[CLOSED] XPrivacy - The ultimate, yet easy to use, privacy manager

Status
Not open for further replies.
Search This thread

frugihoyi

New member
Aug 23, 2012
1
0
While testing Xprivacy I denied the entire Media category for the Duolingo app, but the microphone still works whenever Duolingo asks me to speak a phrase. What's up with that?
Android 5.1.1
 
Last edited:

M66B

Recognized Developer
Aug 1, 2010
26,011
56,003

JohnC

Senior Member
May 5, 2007
697
182
Amazon Fire TV
Google Pixel 4a
weird issue

I have been using XPrivacy for years - GREAT app. I am currently using it on a Samsung S4 running 5.0.1.

As everyone knows, whenever you install a new app or update an existing one, XPrivacy adds a notification about the new/updated app in your drop-down notification panel (which allows you to jump right into that apps settings in Xprivacy).

But something weird is happening...

XPrivacy seems to randomly add "update" notifications for apps that I have NOT updated on my phone. My first thought was that maybe the playstore is automatically updating my apps, but that isn't the case because I disabled auto-update in the play store. And besides, when I go into playstore and select "My Apps and Games", it will list all the apps that have updates, and at the very bottom it will list the apps that I "recently" updated. But the app that Xprivacy says was recently updated is NOT listed in this "Recently updated" list.

So, in summary, I am seeing "Xprivacy app-updated" notifications for random apps that are already installed on my device but yet were NOT updated by me or the play store. So, I am real confused why xprivacy is generating these update notifications when the apps were NOT updated.

Any ideas anyone?
 

M66B

Recognized Developer
Aug 1, 2010
26,011
56,003
I have been using XPrivacy for years - GREAT app. I am currently using it on a Samsung S4 running 5.0.1.

As everyone knows, whenever you install a new app or update an existing one, XPrivacy adds a notification about the new/updated app in your drop-down notification panel (which allows you to jump right into that apps settings in Xprivacy).

But something weird is happening...

XPrivacy seems to randomly add "update" notifications for apps that I have NOT updated on my phone. My first thought was that maybe the playstore is automatically updating my apps, but that isn't the case because I disabled auto-update in the play store. And besides, when I go into playstore and select "My Apps and Games", it will list all the apps that have updates, and at the very bottom it will list the apps that I "recently" updated. But the app that Xprivacy says was recently updated is NOT listed in this "Recently updated" list.

So, in summary, I am seeing "Xprivacy app-updated" notifications for random apps that are already installed on my device but yet were NOT updated by me or the play store. So, I am real confused why xprivacy is generating these update notifications when the apps were NOT updated.

Any ideas anyone?
I have no idea and nobody has reported this before either.
 

Fif_

Senior Member
Jun 5, 2013
1,216
1,347
Google Nexus 10
Google Nexus 4
I've seen that for the last 5-6 months, google play "shadow updates" apks in the background even if you have updates turned off. By shadow updates I mean that the apk's checksums change, but the version stay the same. The apk contents also stays the same.
If you don't believe me, checksum /data/app/*.apk and see for yourself.
There has been times where these shadow updates would show up in the Play Store "Recently Updated" section.
It could well be that the PACKAGE_REPLACED intent would be fired in this instance.
I'm still seeing shadow updates almost daily and will be recording whether or not PACKAGE_REPLACED gets fired when that happens.
 

M66B

Recognized Developer
Aug 1, 2010
26,011
56,003
Are there still people using the classic version of XPrivacy? I am planning to end support and close this thread after Android Q has been released, unless there are a lot of objections. That would mean that there has been five years of support. Not many companies support their stuff this long ...
 

elsquare

Member
Dec 22, 2014
36
8
Are there still people using the classic version of XPrivacy? I am planning to end support and close this thread after Android Q has been released, unless there are a lot of objections. That would mean that there has been five years of support. Not many companies support their stuff this long ...
Me + Familie = 4 ;)
Overdue to upgrade our rock solid S4s to Oreo or Pie and XPL, I know... :(
 

mnjm9b

Senior Member
Apr 26, 2008
1,046
227
Are there still people using the classic version of XPrivacy? I am planning to end support and close this thread after Android Q has been released, unless there are a lot of objections. That would mean that there has been five years of support. Not many companies support their stuff this long ...

