Android Privacy Mod - Basic (root)

Last updated : 19/8/2022

Introduction

The root-dependent section for the PrivMod. Only follow this if you need root access.

TWRP actions

Boot to TWRP by whatever means provided to you, whether it's using the provided advanced reboot feature, or by holding down some buttons. Depending on the device, the buttons to press vary. Poco F1, as an example, boots to recovery by holding Power & Volume up.

For now, we're flashing things in TWRP. Order of action : Debloat (optional) (look at sysapps list) > NanoDroid zip(s) (optional) > Magisk > Custom Kernel (optional) > wipe Dalvik (& cache if available) > Reboot to system.

Optional : Deleting system apps

More information regarding this can be found in the System Apps list.

Optional : NanoDroid

Flash NanoDroid module zip(s) of your choice (microG / F-Droid) in TWRP. Keep in mind that NanoDroid modules can't be flashed on TWRP without rw access.

Don't flash F-Droid and/or microG module if using Lineage-microG, OmniROM microG, CalyxOS (microG via setup wizard, custom F-droid version prebuilt), DivestOS (prebuilt upstream F-Droid, but no support for microG), & /e/ (the last one doesn't have F-Droid) since it's prebuilt.

Gaining root access

For Magisk 22.0 & above users with TWRP < 3.5.1 : Don't forget to have another copy of Magisk.apk, & rename it to Magisk.zip.

Flash Magisk zip (or apk if using TWRP >= 3.5.1) in TWRP.

6/6/2023 late update : Starting with 26.0, Magisk drops support for custom recovery installation this guide uses; so use the official installation guide, which will require patching a boot image.

Optional : Custom kernel

Flash your custom kernel zip.

Custom kernels don't really grant any privacy boons, but might enhance performance and/or battery life. However, some custom kernels may also replace the default DNS with other provider (such as CloudFlare, the most common example), so watch out for that.

Returning to system

Wipe Dalvik (on A-only devices, wipe Dalvik & Cache), & reboot to system. Wiping Dalvik & Cache is important especially after flashing NanoDroid, as not doing so may prevent booting.

System Actions #2

Now that we're back in system, our first actions are to install our root apps, starting with terminal, AFWall+, SD Maid, & AdAway. If you have microG installed via NanoDroid, go to the microG section & set-up microG.

List of apps to be installed

You can install them later (after the terminal steps), but installing them at this step allows us to skip installing them in their step.

• Terminal emulator app : Should be installed now. Later steps will need them.
• AFWall+ : Can optionally be held back until the Terminal step is done.
• AdAway : Can optionally be held back until the Terminal step is done.
• Magisk (22.0 & above; regardless of apk / zip installation) : If you have installed Magisk 22.0 (and above), you'll also need to install the Magisk.apk.

Initial action - Terminal emulator

Open the terminal app & type su. Root access should be granted if requested.

Terminal - Captive Portal

For the captive portal, you have 2 choices: to change the captive portal to a more trustworthy captive portal provider, or to disable them altogether.

For those who'd like to use captive portal, first read the captive portal provider list for more information. Then, use these commands:

1. settings put global captive_portal_http_url "(your preferred captive portal provider's HTTP URL)"
2. settings put global captive_portal_https_url "(your preferred captive portal provider's HTTPS URL)"
3. settings put global captive_portal_fallback_url "(your preferred captive portal provider's fallback URL, or their HTTP/HTTPS URL)"
4. settings put global captive_portal_other_fallback_urls "(your preferred captive portal provider's other fallback URL, or their HTTP/HTTPS URL)"
5. reboot

Output example using Mike Kuketz' captive portal provider: (note : the https in the fallback url part can be ignored)

However, if you're confident that you won't use any Wi-Fi / mobile connections with captive portal, or refuse to use external services for internet connectivity checking, here are the commands:

1. pm disable com.android.captiveportallogin
2. settings put global captive_portal_detection_enabled 0
3. settings put global captive_portal_server localhost
4. settings put global captive_portal_mode 0
5. reboot

Output example:

If you're already using alternative captive portal & you would like to verify that the setting's applied, here's how :

1. Gain su in terminal, as it's necessary to call service settings
2. settings get global captive_portal_http_url (or, replace http_url with either https_url, fallback_url, or other_fallback_urls; depending on which one you'd like to check)
3. Exit terminal app, no need to reboot here

Terminal - NTP

Gain su in terminal (preferably while changing captive portal provider). Afterwards, you have 2 choices : change the NTP provider to a more trustworthy one, or disable it.

