Android Privacy Mod - Basic (root)

Last updated : 19/8/2022

- Introduction -

- TWRP actions -

Optional : Deleting System Apps
Optional : NanoDroid modules
Gaining root access
Optional : Custom kernel
Returning to system

- System Actions #2 -

List of apps to be installed
Initial Action - Terminal
Terminal - Captive Portal
Terminal - NTP
Terminal - nutshell

- AFWall+ -

Initial Action - AFWall+
System-apps in AFWall+ & whether it should be blocked / not
Getting Captive portal to work with UID 1000 blocked
Finalizing step - AFWall+

- Hosts -

Initial action - AdAway
Setting up hosts sources
Finalizing step - AdAway


The root-dependent section for the PrivMod. Only follow this if you need root access.

TWRP actions

Boot to TWRP by whatever means provided to you, whether it's using the provided advanced reboot feature, or by holding down some buttons. Depending on the device, the buttons to press vary. Poco F1, as an example, boots to recovery by holding Power & Volume up.

For now, we're flashing things in TWRP. Order of action : Debloat (optional) (look at sysapps list) > NanoDroid zip(s) (optional) > Magisk > Custom Kernel (optional) > wipe Dalvik (& cache if available) > Reboot to system.

Optional : Deleting system apps

More information regarding this can be found in the System Apps list.

Optional : NanoDroid

Flash NanoDroid module zip(s) of your choice (microG / F-Droid) in TWRP. Keep in mind that NanoDroid modules can't be flashed on TWRP without rw access.

Don't flash F-Droid and/or microG module if using Lineage-microG, OmniROM microG, CalyxOS (microG via setup wizard, custom F-droid version prebuilt), DivestOS (prebuilt upstream F-Droid, but no support for microG), & /e/ (the last one doesn't have F-Droid) since it's prebuilt.

Gaining root access

For Magisk 22.0 & above users with TWRP < 3.5.1 : Don't forget to have another copy of Magisk.apk, & rename it to

Flash Magisk zip (or apk if using TWRP >= 3.5.1) in TWRP.

6/6/2023 late update : Starting with 26.0, Magisk drops support for custom recovery installation this guide uses; so use the official installation guide, which will require patching a boot image.

Optional : Custom kernel

Flash your custom kernel zip.

Custom kernels don't really grant any privacy boons, but might enhance performance and/or battery life. However, some custom kernels may also replace the default DNS with other provider (such as CloudFlare, the most common example), so watch out for that.

Returning to system

Wipe Dalvik (on A-only devices, wipe Dalvik & Cache), & reboot to system. Wiping Dalvik & Cache is important especially after flashing NanoDroid, as not doing so may prevent booting.

System Actions #2

Now that we're back in system, our first actions are to install our root apps, starting with terminal, AFWall+, SD Maid, & AdAway. If you have microG installed via NanoDroid, go to the microG section & set-up microG.

List of apps to be installed

You can install them later (after the terminal steps), but installing them at this step allows us to skip installing them in their step.

Initial action - Terminal emulator

Open the terminal app & type su. Root access should be granted if requested.

Terminal - Captive Portal

For the captive portal, you have 2 choices: to change the captive portal to a more trustworthy captive portal provider, or to disable them altogether.

For those who'd like to use captive portal, first read the captive portal provider list for more information. Then, use these commands:

  1. settings put global captive_portal_http_url "(your preferred captive portal provider's HTTP URL)"
  2. settings put global captive_portal_https_url "(your preferred captive portal provider's HTTPS URL)"
  3. settings put global captive_portal_fallback_url "(your preferred captive portal provider's fallback URL, or their HTTP/HTTPS URL)"
  4. settings put global captive_portal_other_fallback_urls "(your preferred captive portal provider's other fallback URL, or their HTTP/HTTPS URL)"
  5. reboot

Output example using Mike Kuketz' captive portal provider: (note : the https in the fallback url part can be ignored)

However, if you're confident that you won't use any Wi-Fi / mobile connections with captive portal, or refuse to use external services for internet connectivity checking, here are the commands:

  1. pm disable
  2. settings put global captive_portal_detection_enabled 0
  3. settings put global captive_portal_server localhost
  4. settings put global captive_portal_mode 0
  5. reboot

Output example:

If you're already using alternative captive portal & you would like to verify that the setting's applied, here's how :

  1. Gain su in terminal, as it's necessary to call service settings
  2. settings get global captive_portal_http_url (or, replace http_url with either https_url, fallback_url, or other_fallback_urls; depending on which one you'd like to check)
  3. Exit terminal app, no need to reboot here

Terminal - NTP

Gain su in terminal (preferably while changing captive portal provider). Afterwards, you have 2 choices : change the NTP provider to a more trustworthy one, or disable it.