I have a few devices that I can't update due to lack of manufacturer support and an un-unlockable bootloader. so they are stuck on jellybean/kitkat. I keep them alive specifically because they have xprivacy/afwall on them. otherwise I would smash them with a hammer as they have no business connecting to my network with the outdated OS's security risks.

However, XP works flawlessly on these devices so as long as you keep it available to download, I would support your decision to lock thread and end support.
(although, I have backed up several apk versions already as well as source, so I don't care about the downloads too much anyway.)
 

M66B

Recognized Developer
Aug 1, 2010
26,011
56,003
I have a few devices that I can't update due to lack of manufacturer support and an un-unlockable bootloader. so they are stuck on jellybean/kitkat. I keep them alive specifically because they have xprivacy/afwall on them. otherwise I would smash them with a hammer as they have no business connecting to my network with the outdated OS's security risks.

However, XP works flawlessly on these devices so as long as you keep it available to download, I would support your decision to lock thread and end support.
(although, I have backed up several apk versions already as well as source, so I don't care about the downloads too much anyway.)
XPrivacy will keep being published in the Xposed repository and the source code will keep being published on GitHub.
 

mirizlivpor

Member
Apr 18, 2011
46
4
I've hesitated to upgrade my phone because of the risk of not being able to use XPrivacy and didn't even know that a newer version was out there. Made sure that my new phone could be rooted and XPosed can be installed on it just because I can't imagine using my phone without this module. I'm sure you've been praised thousands of times but I'll add to that anyway - simply the number one module ever.

I'd like to add that I've been getting messages about updated apps as well, although the auto updates are turned off.
 

mobileanimal

Senior Member
Jul 23, 2013
56
14
I'm still using it as XPrivacy as well. I've updated and compiled it for Oreo and have it working alongside XPrivacyLUA for the on demand privacy / security features that XPrivacyLUA can't do yet (DNS, clipboard access, View), GetAccounts with whitelisting, and randomization of fake data on boot.
 

M66B

Recognized Developer
Aug 1, 2010
26,011
56,003
I'm still using it as XPrivacy as well. I've updated and compiled it for Oreo and have it working alongside XPrivacyLUA for the on demand privacy / security features that XPrivacyLUA can't do yet (DNS, clipboard access, View), GetAccounts with whitelisting, and randomization of fake data on boot.
Be aware that some XPrivacy restrictions are known not to work on recent Android versions.

XPrivacyLua:

You can use custom hooks from the repository to block DNS. The clipboard can be restricted. Randomization, also on boot, is supported for a few values now. Edit: accounts are automatically whitelisted.
 
Last edited:
  • Like
Reactions: arianat01

arianat01

Senior Member
Feb 16, 2015
148
64
I'm still using it as XPrivacy as well. I've updated and compiled it for Oreo and have it working alongside XPrivacyLUA for the on demand privacy / security features that XPrivacyLUA can't do yet (DNS, clipboard access, View), GetAccounts with whitelisting, and randomization of fake data on boot.
You can do all of these by XprivacyLua, except on demand privacy. By XprivacyLua you can restrict anything without any crash.
Look at the XprivacyLua Pro hook definition.
 

mobileanimal

Senior Member
Jul 23, 2013
56
14
XPrivacyLUA is excellent, but the lack of on demand features in XPrivacyLUA leaves open massive privacy holes that makes still running XPrivacy essential. With XPrivacyLUA, one would have to log DNS queries by app, a task in itself, and also while potentially permitting the application to communicate out to undesirable hosts first before they can be blocked with XPrivacyLUA. As an example, many apps use and communicate with graph.facebook.com, crashlytics.com, along with many additional not necessarily well known services that will track users. Add on the fact that without the capability of randomization of identifying data by default per app at first access/run after install like XPrivacy can do, with someone running only XPrivacyLUA, these services can tie all the apps that someone is using together for tracking, an absolutely massive invasion of your privacy.

