Hardening Android - Basic


Android has some in-built telemetry that can't be disabled. Here, we try to disable them as much as we could. And that telemetry is independent of the other telemetry some ROMs implement (that one you can opt out).

Warning : Requires a custom ROM (Pie works best here) - preferably with microG support, TWRP / TWRP-based recovery, unlocked bootloader, and a sense of responsibility. I'm not responsible for any trouble that occurs while following this guide. Also, this guide assumes that you have installed TWRP on your PDA, so warranty is probably / definitely void.

Also, for microG users, SafetyNet fails.

  1. Read some reference
  2. Here's some:

  3. Preps
  4. Get:

    For those who don't use LineageOS microG, here's what to get (can also be obtained in microG F-Droid repo / its own site):

    However, for those who'd rather flash zips in TWRP, there's Nanodroid.

  5. Installing / Flashing the custom ROM
  6. Refer to my list or XDA's list for which ROM has signature spoofing / microG support. If your ROM lacks signature support, backup your files, and flash one of the ROMs in the list. Adding spoofing support to ROMs that don't support it may pose additional risks, but can be done with tingle / haystack if your ROM is NOT ODEXED. Also, Xposed users can use this. From here on out, do NOT connect to any forms of internet whether it's Wi-Fi, or 3/4/5G.

    For additional references, here's my guide.

    06/02/2020 additional note: Android 10 ROMs may have issues in mounting /vendor in recovery. Also, A-only partitioned devices running Q will be system-as-root.

  7. Encryption
  8. Charge your PDA to at least 80%, and keep it plugged in. Then, in system, head to Settings > Security & location > Encryption & credentials. Select Encrypt Phone, and follow the instructions. It's important to do this before flashing Magisk, as MagiskSU may face issues if encryption is done AFTER Magisk is installed. Can be skipped if:

    If you're stuck in the "encrypting device" screen with no clear countdown, as long as you can reboot to recovery, do so. Then, format data, reboot recovery once more - and clean flash your ROM again.

  9. MagiskSU
  10. After verifying that the ROM boots and/or encrypted it, reboot to TWRP recovery. Browse to the storage path you put your Magisk zip in, and flash it. Wipe dalvik & cache, and reboot to system. Optionally, a custom kernel can be flashed immediately after Magisk, or in another TWRP reboot.

    In addition, NanoDroid modules can be flashed before Magisk.

  11. Disable / Edit Captive Portal Login
  12. If you're sure that you can live without logging in to Wi-Fi (Android 7 can skip pm disable & captive portal detection):

    However, if you can only use login-based Wi-Fi, you may set it to connect elsewhere for connectivity check. Do be noted that if this method is used, blocking Android System in AFWall+ results in no internet access state despite being able to use internet services. However, there's a workaround in the AFWall+ section.

    Here's an example for Kuketz' captive portal:

  13. Private DNS (Android 9 & probably above)
  14. Go to Settings>Network & Internet, and toggle Advanced to gain access to Private DNS. Select it, and select off. Leaving it in Automatic requires you to be absolutely sure that you can trust the random provider. Same goes for the manually enterable "private DNS provider hostname" part, only that instead of random providers, you select your own provider.

  15. App Ops / Privacy Guard
  16. Also known as the advanced permission manager. Here's a guide on how to access it:

    If App Ops / Privacy Guard is built into the ROM:

    If App Ops / Privacy Guard is not built into the ROM (or if it's built-in, but a shortcut's nice to have):

  17. Intent Filter
  18. In Settings > Apps > See all apps , find Intent Filter Verification Service and disable it, as it'll trigger questionable connections to "verify" intent. Personally, I'm not too sure about this, but as it lacks a proper documentation - might as well disable it.

    While disabling, look at the "Data Usage", to determine whether internet access can be controlled separately from AFWall+.

    Ideally, it should look like this:

    But, in some cases, it'll look like this; which isn't ideal:

  19. Disable / Debloat
  20. For debloating, there are a few methods.

    Regardless, a reference may be necessary. Here's one for the Oneplus 7, and/or one for Oneplus 6. What works for them may / may not work for other PDAs, so take that as you will. Though, for the aforementioned Oneplus PDA owners, the references here are actually debloating scripts for them, flashable in recovery.

  21. Add modules (Optional)
  22. Reboot to TWRP (only if you haven't rebooted to system after debloating), browse to the storage path where your Magisk modules are placed in, and flash the NanoDroid modules (if said module haven't been flashed before Magisk), as well as whatever additional modules you're adding. Wipe dalvik & cache, and reboot to system. However, do be noted that using even a single Magisk module (or NanoDroid Module in Magisk mode) will get AdAway to activate its "Enable Systemless Hosts" settings - regardless of the activation of Magisk's own systemless hosts module.

  23. SDMaid
  24. Install SDMaid, and grant its required permissions (root access, storage access, usage access - all done just by getting in settings). Optionally, its telemetry service can be disabled by getting to Settings>General Settings>Bug Reporting & disabling everything there. Preferably installed in the Disable / Debloat phase.

    Receiver blocking for apps : Open SD Maid, enter AppControl. Then select an app, and select Receiver Manager. Select the 3 dots button on the top right, and tick the "Other" box. Then, disable the unacceptable receivers. May require some tinkering, as disabling some receivers may cause issues.

  25. MyAndroidTools
  26. Install MyAndroidTools, and grant its required permissions (storage access & root access, usage access optional). Its telemetry can be disabled by selecting the 3 dots on the top-right seection & ticking Close crash report.

  27. Per-App Internet access blocking
  28. Spyware client blocking
  29. Hosts used:


  30. microG (optional, for those who needs Play Service)
  31. Can be installed as user-app with some compromises (refer to this), or as system-app (can also be done via Nanodroid). Regardless, may be usable even without internet access. I haven't faced any issues doing so, but your mileage may vary.

    Can be ignored if using something like LineageOS microG - it's pre-installed. Also, if you can / had no choice but to live with OG Goolag Services privacy issues, it's a skip.

    Full details are available at GitHub or the official site. Or, for the more nutshelled version, head to the Keywords section.

With this, we gain the basic ability to improve privacy on rooted Android phones, even if only a bit.

Optional : Terminal - microG permission

This step should only be done if you have installed microG & you can't give microG and/or FakeStore spoofing access from the GUI.

In the terminal, gain root access. Then, enter these commands:

  1. Fake Store : pm grant com.android.vending android.permission.FAKE_PACKAGE_SIGNATURE
  2. Will be needed, since FakeStore can't get spoofing access without GUI / terminal.

  3. microG Core : pm grant com.google.android.gms android.permission.FAKE_PACKAGE_SIGNATURE
  4. Since microG has its own interface, this shouldn't be needed. Just placing this here for completion.

Main Page