[TUTO] How To Secure Your Phone
- Thread starter unclefab
- Start date
I did it months ago in this very same thread: http://forum.xda-developers.com/showpost.php?p=65026893&postcount=294
---------- Post added at 03:03 PM ---------- Previous post was at 02:59 PM ----------
Your device will be more stable, BUT you won't have google services at all: all of them including Google Play...
@optimumpro
Thanks for sharing !
@iwanttoknow
You cam use MicroG instead of Google Services Framework. Search on XDA.
Thanks for sharing !
@iwanttoknow
You cam use MicroG instead of Google Services Framework. Search on XDA.
@unclefab - totally subscribed. I see we speak the same language. Privacy is basically being tyrannically raped, as Darlene put it! You idea is great and I see no reason why ppl so willingly trust those big companies out there and simply give away their data and privacy for nothing.
Last edited:
heheee, those lads at Google. Only Privacy Inspector is on the Play Store and Privacy Inspector is, as the app description says, the lite version of Privacy Blocker. Google surely knows know what to remove from the $hit Store Luckily there are alternatives ... thank God! The monopoly Google are exercising over ... nearly all of us is a $hit show.
Hm, has anyone else had problems with 'Privacy Blocker' and 'Permissions Denied Pro'? Not sure which one of these 2 apps it is, but after I installed the 2 of them my phone went a bit crazy. First apps such as TiBu were no longer granted root access and just kept hanging on a screen waiting for root access, never receiving it. Then also Nova Launcher got messed up, slow as hell and started also hanging. AFWall+ started crashing again and again, no matter how many times I rebooted. Nova Launcher wouldn't respond any longer to a double-tap-to-sleep/wake. All kinds of weird stuff. So I switched to the default home launcher and remedied the situation by uninstalling both apps and reinstalling (for now only) Nova. Either Privacy Blocker or Permissions Denied caused some havoc. I didn't tweak much in those apps. In P. Blocker I just scanned all my apps and performed a fix on 1 camera app, nothing else. In Permissions Denied I tweaked another 3rd party app ... I think it was an SMS reminder, but nothing related to SuperSU or TiBu or Nova Launcher. Very mysterious. Has anyone else had issues with those two apps and can they actually be trusted? What I have is 'Privacy Blocker v1.4.1' and 'Permissions-donate-v3,7-build32'. Share your experience pls.
Last edited:
Uninstall these apps and install XPrivacy. Remove SuperSU and install Phh's Superuser. You won't have any issues with them if you do things right.
Thanks for the reply! To install XPrivacy I think one needs to have the Xposed Framework on board, which I don't have. So for now an uninstall and staying away form those apps will do it.
How is Phh's Superuser superior to SuperSU. Just curious. Thought SuperSU is THE one!
Yes you need the power of Xposed but it's worth it.
Phh's Superuser is open source and not owned by an obscur company.
Erm, just to clarify ... do both Privacy Blocker nor Permissions Denied require Xposed or just one of them and which one in that case? In the OP there were also other nice-looking privacy apps that I wanted to try out but I'm guessing they too require Xposed.
I never used these apps but it seems Permissions Denied doesn't require Xposed. No idea for Privacy Blocker since I can't find it on Google Play.
Note that Permissions Denied hasn't been updated since June, 2013... Moreover, managing the permissions is not enough since apps can have access without asking for permission. I guess you don't have a real-time control, and so on... Better than nothing, though.
Read the Play Store descriptions. I think Xposed is always mentioned if it's a requirement.
Thank you for the reply, but that's sad
better than nothing yes, you are right, but what good is Permissions Denied if 'apps can have access without asking for permission'. If that's really the case then I don't see how Permissions Denied helps in any way, anyone is welcome to correct me. Just trying to get to the bottom of this.As to your guess if I have a real-time control ... as far as I dug into it, I came to some apps similar to Perm. Denied. Any other apps or ways to have the real-time control you mention are welcome to be thrown in to this discussion.
A real-time control is very important:Thank you for the reply, but that's sad
As to your guess if I have a real-time control ... as far as I dug into it, I came to some apps similar to Perm. Denied. Any other apps or ways to have the real-time control you mention are welcome to be thrown in to this discussion.
1. You install a crappy app
2. A few seconds after the installation, it will immediately have a look at your contacts. You don't have enough time to open Permissions Denied to block the access. Too late...
I don't know any other apps as XPrivacy to have a real-time control, sorry.
