• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[APP][XPOSED][6.0+] XPrivacyLua - Android privacy manager

Search This thread

kalshyre

New member
Nov 25, 2021
1
2
Hello,
First, thanks to the devs for these great tools that make privacy possible to more people :)

I am using XPL with the pro companion app, on a Samsung s9+ with custom ROM (Pie). I'm trying to prevent a specific app known to collect too much data to obtain - among other things - the MAC address of my device. I've enabled and restricted NetworkInterface.getHardwareAddress as well as most restrictions in XPL for this app.

The code of the app in question is obfuscated, so according to the FAQ restricting tracking will not work. Does that include the MAC address ? (it seems that enabling the hook above caused the tracking restriction box to be checked).
If not, how can I check that it works or if I need to also enable the 2 other hooks ? As mentioned in XPL's FAQ : "On Android 8 and higher, you should only protect NetworkInterface.getHardwareAddress, since WifiInfo.getMacAddress and BluetoothAdapter.getAddress are disabled. However, some manufacturers may override this behavior.

Maybe a silly question, but apart from checking boxes to enable restrictions for some apps and downloading/enabling hooks definition, is there anything else that must be done ? I read the readme file and the FAQ on Github and searched the forums, but am still in the dark about many things (noob here about smartphone things). Like in the pro app, what does the Collection : Privacy checkbox actually do ?

Thanks!

PS: quite sad to read about the ungrateful reviews, complaints that not all features are free, and low number of people using (according to M66B). What this app does is such a must for smartphone. Congrats to the dev.
 
  • Like
Reactions: TiTiB and ROO3VER

heartready

Senior Member
Nov 18, 2008
74
12
Samsung Galaxy S20
I've downloaded below hook from cloud:
getSimCountryIso
getSimOperatorName
getCelllocation
getNetworkCountryIso
getNetworkOperatorName
And in custome values, I got below fields:
CountryIso,
ISP
LAC,CID
MCC,MNC
I've set values for CountryIso and MCC,MNC, but when I launch the app, check the log, I found that:
getSimOperation can't get the right value I set in MCC,MNC, which getNetworkOperator got that.
getSimCountryIso got the value I set in CountryIso, but getNetworkCountryIso didn't
So how should I do to change these 4 hook to the value I set?
thanks,
 

dtrail1

Senior Member
Oct 7, 2011
4,803
7,866
Frankfurt
Hi, I've tried to find a solution, but even after trying to search this thread I'm not any smarter.

I've set the public.storage (via hook definitions) accidently for a wrong app any my device is now boot looping. I disabled xprivacylua via recovery, rebooted, tried to delete its data and enabled it again. I tried other things, but no matter if I install the module from scratch or whatever - it always keeps its settings and I just cannot enable it because it causes boot loop. So I also cannot open the xprivlua app to configure it.
Is there any way to either remove hook definitions via adb, recovery or reset xprivacylua settings outside of the app?

I suspect that it stores its configs in /data/system/xlua/xlua.db ? If I delete that file, will it reset everything? And is that the only way to resolve the issue or is there a way to delete a downloaded hook definition?

EDIT: Solved! I've backed up xlua.db, deleted it, rebooted and finally I was able to use my device again. Then I restored the xlua.db, stopped xlua apps, started them again, and all my work was back and I was able to properly config everything.

If someone else with a similar problems comes here, I hope it helps.
 
Last edited:

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
@Fif_ , can I ask you to take screenshots in Device Info HW? I'm very curious about your XPL setup. If there is any identifying data there, just sketch it.

Here they are:
Screenshot_20211128-153736.pngScreenshot_20211128-153741.pngScreenshot_20211128-153746.pngScreenshot_20211128-153753.pngScreenshot_20211128-153758.pngScreenshot_20211128-153809.pngScreenshot_20211128-153820.pngScreenshot_20211128-153825.pngScreenshot_20211128-153835.pngScreenshot_20211128-153839.pngScreenshot_20211128-153845.pngScreenshot_20211128-153916.pngScreenshot_20211128-154053.pngScreenshot_20211128-154059.png
 
Last edited:

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
Thank you so much! I have very similar indicators, but a few points are still more "private" than mine, for example the most significant is the model of GPS-module. Anyway... Thanks again for the prompt reply.
This is probably a system property leaking.
Make sure you have shell restrictions enabled (ProcessBuilder* and Runtime.*, both Fif versions) as well as the two SystemProperties.get*/custom enabled and configured.
The shell restrictions won't let any commands through, it's a whitelist that's empty by default. Applications may require tweaking the whitelist regexp if they crash.
But the properties are a blacklist that needs to be configured, or the hooks won't block anything. Search this thread for sample configurations that I've posted. You may have to configure the properties blacklist for your device as well as the list of properties varies from model to model, android versions, etc.
 
