is almost always caused by an Xposed problem.

    Discussions about purchases are not allowed here, please contact me via here instead.

    XPrivacyLua is being maintained and community supported, but new features won't be added anymore.

    Custom hook definitions will always be part of XPrivacyLua, but there will be community support only. This means that I won't respond to questions about defining custom hooks anymore. See this thread for the reasons.

    If you value your privacy, please consider to support this project with a donation or by purchasing pro features.


    XPrivacyLua is not a permission manager, but a privacy manager. XPrivacyLua doesn't block things and doesn't revoke permissions, but does replace real data by fake data. This means you can grant Android permissions to an app and still let XPrivacyLua prevent the app from seeing privacy sensitive data. Revoking permissions can result in an app refusing to work and/or to crash. However, replacing real by fake data generally doesn't let an app crash.

    Currently restrictions are quite crude because they mostly replace real data by no data. For example restricting the contacts app from getting contacts will result in an empty contact list. In the near future it might be made possible to select the data an app may see, for example just one group of contacts.

    About feature requests and bug reports:

    The goal is to have a tool that can properly protect the privacy of many in the near future. However, it isn't paid work, so I do whatever I like whenever I like it.

    You can request features in this XDA forum. I will read them, but I will not respond to them and they might or might not be implemented. If I know for sure something will not be implemented, I will let you know.

    You can report any problem you have here. There will be no issue tracker on GitHub.

    For now I have decided to not implement restrictions that are useful to prevent tracking only. There are simply too many data items that can be used for tracking and it would take too much time to develop restrictions for all these data items.

    The basic idea is to restrict only things that 'define' you, so which contacts you have, where you are, which apps you use, etc.

    Maybe we can widen the definition of things that the core of XPL covers to "What defines you, and what can be used to spie on you"? This would include camera/audio, but not tracking.

    XPrivacyLua is pretty feature complete and will be maintained and supported and when there is a need new hook definitions will be added to better protect your privacy. For the rest this FAQ applies:

    https://github.com/M66B/XPrivacyLua/blob/master/FAQ.md#FAQ4

    As said before, development will also depend on Xposed development, which is just minimal unfortunately.

    XDA thanks and donations are appreciated.

    XPrivacyLua is supported with Xposed only. There is no support for VirtualXposed and TaiChi.
    68
    I have just released beta version 0.5 in the Xposed repository.

    The XPrivacyLua framework and user interface seems to be stable enough to call this a beta release.

    Besides several bug fixes and improvements two new restrictions were added:
    • Read account name, which mostly holds your e-mail address and will be replace by 'privacy@private.com' when restricted
    • Read clipboard, which will be replaced by the text 'Private' when restricted

    Furthermore the ability to restrict Android system (be careful!) and to restrict system apps was added. It is possible to restrict all of these individually (XPrivacy could not do that).

    Be sure to take a look at the help page in the app again (use the ?-icon), since there were some useful hints added.

    If you appreciate what I am building here, please let me know by means of an XDA thanks and/or a donation, so that I don't get the feeling 'What am I doing this for?'.
    59
    I have just released alpha version 0.12 in the Xposed repository.

    This version has been redesigned for Android Oreo compatibility. The user interface and the restrictions work properly for me, but be aware that a lot has been changed on the inside ("it is bigger on the inside", lol), also for earlier Android versions. There is one thing I know of that needs improving and that is that the user interface might be updated too often with a lot of restrictions, which might cause delays and hangs. I will look into this tomorrow.

    This change was necessary, but it was a lot of work, so XDA thanks and donations are appreciated.
    56
    I have just released beta version 0.25 in the Xposed repository.

    Changelog:

    With this release XPrivacyLua restriction's can be compared with XPrivacy's. There are now over 100 restriction definitions!

    XDA thanks and donations are appreciated.
    53
    @CHEF-KOCH You have been given enough time to respond here. Now I just think it is pretty cowardly to write critical about XPrivacyLua, but not to tell what can actually be improved, especially because you were invited to do so.

    I still like to hear how XPrivacyLua can be improved, but I don't want to hear what is wrong with XPrivacyLua. You'll need to keep the scope of XPrivacyLua in mind (in short: privacy, not security), see the opening post and previous discussions about this for more information.

    Also, if you really know better, I like to see an original work from your hands to prove that. Actions speak louder than words.

    As it is now, you are discouraging one of the few people in the world who really did something substantial to improve privacy on Android. And don't go talking about VPNs, TOR, etc because your private information, like your contacts, will still leak.

    I also think you are pretty ungrateful for what I did so far.

    To others: if you see someone reference one of his blogs, please reference this comment in response.

    Edit: if you agree with this, please add an XDA thanks to this comment, so it will show up in the right column as a reference for others.