About permissions:
• Android system permissions are completely useless. I did a quick test with two apps promoted on Google Play: New Airpush detector and Material Apps. Android system permissions didn't ask me anything when browsing into the apps! (that's normal for New Airpush detector though. Android system permissions don't manage Internet permissions
and the app is only requesting "a full network access" and "to view network connections").• However I noticed that AirPush Detector had access to these data: Identification / Internet / IPC / Phone / Shell / System (get installed package) / View.
This is more than Internet permissions, isn't it?
A real-time control is very important:
1. You install a crappy app
2. A few seconds after the installation, it will immediately have a look at your contacts. You don't have enough time to open Permissions Denied to block the access. Too late...
I don't know any other apps as XPrivacy to have a real-time control, sorry.
About permissions:
• Android system permissions are completely useless. I did a quick test with two apps promoted on Google Play: New Airpush detector and Material Apps. Android system permissions didn't ask me anything when browsing into the apps! (that's normal for New Airpush detector though. Android system permissions don't manage Internet permissions
• However I noticed that AirPush Detector had access to these data: Identification / Internet / IPC / Phone / Shell / System (get installed package) / View.
This is more than Internet permissions, isn't it?
Point taken! Thanks for dropping some knowledge. For ppl who don't have Xposed framework is there even any point in using Permissions Denied, if as you said 'apps can have access without asking for permission'? If not 'Permissions Denied' what else (non-Xposed) can we use then, if anything at all?
Permissions Denied can help in some situations. Most of reliable apps are asking permissions when they really need them. If I were you I would open Permissions Denied before opening a new installed/updated app. Of course, it will be more difficult to have a full control with apps that do not respect user privacy...
I always use Xposed so I have no idea for other solutions and I guess you do need Xposed for having such a feature. Others may have more ideas.
Thanks! Just a quick note about Privacy Blocker. As far as I researched I didn't see anywhere that it requires Xposed. So if that's really the case then it is really mysterious why either one of the 2 apps P.Denied or P.Blocker messed up my phone a bit.
And back to the topic. Yes, you're prolly right. Actually after installing an app and before opening it and giving it root access (for apps that need that) indeed it makes sense to quickly tweak the app's permissions in P.Denied, but as you said time might not be enough and it's strange that the app was last update in 2013. Thanks anyway for your good input in this discussion.
EDITED
Last edited:
Something got me back to this post of yours. SuperSU is from Chainfire. I thought Chainfire is a highly respected and trusted dev here on XDA. How come an app he develops is owned by an obscure company?
Ahhh I see.
Thanks for the update! If that's the case then can't we just use the last stable version/release which is presumably right before CCMT got involved? This will be similar to using uTorrent's v2.2.1 ... I guess ppl will have to find out which version it was and just stick to it. Ofc there's the alternative of using phh's SuperUser, which is being actively developed, but I just know some apps want SuperSU and am not sure if they'll be happy with phh's SuperUser.
Last edited:
The last version built by Chainfire is v2.78, available in the XDA thread.Ahhh I see.
Anyway, using Phh's Superuser seems a better idea:
• Open source (unlike the last version of Chainfire's SuperSU)
• Magisk (also open source) is mainly supporting Phh's superuser.
• You will need the next root solutions to bypass the new Android (security) features
• We more and more have to hide root to have working features/apps. Chanfire's suhide is also closed source.
• You have notifications from Google Play to update SuperSU app.
• It just works! Use the "full unroot" option from SuperSU app, reboot and flash Phh's superuser to try yourself. (don't forget the nandroid backup of course
)Similar threads
Top Liked Posts
-
There are no posts matching your filters.
-
43INTRODUCTION
I don't know everything (who does anyway?) and everyone is welcome to add some more infos on the subject, let's share our privacy settings!!!
Let's start, with a brand new phone...
I - THE BASICS
1 - Don't give your real name when you buy a new phone (it sounds obvious but many people don't even think about it), and pay in cash in order not to leave any traces.
2 - Second, don't give your real name when you buy a SIM.
3 - DO NOT put any SIM in the phone for now, DO NOT connect to the internet through WIFI, and put your phone in plane mode. You'll be able to connect after you're done and secure.
4 - Root and install Busybox, flash a custom recovery (I won't cover that part, search the forum and you'll find all what you need).
5 – Let the fun begin, uninstall as many stock apps as you can!
Don't think that installing a custom ROM like AOSP or CM would be any better than your stock ROM privacy wise, custom ROMs don't have OEM bloatware but when it comes to privacy, data mining and outrageous system apps' permissions they are exactly the same than stock ROMs.