  • Like
Reactions: ROO3VER
Aug 26, 2021
20
3
This is probably a system property leaking.
Make sure you have shell restrictions enabled (ProcessBuilder* and Runtime.*, both Fif versions) as well as the two SystemProperties.get*/custom enabled and configured.
The shell restrictions won't let any commands through, it's a whitelist that's empty by default. Applications may require tweaking the whitelist regexp if they crash.
But the properties are a blacklist that needs to be configured, or the hooks won't block anything. Search this thread for sample configurations that I've posted. You may have to configure the properties blacklist for your device as well as the list of properties varies from model to model, android versions, etc.
Yes, I have ProcessBuilder* and Runtime.* installed, both Fif versions, but SystemProperties.get*/custom was not installed and configured. Now I've done that by putting in the hooks from your last post:
bluetooth.fwversion gsm.operator.alpha gsm.operator.iso-country gsm.operator.numeric gsm.serial gsm.sim. gsm.version. net.bt.name net.dns net.hostname net.r_rmnet net.rmnet oem.device.imeicache oplib. persist.radio.bksim. persist.radio.ddssim. persist.service.bdroid.bdaddr persist.sys.version ro.board.platform ro.boot.bootloader ro.boot.pcba_number ro.boot.serialno ro.boot.veri ro.bootimage. ro.bootloader ro.build. ro.carrier ro.cm. ro.cmlegal ro.expect.recovery_id ro.modversion ro.recovery_id ro.expect_recovery_id ro.product.b ro.product.d ro.product.f ro.product.m ro.product.n ro.runtime.firstboot selinux.restorecon ro.vendor. ro.serialno wc_transport.stack_bdaddr

However, some parameters were indeed hidden, such as the platform, but the GPS still identifies. Thanks for the reply. I guess chasing privacy can be endless. I've learned that if an app really wants to identify me, it will do it no matter how hard I try. This app and hooks are the only solution to this kind of thing anyway
 

jason382

Member
Dec 4, 2021
7
0
Anybody knows how to implement this feature?

- whitelist specific domains/ips for an app. Log all internet or domain requests the app does.
(The old Xprivacy had this feature, but XprivacyLUA doesn't have it.)


I know the firewall NetGuard has exactly this feature, but I can't use it because it utilizes the android VPN connection. I would like it to have those features without using the android as local vpn, and instead use root as method (like in the old Xprivacy).

Anybody knows if this is possible (in any way), or if such a feature may be in the works again?


Sadly my Android 8 Oreo device does not correctly work with the old Xprivacy (else I would have just used the old Xprivacy instead of XprivacyLua).
With hopes to get the described feature work again, I also bought the XprivacyLua pro package and then added Hook definitions like InetAddress.getByName and similar (with the firewall examples from https://lua.xprivacy.eu/repo/). But those scripts don't really log anything like it used to (like with old Xprivacy you get to see a popup with every ip: port and/or domainname the app tries to connect to, and you can whitelist it and it dismisses all other connection attempts).
Tried so much but was not successful.

I really really hope that the developer adds such a feature again.
Or alternatively make the Netguard app utilize, instead of the local android vpn connection, root or similar (so the vpn connection spot is not blocked by the Netguard app).


Thank you
(I am happy to hear any solution, even a way to get the old Xprivacy working again on Android 8.1 Oreo)
 

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
Anybody knows how to implement this feature?

- whitelist specific domains/ips for an app. Log all internet or domain requests the app does.
The InetAddress.get*ByName (Fif version) hooks from the XPL hook repository implement a blacklist for domain lookups, as well as logging of DNS queries.
You could easily turn it into a whitelist.
But you'll need to maintain that list manually by examining log files.
 
