By default, most custom ROMs will still make connections to Google, even when they don't come with GApps. This guide is meant to mitigate that.
In a nutshell, here's a list of what we're doing :
And, for those who'd want a glance at the messy past of this article, here's the newer archive & old archive.
I am not responsible for any bricked device, loss of warranty, or any other problems as a result of following this guide. It's 100% your decision to do this, & I'm only providing the guide.
Other disclaimers include:
Here are some (probably outdated) references relating to this topic as a whole:
This is the necessary stuff. If you haven't obtained / downloaded it, please get it before even doing this.
If you don't want to run rooted, here's the extras you need:
Alternatively, if you are using root :
First off, clean flash your ROM. That way, you can be fully sure that you start with a clean base. Don't forget to back up whatever you can & want to before doing this though!
For the note, you're better off using ROMs without GApps. Having microG support (inbuilt / prebuilt) is a nice bonus, although not necessary (unless you really need to run apps that demand GMS). While you could use ROMs with GApps for this guide, there's always the chance of it having issues (and you also need to whitelist Google connections).
From here on out, don't connect to the internet, at least until the AdAway phase (if you're running rooted).
If you're using a Lineage-based ROM / CarbonROM, you will enter a Setup Wizard upon first boot.
You can set the time & date for your PDA, but you can breeze through the rest of the setup wizard, denying access to telemetry & location access as you go. You can change them later if you want to.
Reminder : Do NOT connect to the internet via any means yet.
Time : Enter Settings > System > Date & time. Disable [Use network-provided time]; [Use network-provided time zone]; & [Use locale default], and tune the time settings to match your area's time, if you haven't done so. We're disabling these options as they may trigger questionable connections to an NTP server. Sure, this is inconvenient (especially when you're travelling), & may not affect privacy that much, but at least you won't have to trust whatever NTP server your PDA's using not to spy on you.
Questionable apps (Intent Filter Verification Service, for example): Enter Settings > Apps & notifications > See all apps. On the 3 dot menu on the top-right corner, select Show system. Scroll down until you find the "Intent Filter Verification Service" app, & select it. Force stop & Disable the app (if it can be disabled); alternatively, you could deny its internet connections. At this point, I'm unsure what effect this app has on privacy, as it doesn't have official documentation. However, ladano claims it connects to Google & Amazon servers.
Telemetry : This part varies by ROMs, and some don't have it. Here's examples of the ROMs that have it & their locations:
Once you've found & selected them, untick "enable reporting" (only if you didn't disable them in the setup wizard).
This setting is accessed by entering Settings > Network & internet > Private DNS. Leaving it in Automatic will cause it to connect to random DoT providers.
To disable this, select "Off" & hit Save.
If you have a provider you can trust & you'd like to use their DoT services, select "Private DNS provider Hostname", type in the host name of your choice, & hit Save.
To check whether your PDA is encrypted / not, go to Settings > Security, and see the Encryption & credentials settings. It'll give you the state of its encryption.
References from my devices:
How to encrypt (only for devices / ROMs that do not encrypt by default & can encrypt):
Disclaimer : The encryption used in this setting is FDE, which doesn't work in A11 & beyond. Consider this part outdated.
If you're installing microG as a user app, you can't use location services, even with the backends activated. To install it as a user app, simply install the microG & FakeStore apks from the file manager.
Alternatively, if you're using NanoDroid, skip this first. Then, after the TWRP stuff, return to this part & set microG up afterwards.
Skip if using Lineage-microG, OmniROM microG, & /e/ since it's prebuilt.
To set up microG, open microG Settings. Enter Self-Check & tap on "System grants signature spoofing permission" & "Play Store (Phonesky) has correct signature" to grant signature spoofing permission for microG & FakeStore respectively (microG 0.2.16 & later).
Boot to TWRP by whatever means you prefer to use, whether it's using the provided advanced reboot feature, or by holding down some buttons. Depending on the device, the buttons to press vary. Pocophone F1, as an example, boots to recovery by holding Power & Volume up.
What you're going to do in TWRP will vary depending on whether you need root access / not, so here are the links for either :
The step taken after dealing with Android's automatic connections.
First, let's kick off the cleanup step by setting up a lock screen, which can be done in Settings > Security > Screen lock. Then select either Pattern, PIN, or Password, & go to town. Optionally, you could also register your fingerprint after setting up a screen lock.
If your PDA uses FDE encryption (which doesn't apply to A11 & beyond, and certain devices before A11), you will also have a Secure start-up prompt that you can optionally enable. This will render TWRP unable to read your primary storage. As for those with FBE, applying a screen lock will also render TWRP unable to read your primary storage, but without the Secure start-up mechanism.
If USB debugging is not enabled, you can skip this step. Otherwise, disable it by going to Settings > System > Developer options & tapping on Android debugging.
I recommend disabling USB debugging unless you have an absolutely good reason to enable it (maybe install a big game with OBB without root) & are fine with the consequences of leaving it enabled.
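To double-check the Time, Private DNS & USB debugging steps above, here is an added example (not part of the original guide) that audits a dump of Android's global settings for the values those steps should leave behind. The key names (auto_time, auto_time_zone, private_dns_mode, private_dns_specifier, adb_enabled) come from Android's global settings namespace rather than from this guide; the sample dumps & the hostname dns.example.net are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit the settings this guide changes.
# Input: "key=value" text as printed by `settings list global`.

# Constructed sample dumps (not captured from a real device).
SAMPLE_DEFAULT='adb_enabled=1
auto_time=1
auto_time_zone=1
private_dns_mode=opportunistic'
SAMPLE_HARDENED='adb_enabled=0
auto_time=0
auto_time_zone=0
private_dns_mode=hostname
private_dns_specifier=dns.example.net'

# get_setting KEY DUMP: print the value stored for KEY (empty if absent).
get_setting() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# audit_settings DUMP: print one FAIL line per deviation; return 1 if any.
audit_settings() {
    rc=0
    for key in auto_time auto_time_zone; do
        val=$(get_setting "$key" "$1")
        # Assumption: an absent key means the default, i.e. network time is on.
        if [ "$val" != "0" ]; then
            echo "FAIL $key=${val:-unset}: network-provided time is still on"; rc=1
        fi
    done
    mode=$(get_setting private_dns_mode "$1")
    host=$(get_setting private_dns_specifier "$1")
    case "$mode" in
        off) ;;
        hostname)
            if [ -z "$host" ] || [ "$host" = "null" ]; then
                echo "FAIL private_dns_mode=hostname: no provider hostname set"; rc=1
            fi ;;
        # Assumption: unset or "opportunistic" is the Automatic option in the UI.
        *) echo "FAIL private_dns_mode=${mode:-unset}: Private DNS is on Automatic"; rc=1 ;;
    esac
    if [ "$(get_setting adb_enabled "$1")" = "1" ]; then
        echo "FAIL adb_enabled=1: USB debugging is still on"; rc=1
    fi
    return "$rc"
}

# Demo on the constructed dumps; on a device, pass "$(settings list global)".
audit_settings "$SAMPLE_DEFAULT" || true
audit_settings "$SAMPLE_HARDENED" && echo "OK: hardened sample passes"
```

On a real device the dump has to come from a shell that is allowed to run the settings command (a root shell, or adb shell before USB debugging is turned off).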