Before you start your uninstalling job, download Aroma File manager from here:
http://forum.xda-developers.com/showthread.php?t=1646108
Put it on your SD.
It will enable you, in case you get a bootloop, to push back from recovery the file (s) you removed that caused the bootloop, instead of restoring your backup and loosing all the work you did.
TWRP has a built in file manager that does the same, just make sure you have /system and /data mounted in the settings.
Uninstall gradually.
Start with the google apps and the OEM bloatware, reboot and see how it goes. If everything is ok then uninstall more stuff, again reboot and see how it goes, and keep on doing it until you feel it's ok.
You'll be wise, everytime you uninstall a bunch of apps, to copy them first on your SD and label it something like apps1, apps2 etc.
Now read carefully the folowing about safe to remove apps, in order you to know more precisely what can be done, and you will see that my phone works with only 10 system apps left.
II – THE TOOLSNow you need some tools, namely:
- Xposed Installer:
http://repo.xposed.info/module/de.robv.android.xposed.installer
- Xprivacy:
http://repo.xposed.info/module/biz.bokhorst.xprivacy
- App Settings:
http://repo.xposed.info/module/de.robv.android.xposed.mods.appsettings
- AF+ Firewall:
https://f-droid.org/repository/browse/?fdfilter=af&fdid=dev.ukanth.ufirewall
- Network Log:
https://f-droid.org/repository/browse/?fdfilter=network+log&fdid=com.googlecode.networklog
- Greenify:
http://forum.xda-developers.com/apps/greenify
- Blue Box Security Scanner (apps and vulnerabilities scanner)
- SQ Editor
- Rom Toolbox Lite (free) or Pro (paid)
- Privacy Blocker (paid)
- First
Open Privacy Blocker.
Scan all your third part apks one by one, and see their dirty little secrets. Then mod the ones you don't like, it's easy, just follow the onscreen instructions.
- Second
Open Rom Toolbox.
Block adds, prevent apps from auto starting and disable any receiver you don't like, and try some build.prop and kernel tweaks while you're at it (be careful).
- Third
Open Greenify.
Greenify everything, except the launcher, the System UI, the Package Access Helper (you could greenify it but it does nothing since that app is ungreenifiable) and the Keyboard. You can greenify Settings and Settings Storage too, but it will slow down Settings when you lauch it.
DO NOT greenify Xprivacy and AF+ Firewall since you need them to run in the background (don't worry, those apps have a very low RAM footprint).
Create a “hibernate now” shortcut on your home screen, and don't forget to use it regularly to hibernate your apps.
Note that you'll need the donate version to greenify system apps, but it doesn't cost much and it's a nice way to support the dev.
- Fourth
Install Xposed, Xprivacy and App Settings.
Enable Xprivacy and App Settings in Xposed's menu (under modules), reboot, and make a new backup cuz from now chances to get in a bootloop will increase and dependingwhat you've done it may not be Aroma File manager recoverable..
Open App Settings and disable the apps' perms you don't like (be careful with System UI as it may result in constant force close).
To give you an idea I have attached some examples of what can be restricted. You will notice that stock apps (like contacts, phone, CSC, settings etc.) are the most restricted, that's because they have the most outrageous perms. The apps in the list don't use the name they have in the play store but the packages' names (to find them go to data/app and check there).
Done? Now, open App Settings' menu and make a backup of your current settings.
Open Xprivacy and do the same, but first have a read at its documentation here:
https://github.com/M66B/XPrivacy#xprivacy
and at the following tutorial I wrote some months ago (it was for an old version of Xprivacy, but you'll get the idea) :
Done with Xprivacy? Now, open its menu and backup its settings.
(To Be Continued)40(Continued From Last Post)
- Fifth
Open Blue Box Security scanner and let it scan for vulerabilities.
Most likely it will find some, patch them with Master Key and Fake ID Fix:
http://repo.xposed.info/module/tungstwenty.xposed.masterkeydualfix
http://repo.xposed.info/module/tungstwenty.xposed.fakeidfix
- Sixth
Get init.d support.
Make a script to disable some folders that are otherwise recreated each time the phone boots.
I give you the following as an example that works on Samsung 4.2.2 but you may have to edit it depending which phone you have and which ROM version you are on:
If you decide to use this script paste it in a good editor like Note Pad Plus. Then edit it if needed and don't forget to set the EOL conversion (found in the edit menu on the toolbar) to Unix/OSX format.