  • Like
Reactions: TiTiB

Chiranz

Member
Sep 22, 2018
12
0
Xiaomi Mi A3
I'm using this for the first time and I have a query.
I restricted get location for Google maps in xprivacylua.
But when I open maps it's able to use location.
So does it mean the restrictions are not working?
 

nIMa_aZx

Member
Dec 15, 2012
39
6
Tehran
Hey, Does anybody know how to write a hook or use existing hooks in cloud to hook and limit getInstalledPackages names ? or at least give me a hint.
I mean I want to hook some packages names (except some packages) .
default behavior in XprivacyLua filter all packages names and returns nothing. I want to show some packages at least.
Thanks a lot.
 

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
Hey, Does anybody know how to write a hook or use existing hooks in cloud to hook and limit getInstalledPackages names ? or at least give me a hint.
I mean I want to hook some packages names (except some packages) .
default behavior in XprivacyLua filter all packages names and returns nothing. I want to show some packages at least.
Thanks a lot.
You'd need to modify the stock getInstalledPackages and getInstalledApplications hooks and filter the list returned.

I have a version of these hooks that optionally remove Chrome from the returned list (because some apps will always open chrome instead of giving the user a choice of browsers), but I didn't publish it to the repo.
I'd be willing to share them as a starting point, but you'll need to add in a bit of work to make them do what you want.
 

nIMa_aZx

Member
Dec 15, 2012
39
6
Tehran
You'd need to modify the stock getInstalledPackages and getInstalledApplications hooks and filter the list returned.

I have a version of these hooks that optionally remove Chrome from the returned list (because some apps will always open chrome instead of giving the user a choice of browsers), but I didn't publish it to the repo.
I'd be willing to share them as a starting point, but you'll need to add in a bit of work to make them do what you want.
Thank you for your attention. Share it if possible. I do Android programming. I'm familiar with Java and Kotlin and Smali codes. But I do not have the ability to code in LUA language yet.
This language is kind of high level for me.:D
I read document of it yesterday (https://www.lua.org/pil/contents.html) .
I have some ability to understand and make code changes. finally after modifying your code , if there is problem and possible for you, I will ask you for help in some cases and concepts.(y)
 

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
Thank you for your attention. Share it if possible. I do Android programming. I'm familiar with Java and Kotlin and Smali codes. But I do not have the ability to code in LUA language yet.
This language is kind of high level for me.:D
I read document of it yesterday (https://www.lua.org/pil/contents.html) .
I have some ability to understand and make code changes. finally after modifying your code , if there is problem and possible for you, I will ask you for help in some cases and concepts.(y)
OK then, its attached.
You'll need to import the hook definition json file. This will supersede all the app list related hooks:
  • ActivityManager.getRunningAppProcesses
  • ActivityManager.getRunningServices
  • PackageManager.getInstalledApplications
  • PackageManager.getInstalledPackages
  • PackageManager.getPackagesHoldingPermissions
  • PackageManager.getPreferredPackages
  • PackageManager.queryIntentActivities
  • PackageManager.queryIntentActivityOptions
  • PackageManager.queryIntentContentProviders
  • PackageManager.queryIntentServices
After importing the hooks, nothing will change by default: all returned lists of apps will be empty.
But the new hooks introduce a new "Custom value" in XPl Pro: "Only remove Chrome from package lists". If you set this value to yes, true or 1, then the hook behavior changes to filtering out chrome from the returned list.

I've never published this set of hooks because they're not privacy oriented and I'm likely to be the only person annoyed enough by apps that open chrome directly without offering the user to choose from the list of installed browsers.
Also note that contrarily to all my other hooks which are part of the Fif collection, these are in the default Privacy collection because I intend them to override the stock ones.
To restore XPL to it's default state, delete all the hooks listed above, that will revert them to the stock versions.
 