It is recommended to do this before typing in reboot in terminal / powershell, if only to streamline the work done.

Terminal - nutshell

In short, here's what we're doing:

  1. Gain root access in terminal
  2. Change captive portal provider / disable it
  3. Change / disable network time servers
  4. Reboot from terminal to apply the settings
  5. (Optional) Check that the settings is applied via root terminal


If you haven't installed AFWall+ yet, please install it first.

Initial action - AFWall+

Open the AFWall+ app, & it'll immediately ask for root permission. Grant it. Then, to make it easier to block, select the 3 line menu on the right of the search button, and select "Block selected" option. Then, go to its settings menu by selecting the 3 dot button > Preferences.

In the Preferences section, enter UI preferences, untick "Enable notifications" & tick "Show UID for apps" & "Confirm AFWall+ disable". While these changes aren't essential, they kinda make the interface easier to play with. This UI preferences mods can be skipped.

To prevent data leak on boot, go to Preferences > Experimental and select "Startup directory path for script". Then, choose /data/adb/service.d (or /sbin/.magisk/img/.core/service.d/ if using Magisk < 20.4). Afterwards, tick "Fix startup data leak".

Also, in the Preferences > Rules/connectivity, check that IPv6 support is enabled. If not, enable it.

System-apps in AFWall+ & whether it should be blocked / not

Getting Captive portal to work with UID 1000 blocked

Skip this step if captive portal is disabled in the terminal step, or if you don't want to type in the scripts (only for A10 / A11). Again, I will refer to my captive portal provider list for more info in case you're not skipping this.

Tap the 3 dot button, & select Set custom script. Then, depending on your Android version & AFWall version, follow either of these:

Android 10 & 11; AFWall+ > 3.1.0 (optional & not necessary, just for completion's sake) :

Output example using /e/'s captive portal provider:

Android 9/Pie; AFWall 3.1.0 only (required) :

Output example using Mike Kuketz' captive portal provider:

Finalizing step - AFWall+

Finally, after selecting the apps you'd want to block & enabling the captive portal script (for those who use captive portal), we can finally enable AFWall+ by selecting Save (to save the app rules), then selecting Enable firewall from the 3 dot menu. Now, we wait & see if the iptables rule were applied correctly. If it stops in the middle of applying, you might want to check the custom script for any typos & such.


If you're using AdAway, install it if you haven't. Alternatively, if you have a PrivModded PDA, you could also use its hosts file.

A disclaimer : This phase will require you to rely on someone else's hosts lists. If you're not comfortable with this, replace the hosts sources with your own.

Initial action - AdAway

Open the AdAway app. If you're using AdAway 4.3.x; it'll ask for telemetry access on startup, which you can opt out of. Root access will be prompted once you enter Preferences.

If you're using AdAway 5.1.0 & above, it will ask for root / VPN access on the setup wizard. Grant it root access. Then, on the next step, it will attempt to download & apply the default hosts, which will fail if you haven't connected to the internet. This is fine, close & re-open the AdAway app, & you should be on the main user interface.

Either way, in Preferences (in AdAway 5.1.0 & above, Preferences > root-based ad blocker), tick "Enable IPv6"; change the Redirection IPv4 from to & Redirection IPv6 from ::1 to ::. If you're running AdAway >=5.1.0, you can also optionally disable automatic updates in Preferences > Automatic updates & unticking everything there. As for 4.3.x, automatic updates can be disabled by unticking Check for updates in Preferences.

Setting up hosts sources

Enter the Hosts sources section in AdAway. By default, AdAway will use these 3:

These hosts are, by default, for blocking ads (StevenBlack Unified also blocks some big corpo telemetry). But, as this is meant to improve our privacy, let's add these hosts :

In order to simplify typing them in the future, create a backup. Open Preferences > Backup / restore block rules, then select Backup & browse to the folder where you want the backup to be. Afterwards, if you'd like to add the hosts above, you can simply use the Restore option, and select the adaway-backup.json. I also have a backup json at my Git releases.

Finalizing step - AdAway

After entering your hosts sources, connect to the internet. Then, return to the Home section in AdAway, and select "enable ad-blocking" (or the download button on Adaway 5.1.0 & above); & wait as the hosts are updated & applied. The more hosts used & the heavier they are, the longer the downloading & parsing will take.

Once completed, you will be prompted to reboot. Now, you can disable the internet again, & reboot to recovery to wipe Dalvik & cache, or just straight up reboot. Either way, this activates the hosts file.

Finished... mostly

For now, we're done in setting up our device to not trigger unwanted connections (and trigger only the ones that are wanted & necessary).

For the cleanups, head over to the clean-up section of the basic privacy hardening guide.

Back to top

Android Privacy Hardening - Basic

Main Page