You want to do it directly from your phone?
Try 920 Text Editor app, it does the job fine (when you save a file set "Convert Line Break" to Unix/Android) :
http://920-text-editor.en.uptodown.com/android
Here's another init.d script, done with Pimp My Rom app (credits @Androguide.fr), to protect your phone from various MIM (Man In The Middle) attacks :
One more (credits @bazz77 – http://forum.xda-developers.com/showthread.php?p=40767777#post40767777 , do visit the thread as you will find infos about how to harden your system) :
- Seventh
Open AF+ and set it for WIFI, data, VPN and roaming.
I think using white list option (allow selected) is better than black list since newly installed apps are blocked by default.
Restrict all apps, including system apps, that don't need to have internet access, and restrict Linux kernel, Linux shell, Internet time servers, DHCP+DNS services, GPS and Media server.
Enable IPV6 support.
Now, make a script to block inbound and outbound unwanted connections, call it whatever you want (but don't forget to end it with the .sh extension, and to give it RWX, RX, RX (755) permissions), and put it in data/local or in data/data/dev.ukanth.ufirewall/app_bin.
Here's an example of such script :
If you decide to use this script paste it in a good editor like Note Pad Plus. Then add you own values and don't forget to set the EOL conversion (found in the edit menu on the toolbar) to Unix/OSX format.
If you want to do it directly from your device look back at part six, I've put a link to a Text Editor app.
Bear in mind that by using it you will prevent google from accessing your phone, so google related web sites (youtube, blogspot, google search, play store etc.) won't work anymore.
Now it's up to you, if you want google access you'll have to erase the lines under #google (both inbound and outbound).
If you want to check where an IP adress belongs go to :
http://whois.domaintools.com/ (I like this one the most cuz it shows you the IP range to block)
http://www.hcidata.info/host2ip.htm
Want more?
Check here (credits @ukanth and @CHEF-KOCH ) :
https://github.com/ukanth/afwall/wiki/CustomScripts
.
While you're at it change the DNS in the system/etc/resolv.config file to Open DNS or whatever you wish (if you don't use Open DNS then edit the beginning of this script accordingly), and do the same for system/etc/dhcpd/dhcpd-hooks/20-dns.conf.
Note to Kit Kat users, credits @Primokorn :
On Nexus 5 - Kitkat 4.4.4 - I do not have the first file (resolv.config). At the end, I downloaded an app called DNS forwarder by Evan He (read the description for more details especially the information for KitKat users).
OpenDNS has been successfully tested through this URL: https://store.opendns.com/settings/
To check whether you are using Open DNS or not you'll have to enable cookies.
If you still see unwanted connections despite the Firewall check posts #71 and #72, big thanks to @optimumpro for the tip!
To stop the DNS resolve of, and HTTP request to clients3.google.com on every connection to any Wifi Access Point open your android terminal and type :
su -c "settings put global captive_portal_server 127.0.0.1"
su -c "settings put global captive_portal_detection_enabled 0"
To stop the resolve/request for 2.android.pool.ntp.org on every boot (even with network time disabled) type :
su -c "settings put global ntp_server 127.0.0.1"
(credits https://blog.torproject.org/)
- Eighth
Install a good host file in system/etc, it will block adds and unwanted web sites.
Check this link about MoaAB (Mother of All Ad Blocking), credits to @BSDgeek_Jake :
http://forum.xda-developers.com/showthread.php?t=1916098
You can add the following web adresses to whatever host file you decide to use, I have hand picked them one by one (but as above, don't forget to set the EOL conversion to Unix/OSX format):
If you restrict all those adresses you won't be able to connect to facebook, twitter and any google service (including youtube, blogspot, google search, play store) anymore, so filter first and remove the web sites you want to be able to access.
- Ninth
Open Network Log and connect to the internet.
Check all your connections (long press on an IP to know which web site it refers to, or check with the web sites I mentionned in part 7), some are legit, some are not.
Block the unwanted stuff using either the host file, or the firewall script, or both.
There's an apk called Blockit! that can help you find host names for some stubborn web sites that can't be blocked using their IP, and whose host name can't be found otherwise (like apis.google.com, ajax.googleapis.com, www.googletagservices.com, fonts.googleapis.com, google-public-dns-a.google.com, just to name a few that I found thanks to BlockIt!).