Attachments

  • XManager_package_filter.json.zip
    1.9 KB · Views: 8

nIMa_aZx

Member
Dec 15, 2012
39
6
Tehran
OK then, its attached.
You'll need to import the hook definition json file. This will supersede all the app list related hooks:
  • ActivityManager.getRunningAppProcesses
  • ActivityManager.getRunningServices
  • PackageManager.getInstalledApplications
  • PackageManager.getInstalledPackages
  • PackageManager.getPackagesHoldingPermissions
  • PackageManager.getPreferredPackages
  • PackageManager.queryIntentActivities
  • PackageManager.queryIntentActivityOptions
  • PackageManager.queryIntentContentProviders
  • PackageManager.queryIntentServices
After importing the hooks, nothing will change by default: all returned lists of apps will be empty.
But the new hooks introduce a new "Custom value" in XPl Pro: "Only remove Chrome from package lists". If you set this value to yes, true or 1, then the hook behavior changes to filtering out chrome from the returned list.

I've never published this set of hooks because they're not privacy oriented and I'm likely to be the only person annoyed enough by apps that open chrome directly without offering the user to choose from the list of installed browsers.
Also note that contrarily to all my other hooks which are part of the Fif collection, these are in the default Privacy collection because I intend them to override the stock ones.
To restore XPL to it's default state, delete all the hooks listed above, that will revert them to the stock versions.

thank you very much. I enjoyed your knowledge and writings. I do not know much about this application (xprivacy) yet and I do not know some concepts like difference between fif and privacy.
But I was able to run your script correctly. First I try to study all the basic concepts of the LUA programming language. Then I try to change your code so that several programs are removed from the list instead of one Chrome program.

As I understand it, X-Privacy hooks up all system functions at the operating system level. Am I wrong ?
I researched about mocking GPS location before. In Android programming, I know there are 2 methods.
Method 1- we use two functions, isMock() or isFromMockProvider,() to check the position of the phone. both return true if location is mocked. they are called from "android.location.Location"
is it possible to hook the results of these two functions in XPrivacy?
or hooking "checking developer options" status to off ?

I guess Some xposed modules do this.

method 2 , we can check if there are other apps in the device, which are using android.permission.ACCESS_MOCK_LOCATION (Location Spoofing Apps)

Java:
public static boolean areThereMockPermissionApps(Context context) {
    int count = 0;

    PackageManager pm = context.getPackageManager();
    List<ApplicationInfo> packages =
        pm.getInstalledApplications(PackageManager.GET_META_DATA);

    for (ApplicationInfo applicationInfo : packages) {
        try {
            PackageInfo packageInfo = pm.getPackageInfo(applicationInfo.packageName,
                                                        PackageManager.GET_PERMISSIONS);

            // Get Permissions
            String[] requestedPermissions = packageInfo.requestedPermissions;

            if (requestedPermissions != null) {
                for (int i = 0; i < requestedPermissions.length; i++) {
                    if (requestedPermissions[i]
                        .equals("android.permission.ACCESS_MOCK_LOCATION")
                        && !applicationInfo.packageName.equals(context.getPackageName())) {
                        count++;
                    }
                }
            }
        } catch (NameNotFoundException e) {
            Log.e("Got exception " , e.getMessage());
        }
    }

    if (count > 0)
        return true;
    return false;
}

As you may have noticed before, Method 2 can be easily bypassed with a few changes, such as the script you programmed. I'm right?

there might be other ways like IP, trilateration bts (don't know it is allowed or not without permission) or something else. But these 2 methods are most straightforward.

Thanks for your time
 

Fif_

Senior Member
Jun 5, 2013
1,164
1,248
Google Nexus 10
Google Nexus 4
As I understand it, X-Privacy hooks up all system functions at the operating system level. Am I wrong ?
XPL hooks up functions at the JVM level, not at the OS level.
I researched about mocking GPS location before. In Android programming, I know there are 2 methods.
Method 1- we use two functions, isMock() or isFromMockProvider,() to check the position of the phone. both return true if location is mocked. they are called from "android.location.Location"
is it possible to hook the results of these two functions in XPrivacy?
or hooking "checking developer options" status to off ?
You should be able to hook either.
I do not understand how location mocking is related to your initial problem (filtering lists of apps returned by PackageManager).
Please stay on-topic, this is not a forum for general Xposed discussion.
 

nIMa_aZx

Member
Dec 15, 2012
39
6
Tehran
XPL hooks up functions at the JVM level, not at the OS level.

