Android Privacy Mod - Archive2

Last updated : 12/9/2023

Introduction

By default, most custom ROMs will still make connections to Google, even when it doesn't come with GApps. This guide is meant to mitigate that.

In a nutshell, here's a list of what we're doing :

• Tune up the settings to respect the user
• Add in hosts file that blocks trackers, through either TWRP and/or AdAway (with root access to save a VPN slot)
• Change the captive portal provider to a trustworthy one, through either ADB shell with PC (without root) or a terminal emulator app (with root)

And, for those who'd want a glance at the messy past of this article, here's the newer archive & old archive.

Disclaimer

I am not responsible for any bricked device, loss of warranty, or any other problems as a result of following this guide. It's 100% your decision to follow this guide, & I'm only providing it.

Other disclaimers include:

• Your device might be rooted by the end of this guide, or, more precisely, after all TWRP steps are done (if you opt to root).
• This guide assumes that the required files are in the external storage of choice (microSD / OTG)
• This guide assumes you have TWRP / TWRP-based recovery installed. You could always hotboot TWRP if it wasn't installed, but you'll also need a PC.
• You are assumed to have some knowledge of Android. If not, don't follow this guide (or perhaps follow, but search the internet for what you don't understand).
• If you are using anything that depends on SafetyNet (or any other form of tamper detection), do not expect it to work.
• This guide is not meant for anyone being targeted by bad actors (such as government agents, corpo stalkers, etc.), such as famous activists (like Snowden for example).
• This guide is only aimed at reducing unwanted connections in the operating system & program stack.

Reference

Here are some (probably outdated) references relating to this topic as a whole:

• Mission Impossible: Hardening Android for Security and Privacy
• Mission Improbable: Hardening Android for Security and Privacy
• MicroG on OP6

Requirements

These are the necessary stuff. If you haven't obtained / downloaded them, please get them before even doing this.

• A custom ROM, optionally with microG support - browse the ROM list if you're using Official builds.
• TWRP / TWRP based recovery (preferably with rw ability)
• NanoDroid modules, as required for your daily use
Generally, all you might need is the Bromite webview module (16/4/2022 Update : NanoDroid's Bromite webview module is severely outdated & upstream Bromite changed webview package name, making it incompatible with NanoDroid. Don't use NanoDroid-Bromite at the moment.). The F-Droid & microG package is a good addition if you're using any of them. I don't recommend using the full NanoDroid module unless you can modify its installation. By default it'll install various apps you might not want & remove apps you might want to keep.


• Custom kernel, if desired. I would also recommend reading my article about custom kernels.

If you don't want to run rooted, here's the extras you need:

• A computer with ADB installed
If you haven't set ADB up, you can follow the guide on XDA for setting up ADB.


• An USB cable to connect PDA & computer
• A custom hosts file, either from my Git repo or an already PrivModded PDA (preferably with root access)

Alternatively, if you are using root :

• Magisk
If you're using Magisk 22.0 & above, make a copy & rename its .apk extension to .zip. (if using TWRP < 3.5.1)


• Firewall app (AFWall+)
• Hosts Manager / adblocker (AdAway)
• Terminal emulator app
• I personally used Jackpal's terminal emulator for a while, up until August 2021 patch for A11. I no longer recommend it for A11 (and later) from now on, as using this breaks captive portal login (except for disabling it).
• Termux is recommended now, as it's more recent (last update in July 2021)

First step setup

First off, clean flash your ROM. That way, you can be fully sure that you start with a clean base. Don't forget to backup whatever you can & want to before doing this though!

For the note, you're better off using ROMs without GApps. Having microG support (inbuilt / prebuilt) is a nice bonus, although not necessary (unless you really need to run apps that demand GMS). While you could use ROMs with GApps for this guide, there's always the chance of it having issues (and you also need to whitelist Google connections).

From here on out, don't connect to the internet, at least until the AdAway phase (if you're running rooted).

Dealing with the setup wizard

If you're using a Lineage-based ROM / CarbonROM, you will enter a Setup Wizard upon first boot.

You can set the time & date for your PDA, but you can breeze through the rest of the setup wizard, denying access to telemetry & location access as you go. You can change them later if you want to.

Reminder : Do NOT connect to the internet via any means yet.

First step in settings

Time : Enter Settings > System > Date & time. Disable [Use network-provided time]; [Use network-provided time zone]; & [Use locale default], and tune the time settings to match your area's time, if you haven't done so. We're disabling these options as they may trigger questionable connections to a NTP server. Sure, this is inconvienent (especially when you're travelling), & may not affect privacy that much, but you can at least not trust whatever NTP server your PDA's using to not spy on you.

Questionable apps (Intent Filter Verification Service, for example): Enter Settings > Apps & notifications > See all apps. On the 3 dot menu on the top-right corner, select Show system. Scroll down until you find "Intent Filter Verification Service" app, & select it. Force stop & Disable the app (if it can be disabled) (alternatively, you could deny its internet connections). . At this point, I'm unsure what effect this app has on privacy, as it doesn't have an official documentation. However, ladano claims it connects to Go-ogle & Amazon servers.