About one year ago I found out that my kernel was connecting to some google related IPs and to google's DNS (eventhough I had set the phone to use Open DNS in the resolv.conf file, eventhough I had removed over 150 system apps and eventhough I was already using AF+Firewall, App Settings and Xprivacy), and that my android system was calling home (read "at google's central office in Mountain View, California") everytime I connected (note that my phone had never been linked to any google account whatsoever).
From that day that I started to gather informations about host files and firewall scripts...
- Tenth
Open SQ Editor, and have a look at your apps' databases.
If you find anythig you dislike, erase it (it's located in data/data/yourappname/databases).
Some files, like google analytics or gaClientid, reappear once the app is reopened again, in this case you have to set their perms to 000 and fully erase their content (like this the files are still there and don't get recreated, but they are inactive).
You may have to suppress the write permissions on the folder that contains those files (use you file manager), ie something like rx, rx, x (5, 5, 1).
Some other potentially unwanted files could be in data/data/yourappname/files or in data/data/yourappname/shared_prefs, if that's the case do as above.
III - ADVANCED- I'll deliberately stay vague on those matters, only people that know what they are doing should mess with that kind of stuff. -
1- Decompile some of your system apps and some of your jars, and track lines refering to specific websites and DNS.
For a starter have a look at SecSystem.apk, framework.jar and framework2.jar...
2 - Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.
Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.?
And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number in sys?
Those are ids specific to your device and of course they identify you, that's what they are meant for!
An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your serial_number which means, and experts please correct me if I am wrong, that everytime you connect on the WIFI your serial_number gets sent.
You want to change it manually?
Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to the original value.:cyclops:
I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY restrictively configured"), those ids leaks or not, but since I like to have more than one protection layer I've edited all of them.
Some ids are easily changed using the setprop command (with an android terminal) or the setpropex command (I've attached it at the end of this post, unzip it and depending your configuration put it in system/bin or system/xbin, and chmod it rwx, rx, rx or 7, 5, 5. Credits @goroh_kun -- http://forum.xda-developers.com/showthread.php?t=1201657 ). Then make an init.d script like:
#!/system/bin/sh
/system/xbin/setpropex ro.boot.serialno 1
/system/xbin/setpropex ro.serialno 1
echo 1 > /sys/devices/virtual/android_usb/android0/iSerial
echo 1 > /sys/devices/cpaccess/cpaccess0/cp_rw
echo 00000001 > /sys/devices/platform/wcnss_wlan.0/serial_number
(the last one will take care of the WIFI's serial_number I spoke about few lines above),
some will require editing in the efs folder (potentially dangerous, so back it up first!), and some will require boot.img tweaks, but I won't explain any further since as written above only people knowing what they do should play with that stuff.
IV – BASEBAND ISOLATIONThat's an important subject and here's an interesting link to start with :
https://blog.torproject.org/blog/mis...ty-and-privacy
You can uninstall STK.apk, LogsProvider.apk, CSC.apk, SecContacts.apk, SecContactsProvider.apk, SecPhone.apk and SecTelephonyProvider.apk altogether, problem solved, your phone isn't a phone anymore (obviously) but a WIFI only device.
Or, you can buy a WIFI only device and save some money compared to a GSM device.
As for me I solved the matter by uninstalling STK.apk, LogsProvider.apk, CSC.apk, SecContacts.apk and SecContactsProvider.apk, and by chmoding SecPhone.apk's and SecTelephonyProvider.apk's permissions to 000 in order to completely disables them (which is not the case when one freeze them, or when one uses the pm command, the apps are ineffective in the way that the user can't use them but they are on nevertheless). Then, I made a chmod 644/000 script to enable/disable them, done!
Of course it's not very practical, and if one only uses one's phone to call one's mum or one's girlfriend/boyfriend there's no need to turn to such extreme safety measures.
But if one lives in a rogue country and if one could be put in danger because of one's phone then it's something that one has to consider.
Otherwise, if you don't want anyone to know that you are using that phone then use a public phone, because whatever we do our provider allways knows who we are calling, for how long etc., everytime we use the phone functions, and AFAIK there's no way to prevent that. Except maybe by using those apps that encrypt communications but I can't comment on that since I don't use my phone to call or to text.
Well, the thing is that if security really matters you shouldn't have a GSM device but a WIFi only device, or a GSM device where STK.apk, LogsProvider.apk, CSC.apk, SecContacts.apk, SecContactsProvider.apk, SecPhone.apk and SecTelephonyProvider.apk have been uninstalled, the above link leading to Tor project's blog explains well why.