• Change : settings put global ntp_server (your NTP provider of choice)
• Disable : settings put global ntp_server about:blank

It is recommended to do this before typing in reboot in terminal / powershell, if only to streamline the work done.

Terminal - nutshell

In short, here's what we're doing:

1. Gain root access in terminal
2. Change captive portal provider / disable it
3. Change / disable network time servers
4. Reboot from terminal to apply the settings
5. (Optional) Check that the settings is applied via root terminal

AFWall+

If you haven't installed AFWall+ yet, please install it first.

Initial action - AFWall+

Open the AFWall+ app, & it'll immediately ask for root permission. Grant it. Then, to make it easier to block, select the 3 line menu on the right of the search button, and select "Block selected" option. Then, go to its settings menu by selecting the 3 dot button > Preferences.

In the Preferences section, enter UI preferences, untick "Enable notifications" & tick "Show UID for apps" & "Confirm AFWall+ disable". While these changes aren't essential, they kinda make the interface easier to play with. This UI preferences mods can be skipped.

To prevent data leak on boot, go to Preferences > Experimental and select "Startup directory path for script". Then, choose /data/adb/service.d (or /sbin/.magisk/img/.core/service.d/ if using Magisk < 20.4). Afterwards, tick "Fix startup data leak".

Also, in the Preferences > Rules/connectivity, check that IPv6 support is enabled. If not, enable it.

System-apps in AFWall+ & whether it should be blocked / not

• Android System / Fused Location (UID 1000)

The PDA will still finely connect to the network, even if this is blocked. While it's technically safe to block all of its connections, doing so will prevent captive portal from functioning (at least that's how it is in Pie). How to mitigate that is discussed in the next section.

If you're using network-based geolocation service, you might not want to block this. However, in my experience (with systemized microG, Mozilla UnifiedNLP, Nominatim), I blocked it & location services still works, though only on Wi-Fi.

• ADB - Android Debug Bridge (UID 1011)

Block if not using ADB over wireless connection.

• CaptivePortalLogin (UID 10130)

You can block connections for this, but only if you disabled captive portal in the terminal section. Otherwise, follow the next section.

• Clat (UID 1029)

No idea what this does, but I don't experience any errors blocking connections for this one. Found in A10 & A11.

• Intent Filter Verification Service (UID 10119 (10118 on A11))

Block all of its connections.

• ntp - Internet time servers (UID -14)

Block all of its connections, if you're not using automatic time adjustments.

• Phone Services / CACertApp / vendor.qti.iwlan (UID 1001)

You can safely block all of its connection if not using the PDA as a phone. If you plan on doing so, at least leave the mobile data unblocked.

• Print Service Recommendation Service (UID 10094)

I don't know who prints stuff from their PDA, but, for those who don't, block all of its connections (that is, if it's available & not removed).

Getting Captive portal to work with UID 1000 blocked

Skip this step if captive portal is disabled in the terminal step, or if you don't want to type in the scripts (only for A10 / A11). Again, I will refer to my captive portal provider list for more info in case you're not skipping this.

Tap the 3 dot button, & select Set custom script. Then, depending on your Android version & AFWall version, follow either of these:

Android 10 & 11; AFWall+ > 3.1.0 (optional & not necessary, just for completion's sake) :

• # iptables -A "afwall" -d (captive portal provider IP address) -p tcp --dport 80 -j ACCEPT
• # iptables -A "afwall" -d (captive portal provider IP address) -p tcp --dport 443 -j ACCEPT

Output example using /e/'s captive portal provider:

Android 9/Pie; AFWall 3.1.0 only (required) :

• $IPTABLES -A "afwall" -d (captive portal provider IP address) -p tcp --dport 80 -j ACCEPT
• $IPTABLES -A "afwall" -d (captive portal provider IP address) -p tcp --dport 443 -j ACCEPT

Output example using Mike Kuketz' captive portal provider:

Finalizing step - AFWall+

Finally, after selecting the apps you'd want to block & enabling the captive portal script (for those who use captive portal), we can finally enable AFWall+ by selecting Save (to save the app rules), then selecting Enable firewall from the 3 dot menu. Now, we wait & see if the iptables rule were applied correctly. If it stops in the middle of applying, you might want to check the custom script for any typos & such.