Telemetry : This part varies by ROMs, and some don't have it. Here's examples of the ROMs that have it & their locations:

• LineageOS : Settings > Security & location (Pie) / Privacy (A10,A11) > Trust > LineageOS statistics
• CarbonROM : Settings > Carbon Fibers > Privacy (Pie)
• Arrow OS : Settings > Privacy > ArrowOS stats (A10, A11)
• Baikal OS : Settings > Baikal Extras > About > Statistics (A10)

Once you've found & select them, untick "enable reporting" (only if you didn't disable them in the setup wizard).

Private DNS

Accessed by entering Settings > Network & internet > Private DNS. Leaving it in Automatic will cause it to connect to random DoT providers.

To disable this, select "Off" & hit Save.

If you have a provider you can trust & you'd like to use their DoT services, select "Private DNS provider Hostname", type in the host name of your choice, & hit Save.

For added reference, I also have a list of usable Private DNS providers.

Probably optional : Full Disk Encryption (ignore if FDE isn't supported)

To check whether your PDA is encrypted / not, go to Settings > Security, and see the Encryption & credentials settings. It'll give you the state of its encryption.

References from my devices:

• Pixel XL : Skip this step, as the device self-encrypts on 1st system boot. Uses FBE encryption.
• Zenfone 6 : Same as Pixel XL.
• Poco X3(N / P) : Similar to Pixel XL & Zenfone 6, unless you flashed a decrypted vendor / encryption disabler.
• Poco F1 (Pie / A10 AOSP) : You can safely encrypt it, if it isn't encrypted on 1st boot, which some ROMs do.
• Poco F1 (A11 (and beyond) AOSP) : There are either ROMs that force-encrypt on 1st boot (for example, Arrow & POSP) or ROMs that can't encrypt without using a flashable zip (like crDroid, Havoc, Fluid). Skip this step.
• Mi A1 : Same as Poco F1, but ROMs do not force encrypt on 1st boot.
• OnePlus 3(T) : Same as Poco F1. A11 is not tested yet.
• LG V30 : If running AOSP Pie & beyond, skip this step. Encryption is broken (definite for Pie, not sure for A10; but moot for A11 & beyond as FDE isn't supported).

How to encrypt (only for devices / ROMs that do not encrypt by default & can encrypt):

• Charge your PDA to at least 80%, but don't plug off yet.
• Go to Settings > Security > Encryption & credentials.
• Select Encrypt phone, & follow the prompts given.
• Wait for it to encrypt. If it takes longer than 1 hour (that's the longest time I'm willing to wait for encryption), reboot to recovery, format data, & clean flash your ROM. Then, redo every setup you've done except for encryption.
• If it boots to system, you can go ahead & unplug the PDA while you verify that the PDA is indeed encrypted by entering Settings > Security & seeing the Encryption & credential settings.

Optional : microG

If you're installing microG as an user-app, you can't use location services, even with the backends activated. In order to do that, simply install microG & FakeStore apks from the file manager.

Alternatively, if you're using NanoDroid, skip this first. Then, after the TWRP stuff, return to this part & set microG up afterwards.

Skip if using Lineage-microG, OmniROM microG, & /e/ since it's prebuilt.

To set up microG, open microG Settings. Enter Self-Check & tap on "System grants signature spoofing permission" & "Play Store (Phonesky) has correct signature" to grant signature spoofing permission for microG & FakeStore respectively (microG 0.2.16 & later).

TWRP actions

Boot to TWRP by whatever means you prefer to use, whether it's using the provided advanced reboot feature, or by holding down some buttons. Depending on the device, the buttons to press vary. Pocophone F1, as an example, boots to recovery by holding Power & Volume up.

What you're going to do in TWRP will vary on whether you need root access / not, so here's the links for either :

• No root
• With root

Cleanup

The step taken after dealing with Android's automatic connections.

Lock Screen

First, let's kick off the cleanup step by setting up a lock screen, which can be done in Settings > Security > Screen lock. Then select either Pattern, PIN, or Password, & go to town. Optionally, you could also register your fingerprint after setting up a screen lock.

If your PDA uses FDE encryption (which doesn't apply to A11 & beyond, and certain devices before A11), you will also have a Secure start-up prompt that you can optionally enable. This will render TWRP unable to read your primary storage. As for those with FBE, applying a screen lock will also render TWRP unable to read your primary storage, but without the Secure start-up mechanism.

Dealing with USB debugging

If USB debugging is not enabled, you can skip this step. Otherwise, disable it by going to Settings > System > Developer options & tap on Android debugging.

I recommend disabling USB debugging unless you have an absolutely good reason to enable it (maybe install a big game with OBB without root) & are fine with the consequences of leaving it enabled.

Main Page