One more thing, have you ever heard about IMSI catcher AKA fake cell towers? Here's a very interesting project that deals with it :
http://forum.xda-developers.com/showthread.php?t=1422969
Oh yeah, you may like that one too :
http://www.wired.com/2014/10/verizons-perma-cookie/
ANDROID 5.0 (Lollipop)
Xposed is not yet compatible with ART, so no Xprivacy and no App Settings.
App Settings can be replaced by Permissions Denied Pro (paid), but make sure it's Lollipop compatible :
https://play.google.com/store/apps/details?id=com.stericson.permissions.donate&hl=en
Sorry for the play store link but that's the only non warez site I found about that app. If you want to purchase it you don't need to go through the play store though, just contact its dev and pay him with Pay Pal :
[email protected]
It's a powerfull app so before to start using it read its FAQ (when in the app swipe to the right until you get to it) and remember that you have to unlock permissions before you flash a new OS. Otherwise you may have a powerful bootloop, it happened to me once and believe me it wasn't funny.
You can use the settings examples I put for App Settings (in the second chapter part 4) since Permissions Denied works more or less the same way.
It's a bit more tricky, if doable at all, to replace Xprivacy. Have a look at Donkey Guard, its dev said that he will make it Cydia substrate compatible but I'm not sure he managed :
http://forum.xda-developers.com/xposed/modules/app-donkeyguard-security-management-t2831556
Alternatively, see if Pdroid is Lollipop compatible but AFAIK it isn't.
As for me I'll stay away from Lollipop, at least for now...
A FEW WORDS ABOUT COMMON SENSEStick to older Android versions, like 4.1 or 4.2.
From 4.2 google has strengthned its grip on Android, and added some very unpleasant stuff.
In 4.2 it added FusedLocation.apk, to know better where you are, basically a spying app eventhough google calls it an “enhancement”.
That apk can neither be uninstalled nor be frozen (or well, it actually can but then the phone doesn't boot), but fortunately its receivers can be desactivated with Rom Toolbox and it can be greenified.
In Kit Kat it got worse, you will understand by yourself when you start uninstalling system apps and/or when you have a look at what's inside the system folder.
As I already said in the first chapter, you have to ask yourself whether you want to compromise your privacy to get the latest gimmick and the latest fancy color (that have anyway been made available on JB with Xposed modules) or whether you want to be safe.
Forget about Kit Kat, I think the game is worth the candle but it's up to you...
Do not trust too much encryption and do not store sensitive data in your phone. If you have sensitive data keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.
Do not link your phone with any account, and don't use apps like facebook, twitter etc... Access those web sites from your browser , and greenify your browser once done.
Use Tor to secure your IP, your operator will know that you use Tor but it won't know anything else.
Depending what you do, where you live or travel and who you are you may consider to have two phones, a secured one for your sensitive activities, and an insecure one to call mum.
Do not update your apps blindly, not all updates bring improvements. Sometimes they add more permissions and/or adds, sometimes the app got sold to a company and policies have changed, you see what I mean. So before you update make a backup of the current app's version, in case you want to get back to it later.
CREDITS AND THANKS
@rovo89 for Xposed, respect!
@M66B for the Xprivacy, respect!
@Tungstwenty for App Settings, Master Key Dual Fix, Fake ID Fix, respect!
@Chainfire for Super Su, respect!
@ukanth for AF+Firewall, respect!
@oasisfeng for Greenify, respect!
@THE Tor Project Team, respect!
@f-droid, respect!
@all the XDA people writing tutorials and sharing their knowledge, respect!
Did I forget anyone? If that's the case be insured that it was absolutely unintentionnal, send me a PM and I'll fix it
Last but not least, all those devs and groups have spent days, if not weeks or even months, coding, writing, tweaking, modding, in a word working, for us to enjoy better security on our devices.
They did it for free, in a materialistic, greedy and selfish world where gratuitousness and altruism are an oddity, so the least we can do is to support them.
Please consider sending them a donation, or buying the pro version/license of their app (s), we are talking about a few dollars which is not much compared to what they have given, are giving, and will give to us.
Remember that we are nothing, or let's say not much, without them!!!
Thanks in advance for them...
LINKS
http://repo.xposed.info/module/de.robv.android.xposed.installer]
https://github.com/M66B/XPrivacy#xprivacy
https://f-droid.org/repository/browse/
https://github.com/ukanth/afwall
http://forum.xda-developers.com/apps/greenify
https://www.torproject.org/
https://blog.torproject.org/
https://guardianproject.info/
https://prism-break.org/en/
CONCLUSIONThat's all what I can remember for now and that's it, my phone works fine...