You should be able to hook either.
I do not understand how location mocking is related to your initial problem (filtering lists of apps returned by PackageManager).
Please stay on-topic, this is not a forum for general Xposed discussion.

thanks. You are right. I just wanted to make sure how powerful Xprivacy could be.
 

Top Liked Posts

  • There are no posts matching your filters.
  • 13
    Marcel, we certainly look into each report - and if required we do the necessary. And it's not only me but many others like @andybones @Logix @Macusercom @mrjuniork @TNSMANI; I just can't name them all.

    Very personal remark: As a long time user of your fantastic applications I'd be extremely sorry to see if this projects ends. But it's certainly your and ony your call.
    I know there are many moderators, but it is mostly you moderating this thread, at least it seems like that.

    I have no plans to end the project at this moment. Although there are not many people using XPrivacyLua, it is still useful for the ones using it.
    10
    Please don't close this thread because the majority of post are privacy related, and if it is closed it would make it much, much more difficult to discuss appropriate matters of this very helpful app.
    You are right of course, and the thread won't be closed.
    6
    If you are concerned about this, feel free to report questionable comments yourself. A moderator, like @Oswald Boelcke will look into it and will probably do the necessary things.
    Marcel, we certainly look into each report - and if required we do the necessary. And it's not only me but many others like @andybones @Logix @Macusercom @mrjuniork @TNSMANI; I just can't name them all.

    Very personal remark: As a long time user of your fantastic applications I'd be extremely sorry to see if this projects ends. But it's certainly your and ony your call.
    5
    Moderator Announcement

    Thread has been cleaned on request of the threadowner @M66B
    The OP doesn't accept any post that is not related to privacy. Please accept Marcel's decision and stance. And please be aware that in case of recurrence, I'm going to withdraw write permission for this thread from the affected account. Thanks for your understanding and cooperation.

    Regards
    Oswald Boelcke
    Senior Moderator
    Thanks, Oswald.

    In addition: the reason that discussions about cheating, hacking, etc are not allowed is to prevent problems for the project, like a DMCA request for the GitHub project, etc.
    4
    Moderator Announcement

    Thread has been cleaned on request of the threadowner @M66B
    The OP doesn't accept any post that is not related to privacy. Please accept Marcel's decision and stance. And please be aware that in case of recurrence, I'm going to withdraw write permission for this thread from the affected account. Thanks for your understanding and cooperation.

    Regards
    Oswald Boelcke
    Senior Moderator
  • 305
    XPrivacyLua

    banner_play_store.png


    Really simple to use privacy manager for Android 6.0 Marshmallow and later (successor of XPrivacy).

    Revoking Android permissions from apps often let apps crash or malfunction. XPrivacyLua solves this by feeding apps fake data instead of real data.

    Features:

    • Simple to use
    • Manage any user or system app
    • Extensible
    • Multi-user support
    • Free and open source

    See here for all details, including installation instructions and download link.

    Please read the frequently asked questions before asking a question.

    This XDA thread is about using the latest version of XPrivacyLua. Off topic comments are allowed as long they are related to XPrivacyLua and are in the general interest of the followers of this thread, but anything not related to privacy is not allowed.

    If XPrivacyLua doesn't work and/or when "module not running or updated" is shown, this is almost always caused by an Xposed problem.

    Discussions about purchases are not allowed here, please contact me via here instead.

    XPrivacyLua is being maintained and supported, but new features won't be added anymore.

    Custom hook definitions will always be part of XPrivacyLua, but there will be community support only. This means that I won't respond to questions about defining custom hooks anymore. See this thread for the reasons.

    If you value your privacy, please consider to support this project with a donation or by purchasing pro features.

    XPrivacyLua is not a permission manager, but a privacy manager. XPrivacyLua doesn't block things and doesn't revoke permissions, but does replace real data by fake data. This means you can grant Android permissions to an app and still let XPrivacyLua prevent the app from seeing privacy sensitive data. Revoking permissions can result in an app refusing to work and/or to crash. However, replacing real by fake data generally doesn't let an app crash.

