Android Privacy Mod - Basic (no root)

Last updated : 16/4/2022

- Introduction -

- TWRP actions -

Optional : Deleting System Apps
Copy/pasting hosts
Optional : NanoDroid modules
Optional : Custom kernel
Returning to system

- System Actions #2 -

Initial Action - Terminal
Terminal - Captive Portal Management
Terminal - NTP
Terminal - nutshell

Introduction

The no-root section for the PrivMod, for those who don't need / want to have root access (but still rely on TWRP).

TWRP actions

If you haven't booted to TWRP yet (by the pre-cleanup phase you should be), boot to TWRP via whatever means available, whether it's using the provided advanced reboot feature, or by holding down some buttons.

Optional : Deleting system apps

More information regarding this can be found in the System Apps list.

Copy/pasting hosts

You can get my hosts from the Git Releases. Alternatively, you may also use hosts copy/pasted from a PrivModded PDA, or your own customized hosts file.

Actions for the already PrivModded PDA (if you have one):

Actions for the PDA about to be PrivModded:

Optional : NanoDroid

Flash NanoDroid module zip(s) of your choice (microG / F-Droid) in TWRP. Keep in mind that NanoDroid modules can't be flashed on TWRP without rw access.

Don't flash F-Droid and/or microG module if using Lineage-microG, OmniROM microG, CalyxOS (microG via setup wizard, custom F-droid version prebuilt), DivestOS (prebuilt upstream F-Droid, but no support for microG), & /e/ (the last one doesn't have F-Droid) since it's prebuilt.

Optional : Custom kernel

Flash your custom kernel zip in TWRP.

Custom kernels don't really grant any privacy boons, but might enhance performance and/or battery life. However, some custom kernels may also replace the default DNS with other provider (such as CloudFlare), so watch out for that.

Returning to system

Wipe Dalvik (on A-only devices, wipe Dalvik & Cache), & select Reboot System.

System Actions #2

Now that we're back in system, our first actions are to enable USB debugging, by going to Settings > System > Developer options & tapping on Android debugging to enable it. If you have microG installed via NanoDroid, go to the microG section & set-up microG.

If you haven't enabled Developer options yet, go to Settings > About phone & tap on the Build number until a toast saying development settings are enabled.

Initial action - Terminal

Plug the PDA to your PC, & open terminal / powershell / commandprompt in the PC (for powershell / commandprompt, navigate to the folder with adb/fastboot binaries, press Shift & right click, & Open PowerShell window here). Then, type adb devices & press Enter, which should prompt your PDA to accept USB debugging requests - accept it. Afterwards, your PC should recognize your PDA as an ADB device in the terminal / powershell.

Terminal - Captive Portal Management

Gain adb shell access in the terminal / powershell. Afterwards, you have 2 choices: to change the captive portal to a more trustworthy captive portal provider, or to disable them altogether.

For those who'd like to use captive portal, first read the captive portal provider list for more information. Then, use these commands:

  1. settings put global captive_portal_http_url "(your preferred captive portal provider's HTTP URL)"
  2. settings put global captive_portal_https_url "(your preferred captive portal provider's HTTPS URL)"
  3. settings put global captive_portal_fallback_url "(your preferred captive portal provider's fallback URL, or their HTTP/HTTPS URL)"
  4. settings put global captive_portal_other_fallback_urls "(your preferred captive portal provider's other fallback URL, or their HTTP/HTTPS URL)"
  5. reboot

However, if you're confident that you won't use any Wi-Fi / mobile connections with captive portal, or refuse to use external services for internet connectivity checking, here are the commands:

  1. pm disable com.android.captiveportallogin
  2. settings put global captive_portal_detection_enabled 0
  3. settings put global captive_portal_server localhost
  4. settings put global captive_portal_mode 0
  5. reboot

If you're using alternative captive portal & you would like to verify that the setting's applied, here's how :

  1. Enter adb shell in terminal / powershell, as it's necessary to call service settings
  2. settings get global captive_portal_http_url (or, replace http_url with either https_url, fallback_url, or other_fallback_urls; depending on which one you'd like to check)
  3. Exit shell with exit command, no reboot necessary

Terminal - NTP

Gain adb shell access in terminal / powershell (preferably while changing captive portal provider). Afterwards, you have 2 choices : change the NTP provider to a more trustworthy one, or disable it.

It is recommended to do this before typing in reboot in terminal / powershell, if only to streamline the work done.

Terminal - nutshell

In short, here's what we're doing:

  1. Plug PDA to PC
  2. Use adb devices command to recognize adb device
  3. Gain adb shell access in terminal / powershell
  4. Change captive portal provider / disable them altogether
  5. Change / disable network time servers
  6. Reboot from terminal / powershell to apply the settings
  7. (Optional) Check that the settings is applied via ADB shell
  8. Unplug PDA to PC once any and all USB debugging business is done

Finished... mostly

For now, we're done in setting up our device to not trigger unwanted connections (and trigger only the ones that are wanted & necessary).

For the cleanups, head over to the clean-up section of the basic privacy hardening guide.

Back to top

Android Privacy Hardening - Basic

Main Page