An additional plus is that while in standby battery decrease is only 1% every 10-12 hours, it doesn't hurt
If all of the above has been done I don't think that anyone can get much data out of your phone, but I'm no security expert and I'd like to hear what the big guys on this forum have to say on that matter....
Feel free to add any settings, tips and tricks you have, thanks in advance:good:22Posts can't be more than 30000 words long, and since both post #1 and post #2 have reached that limit I have to put the last updates to OP here.
Sorry for the mess:silly:.
(Continued from the end of 'Safe To remove Apps" in Chapter I)
Before to proceed copy your system/etc/permissions, system/framework and system/lib somewhere safe, make sure you have aroma file manager ready at hand, and that you have a backup of your system.
Safe to remove jars in system/framework :
Safe to remove xmls in system/etc/permissions :
Safe to remove files in system/lib :
Miscellaneous :
Special cases
Safe to remove applets
Disable NFC and Bluetooth
Disable auto start on boot and receivers
Upgrading to later Android versions?
ADDITIONAL LINKS
Wanna read more? Here are two interesting projects you may like (thanks @Froschohnenamen for reminding me of those).
Pri-Fy from @Chainfire, the great master of root:
http://forum.xda-developers.com/showthread.php?t=2631512
NOGAPPS, or how to replace google proprietary stuff with some open source equivalents:
http://forum.xda-developers.com/showthread.php?t=1715375
WIP:
- safe to remove system/framework jars (done),
- safe to remove system/etc/permissions xmls (done),
- safe to remove system/libs (done),
- safe to remove stuff in system/bin and system/xbin (done),
- annihilate bluethooth and nfc (done),
- search the baseband/modem for privacy leaks (started, but still a long way to go). That one will be a hard task, I'm new in that field and most of it is closed. Any help will be very much appreciated, thanks in advance!!!
- 2-3 things more5Interestingly, after much testing, I have found that scunlon firewall cannot prevent kernel from contacting Google and several other servers when your phone is active. Initially, afwall did not work either. Neither did multiple scripts, various entries in hosts file or adaway work. They all were fine blocking regular apps, but not the kernel. Only when I went into afwall settings and chose builtin iptables, as opposed to system ones, I got the result, i.e., the firewall successfully blocked kernel pings and outgoing pockets. Apparently iptables binary used in Android (I have Kitkat) has been altered to allow kernel phoning home. I have set afwall to report dropped packets and it started showing kernel's activities as blocked. Congratulations, Google. You have done it again. By the way, my network monitoring app showed curious webservers belonging to Google and several other "security" companies in the US, UK, Canada and Australia all members of the 5 eyes bunch...
Even when using afwall's builtin iptables, the most that can be done is preventing outgoing kernel activity. The firewall cannot block incoming pings. I am looking at 2 possibilities to go around that: one, try to put firewall's iptables binary in the rom or redirect all scripts to afwall's iptables.
@unclefab What are your thoughts?5@ Primokorn:
oh, strange, that line break must have come when I copied the script, sorry about that, I go edit OP.
Funny that an error in the script can paralyse su access, good to know!
@silentvisitor:
you know, anyone can learn that, one only needs some time and patience...
Yep, true, the addresses I put in OP are only addresses I hadn't found in the host files I checked.
I didn't copy my whole host file here since it's pretty long and since posts are limited in length.
Some host files weight as much as 15 mb, and it could definitely speed down devices with low specs.
To avoid this, and since one probably doesn't need such a big file, one can use a lighter file (mine weights about 750 kb) and make use of Network Log, as explained in OP, to manually block addresses specific to one's device.
Oh yeah, just now I remember of another app called Block it!, I add it to OP.
Talking about OP, here are the latest additions I put in there :
There's an apk called "Block it!" that can help you find host names for some stubborn web sites that can't be blocked using their IP, and whose host name can't be found otherwise AFAIK (like apis.google.com, ajax.googleapis.com, www.googletagservices.com, fonts.googleapis.com, google-public-dns-a.google.com, just to name a few that I found thanks to Block it!).