Hosts

If you're using AdAway, install it if you haven't. Alternatively, if you have a PrivModded PDA, you could also use its hosts file.

A disclaimer : This phase will require you to rely on someone else's hosts lists. If you're not comfortable with this, replace the hosts sources with your own.

Initial action - AdAway

Open the AdAway app. If you're using AdAway 4.3.x; it'll ask for telemetry access on startup, which you can opt out of. Root access will be prompted once you enter Preferences.

If you're using AdAway 5.1.0 & above, it will ask for root / VPN access on the setup wizard. Grant it root access. Then, on the next step, it will attempt to download & apply the default hosts, which will fail if you haven't connected to the internet. This is fine, close & re-open the AdAway app, & you should be on the main user interface.

Either way, in Preferences (in AdAway 5.1.0 & above, Preferences > root-based ad blocker), tick "Enable IPv6"; change the Redirection IPv4 from 127.0.0.1 to 0.0.0.0 & Redirection IPv6 from ::1 to ::. If you're running AdAway >=5.1.0, you can also optionally disable automatic updates in Preferences > Automatic updates & unticking everything there. As for 4.3.x, automatic updates can be disabled by unticking Check for updates in Preferences.

Setting up hosts sources

Enter the Hosts sources section in AdAway. By default, AdAway will use these 3:

• https://adaway.org/hosts.txt
• https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext (probably dead & should be deleted)
• https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts - StevenBlack Unified Hosts (which will be replaced with the Unified + social variant)

These hosts are, by default, for blocking ads (StevenBlack Unified also blocks some big corpo telemetry). But, as this is meant to improve our privacy, let's add these hosts :

• https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/social/hosts - StevenBlack Unified Hosts + social (replaces the StevenBlack Unified Hosts)
This is the Unified + social variant of the StevenBlack hosts, which prevents all connections to common "social" media like Facebook & Twitter. You can also use the other variants as long as it also has the social additions. Personally, I use the Unified + gambling + social hosts, which I'll also link below.
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/gambling-social/hosts


• https://gitlab.com/Jorgu81/hosts/raw/master/Google/HostsGoogle
This blocks Google's Play Store, NTP, GPS, & captive portal URLs; Qualcomm's IZAT; Lineage, AdAway, & SD Maid's telemetry; & a minor set of trackers. If you're using Aurora Store, whitelist play.googleapis.com & connectivitycheck.android.com.


• https://gitlab.com/Jorgu81/hosts/raw/master/Mozilla/Mozilla
This blocks Mozilla's services, such as network location, telemetry, & Pocket for Firefox. May also cause Firefox (or any other Firefox-based browsers) add-ons to not update. If you're using Mozilla UnifiedNLP, whitelist location.services.mozilla.org.


• Optionally, you could use Energized, though it's one of the heaviest hosts possible. It blocks over 450,000 domains on the basic pack, for example.
• Also, here's a list of the optional ones that I personally use & you don't have to use if you don't want to :
• https://gitlab.com/Jorgu81/hosts/raw/master/Microsoft/Microsoft
Blocks connections to Microsoft. Might be unnecessary since Android doesn't generally have Microsoft telemetry (Android apps built by Microsoft may have those), but perhaps a nice addition if you don't want anyone connecting to Microsoft telemetry.


• https://gitlab.com/Jorgu81/hosts/raw/master/Microsoft/SpyMicrosoft
An additional blocking of Microsoft's spyware.

In order to simplify typing them in the future, create a backup. Open Preferences > Backup / restore block rules, then select Backup & browse to the folder where you want the backup to be. Afterwards, if you'd like to add the hosts above, you can simply use the Restore option, and select the adaway-backup.json. I also have a backup json at my Git releases.

Finalizing step - AdAway

After entering your hosts sources, connect to the internet. Then, return to the Home section in AdAway, and select "enable ad-blocking" (or the download button on Adaway 5.1.0 & above); & wait as the hosts are updated & applied. The more hosts used & the heavier they are, the longer the downloading & parsing will take.

Once completed, you will be prompted to reboot. Now, you can disable the internet again, & reboot to recovery to wipe Dalvik & cache, or just straight up reboot. Either way, this activates the hosts file.

Finished... mostly

For now, we're done in setting up our device to not trigger unwanted connections (and trigger only the ones that are wanted & necessary).

For the cleanups, head over to the clean-up section of the basic privacy hardening guide.

Android Privacy Hardening - Basic

Main Page