By default, most custom ROMs will still make connections to Google, even when it doesn't come with GApps. This guide is meant to mitigate that.
In a nutshell, here's a list of what we're doing :
For those who'd want a glance at the messy past of this article :
I am not responsible for any bricked device, loss of warranty, or any other problems as a result of following this guide. It's 100% your decision to follow this guide, & I'm only providing it.
Other disclaimers include:
These are the necessary stuff. If you haven't obtained / downloaded them, please get them before even doing this.
For optional extras :
First off, clean flash your ROM. That way, you can be fully sure that you start with a clean base. Don't forget to backup whatever you can & want to before doing this though!
For the note, you're better off using ROMs without GApps. Having microG support is a nice bonus, although not necessary (unless you really need to run apps that demand GMS). While you could use ROMs with GApps for this guide, there's always the chance of it having issues (and you also need to whitelist Google connections).
From here on out, don't connect to the internet, at least until you need it for AdAway.
Most custom ROMs nowadays will impose a setup wizard on first boot, for whatever reasons.
You can set the time & date for your device, but you can breeze through the rest of the setup wizard, denying access to telemetry & location access as you go. You can change them later if you want to.
Reminder : Do NOT connect to the internet via any means yet.
Time : Enter Settings > System > Date & time. Disable [Use network-provided time]; [Use network-provided time zone]; & [Use locale default], and tune the time settings to match your area's time, if you haven't done so. We're disabling these options as they may trigger questionable connections to a NTP server. Sure, this is inconvienent (especially when you're travelling), & may not affect privacy that much, but you can at least not trust whatever NTP server your device's using to not spy on you.
Telemetry : This part varies by ROMs, and some don't have it. Here's examples of the ROMs that have it & their locations:
Once you've found & select them, untick "enable reporting" (only if you didn't disable them in the setup wizard).
At this point, feel free to tune up the interface to your liking. Invert navbar (or change to gesture & vice versa), theme customizations, whatever (but not lockscreen security, we'll save them for later). Once you're done with the interface, let's move on to the next steps.
Accessed by entering Settings > Network & internet > Private DNS. Leaving it in Automatic will cause it to connect to random DoT providers.
To disable this, select "Off" & hit Save.
If you have a provider you can trust & you'd like to use their DoT services, select "Private DNS provider Hostname", type in the host name of your choice, & hit Save.
For added reference, I also have a list of usable Private DNS providers.
More on debloating & removeable bloat listed below.
A more detailed take on Android's automatic connections are listed & linked below.
A more detailed (albeit unfortunately incomplete) take on firewalling and/or network monitoring can be seen in this page.
A more detailed (albeit unfortunately incomplete) take on ad-blocking and/or hosts modifications can be seen in this page.
A more detailed (albeit unfortunately incomplete) take on rooting and its solutions can be seen in this page.
To check whether your device is encrypted / not, go to Settings > Security, and see the Encryption & credentials settings. It'll give you the state of its encryption.
How to encrypt (only for devices / ROMs that do not encrypt by default & can encrypt):
Disclaimer : Encryption used in this settings are FDE, which doesn't work beyond A11 (and/or devices released with A10 & beyond). Consider this part outdated.If you're installing microG as an user-app, you can't use location services, even with the backends activated. However, there's no risk of not being able to boot, unlike the injection approach. For this one, simply install microG & FakeStore apks from the file manager.
Alternatively, to inject microG from TWRP: (try at your own risk - user-app installation above is recommended over this shit, which is solely provided for completion)
Skip if using ROMs with prebuilt microG.
To set up microG (at least for Fate/GO), open microG Settings. Enter Self-Check & tap on "System grants signature spoofing permission" & "Play Store (Phonesky) has correct signature" to grant signature spoofing permission for microG & FakeStore respectively (microG 0.2.16 & later). I would also grant microG storage permissions, but that's about it - everything else stays disabled. Reboot afterwards.
The step taken after setting up your device to your liking.
First, let's kick off the cleanup step by setting up a lock screen, which can be done in Settings > Security > Screen lock. Then select either Pattern, PIN, or Password, & go to town setting them up. Optionally, you could also register your fingerprint after setting up a screen lock.
If your device uses FDE encryption (which doesn't apply to A11 & beyond, and devices released with A10 & beyond), you will also have a Secure start-up prompt that you can optionally enable. This will render TWRP unable to read your primary storage. As for those with FBE, applying a screen lock will also render TWRP unable to read your primary storage, but without the Secure start-up mechanism.
If USB debugging is already disabled, you can skip this step. Otherwise, disable it by going to Settings > System > Developer options & tap on Android debugging.
I recommend disabling USB debugging unless you have an absolutely good reason to enable it (maybe install a big game with OBB without root, or apply some nice commands) & are fine with the consequences of leaving it enabled.
Personally, I'd put this step on the "setup" phase, but seeing as some apps might require a bit of neutering after installation, might as well put it here.
To start, simply install any & all apps you feel necessary. If you want to follow my preferred apps, hop here.
For neutering, here's some of the things I do :