Android Privacy Mod - Basic (no root)

In constant WIP.

- Introduction -

- TWRP actions -

Optional : Deleting System Apps
Copy/pasting hosts
Optional : NanoDroid modules
Optional : Custom kernel
Returning to system

- System Actions #2 -

Initial Action - Terminal
Terminal - Captive Portal Management


The no-root section for the PrivMod, for those who don't need / want to have root access.

TWRP actions

If you haven't booted to TWRP yet (by the pre-cleanup phase you should have), boot to TWRP by whatever means are available, whether that's the provided advanced reboot feature or holding down the hardware buttons.

Optional : Deleting system apps

More information regarding this can be found in the System Apps list.

Copy/pasting hosts

You can get my hosts file from here: Git Releases

Alternatively, the hosts can be obtained by copy-pasting from a PrivModded PDA.

Actions for the already PrivModded PDA (if you have one):

Actions for the PDA about to be PrivModded:

Optional : NanoDroid

Flash the NanoDroid module zip(s) of your choice (microG / F-Droid / Bromite) in TWRP. Keep in mind that NanoDroid modules can't be flashed in TWRP without rw access.

Don't flash the F-Droid and/or microG modules if you're using Lineage-microG, OmniROM microG, or /e/, since they come prebuilt (the last one doesn't have F-Droid).

Optional : Custom kernel

Flash your custom kernel zip in TWRP.

Custom kernels don't really grant any privacy boons, but might enhance performance and/or battery life. However, some custom kernels may also replace the default DNS with another provider's (such as Cloudflare), so watch out for that.

Returning to system

Wipe Dalvik (on A-only devices, wipe Dalvik & Cache), & select Reboot System.

System Actions #2

Now that we're back in system, our first action is to enable USB debugging: go to Settings > System > Developer options & tap on Android debugging to enable it. If you have microG installed via NanoDroid, go to the microG section & set up microG.

If you haven't enabled Developer options yet, go to Settings > About phone & tap on the Build number until a toast about development settings appears.

Initial action - Terminal

Connect the PDA to your PC, & open a terminal / PowerShell on the PC (for PowerShell, navigate to the folder with the adb/fastboot binaries, hold Shift & right click, then choose Open PowerShell window here). Then, type adb devices & press Enter, which should prompt your PDA to accept USB debugging requests - accept it. Afterwards, your PC should recognize your PDA as an ADB device in the terminal / PowerShell.

Terminal - Captive Portal Management

Gain adb shell access in the terminal / PowerShell. Afterwards, you have 2 choices: change the captive portal check to a more trustworthy captive portal provider, or disable captive portal detection altogether.

For those who'd like to keep using captive portal detection, first read the captive portal provider list for more information. Then, use these commands:

  1. settings put global captive_portal_http_url "(your preferred captive portal provider's HTTP URL)"
  2. settings put global captive_portal_https_url "(your preferred captive portal provider's HTTPS URL)"
  3. settings put global captive_portal_fallback_url "(your preferred captive portal provider's fallback URL, or their HTTP/HTTPS URL)"
  4. settings put global captive_portal_other_fallback_urls "(your preferred captive portal provider's other fallback URL, or their HTTP/HTTPS URL)"
  5. reboot

However, if you're confident that you won't use any Wi-Fi / mobile connections with a captive portal, or you refuse to use external services for internet connectivity checking, here are the commands:

  1. pm disable
  2. settings put global captive_portal_detection_enabled 0
  3. settings put global captive_portal_server localhost
  4. settings put global captive_portal_mode 0
  5. reboot

In short, here's what we're doing:

  1. Use the adb devices command to have the PC recognize the adb device
  2. Gain adb shell access in terminal / PowerShell
  3. Change the captive portal provider / disable captive portal detection altogether
  4. Reboot from terminal / PowerShell to apply the settings

If you're using an alternative captive portal & you would like to verify that the settings have been applied, here's how:

  1. Gain su in terminal, as it's necessary to call service settings
  2. settings get global captive_portal_http_url (or, replace http_url with either https_url, fallback_url, or other_fallback_urls; depending on which one you'd like to check)
  3. Exit terminal app, no need to reboot here
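
To check every captive portal key in one pass from the PC instead of one settings get call per key, here is an added example that is not part of the original guide. It parses the key=value output of settings list global and covers both the alternative-provider and the disabled case. The function name audit_captive_portal, the hosts portal.example.org / other.example.net and the sample settings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): audit captive-portal keys in the output
# of "settings list global". Function name and sample data are assumptions.

# audit_captive_portal MODE [HOST] -- reads key=value lines on stdin.
#   alt: every captive-portal URL key must point at HOST
#   off: keys must hold the values set by the "disable" commands above
# Prints one line per finding; returns 1 if anything is wrong.
audit_captive_portal() {
    mode=$1 host=$2 rc=0
    input=$(tr -d '\r')          # adb shell output can carry CRLF line endings
    get() { printf '%s\n' "$input" | sed -n "s/^$1=//p" | head -n 1; }
    if [ "$mode" = alt ]; then
        for key in captive_portal_http_url captive_portal_https_url \
                   captive_portal_fallback_url captive_portal_other_fallback_urls; do
            val=$(get "$key")
            if [ -z "$val" ] || [ "$val" = null ]; then
                echo "UNSET $key"; rc=1; continue
            fi
            # other_fallback_urls may list several comma-separated URLs
            for url in $(printf '%s' "$val" | tr ',' ' '); do
                h=${url#*://}; h=${h%%/*}; h=${h%%:*}   # strip scheme, path, port
                [ "$h" = "$host" ] || { echo "MISMATCH $key -> $h"; rc=1; }
            done
        done
    else
        for pair in captive_portal_detection_enabled=0 \
                    captive_portal_server=localhost captive_portal_mode=0; do
            key=${pair%%=*}; want=${pair#*=}; val=$(get "$key")
            [ "$val" = "$want" ] || { echo "MISMATCH $key = ${val:-unset} (want $want)"; rc=1; }
        done
    fi
    return $rc
}

# Constructed sample input; on a real device pipe in: adb shell settings list global
SAMPLE_SETTINGS='captive_portal_http_url=http://portal.example.org/generate_204
captive_portal_https_url=https://portal.example.org/generate_204
captive_portal_fallback_url=http://portal.example.org/generate_204
captive_portal_other_fallback_urls=http://portal.example.org/gen_204,http://other.example.net/gen_204
captive_portal_mode=1
wifi_on=1'

# Demo: flags the second fallback URL, which still points at a different host.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_captive_portal alt portal.example.org || true
```

A leftover entry in captive_portal_other_fallback_urls is easy to miss when checking keys one at a time, which is why the example splits that value on commas and checks each URL's host.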

Finished... mostly

For now, we're done in setting up our device to not trigger unwanted connections (and trigger only the ones that are wanted & necessary).

For the cleanups, head over to the clean-up section of the basic privacy hardening guide.