    Currently restrictions are quite crude because they mostly replace real data by no data. For example restricting the contacts app from getting contacts will result in an empty contact list. In the near future it might be made possible to select the data an app may see, for example just one group of contacts.

    About feature requests and bug reports:

    The goal is to have a tool that can properly protect the privacy of many in the near future. However, it isn't paid work, so I do whatever I like whenever I like it.

    You can request features in this XDA forum. I will read them, but I will not respond to them and they might or might not be implemented. If I know for sure something will not be implemented, I will let you know.

    You can report any problem you have here. There will be no issue tracker on GitHub.

    For now I have decided to not implement restrictions that are useful to prevent tracking only. There are simply too many data items that can be used for tracking and it would take too much time to develop restrictions for all these data items.

    The basic idea is to restrict only things that 'define' you, so which contacts you have, where you are, which apps you use, etc.

    Maybe we can widen the definition of things that the core of XPL covers to "What defines you, and what can be used to spie on you"? This would include camera/audio, but not tracking.

    XPrivacyLua is pretty feature complete and will be maintained and supported and when there is a need new hook definitions will be added to better protect your privacy. For the rest this FAQ applies:

    https://github.com/M66B/XPrivacyLua/blob/master/FAQ.md#FAQ4

    As said before, development will also depend on Xposed development, which is just minimal unfortunately.

    XDA thanks and donations are appreciated.

    XPrivacyLua is supported with Xposed only. There is no support for VirtualXposed and TaiChi.


    XDA:DevDB Information
    XPrivacyLua, Xposed for all devices (see above for details)

    Contributors
    M66B
    Source Code: https://github.com/M66B/XPrivacyLua

    Xposed Package Name: eu.faircode.xlua

    Version Information
    Status:
    Beta

    Created 2018-01-05
    Last Updated 2020-03-10
    68
    I have just released beta version 0.5 in the Xposed repository.

    The XPrivacyLua framework and user interface seems to be stable enough to call this a beta release.

    Besides several bug fixes and improvements two new restrictions were added:
    • Read account name, which mostly holds your e-mail address and will be replace by '[email protected]' when restricted
    • Read clipboard, which will be replaced by the text 'Private' when restricted

    Furthermore the ability to restrict Android system (be careful!) and to restrict system apps was added. It is possible to restrict all of these individually (XPrivacy could not do that).

    Be sure to take a look at the help page in the app again (use the ?-icon), since there were some useful hints added.

    If you appreciate what I am building here, please let me know by means of an XDA thanks and/or a donation, so that I don't get the feeling 'What am I doing this for?'.
    59
    I have just released alpha version 0.12 in the Xposed repository.

    This version has been redesigned for Android Oreo compatibility. The user interface and the restrictions work properly for me, but be aware that a lot has been changed on the inside ("it is bigger on the inside", lol), also for earlier Android versions. There is one thing I know of that needs improving and that is that the user interface might be updated too often with a lot of restrictions, which might cause delays and hangs. I will look into this tomorrow.

    This change was necessary, but it was a lot of work, so XDA thanks and donations are appreciated.
    56
    I have just released beta version 0.25 in the Xposed repository.

    Changelog:

    With this release XPrivacyLua restriction's can be compared with XPrivacy's. There are now over 100 restriction definitions!

    XDA thanks and donations are appreciated.
    53
    @CHEF-KOCH You have been given enough time to respond here. Now I just think it is pretty cowardly to write critical about XPrivacyLua, but not to tell what can actually be improved, especially because you were invited to do so.

    I still like to hear how XPrivacyLua can be improved, but I don't want to hear what is wrong with XPrivacyLua. You'll need to keep the scope of XPrivacyLua in mind (in short: privacy, not security), see the opening post and previous discussions about this for more information.

    Also, if you really know better, I like to see an original work from your hands to prove that. Actions speak louder than words.

    As it is now, you are discouraging one of the few people in the world who really did something substantial to improve privacy on Android. And don't go talking about VPNs, TOR, etc because your private information, like your contacts, will still leak.

    I also think you are pretty ungrateful for what I did so far.

    To others: if you see someone reference one of his blogs, please reference this comment in response.

    Edit: if you agree with this, please add an XDA thanks to this comment, so it will show up in the right column as a reference for others.