Avoiding Google using Android
Nowadays, if we want privacy on Android we should avoid Google Services, since their telemetry is really alarming. The most effective way is to flash a clean ROM such as LineageOS without gapps.
Unfortunately many people cannot do so (phones with non-unlockable bootloaders). However, all is not lost for these devices.
It is possible to regain some of our privacy by disabling the aforementioned Services via ADB:
https://www.droidwin.com/remove-uninstall-bloatware-apps-from-android-via-adb-commands/
We will have to do the same even with the Play Store. Once we have removed the Google applications we can download our apps, even paid ones, through the Aurora Store (by signing in with our Google account), which is available on F-Droid, another store that carries only open source apps.
Whenever possible we will pick our usual apps from there. Download the Aurora Store from:
https://f-droid.org/en/packages/com.aurora.store/
However, the ideal is to start from a ROM that is already free of these programs, and the most popular one, with the most supported devices, is undoubtedly LineageOS.
The problem is that this ROM is not designed with privacy as a goal, and by default it keeps certain automatic connections to Google and Qualcomm. The moment we enable wifi or mobile data we will see the following:
-Ping to Google to check whether we have an internet connection. This is the so-called captive portal mode. The domains are:
www.google.com
connectivitycheck.gstatic.com
play.googleapis.com
If we block them we will not be able to log into a public wifi. Besides, if play.googleapis.com is blocked, Aurora Store will give an error when downloading apps. Unblock it for a while if you need it.
-Time servers (NTP) for the system time. Even if we uncheck automatic time in the system they will still connect to the internet as soon as we have a connection. By default:
time.android.com/time3.android.com
time.google.com
-GPS assistance servers. By default, Izatcloud. Even if GPS is disabled, the phone will automatically connect to the internet to download the almanacs.
xtra1.gpsonextra.net
xtra2.gpsonextra.net
xtra3.gpsonextra.net
izatcloud.net
time.izatcloud.net
supl.google.com
-Connection to stats.lineageos.org for statistics. Only the first time we connect to the internet.
Our main goal is that there are no background or automatic connections of any kind whenever we connect to the internet, whether to Google or anywhere else.
I do not consider microG a good option because it makes many automatic connections to Google, and not only from the system itself: 90% of the apps we download from Aurora/Play Store will carry trackers from the big G. Hence the need to always use F-Droid applications. I say this because many people think it is a good alternative, and unfortunately it is not, unless we use apps that do not require an internet connection.
The exception to all this would supposedly be Replicant, which makes no automatic connections at startup, but supports few devices. Another option is GrapheneOS, which allows changing the server used for captive portal mode and also for NTP, leaving only the Izatcloud one (although the author plans to change it).
But back to LineageOS, which supports a huge number of devices: this guide is aimed at it and is compatible with Android 7-11.
To prevent the device from making unwanted connections while we prepare the system it is highly recommended (though not essential) to have a computer sharing wifi with Pi-hole, a router with domain blocking built into its options or running OpenWrt (with adblock), or a phone with AdAway sharing its data connection. Whichever is used must have these domains blocked:
time.android.com
time1.android.com
time2.android.com
time3.android.com
time4.android.com
time.google.com
time1.google.com
time2.google.com
time3.google.com
time4.google.com
connectivitycheck.gstatic.com
xtra1.gpsonextra.net
xtra2.gpsonextra.net
xtra3.gpsonextra.net
izatcloud.net
gpsonextra.net
time.izatcloud.net
xtrapath1.izatcloud.net
xtrapath2.izatcloud.net
xtrapath3.izatcloud.net
gtpma1.izatcloud.net
play.googleapis.com
supl.google.com
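As an added example (not part of the original guide), the script below turns the domain list above into a hosts-format block list, which is the format AdAway, NetGuard's "Download hosts file" option and Pi-hole all accept, and lets you check a hostname against it before you point the firewall at the file. The domains are embedded exactly as listed above so the script runs offline; the file name blocklist.sh is an assumption.

```shell
#!/bin/sh
# Added example (not part of the guide): build a hosts-format block list from
# the Google/Qualcomm domains the guide names, and check hostnames against it.
# Runs offline: the domains below are the guide's own list, embedded inline.

BLOCKED_DOMAINS="
time.android.com
time1.android.com
time2.android.com
time3.android.com
time4.android.com
time.google.com
time1.google.com
time2.google.com
time3.google.com
time4.google.com
connectivitycheck.gstatic.com
xtra1.gpsonextra.net
xtra2.gpsonextra.net
xtra3.gpsonextra.net
izatcloud.net
gpsonextra.net
time.izatcloud.net
xtrapath1.izatcloud.net
xtrapath2.izatcloud.net
xtrapath3.izatcloud.net
gtpma1.izatcloud.net
play.googleapis.com
supl.google.com
"

# Print the list as hosts entries. 0.0.0.0 is used instead of 127.0.0.1 so a
# blocked lookup fails straight away instead of hitting a local listener
# (the guide sets the same address as AdAway's IPv4 redirection target).
make_hosts() {
    printf '# Google/Qualcomm background connections from the guide\n'
    for d in $BLOCKED_DOMAINS; do
        printf '0.0.0.0 %s\n' "$d"
    done
}

# Number of block entries the generated file contains.
hosts_entry_count() {
    make_hosts | grep -c '^0\.0\.0\.0 '
}

# Echo "blocked" if a hostname is covered (exact match, or a subdomain of a
# listed zone such as izatcloud.net), otherwise "allowed". Note that a plain
# hosts file only matches exact names, so this zone match is stricter than
# what the hosts file itself enforces: if a firewall log shows a new
# subdomain, add it to the list explicitly.
check_domain() {
    for d in $BLOCKED_DOMAINS; do
        case "$1" in
            "$d"|*."$d") echo blocked; return 0 ;;
        esac
    done
    echo allowed
}

# Usage: sh blocklist.sh --write > hosts
# Then import the file, or host it on GitLab and give AdAway/NetGuard its raw URL.
if [ "${1:-}" = "--write" ]; then
    make_hosts
fi
```

The generated file deliberately contains only the entries from the guide's list; www.google.com and stats.lineageos.org, mentioned elsewhere on this page, are left out because the guide itself treats them differently (captcha sites break without the former).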
To alleviate Google's spying we will follow the steps below, stressing that we must not connect to the internet until it is specifically indicated. Likewise we will remove the SIM so that it does not use data during the configuration process.
Remember also that most apps do not need internet. We can remove it manually in Settings/Applications by unchecking wifi, mobile data and background data. If the use is going to be sporadic we will allow it momentarily and then remove it again.
I will divide the guide into two sections, without and with root. The latter will be somewhat more comprehensive and restrictive, but neither will have connections to Google or Qualcomm.
-WITHOUT ROOT
1.- Before installing/rooting/flashing we export our contacts in .vcf format; we will recover them later by importing the file from the Contacts application. If you want to synchronize later you can use, for example, DAVdroid with Nextcloud/ownCloud. This file and our photos/videos we move to the PC and back with the good old USB cable. In the same way we download the APKs of F-Droid, and of the NetGuard firewall, from the website of the aforementioned F-Droid store. We can place them on the microSD card or on a USB OTG stick.
2.- Then we flash a LineageOS ROM, without gapps and without microG (because it generates too many connections to Google).
3.- Skip the setup wizard and make sure NOT to set up/use a data or wifi connection. Otherwise every time we reinstall there will be a massive sending of data to Google/Qualcomm servers. In its options we will uncheck Automatic Date/Time.
4.- The next step is to disable captive portal mode. All Android phones send a ping to www.google.com to verify that the internet is working. We will do it through adb, whose minimal drivers for Windows can be downloaded here:
Or with the adb and fastboot packages on Linux distros.
The commands are as follows:
adb shell
settings put global captive_portal_detection 0
settings put global captive_portal_mode 0
reboot
If we want to replace it with another one because we need it to log in to public networks, it would be like this:
adb shell
settings put global captive_portal_https_url https://captiveportal.kuketz.de
(German website)
or
settings put global captive_portal_https_url https://e.foundation/net_204/
(website of the creators of /e/, a de-Googled ROM)
reboot
5.- If we have Android Pie we change the Private DNS (in Settings/Network & internet/Advanced) from Automatic to Off and save. In its previous state it generated data consumption. We will also remove internet access from the system app Phone. Likewise, we open it as if we were going to make a call, tap the 3 dots at the top, next to Search contacts, then Settings and finally Search phone number. Uncheck all the options that appear enabled. Before doing this you can change Google to OpenStreetMap.
6.- If we have a Nexus or a Pixel, try to disable these Google apps:
X Google enrollment (com.android.hotwordenrollment.xgoogle)
T Google enrollment (com.android.hotwordenrollment.tgoogle)
OK Google enrollment (com.android.hotwordenrollment.okgoogle)
Tycho/Project Fi (com.google.android.apps.tycho)
Google Connectivity Services (com.google.android.apps.gcs)
Carrier Services (com.google.android.ims)
7.- We install the NetGuard firewall. We will give access only to the apps we are interested in, even if only momentarily, so that they do not stay in the background sending data. Do not forget to allow the system application Updater. It is important to uncheck update checking by tapping the 3 dots, Settings/Options/Check for updates. Likewise, tapping the 3 dots, Settings/Advanced options, we will change the default server www.google.com by editing the content of "Validate at" to another one we can make up, such as wmm.ehfeyfefyuefyh.com. Now we are going to add some lists to block Google's NTP servers (time.google.com and time.android.com) and Qualcomm's (Izat, izatcloud.net), since despite blocking them in the firewall, disabling automatic date/time and using only the integrated GPS, they will connect as soon as they get a connection.
To do this we go to the 3 dots as usual, Settings/Advanced options and check Filter traffic. Make sure that "Block domain names" is also enabled. Next we go to Settings/Backup and manually replace the URL that appears with another one in order to block these domains, specifically the hosts file I have created for this purpose (we can also create our own with a GitLab account): And finally we can connect to the internet and tap Download hosts file.
The only "but" of this non-root configuration is Multicast Listener Discovery, which will make some local connections.
However, given that NetGuard only supports one list and Android cannot run more than one VPN at a time (the slot is already used by NetGuard), if we need 2 or more hosts lists we would have to replace the firewall with AdAway in non-root mode (see the root section, step 7b) or personalDNSfilter.
8.- Once this step is done we can leave automatic date and time enabled, since most SIMs update these values only with coverage and without internet (NITZ). Check, however, that it works with your carrier. If it doesn't, we can change the Google NTP server (time.android.com) for a different one via adb, like this:
adb shell settings put global ntp_server addserverhere (https://www.ntppool.org/en/)
It may be necessary to give permission in the firewall to these time servers (NTP). On the other hand, if you don't need this, I strongly recommend changing it anyway in order to get rid of Google's servers. This way:
adb shell settings put global ntp_server about.blank
9.- Next we install the F-Droid store. This will be our only store. We are going to avoid Aurora Store because it generates too many connections to Google, but you can install/uninstall it later if you need some app. However, if you need Aurora keep in mind that one of the most popular trackers is a must for downloading (clients3.google.com), so I recommend removing the Antigoogle list if you want some app, then putting it back, and that's it.
10.- a) Tor Browser. For general searching for information. It is fundamental not to enter personal data or log in to websites, banks, etc. It is also essential not to touch its options and to leave it as default, or our fingerprint will be unique; that is, we will use it without add-ons, without configuring anything and at the half/quarter screen size it opens with when we run it.
b) Iceraven browser (Fennec does not support all add-ons yet). Search engines: Qwant, SearX, Metager, Swisscows, runnaroo, etc.
https://github.com/fork-maintainers/iceraven-browser/releases
To add them to the browser go to Settings/Search and add the search engine manually (Add search engine). For example, for Qwant it would be: https://www.qwant.com/?q=%s
The reason I have chosen this Firefox fork is its full about:config, unparalleled in Chromium derivatives. I'm waiting for Fenix and Fennec to be able to add all the add-ons. Besides, the first one is loaded with trackers and only the Nightly version supports about:config. We can however use the second one, but not all add-ons will be supported.
Unfortunately Iceraven makes some automatic connections. There are 3 ways to stop them.
-In a "soft" way, following the privacytools.io recommendations.
-With a user.js, which will only allow automatic add-on updates and little else. This way the configuration is automatic and deeper, without having to change the values one by one as in the previous case. We can add it to our browser as follows, from TWRP recovery (assuming TWRP is in English):
-Click on Advanced
-File Manager
-Look for the path of the user.js that we have downloaded and put inside the phone (for example on the memory card, /sdcard/...)
-Click on the file and click on Copy File.
-Go back and look for the Iceraven path, specifically data/data/io.github.forkmaintainers.iceraven/files/mozilla/[xxxxxxx].default. If we use Fennec it would be /data/data/org.mozilla.fennec_fdroid/files/mozilla/[xxxxxxx].default
-Once inside this path we click on the blue icon that will have appeared at the bottom right and that symbolizes Paste
-It will ask for confirmation. We drag the finger to the right (Swipe to confirm)
-Still inside the browser's profile folder, look for the prefs.js file.
-Select it by clicking on it and click on Delete.
-When we have finished we tap back several times until we can select Reboot (restart).
-Done.
We reboot and we can use the browser.
Link to the user.js file:
https://git.nixnet.xyz/Narsil/mobile_user.js
I recommend the first one. The "less connections" one is meant to make as few connections as possible, and that implies that the add-ons are not updated either... *Important: do this before installing the add-ons or they can break.
-And for the most scrupulous about automatic connections, killing every connection by means of another hosts list:
https://gitlab.com/Jorgu81/hosts/raw/master/Mozilla/Mozilla
To update the extensions it will be necessary to uninstall the old version and reinstall the new one. To check for updates we can do this task once a month or so. We can also compare with the versions of Firefox for PC.
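As an added example (not part of the guide), the same user.js installation can be done from a PC with adb while the phone sits in TWRP, where adb shell already runs as root, instead of tapping through the recovery's file manager. It assumes adb is on the PATH, the phone is booted into recovery with /data mounted, and the user.js has already been downloaded locally; the default file name mobile_user.js and the script name are assumptions, the package names and profile path are the ones given above.

```shell
#!/bin/sh
# Added example (not part of the guide): push user.js into the browser profile
# and delete prefs.js over adb from TWRP, mirroring the file-manager steps.
# Assumed: adb on the PATH, phone in recovery with /data mounted.

PKG="${PKG:-io.github.forkmaintainers.iceraven}"   # Fennec: org.mozilla.fennec_fdroid
USERJS="${USERJS:-mobile_user.js}"                   # local copy of the downloaded file

# Mozilla profile parent directory for a package, as the guide gives it.
profile_base() { echo "/data/data/$1/files/mozilla"; }

# Select the *.default profile name from a directory listing (one entry per
# line, as `ls -1` prints it). Echoes nothing when no profile exists yet.
pick_profile() {
    printf '%s\n' "$1" | while IFS= read -r entry; do
        case "$entry" in
            *.default) echo "$entry"; break ;;
        esac
    done
}

# Copy user.js into the profile and remove prefs.js, as the TWRP steps do,
# then list the folder so the new file's owner can be compared with its siblings.
install_userjs() {
    base=$(profile_base "$PKG")
    prof=$(pick_profile "$(adb shell ls -1 "$base" | tr -d '\r')")
    if [ -z "$prof" ]; then
        echo "no *.default profile under $base (run the browser once first)" >&2
        return 1
    fi
    adb push "$USERJS" "$base/$prof/user.js"
    adb shell rm -f "$base/$prof/prefs.js"
    adb shell ls -ln "$base/$prof"
}

# Usage: sh install_userjs.sh --install   (then reboot from TWRP)
if [ "${1:-}" = "--install" ]; then install_userjs; fi
```

The final ls -ln is there as a check: a file pushed from recovery is created by root, so compare its owner with the other files in the profile and, if the browser cannot read user.js after rebooting, chown it to the uid the siblings show before trying again.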
https://addons.mozilla.org/firefox/
Regarding add-ons, I recommend the following to minimize our fingerprint:
-uBlock Origin
-LocalCDN (or Decentraleyes in Fennec)
-Cookie AutoDelete
-Chameleon
-(Optional, on AMOLED screens) Dark Reader or Dark Background and Light Text
uBlock Origin. If we want to avoid Google's web tracking we must block their domains with this add-on.
In the filter lists I recommend checking all those that appear, especially those in the Privacy section. Two other highly recommended ones to add are: https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/nocoin.txt https://www.i-dont-care-about-cookies.eu/abp/ (to remove the annoying "accept cookies" notice that appears on every website). This is done by going to Filter lists, at the bottom under Custom, checking the Import box, pasting the address and tapping Apply changes.
In order not to lose its configuration after uninstalling/reinstalling we do the following: basically a backup of our uBlock Origin configuration (Backup to file). Then uninstall uBlock. We go to the Mozilla add-ons page and reinstall it. We open uBlock and tap Restore from the file we saved.
LocalCDN (also open source, naturally). As we cannot block www.gstatic.com or www.google.com because that breaks the websites that require captchas, to minimize the tracking by the former we install this extension (it also serves local copies of the CDN libraries that websites load, instead of fetching them from the CDN). Inside its options (the little wheel at the bottom) we go to Advanced and look for the last entry, "Generate the set of rules for your ad blocker". There we choose uBlock and paste those rules into uBlock Origin, in the My rules section.
Cookie AutoDelete. Every time we close a tab, the browser will delete the cookies of that site. It is highly recommended to set AutoClean enabled (with 1 second) and notifications disabled. It is possible that we get logged out of the forum after a while, in which case we must add it to the whitelist (m.forocoches.com).
Chameleon. Chameleon is a very complete tool loaded with options to reduce our digital footprint. What interests us most is the ability to generate a different fingerprint every X minutes, otherwise we would always have the same one. We will leave the real profile. In the Options section, Injection, only the screen size should be checked, choosing 1920x1080. The other options should already be covered by the changes of the user.js, so we will not touch anything else. If some website gives an error, we go to the Whitelist section, tap Open in whitelist and add that page.
With this we have finished the antifingerprinting configuration of Iceraven/Fennec.
-WITH ROOT
For this purpose we will install/flash Magisk. In its settings we will check Systemless hosts and reboot.
1, 2 and 3.- Same as without root, but instead of downloading NetGuard we download the AFWall+ APK and add AdAway.
4.- It can be done in the same way or through the Android terminal.
In Developer options we will enable the local terminal/shell. Once done we look for the new app in the application drawer, open it and, to get root access, type:
su
Then we put:
settings put global captive_portal_mode 0
And finally: reboot (also in the terminal, because if we reboot manually it will be enabled again)
However captive portal mode is necessary to log in to public networks. If you need it, perform the previous steps changing the 0 for 1. Another option is to replace the Google website with others like:
settings put global captive_portal_https_url https://captiveportal.kuketz.de
(German website)
settings put global captive_portal_https_url https://e.foundation/net_204/
(website of the creators of /e/, a de-Googled ROM)
5 and 6.- Idem.
7.- a) In this case we will install the AFWall+ firewall.
We will give access only to the apps we are interested in, even if only momentarily, removing it later if we do not want them to keep sucking data in the background. Let's not forget to allow the system application Updater. However, there is a "bug" in Android that produces another unavoidable data leak for any firewall: at system startup the firewall is not yet running because it loads later, and the OS takes advantage of that to bypass the rules. In its experimental options there is one that controls this behaviour. For that option, which by default will be greyed out, to become selectable, we must first pick in the option immediately above, "Startup directory path for script", the first one that appears, /sbin/.core/img/.core/service.d. If this path does not appear we choose whichever one it offers. On the other hand, in its preferences, Rules/Connectivity, we will enable IPv6 support in order to block the data consumption due to Multicast Listener Discovery.
b) We will install AdAway. Now we can connect via wifi to add the lists below and update it. After this it is important to reboot manually. This way the data sent will be less in case we do not have a Pi-hole or similar. In Android 10 it will probably be necessary to check Enable systemless mode (if it is not checked) so that it does not give an error when applying the hosts. Likewise we will check Enable IPv6. We will block Google's servers (time.google.com and time.android.com) and Qualcomm's (Izat, izatcloud.net) because despite blocking them in the firewall, disabling automatic date/time and using only the integrated GPS, they will connect as soon as they get a connection. When starting the app we will choose root mode and in its preferences we will look for "IPv4 redirection" and set 0.0.0.0 instead of 127.0.0.1, although the latter is not essential.
To simplify, we add the hosts file I have created for this purpose (and we can create our own with a GitLab account)
Logically we will select Block and choose URL in Type.
We leave "Apply redirected hosts" blank, without choosing it.
Unfortunately AdAway treats certain Android connections as necessary and will not block them even if we put them in a hosts list. It must therefore have a kind of whitelist (in addition to the one in the program itself). Because of this, it will not block "time.android.com" even if this domain is included in the previous lists, as I said before. To block it, we go to Blacklist, add time.android.com and tap Apply (internet connection required). That's it. It will no longer connect to that site.
If we use Fennec, "dynamicua.cdn.mozilla.net" may also appear, and it would be advisable to add it in the same way.
8.- Idem. Or we can use the terminal again like this:
su
settings put global ntp_server europe.pool.ntp.org (or whatever we want)
reboot
It may be necessary to give permission in the firewall to the above mentioned time servers (NTP). On the other hand, if you don't need this, I strongly recommend changing it anyway in order to get rid of Google's servers. This way:
settings put global ntp_server about.blank
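As an added example (not part of the guide), the script below audits, and can apply, the global settings that step 4 and step 8 change, in both variants: run from a PC it goes through adb shell (the non-root section), and run on the phone in the terminal app after su it calls settings directly (the root section). It assumes only that the settings command exists on the device, which the guide's own commands already rely on; the script name and the RUN variable are assumptions. One caveat it makes visible: a setting that reads null is not "off", it means Android is using its built-in default, which for the captive portal URLs and the NTP server is a Google host.

```shell
#!/bin/sh
# Added example (not part of the guide): audit and optionally apply the global
# settings the guide's steps 4 and 8 change.
# RUN is the prefix used to reach the device's `settings` command:
#   RUN="adb shell"  from a PC (default, non-root section)
#   RUN=""           on the phone itself, in the terminal app after su
# Assumed: the `settings` command exists on the device.
RUN="${RUN-adb shell}"

# Keys the guide touches.
SETTING_KEYS="captive_portal_mode captive_portal_detection \
captive_portal_https_url captive_portal_http_url ntp_server"

get_global() { $RUN settings get global "$1"; }
put_global() { $RUN settings put global "$1" "$2"; }

# Classify one key/value pair:
#  - the two flag keys: "off" when 0, otherwise "on/default"
#  - the URL and NTP keys: "LEAK" when unset (null = Android's built-in Google
#    default) or when the value names a Google host, otherwise "ok"
check_setting() {
    key=$1; value=$2
    case "$key" in
        captive_portal_mode|captive_portal_detection)
            if [ "$value" = 0 ]; then echo off; else echo on/default; fi ;;
        *)
            case "$value" in
                ""|null) echo LEAK ;;
                *google*|*gstatic*|*android.com*) echo LEAK ;;
                *) echo ok ;;
            esac ;;
    esac
}

# One report line per key: name, verdict, raw value.
audit_settings() {
    for key in $SETTING_KEYS; do
        value=$(get_global "$key")
        printf '%-26s %-10s %s\n' "$key" "$(check_setting "$key" "$value")" "$value"
    done
}

# Number of URL/NTP keys that still point at Google.
count_leaks() {
    leaks=0
    for key in $SETTING_KEYS; do
        if [ "$(check_setting "$key" "$(get_global "$key")")" = LEAK ]; then
            leaks=$((leaks + 1))
        fi
    done
    echo "$leaks"
}

# Apply the guide's "no Google at all" choice: captive portal off and the NTP
# server pointed at a non-Google pool. Reboot afterwards, as the guide says.
harden_settings() {
    put_global captive_portal_mode 0
    put_global captive_portal_detection 0
    put_global ntp_server "${1:-europe.pool.ntp.org}"
}

# Usage from a PC:    sh audit_settings.sh --audit
# Usage on the phone: su -c 'RUN= sh /sdcard/audit_settings.sh --audit'
if [ "${1:-}" = "--audit" ]; then audit_settings; echo "leaking keys: $(count_leaks)"; fi
if [ "${1:-}" = "--harden" ]; then harden_settings "${2:-}"; fi
```

Running the audit again after the reboot is the useful part: if captive_portal_mode shows on/default and the URL keys show LEAK, the phone is still validating connectivity against Google regardless of what the firewall blocks, which is exactly the situation the steps above are meant to remove.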
9 and 10.- Idem.
11.- App Manager (or even MyAndroidTools) and AppWarden. With the first ones we are going to freeze system apps and even suppress the tracking permissions of apps, specifically those related to Google. These are boot (autostart), analytics, tracking, firebase and in general those that refer to Google. If the apps contain any of them, we will remove them. I recommend doing it in Services and/or Receivers, since in the other component types it could cause erratic behaviour of the app.
When we open App Manager it will ask us for root and access to usage data, which we grant. Tapping on an application we tap Disable to freeze it and Force Stop to kill it.
In the same way, and for security reasons on old SIMs, we will disable the system application "SIM Services". As before, Disable and Force Stop.
If we are only interested in the trackers we can skip the above and look at AppWarden (root required). Download from XDA (it is in the process of being admitted into F-Droid). When we run it, it will ask for superuser permissions (Magisk) and usage access, as above. We allow both. Once running we tap Scan now. When it finishes, View Report, and we will see a circle with the trackers and loggers (by default showing the trackers, but below the circle we can see the loggers by tapping on it). Tapping the coloured sections, which mark each tracker or logger, will show us the apps that contain it. We tap on these apps, then Trackers and/or Loggers, and when the scan finishes Components will appear at the bottom. Pressing it lets us uncheck the trackers and loggers. We repeat these steps until we finish deactivating all the ones it lets us. Of those that may appear I recommend disabling Mozilla Telemetry in Fennec/Fenix/Firefox/IceCat/Tor. ACRA on the other hand is used for crash statistics in apps like AdAway, F-Droid or NewPipe, so it is up to us whether to disable it or not. Others like slf4j-timber, present in many of the previous apps, still cannot be unchecked.
This program can also scan and disable everything it finds at once if we tap at the top left, then Lab and Nuke It! It may ask for permissions such as access to phone files, which we grant, although this feature is still experimental.
However, by removing certain trackers/loggers we could make the applications more unstable and it is possible that they close from time to time. Although for me, personally, it makes up for it.
With this we have finished the initial configuration to avoid, as far as possible, spying on our system.
Common problems
-GPS takes time to get a fix. Logical, considering it only uses the integrated receiver. Normally it takes 1-2 minutes, then it works fine. To speed up the connection with the satellites I recommend the SatStat program (from F-Droid, of course) and once it has a fix we can return to the program that needs GPS, which after the previous step will be instantaneous.
-At startup/restart automatic date and time will be disabled. It would be desirable, although tedious, to change the values manually.
-Apps take time to establish a connection, sometimes a minute or more (or some apps don't at all). The culprit is AdAway and its hosts lists, one of its disadvantages, if not the most important. If the time is excessive you can momentarily disable its lists, leaving the default "hosts" file.
-Aurora Store does not work. connectivitycheck.android.com and play.googleapis.com are common in tracker lists, especially the second one, which is an automatic connection of captive portal mode. It's also required for downloading apps with Aurora.
-Signal does not work either. With a no-gapps ROM this program needs reCAPTCHA to verify you're human. Disable the Google hosts list again.