For on-demand View access, there are many apps that force opening your web browser with a custom URL to track you. It’s essential to be able to view the URL that an app is opening before it’s allowed to open a potentially unwanted URL.

Access to the clipboard without one’s knowledge is obviously a huge privacy issue. I have seen 2 different apps try to read my clipboard without any interaction, with one of those apps being an app that I do need to copy/paste information into on occasion.

Also, I doubt very many users realize that most apps generate a unique tracking ID the first time an app is run, and it is saved permanently. From testing, this ID is frequently either a hash based on MAC address, Android ID, device name, etc. So, it’s essential that any fake data be randomized per app at boot time or access (optimally) by default before the app gets a change to run, so that you’ve created a unique ID just for that app that’s different than any other app. Feeding an app blank data can lead to the app generating and storing the same unique ID to track you every time since the blank data will be the same every time and generate the same hash.

The XPrivacyLUA model is that you only have the option to either completely trust or not trust specific privacy related permissions of an app. This in itself leaves open massive opportunities for privacy problems. The XPrivacy model lets you deal with potentially rogue and buggy apps with on demand access. A perfect example would be an issue similar to Apple’s recent Facetime eavesdropping bug where someone can call another user and eavesdrop without their knowledge. Let’s say this was an audio/video chat app for Android. With XPrivacyLUA one would have granted complete and permanent access to the microphone and camera for the app. With XPrivacy, one can on-demand give the app access to my camera/microphone as needed, so this type of exploit could be averted. Furthermore, who is to say that you should trust an app, developer, company, and all its employees to not access your device at any time for unscrupulous purposes? The same goes for storage access. Think about an app that you need to use to upload information or photos from storage on your device. What’s to say that there’s not an exploit in the app or there is not a rogue developer on the dev team that might lead to all the data on your storage device being uploaded without your knowledge?

Crashes from XPrivacy have been extremely, extremely rare, and have always been correctable with reviewing the XPrivacy log along with a logcat.

So, it’s absolutely essential that users heed these warnings and run both XPrivacy and XPrivacyLUA at the moment for optimal privacy and hopefully this serves as a warning to those that don’t.
 
Last edited:
Status
Not open for further replies.

Top Liked Posts

  • There are no posts matching your filters.
  • 1150
    ic_launcher.png
    XPrivacy

    After weeks of research, development and testing I proudly present the ultimate, yet easy to use, privacy manager: XPrivacy.

    XPrivacy can prevent applications from leaking privacy sensitive data. XPrivacy can restrict the categories of data an application can access. This is done by feeding an application with no or fake data. There are several data categories which can be restricted, for example contacts or location. For example, if you restrict access to contacts for an application, this will result in sending an empty contact list to the application. Similarly, restricting an application's access to your location will result in a set location being sent to the application.

    You can use the successor XPrivacyLua on Android 6.0 Marshmallow and later.

    Features

    • Simple to use
    • No need to patch anything (no source, no smali or anything else)
    • For any (stock) variant of Android version 4.0.3 - 6.0.1 (ICS, JellyBean, Lollipop, Marshmallow)
    • Newly installed applications are restricted by default
    • Displays data actually used by an application
    • Option to restrict on demand
    • Free and open source
    • Free from advertisements

    Read more on GitHub


    The download link is in the installation instructions

    You can also use the XPrivacy Installer as an aid to install XPrivacy.

    This forum is for questions only. See here for bug reports and feature requests.

    Please post messages related to privacy only.
    XPrivacy is not intended to make other application do things they are not supposed to do.


    There is only support for the latest official XPrivacy version.

    XPrivacy was a lot of work, so please support this project

    If you want to donate, see here for all options.

    Use at your own risk !




    The latest version from a while ago still works properly up to Android 6 Marshmallow, if Xposed works properly on your device
    (you can ignore any internal error report of XPrivacy, since these are known to be harmless)

    XDA:DevDB Information
    XPrivacy, Xposed for all devices (see above for details)

    Contributors
    M66B
    Source Code: https://github.com/M66B/XPrivacy

    Xposed Package Name: biz.bokhorst.xprivacy

    Version Information
    Status: No Longer Updated
    Current Stable Version: 3.6.19
    Stable Release Date: 2015-07-01

    Created 2014-08-03
    Last Updated 2018-02-08
    77
    "More than 250 Android Games Use Your Mic to Track What You’re Watching"
    https://www.xda-developers.com/android-apps-tracking-mic-always-listening/

    The above made me decide that we still need a decent privacy solution.

