From b9c6ad0781f7ec38f3621403bc6bccc5ff959ee5 Mon Sep 17 00:00:00 2001 From: Jorgu81 Date: Sat, 1 May 2021 12:47:42 +0000 Subject: [PATCH] Update README.md --- Google/README.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/Google/README.md b/Google/README.md index 4a94d7c..5a4da73 100644 --- a/Google/README.md +++ b/Google/README.md @@ -120,16 +120,20 @@ I will divide the guide into two sections, without and with root. The latter wil 1.- Before installing/rooting/flashing we export our contacts in .vcf format and we will recover them later by importing the file from the Contacts application. If you want to synchronize later you can use, for example, DAVdroid in Nextcloud/Ownclowd. This file and our photos/videos we take them to the PC and vice versa, that is to say with the cable of all life. In the same way we download the apks of F-Droid, and the NetGuard firewall from the web of the aforementioned F-Droid store. We can place them on the microsd memory or on a USB OTG stick. + Then we flash a LineageOs ROM, without gapps and without MicroG (because it generates too many connections with Google). + 3.- Skip the wizard of the wizard and make sure NOT to establish/use data or wifi connection. Otherwise every time we install again there will be a massive sending of data to Google/Qualcomm servers. In its options we will uncheck Automatic Date/Time. + The next step is to disable the captive portal mode. All Android phones send a ping to www.google.com to verify that the internet is working. We will do it through adb, whose minimum drivers for Windows can be downloaded here: https://adb.clockworkmod.com/ + Or with the adb and fastboot packages on Linux distros. The commands are as follows: 
@@ -151,28 +155,34 @@ adb shell settings put global captive_portal_https_url https://e.foundation/net_ reboot + 5.- If we have Android Pie we change the private DNS (In Settings/Networks and internet/Advanced) from automatic to No and save. In its previous state generated data consumption. On the other hand, we will remove the internet access to the system app Phone. In the same way we will enter it as if we were going to call and we will click on the 3 dots at the top, next to Search contacts, then Settings and finally Search phone number. Uncheck all the options that appear enabled. Before executing this action you can change Google for Openstreetmaps. + Disable "Intent Filter Verification" a system application that makes connections with Google (play.googleapis.com) and Amazon to supposedly "secure" them. We force it to stop and disable it without consequence. To make it appear in the list of applications, click on the 3 dots, Show System. + 7.- We install the firewall NetGuard. We will give access only to the apps that we are interested in even if it is in a momentary way so that it does not remain in the background sending data. Do not forget to allow the system application Updater. It is important to uncheck for updates by clicking on the 3 dots, Settings/Options/Check for updates. In the same way clicking in the 3 dots, Settings/Advanced options we will change the predetermined server www.google.com editing the content of "Validate in" for another one that we can make up, type wmm.ehfeyfefyuefyh.com. Now we are going to add some lists to block the NTP servers of Google (time.google.com and time.android.com) and those of Qualcomm (Izat, izatcloud.net) since in spite of blocking them in the firewall, disabling automatic date/time and using only the integrated GPS they will connect as soon as they get connection. + To do this we will go to the 3 dots as usual, Settings/Advanced Options and check Filter traffic. 
Make sure that "Block domain names" is also activated. Subsequently we will go to Settings/Security Copy and we will change manually writing the URL that appears for another one with the purpose of blocking these domains. Specifically the host that I have created for this purpose (and we can create our own having an account in GitLab): -HostsGoogle And finally we can connect to the internet, by clicking on Download hosts file. + The only "but" of this non-root configuration is the Multicast Listener Discovery that will make some local connections. + However, and given that Netguard only supports one list and in Android we cannot have more than one virtual VPN (already used by Netguard), if we need 2 or more hosts lists we would have to replace the firewall with Adaway in non-root mode (see Section root, section 7b) or personalDNSfilter. + 8.- Once this step is done we can leave automatic date and time marked, since most of the sims update these values only with coverage and without internet (NITZ). Check, however, that it works with your company. If it doesn't, we can change the Google NTP server (time.android.com) for a different one via adb, like this: adb shell settings put global ntp_server addserverhere (https://www.ntppool.org/en/) It may be necessary to give permission in the firewall to these time servers (NTP). @@ -274,10 +284,13 @@ With this we have finished the antifingerprinting configuration of Iceraven/Fenn -WITH ROOT For this purpose we will install/flash Magisk. In settings we will check Systemless hosts and reboot. + 1, 2 and 3.- Same as without root, but instead of downloading NetGuard we will change it for AfWall+ apks and add AdAway. + 4.- It can be done in the same way or through the Android console. + In Development Options we will enable the local Terminal/Shell. Once done we look for the new app in the application drawer, we open it and to have root access we type: su 
@@ -292,8 +305,10 @@ However the captive portal mode is necessary to log in to public networks. If yo settings put global captive_portal_https_url https://captiveportal.kuketz.de (German web) settings put global captive_portal_https_url https://e.foundation/net_204/ (web of the creators of /e/ a de-Googleized ROM) + 5 and 6.- Idem. + 7.- a) In this case we will now install the Afwall+ firewall. @@ -302,6 +317,7 @@ However there is a "bug" in Android that produces another inevitable data leak f In your experimental options there is one that controls this behavior. "To let us check the option, which by default will be grayed out, we must point out in the option immediately above "Startup directory path for script", the first one that appears /sbin/.core/img/.core/service.d. If this path does not appear we will choose instead the one that leaves us. On the other hand in its preferences, Rules/connectivity we will mark the compatibility with IPv6 to block the consumption of data due to the Multicast Listener Discovery. + b) We will install AdAway. Now we can connect via wifi to put the lists below and update it. After this it is important to reboot manually. In this way the sending of data will be less in case we do not have a PiHole or similar. In Android 10 it will probably be necessary to check Enable systemless mode (if it is not checked) so that it does not give us an error when applying the hosts. In the same way we will check Enable ipv6. We will block Google servers (time.google.com and time.android.com) and Qualcomm servers (Izat, izatcloud.net) because despite blocking them in the firewall, disabling automatic date/time and using only the integrated GPS will connect as soon as they get connection. 
@@ -319,6 +335,7 @@ To do so, we will enter Blacklist, add time.android.com and click on Apply (inte That's it. It will no longer connect to that site. If we use Fennec it could also appear "dynamicua.cdn.mozilla.net" and it would be advisable to add it in the same way. + 8.- Idem. Or we can use the Terminal again like this. su @@ -329,6 +346,7 @@ reboot It may be necessary to give permission in the firewall to the above mentioned time servers (NTP). + 9 and 10.- Idem. 11.- App Manager (or even MyAndroidTools) and AppWarden. @@ -353,14 +371,18 @@ However by removing certain trackers/loggers we could make the applications more With this we have finished the initial configuration to avoid, as far as possible, spying on our system. + + ## Common bugs -Gps takes time to connect. Something logical considering that it only uses the integrated device. Normally it usually takes 1-2 minutes, then it works fine. To speed up the connection with the satellites I recommend the SatStat program (from F-Droid, of course) and once it has triangulated we can return to the program with which we need the use of GPS that after the previous step will be instantaneous. + -At startup/restart the automatic date and time will be disabled. It would be desirable, although messy, to change the values manually. + -The apps take time to establish connection, sometimes a minute or more (or even some apps don't do it at all). The culprit is AdAway and its host lists. One of its disadvantages, if not the most important. If the time is excessive you can momentarily disable their lists by leaving the default "host" file.
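Review bot: in the hunk at @@ -120,16 +120,20 the paragraphs beginning "Then we flash a LineageOs ROM" and "The next step is to disable the captive portal mode" still carry no step number after the new blank lines, while their neighbours are labelled "1.-" and "3.-". Label them "2.-" and "4.-" in this change, since the root section later refers back to them by number ("1, 2 and 3.- Same as without root", "4.- It can be done in the same way"). In the same context lines, "Ownclowd" and "Skip the wizard of the wizard" look like typos worth fixing while the spacing is being reworked.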
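Review bot: in the hunk at @@ -151,28 +155,34 the step 8 command is left inline in the sentence as "adb shell settings put global ntp_server addserverhere (https://www.ntppool.org/en/)", so a reader who copies the line passes the placeholder and the parenthesised URL to the shell. Put the command on its own line in code formatting, mark "addserverhere" as a value to replace, and move the NTP pool link into the surrounding sentence. Two smaller points in the same hunk: the paragraph starting "Disable "Intent Filter Verification"" has no "6.-" label although it sits between "5.-" and "7.-", and the made-up "Validate in" host wmm.ehfeyfefyuefyh.com is under .com, so a third party can register it at any time; if the intent is a name that never resolves, a name under the reserved .invalid TLD states that explicitly.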
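Review bot: in the hunk at @@ -274,10 +284,13 the section title is written as "-WITH ROOT", a plain line with a leading dash, while the file uses a Markdown heading for "## Common bugs" further down. Turn it into a heading at the appropriate level so the blank lines added around it actually produce a section break in the rendered README. The firewall name is also spelled "AfWall+" here and "Afwall+" in the hunk at @@ -292,8 +305,10; pick one spelling.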
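Review bot: in the hunk at @@ -292,8 +305,10 the two "settings put global captive_portal_https_url ..." lines write the same key, so run in sequence the second silently overrides the first, and nothing in the visible text says they are alternatives. State "choose one of" before them. The trailing annotations "(German web)" and "(web of the creators of /e/ a de-Googleized ROM)" are on the command lines themselves and will be passed to the shell if copied; move them to the sentence above or to a separate line per command.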
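Review bot: in the hunk at @@ -302,6 +317,7 the sentence starting "To let us check the option" opens with a quotation mark that is never closed, which makes it hard to tell where the option name "Startup directory path for script" begins and ends. Drop the stray quote and put the option name and the path /sbin/.core/img/.core/service.d in code formatting. In the "b)" paragraph after the new blank line, "using only the integrated GPS will connect as soon as they get connection" has lost its subject; the no-root section has the same sentence with "they will connect".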
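Review bot: in the hunk at @@ -353,14 +371,18 the blank lines added between "-Gps takes time to connect", "-At startup/restart" and "-The apps take time" do not turn these into a list, because the dash is not followed by a space; each one renders as a separate paragraph starting with a literal hyphen. Write them as "- Gps ...", "- At startup ..." and "- The apps ..." so they render as list items under "## Common bugs". The two consecutive blank lines added before the heading collapse to one in Markdown, so one of them can be dropped.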