Here's another init.d script done with Pimp My Rom app (credits @Androguide.fr), to protect your phone from various MIM (Man In The Middle) attacks :
#!/system/bin/sh
### Pimp my Rom : Block Redirects
busybox sysctl -e -w net.ipv4.conf.all.accept_redirects=0;
busybox sysctl -e -w net.ipv4.conf.default.accept_redirects=0;
busybox sysctl -e -w net.ipv4.conf.all.secure_redirects=0;
busybox sysctl -e -w net.ipv4.conf.default.secure_redirects=0;
### Pimp my Rom : Block Source-Routing
busybox sysctl -e -w net.ipv4.conf.default.accept_source_route=0;
busybox sysctl -e -w net.ipv4.conf.all.accept_source_route=0;
### Pimp my Rom : IPv4 Tweaks
busybox sysctl -e -w net.ipv4.tcp_timestamps=0;
busybox sysctl -e -w net.ipv4.tcp_sack=1;
busybox sysctl -e -w net.ipv4.tcp_fack=1;
busybox sysctl -e -w net.ipv4.tcp_congestion_control=cubic;
busybox sysctl -e -w net.ipv4.tcp_window_scaling=1;
### Pimp my Rom : Avoid Time-Wait
busybox sysctl -e -w net.ipv4.tcp_tw_recycle=1;
busybox sysctl -e -w net.ipv4.tcp_tw_reuse=1;
### Pimp my Rom : Protection against SYN Attacks
busybox sysctl -e -w net.ipv4.tcp_syncookies=1;
busybox sysctl -e -w net.ipv4.conf.all.rp_filter=1;
busybox sysctl -e -w net.ipv4.conf.default.rp_filter=1;
busybox sysctl -e -w net.ipv4.tcp_synack_retries=2;
busybox sysctl -e -w net.ipv4.tcp_syn_retries=2;
busybox sysctl -e -w net.ipv4.tcp_max_syn_backlog=1024;
busybox sysctl -e -w net.ipv4.tcp_max_tw_buckets=16384;
busybox sysctl -e -w net.ipv4.icmp_echo_ignore_all=1;
busybox sysctl -e -w net.ipv4.icmp_ignore_bogus_error_responses=1;
busybox sysctl -e -w net.ipv4.tcp_no_metrics_save=1;
busybox sysctl -e -w net.ipv4.tcp_fin_timeout=15;
busybox sysctl -e -w net.ipv4.tcp_keepalive_intvl=30;
busybox sysctl -e -w net.ipv4.tcp_keepalive_probes=5;
busybox sysctl -e -w net.ipv4.tcp_keepalive_time=1800;
busybox sysctl -e -w net.ipv4.ip_forward=0;
CREDITS AND THANKS
@rovo89 for Xposed, respect! @M66B for the Xprivacy, respect!
@Tungstwenty for App Settings, Master Key Dual Fix and Fake ID Fix, respect! @Chainfire for Super Su, respect!
@ukanth for AF+Firewall, respect! @oasisfeng for Greenify, respect!
@THE Tor Project Team, respect! @f-droid, respect! @all the XDA people writing tutorials and sharing their knowledge, respect!
Did I forget anyone? If that's the case be insured that it was absolutely unintentionnal, send me a PM and I'll fix it...
Last but not least, all those guys have spent days, if not weeks or even months, coding, writing, tweaking, modding, in a word working, for us to enjoy better security on our devices.
They did it for free, in a materialistic, greedy and selfish world where gratuitousness and altruism are an oddity, so the least we can do is to support them.
Please consider sending them a donation, or buying the pro version/license of their apps, we are talking about a few dollars which is not much compared to what they have given, are giving, and will give to us.
Remember that we are nothing, or let's say not much, without them!!!
Thanks in advance for them..
LINKS
http://repo.xposed.info/module/de.robv.android.xposed.installer
http://repo.xposed.info/module/biz.bokhorst.xprivacy
https://github.com/M66B/XPrivacy#xprivacy
http://repo.xposed.info/module/de.robv.android.xposed.mods.appsettings
http://repo.xposed.info/module/tungstwenty.xposed.masterkeydualfix
http://repo.xposed.info/module/tungstwenty.xposed.fakeidfix
http://forum.xda-developers.com/apps/greenify
https://f-droid.org/repository/browse/?fdfilter=af&fdid=dev.ukanth.ufirewall
https://github.com/ukanth/afwall
https://f-droid.org/repository/browse/?fdfilter=network+log&fdid=com.googlecode.networklog
http://forum.xda-developers.com/apps/greenify
https://www.torproject.org/
https://blog.torproject.org/
https://guardianproject.info/
https://prism-break.org/en/