    At this moment I have a fully functional proof of concept where Xposed hooks can be defined in JSON (text) files and can be applied to any app at runtime. The hook code can be written in LUA script. This means that hooks can be added without updating the Xposed module (for now called XLua).

    To test XLua I have defined two hooks to fake the device location and applied them to the GPS status app. The result is that GPS status reports a fake location.

    I will start with built-in privacy related hooks, but in the near future there might be a repository where you can download hook definitions from.

    There is a lot more to tell about this, but I want to keep it brief for now. You are free to ask questions, but don't ask when it will be ready.

    I wish you a happy and private new year.
    67
    Due to too many bad experiences I will not be active on XDA anymore, which means that this will be my very last XDA comment. However, this doesn't mean I don't follow the XDA XPrivacy and NetGuard threads anymore and that development will be stopped. XPrivacy will be updated when critical bugs are found only (which didn't happen in more than a year). NetGuard will be maintained as well and new features might be added occasionally.

    If you check my post count, you can see that I have been very supportive and that more than likely all mayor questions have been answered already. So, if you have a question, use the XDA search and you'll likely find an answer. If that fails, then other XDA members might be able to answer your question.

    So, my last word: goodbye.
    65
    After almost nine months since the initial release and after 85 experimental, test and beta releases since the last stable release, I have just made available stable version 2.0.

    The main changes since the last stable version 1.11 are:

    • Replaced XML settings files by a privacy service and privacy a database
      - Increased speed, stability and security
      - Allows for new features formerly not possible, like:
    • Added on demand restricting
      - XPrivacy will ask to allow/deny on actual function usage
    • Added white and black listing for files, IP addresses, domain names, commands, libraries and URLs
      - White and black listing on demand are available to anyone
      - White/black list management from the user interface requires a Pro license
      - Clearing restrictions will clear white/black lists too
    • Added parameters to usage data (option) (only Pro license)
    • Added a service to migrate settings, upgrade and randomize
    • Added sorting and extended filtering
    • Added multiple select and batch operations to set, reset, import and export restrictions
    • Added a series of new restrictions and improved existing restrictions
    • Added template for functions
    • Added user defined dangerous functions
    • Added in application documentation for all functions
    • Added switch to disable restrictions for each application
      - Allows for disabling restrictions, without taking away the ability to edit restrictions
    • Support for multiple users (if your device supports this)
    • XPrivacy became one of the Open Source Rookies of 2013
    • The number of crowd sourced restrictions is more than 5 million now
    • Donations are accepted in Bitcoins now too
    If you want to know all changes since the last stable version, you'll need to read the changelog, but be prepared: it is a long list.

    Read here about how to upgrade:
    https://github.com/M66B/XPrivacy#upgrading

    After handling over 1500 bug reports and feature requests and more than 5000 commits, I guess XPrivacy is pretty feature complete and bug free now. As I have said before, I don't want to continue working almost full time on this project, which doesn't mean reported bugs will not be addressed and also not that XPrivacy will not be updated for the next Android releases. It just means that no new big features will be added anymore. Since the core feature of XPrivacy is to protect your privacy, new restrictions will be added when requested.

    XPrivacy was really a lot of work, so thanks or donations are appreciated.

    If you think something should be written about this greatly enhanced version of XPrivacy on the XDA portal, you might want to use Tip us?.
    56
    IF an Xposed version for Android 7 Nougat will be released, I MIGHT consider developing a paid only, slimmed down version of XPrivacy to protect your most privacy sensitive data, like contacts, calendars and location. We can discuss about what should be included. However, there would be no support to prevent tracking, so no restriction of device IDs, IP addresses, etc, since this is a lost battle anyway.

    Would there be interest in this?