Privacy Tips for the OnePlus 7 Pro


Do you have concerns about your privacy when you go online?

  1. Yes, Very Much So

    31 vote(s)
    51.7%
  2. Yes Somewhat

    18 vote(s)
    30.0%
  3. I'm Neutral About it

    5 vote(s)
    8.3%
  4. Not at All

    4 vote(s)
    6.7%
  5. What's a Privacy?

    2 vote(s)
    3.3%
  1. Texasaggie1
    US Brand Ambassador Sep 11, 2019

    Hey what's up y'all!?! I'm Randy and I'm a Brand Ambassador from Texas. Today I am going to talk about the OnePlus 7 Pro and some tips you can implement to optimize your own privacy on the device. I would love to hear the things you do to increase privacy while using your phone so share your ideas and let's keep this conversation interactive.

    The reality is we can never really be 100% private when online but let's get that percentage as high as we can. Here are some things I do. Some might be pretty obvious so let's get started.

    Tip #1
    Use DuckDuckGo (DDG) - No matter which device I'm on, one of the first things I do is switch my default search from Google to DuckDuckGo. DuckDuckGo is a great alternative to Google and they do not store any information about you. They craft their ads based on the search you just made. I read about it in an interview with the CEO of DuckDuckGo where he basically said they are making money not knowing anything about you and just basing ads on your search. :) Who would have thought that just basing ads off search alone would be very profitable and that a company doesn't need to know every little thing about you to make money off of you? I'm being a little facetious here but you get my point.

    Tip #2
    Use a VPN while browsing - my favorite browser is Opera. I talked about it in the Favorite Browsers post I did with John ( @jayanyway ). One of my favorite features of Opera is the free built-in VPN you can use while browsing. A VPN is a private connection to a server that hides your IP address. Opera allows you to use it 100% of the time while browsing or it can bypass the VPN when you are searching. That feature works great with DDG. The downside of this VPN is it only anonymizes the browsing traffic from your device, not the traffic from your other apps. My next tip covers that.

    Tip #3
    Use a Full Device VPN, especially when on public WiFi - public Wi-Fi networks aren't always the safest place to be when you are online. You can mitigate some of this risk by using a VPN for all of the connections on your device. For this, I use Private Internet Access (PIA). I was able to purchase 3 years for about $75. The speeds are pretty good and I don't notice a huge battery drain on my device. Do you use a VPN on your phone? Which one is your favorite?

    Tip #4
    Use the Private DNS feature on the OnePlus 7 Pro - Android 9 & 10 support a feature called "Private DNS" which lets you set the DNS provider for your phone. DNS is the service that converts all of your traffic requests such as "yahoo.com" to a specific address the internet computers can understand. Normally DNS is provided by your ISP (mobile or wifi) and therefore your ISP sees all of your traffic. This feature lets you change that. Cloudflare has a very helpful blogpost on how to implement it. Some corporate firewalls block the port needed for this so if you can't get it at work reach out to your IT department. Most likely they will LOVE how you are thinking about privacy and would be thrilled to open the port needed to make it happen for you. Here it is on my phone:

    [​IMG]

    [​IMG]
    Note: Private DNS doesn't always work well with a full device VPN. So play around with it and see if it works with yours. It does work well with the Opera VPN though.

    Tip #5
    Consider using alternatives to some Google Apps - We all have a "love / hate" relationship with Google. They have brought so many great things to tech - Gmail, Google search, Chrome, Android. All of these products are some of the best products available in my opinion. But pretty much everything you do, they record. It's anonymous, so people don't see your data, but AI does which is kind of like a person always looking over your shoulder. Most of us are ok with that. It's good to be aware though and push back when we can. Consider these alternatives:
    *Chromium based browsers like Opera instead of Chrome
    *A paid email service instead of Gmail
    *Swiftkey keyboard instead of Gboard
    *DuckDuckGo instead of Google Search (see tip #1)

    Tip #6
    Disable Facebook apps (Facebook, messenger, etc) when not in use - I'm not comfortable leaving Facebook "on" all of the time. It's kind of a battery hog too. There is a way you can disable Facebook when you aren't using it, and just about any other app you have installed! You can do this using the Island App. The island app is a neat little program that takes advantage of the Android feature called "Android for Work." Basically you install the app and then you go into the settings and enable/create "island mode." It creates a separate "work" profile. You even get a work profile app store. You can install any app you want in this separate profile. Then when you are not using the apps in your work profile you can turn the entire profile off temporarily. Every app in work mode is then frozen until you turn it back on. The OnePlus launcher even has built-in support for a work profile. Check this out:

    [​IMG]

    That's my launcher btw. Once you enable the Work Profile, you can add a tile in the notification shade to toggle all of your work apps:

    [​IMG]

    Give it a try and let me know what you think!

    Thanks for sticking with this post all of the way to the end. Those are the ideas I have. Leave your ideas to optimize privacy in the comments below!

    Randy
    #NeverSettle
     

    #1
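
As an added example (not part of the original post, and not OnePlus or Android project code): the Private DNS setting from Tip #4 can be audited and set from a PC over adb. It assumes adb with USB debugging enabled and the standard Android 9+ settings keys `private_dns_mode` and `private_dns_specifier`; `dns.example.net` is a placeholder for your provider's hostname.

```shell
#!/bin/sh
# Added example, not from the thread: audit and set Android "Private DNS"
# (DNS over TLS, TCP port 853) from a PC.
# Assumes adb is on PATH and exactly one device with USB debugging is attached.
# Usage: sh private_dns.sh --status

# Read one key from the global settings table; strip the CR some adb builds add.
get_global() {
    adb shell settings get global "$1" | tr -d '\r'
}

# Accept only a DNS hostname. Private DNS needs a name, not an IP literal,
# because the resolver's TLS certificate is validated against that name.
# The strict character set also matters because "adb shell" re-parses its
# arguments in the device shell, so metacharacters must never get through.
valid_dot_hostname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;  # empty or unexpected characters
        *[!0-9.]*) ;;                     # has a non-digit: not an IPv4 literal
        *) return 1 ;;                    # digits and dots only
    esac
    case "$1" in
        *.*) return 0 ;;                  # require at least one dot
        *) return 1 ;;
    esac
}

# Print a one-line verdict for the attached device:
#   STRICT <host>   lookups go only over TLS to <host>; if port 853 is blocked,
#                   name resolution fails instead of leaking in cleartext
#   OPPORTUNISTIC   TLS is used only if the network's own resolver offers it,
#                   otherwise lookups silently fall back to cleartext DNS
#   OFF             cleartext DNS to whatever resolver the network hands out
#   UNSET           key never written; the device default applies
#   MISCONFIGURED   strict mode selected but no usable provider hostname
private_dns_status() {
    mode=$(get_global private_dns_mode)
    host=$(get_global private_dns_specifier)
    case "$mode" in
        hostname)
            if valid_dot_hostname "$host"; then
                echo "STRICT $host"
            else
                echo "MISCONFIGURED"
            fi ;;
        opportunistic) echo "OPPORTUNISTIC" ;;
        off)           echo "OFF" ;;
        null|"")       echo "UNSET" ;;
        *)             echo "UNKNOWN $mode" ;;
    esac
}

# Switch the device to strict mode with the given provider hostname.
# The hostname is written first so the device never sits in "hostname"
# mode with an empty specifier.
private_dns_set_strict() {
    valid_dot_hostname "$1" || return 1
    adb shell settings put global private_dns_specifier "$1" &&
    adb shell settings put global private_dns_mode hostname
}

# Only talk to a device when asked to, so the file can also be sourced.
if [ "${1:-}" = "--status" ]; then
    private_dns_status
fi
```

After sourcing the file, `private_dns_set_strict dns.example.net` (with your provider's real hostname) switches the phone to strict mode. A `STRICT` verdict combined with failing lookups on one network is the signature of the blocked-port situation the tip mentions.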
  2. hennes
    Lollipop Sep 14, 2019 at 3:33 AM

    Stickied Post
    Sorry for answering so late, but I was in the hospital for 2 days, but thanks @luxuskamel for tagging me.

    I don't know if my comments here interest anyone at all but when it comes to ensuring privacy then it's not enough to exchange a few apps. You can either have privacy or you can't. One, we change our surf behavior a little, or we change a few apps, or we change a few parameters in the network interface, just don't prevent data from being extracted, stored and processed. Because if you close one place, there are enough other places where data is extracted. Data protection, or rather data economy, always means that it is hard work, and often also that you have to change what you are used to.

    So if you want to talk about privacy and data economy, if that really should be the case here, then the following points are a small part of what you should do.

    Basically, everything depends on the fact that I'm an advocate of central data structures and data silos that I do not control myself. The Internet is basically decentralized, some offer a Wiki and others an email server and others offer news. Also messenger, social media and pictures and much more is offered individually. But the individual providers are disappearing because the big players unite everything under one roof.

    Let's take Google, it offers everything from operating systems, calendars and data storage, up to services like SUPL, DNS and Co. and also APIs of all color up to tracking, everything, the same applies to Facebook, twitter, microsoft, amazon, apple and so on. Decentrally? No way, sometimes apart from the danger of propaganda, every provider undermines here the danger that he publishes things which are not right and he can move the opinion in different directions. Everyone collects an infinite amount of data about their users, and often the user doesn't even notice that data is being collected. Below I will write a small article about what you can do, when and where, to stop it a little and to save data. My remarks only scratch the surface, but it offers enough tools to move data sparingly through the net.

    But I'm warning you, a lot can't be done with Oxygen OS, because OnePlus has changed so much on the android system that it just doesn't work, so the most refers to Lineage OS. Furthermore I warn you, it is not a short text, so if you are really interested, you should take some time.

    Otherwise I wish you a lot of fun, and I say it again, this text doesn't claim to be complete and correct, so if you find errors or have more information, please correct it.

    1. Operating system
    If you really want to talk about privacy, then you should pay attention to the following things to really leave as few traces as possible, and that starts with the selected operating system, preferably Lineage would be to mention here, on the one hand because there are very good supports for OnePlus devices, but also because OnePlus has actually once started with the predecessor CyanogenMod on the OnePlus One. But also because rooting the device and or install another ROM does not affect the warranty. But also Oxygen OS can be made more privacy friendly under certain circumstances.

    1.1 Lineage OS
    https://lineageos.org/
    As operating system you can use Lineage without google apps.

    1.2. Oxygen OS
    You can also use Oxygen OS but you should uninstall the google apps, that means all google apps. You also have to delete facebook, twitter, and so on. How to do it I show here (you don't need root to uninstall system apps):

    1.2.1 Required tools

    1.2.1.1 Installing Android Platform Tools
    Linux download: https://dl.google.com/android/repository/platform-tools-latest-linux.zip
    Windows download: https://dl.google.com/android/repository/platform-tools-latest-windows.zip
    Mac download: https://dl.google.com/android/repository/platform-tools-latest-darwin.zip

    1.2.1.2 Unlock Developer Options
    Go to the settings -> About the phone -> click 9 times on build number

    1.2.1.3 Enable USB Debugging
    To do this, go to Settings, after you've done with 1.2.1.2, you'll find a new menu item called Developer Options, which you select, and then enable USB debugging there.

    1.2.1.4 Connecting the Smartphone to the PC via a cable

    1.2.2 Implementation
    With the unpacked platform tools and the program adb you can uninstall the programs.
    Here is a small list of commands showing how to use it:

    The following command will show you all installed packages of your smartphone:
    Code:
    adb shell pm list packages
    
    With this command you can uninstall a package
    Code:
    adb shell pm uninstall --user 0 package.name
    
    package.name should be replaced with the package name you want to uninstall.

    For example, if you want to remove the calendar from google, it will look like this:
    Code:
    adb shell pm uninstall --user 0 com.google.android.calendar
    
    Of course you should already know which packages to uninstall and which not,
    so if you're interested, I'd be happy to pass it on.

    1.3 Other operating systems
    Yes there are also other operating systems, but the following require either very special hardware, and even a completely different know-how, because even there you have to make settings to be data economical. Therefore only a small list of what is still offered, but without evaluation.

    1.3.1 Sailfish OS
    https://sailfishos.org/
    https://sailfishos.org/wiki/SailfishOS_Source

    1.3.2 Ubuntu Touch
    https://ubuntu-touch.io/de_DE/#
    For a OnePlus One device you can have a look here:
    devices.ubuntu-touch.io/device/bacon
    and I tested it years ago:
    https://forums.oneplus.com/threads/testing-ubuntu-touch.431394/#post-14609608

    1.4 Other devices

    1.4.1 Purism/Librem

    1.4.2 PureOS
    https://puri.sm/

    2. Google Account
    Of course, removing all google apps also removes the need to create a google account, but as I will show below, this is not needed at all.

    3. Cloud and Sync
    In order not to deliver further data to google and other providers, you should avoid clouds. For this you can simply set up your own local cloud, there is enough software for it, some of which requires only a small Raspberry Pi (https://www.raspberrypi.org/), e.g. Nextcloud (https://nextcloud.com/)
    Installation NextCloud on Raspberry Pi: https://raspberrytips.com/install-nextcloud-raspberry-pi/

    3.1 Cloud Services

    3.1.1 Navigation
    OpenStreetMap
    See more at point 6.4.1

    3.1.2 eMail
    mailbox.org -> https://mailbox.org/de/
    Posteo -> https://posteo.de/de
    dismail.de -> https://dismail.de/
    disroot.org -> https://disroot.org/en

    All services offer DANE, SPF, DKIM and Cipher-Suite (TLS)

    4. How to get apps
    Of course the google appstore is no longer supported if you uninstall it or if you don't have any google apps or google accounts at all. But also here there is a lot of help, especially apps that don't contain tracking (see 4.1). The preferred App Store would be F-Droid https://f-droid.org/

    4.1 Tracking
    Tracking in apps is becoming more and more popular, it is almost impossible to find a single app that doesn't have a tracker. There are apps that come with 40 or more trackers, where data is sent to the tracker platforms directly after the call, this starts with the operating system and the manufacturer being transmitted, and does not end with a unique ID and other sensitive data.
    Therefore it is recommended to get only apps from the F-Droid Store, because these apps do not contain trackers. Who wants to look around which trackers there are in which app, can do this here:
    https://reports.exodus-privacy.eu.org/en/
    https://search.appcensus.io/
    In the near future, an even more accurate service will be set up, with analyses and sent data, where you can also participate and help as a programmer:
    https://www.app-check.org/
    If you go to Exodus, you find here:
    https://reports.exodus-privacy.eu.org/en/reports/79102/
    Apps that have more than 40 trackers, everyone can see for themselves which companies are behind them just click on the tracker and read.

    4.1.2 Example of Swift-Key and Tracking
    Exodus says about Swift-Key:
    https://reports.exodus-privacy.eu.org/en/reports/58578/
    that this app contains 3 trackers that send data to Adjust (Adjust), google (Google Analytics), and Microsoft/Bit Stadium (HockeyApp).

    After starting the app and without further interaction the Swiftkey server will be contacted to update the language packs.
    Code:
    GET /swiftkey/sksdk-3.0/sk-7.3.3/market/languagePacksSSL.json HTTP/1.1
    Host: jenson.api.swiftkey.com
    
    Cloudfront is then used for reloading the language packs
    Code:
    GET /FZE2wgDA...JJOEIM HTTP/1.1
    Host: d4kkhvu20wq9i.cloudfront.net
    
    Furthermore, a configuration file is loaded from OneDrive (Microsoft).
    Code:
    GET /mobile/ts_configuration.jwt HTTP/1.1
    Host: oneclient.sfx.ms
    
    Last but not least a connection to Hockey (Microsoft) will be established.
    Code:
    POST /v2/track HTTP/1.1
    Host: gate.hockeyapp.net
    <Encrypted stuff>
    
    In addition, of course, every request is sent with a user agent:
    Code:
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 8; OnePlus 3 Build/3.18.66)
    
    The app registers with the Android Cloud-to-Device Messaging service (C2DM) to receive push messages and the like. Among other things, the app transmits the following information to Google servers
    Code:
    App version number: 7.3.3.12
    App package name: com.touchtype.swiftkey
    GCM version: 17785039
    
    So before you even interact with the app, a lot of data, from your IP, to your operating system and unique IDs, is sent to third parties.

    I didn't come up with the idea, but I tried it myself, the actual idea comes from here (Attention German page):
    https://www.kuketz-blog.de/swiftkey-blackbox-mit-dauerhaftem-tracking/
    By the way, this page is worth reading anyway, because it deals almost exclusively with data protection and IT security.

    4.2 Apps from the google Play Store
    If you absolutely still need apps that you can't find in F-Droid Store, you can get them with:

    Yalp Store -> https://f-droid.org/en/packages/com.github.yeriomin.yalpstore/

    or with

    Aurora Store -> https://f-droid.org/en/packages/com.aurora.store

    These apps download other apps from the Play Store, without the need for a Google account.

    5. Browser
    Yes, even the browser is not always data protection friendly, because it constantly sends data to everything and everyone and the corresponding pages also query the data of a system. Who wants to know more, which traces and data he leaves, can have a look around here:
    https://amiunique.org/fp
    and who wants to have it detailed also
    http://uniquemachine.org/
    A nice PDF to Browser Fingerprint can be read here
    https://securehomes.esat.kuleuven.be/~gacar/sticky/the_web_never_forgets.pdf
    and canvas fingerprint is explained here:
    https://browserleaks.com/canvas#how-does-it-work

    Fact is, with the browser you leave an infinite amount of data that can be collected.
    But this also includes the social media buttons from Facebook, Twitter and co. Not that website operators use data protection friendly techniques like heise's (Attention: German page):

    https://www.heise.de/newsticker/mel...iche-Social-Media-Buttons-weiter-2466687.html

    In addition, you should use add-ons if possible. So if you use Firefox, the following add-ons wouldn't be bad:
    uBlock Origin, uMatrix, CanvasBlocker, Decentraleyes, First Party Isolation, Neat URL, Skip Redirect, Smart Referer to name just a few that are essential. See point 5.1 for more information about tracking in Websites.

    5.1 Tracking in Websites
    Yes, tracking is also used in websites, uMatrix (https://addons.mozilla.org/de/firefox/addon/umatrix/) always shows you exactly which external third parties are involved, which access data every time you call them.
    Especially social media buttons are a nuisance, because in addition to a possible app they also track on an infinite number of user pages. A blog once examined how many German newspapers have installed the facebook button and found out that on three quarters of these pages the user is tracked by facebook (Attention German page):
    https://rufposten.de/blog/2019/06/03/facebook-tracker-auf-deutschen-medienseiten/

    5.2 Another Browser

    However, many people use a different browser that uses Tor to access websites, such as Orfox and of course the Tor client Orbot.
    More information OrFox: https://guardianproject.info/fdroid/
    More information Orbot: https://guardianproject.info/archive/orweb/
    In this situation I recommend using Tor Browser.
    https://blog.torproject.org/orfox-paved-way-tor-browser-android

    5.3 Search engine
    Yes, also the search engine is a point which should be mentioned. "Google it" is already a standard quotation, however google saves your search words and all they can get e.g. IP address, screen dimension etc., (see also point 5 e.g. http://uniquemachine.org/ to see what all can be collected) but there are enough alternatives, you have to try it, and please don't stop using it after an hour or a day. It is important to know that they don't store any data. Here are some search engines:

    Metager -> https://metager.de/
    This service can also be accessed from the Tor network via a hidden service.
    https://metager.de/tor

    another search engine is

    Qwant -> https://www.qwant.com/
    which also offers a Javascript free version
    https://lite.qwant.com/

    Last but not least, there is

    Startpage -> https://www.startpage.com/

    Your search words will be anonymously submitted as a request to google, which returns non-personalized results.

    Lots of you know the search engine DuckDuckGo, but, why should you trust DuckDuckGo? If you value trust, why should you entrust your data to a search engine subject to the Patriot Act?

    6. Services
    Yes, we have to talk about it, no matter if messenger, cloud or social media, all big providers are out to collect and use your data, not only facebook, google calendar or twitter, it goes so far that all central networks do exactly that, they collect data. But they don't collect them because they want to do something good for you, they collect them mainly because they don't want to offer this "free" service for free, but have to earn money, and what better way to earn money if you use the data for advertising purposes. No, also google does not sell your data per se to anyone, no, they collect it for themselves to tell others which advertising to deliver at what time. The logic does not necessarily take place with the advertiser but with google itself, they would be stupid if they would sell your data, because then the buyer could also act without google.
    Ok, let's start with some services that should be exchanged:

    6.1 WhatsApp
    Yes, everyone always says that this is not possible because all my acquaintances and "friends" are at WhatsApp. But, I counter that, and everyone should remember the word friend and think about what it is to a friend who does not accept to install another messenger to stay in touch with you, a friend. Personally, I am of the opinion that I can do without such friends.
    Ok, long story short, there are enough privacy friendly and also decentralized messengers, especially Conversations:

    https://conversations.im/
    https://f-droid.org/en/packages/eu.siacs.conversations/

    or/and Matrix

    https://matrix.org/
    https://f-droid.org/packages/im.vector.alpha/

    If you wanted to rate other messengers, you'd get something like that:

    Briar -> https://f-droid.org/de/packages/org.briarproject.briar.android/
    Open source, decentralized, only suitable for text messages, only for Android

    Delta Chat -> https://f-droid.org/de/packages/com.b44t.messenger/
    Open source, decentralized, only for Android

    Telegram -> https://f-droid.org/de/packages/org.telegram.messenger/
    Client: Open source, Server: proprietary, not decentralized

    Threema
    Client and server not open source, not decentralized

    KakaoTalk
    Includes 16 trackers
    https://reports.exodus-privacy.eu.org/en/reports/38224/
    Client and server not open source, not decentralized

    Jami:
    https://f-droid.org/de/packages/cx.ring/
    Open Source, decentralized, group chats are not possible

    Signal:
    Open Source, not decentralized.

    Silence -> https://f-droid.org/de/packages/org.smssecure.smssecure
    Open source, decentralized, SMS/MMS service are used thus the telephone number is bound

    TOX
    Open Source, decentralized, group chats are not possible with Android

    WhatsApp
    Client and server proprietary, not decentralized.

    As you can see there are a lot of messengers and much more and they always have their weaknesses here and there when it comes to privacy, the most popular service, WhatsApp, even comes off worst when you see the above and see the other disadvantages like linking the data with facebook and Instagram.

    6.2. Twitter
    For twitter there is also another platform where you can move around in a privacy friendly way, here would be

    Mastodon -> https://mastodon.social/about

    and an Android client worth mentioning:
    Tusky -> https://f-droid.org/en/packages/com.keylesspalace.tusky/

    6.3. Facebook
    Also for facebook, which is really collecting more and more data just like twitter, there is a suitable free data protection-friendly network, it is called

    Diaspora -> https://diasporafoundation.org/

    An Android client would be e.g.

    dandelion -> https://f-droid.org/packages/com.github.dfa.diaspora_android/

    But you have to be careful, because this app uses Android's WebView component.

    6.4. Apps and Co.

    6.4.1 Navigation
    Google maps, well, has never been my case, not only because they collect data, but because I get annoyed by the penetrating fade-in of some crude privacy policy and the annoying Javascript, who ever searches with Javascript turned off for a place gets no result.
    Actually I use

    OsmAnd -> https://f-droid.org/packages/net.osmand.plus/

    because it works offline as well as online, my second choice is actually

    Here WeGo -> https://wego.here.com/

    Annoying that facebook and co as a tracker are in here, but also for that I found a way, or found several ways to turn it off, more about that later. But it is also rarely used, OsmAnd does its services almost everywhere very well. Here WeGo is only a fallback system, which can be used and the data collection keeps itself within limits or is not difficult to turn off. (See Point 12, 13, 14)

    6.4.2 Weather
    Well there are quite a lot of weather apps, there are for sailors and for planes or even for those who just want to know what to wear in the morning. I already worked 10 years ago with openweathermap https://openweathermap.org/ and wrote an app that shows the weather in several countries, of course tracker free, but the API guidelines of OpenWeatherMap have changed so much, that a useful use would have been difficult for the end user. But on the same basis there are several apps that use this service. However I must say that this service, openweathermap, is not open source, and the data is subject to a certain restriction, so trust is appropriate here and in case of doubt maybe you should look out of the window in the morning and develop a feeling for the weather. As the saying goes, there is no bad weather only wrong clothes. ;)
    But the two apps are good, at least they are open source and don't send any more data to third parties.

    Weather Widget-> https://f-droid.org/en/packages/nl.implode.weer/

    and

    Forecast -> https://f-droid.org/en/packages/cz.martykan.forecastie/

    I could now enumerate countless apps that give a better and more privacy friendly impression, e.g.

    K9-Mail -> https://f-droid.org/packages/com.fsck.k9/

    RSS-Reader Feeder -> https://f-droid.org/packages/com.nononsenseapps.feeder/

    Calendar Etar -> https://f-droid.org/packages/ws.xsoh.etar/

    Or my absolute favorite the picture gallery

    Simple Gallery Pro -> https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/

    but I want to leave it at that, in the F-Droid Store (https://f-droid.org) you can all browse yourselves, much more I want to go into other things how you can achieve even more privacy.

    7. Network
    There are several ways to protect your data, even if you have to deal with trackers and advertising banners. As I have already said for the browser, where uMatrix, uBlock Origin etc. can be used to prevent the browser from reloading unwanted things, there are other possibilities you should use.
    Here, for example, is something that I actually install before I even set up a sim card and a wlan, a firewall. I personally use

    AfWall+ -> https://f-droid.org/en/packages/dev.ukanth.ufirewall/

    but this only works if you have root privileges, but

    NetGuard -> https://f-droid.org/en/packages/eu.faircode.netguard/

    doesn't need root privileges and is useful for protecting your privacy.
    XPrivacy should not be missing either.

    7.1 VPN

    7.1.2 Open VPN
    OpenVPN for Android
    https://f-droid.org/packages/de.blinkt.openvpn/

    7.2 Tracking protection


    Blokada -> https://f-droid.org/en/packages/org.blokada.alarm/

    and

    Adaway -> https://f-droid.org/en/packages/org.adaway/

    You can find more information in point 11, 12, 13, 14

    8. Security
    There are so many things you have to watch out for if you want to get some security, it just stands and falls with the trackers, as I have already mentioned several times. What benefit do I have from a password manager if it contains trackers that pass on my data? Nothing, so there is also a lot to consider here, because with the own security of the device the own data sovereignty stands or falls.

    8.1 Password manager
    KeePass DX -> https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
    Should actually be self-explanatory, PINs passwords and Co. we have plenty, a proper administration with sufficiently good protection should be mandatory to prevent identity theft. Good passwords and good pins are essential to keep your data safe. (See also point 11.10)

    8.2. OpenPGP
    OpenKeychain -> https://f-droid.org/en/packages/org.sufficientlysecure.keychain/
    It is an encryption app that is also used by K9-Mail to send encrypted emails or by Conversations to send encrypted messages.

    8.3. Brute-Force-Protection
    Wrong PIN Shutdown -> https://f-droid.org/packages/org.nuntius35.wrongpinshutdown/
    Yes also brute force attacks can occur, especially Android has its problems here, because I can enter the PIN as often as I want, of course there is a time delay, but only for 30 seconds. WrongPINShutdown goes much further, it restarts the device and after x entries it reboots, you have 50 attempts, a message appears that after the next 9 unsuccessful attempts the data on the system will be deleted.

    9. Root
    Yes, we have to talk again about why root rights are always acknowledged with the statement that it would be too insecure. It's true, however, that when dealing responsibly, the opposite happens. With Magisk, AddonSU you are asked much more if you let an app execute the su command (substitute user) or not. So apps don't just have root rights just because the smartphone is rooted. Furthermore there are other stumbling blocks, like google SafetyNet service which was made to recognize root to warn the app provider. Netflix, Snapchat, Banking-Apps and Co. refuse their service if the SafetyNet-Check fails.
    But AddonSU creates some files "/system/bin/su" or "/system/xbin/su", so the SafetyNet-Check hits and the apps that query them then refuse their service. And that's where Magisk comes in. It provides a system root, SafetyNet passes, and Magisk-Hide can hide root access from apps, and it also provides extensions to import host files from AdAway even though dm-verity is active.

    So if you prefer to get your apps from the F-Droid Store like I do, you can use AddonSU because it offers little code and therefore little attack surface. To e.g. get the Hosts file from an AdBlocker you just have to disable dm-verity, here I show you how:

    Code:
    adb root
    adb disable-verity
    ...
    adb reboot
    adb root
    adb shell
    mount -o remount,rw /
    mount -o remount,rw /vendor
    
    To reactivate it, the following must be entered:

    Code:
    adb root
    adb enable-verity
    
    If you prefer to use Magisk because you get apps from the Playstore and want to use banking apps, you should use Magisk.
    I'm not going to give any instructions on how to install Magisk here, but there are countless pages on the net. It's just about which program you need to recover data economically and the control over your data.

    10. Sandboxing
    Shelter -> https://f-droid.org/en/packages/net.typeblog.shelter/
    With Shelter you can separate private data from business content or apps. The work profile is a specially isolated area, in which data-hungry apps can be stored. In addition to the normal environment in which all apps are normally located, Shelter creates another workspace that is logically separated from the other workspace. From this bunker, apps cannot access data that is located in the normal environment - but they can access all data from apps that are also located or locked in the shelter.
    For example, you could lock WhatsApp in the bunker and the app could not access the normal contacts but only the contacts that are also stored in the bunker. But also apps that start background processes can be frozen, you could theoretically install the same app twice on the same device.


    11. Sensors, modems and others
    Ok, everything we had so far is quite easy to understand, and everyone can actually change it by themselves.
    From now on it goes a bit deeper into the system and some things will surely surprise one or the other.
    Again and again, of course, common sense is needed. Those who leave their GPS switched on, although they don't need it, collect data that can also be sent if necessary. There are enough apps that collect GPS data and create whole motion profiles. To counteract this you have to pay attention to some things:

    11.1 Location options
    You also have to be careful about locating possibilities,
    WLAN and GPS as well as NFC and Bluetooth are used to perform tracking. Whenever possible, you should therefore switch off these chips, firstly because it prevents tracking, and secondly because it saves power, which is not necessarily a bad disadvantage. That's also the reason why I like the Librem 5 device (https://puri.sm/products/librem-5/) from Purism, which I mentioned in 1.4.1, because it has hardware switches to make the chips like the modem and GPS completely powerless.

    11.1.1 Activate only on demand
    So the first thing is to activate GPS only on demand.

    11.2 Disabling WLAN and Bluetooth
    Switching off in the status bar does not mean that no WLANs and Bluetooth beacons are collected; Android of course continues to collect this information. Only after switching off both functions in the
    Settings -> Location -> Hamburger Menu -> Search
    you can disable "WLAN search" and "Bluetooth search".

    11.3 Disabling WLAN Tracking
    More and more often we can notice that shops and cities count and recognize passers-by with a WLAN tracker, because by querying the WLAN interface the unique MAC address of the device is usually sent. If it is stored by the trackers, and you pass another WLAN tracker, they can create a motion profile, calculate times between the two points and generally recognize a person if he or she reappears at another time. This is quite controversial from a privacy point of view, because when we talk about Europe and the GDPR (DSGVO), the user has to be informed and in addition the user, as the person to be tracked, has to agree to the data being stored.
    Therefore you should deactivate the WLAN interface when you leave the house, but if you like to forget this or if it is too complicated for you, you can use tools like

    WiFi Automatic -> https://f-droid.org/en/packages/de.j4velin.wifiAutoOff/

    or

    WiFi-Manager -> https://f-droid.org/de/packages/org.secuso.privacyfriendlywifimanager/

    Lineage also offers its own solution. They all have one thing in common: they switch off the WLAN if you leave your WLAN or predefined WLAN. One disadvantage should not be forgotten, though: when you arrive at home, you have to switch on the WLAN again, otherwise the mobile data will be used.

    11.4 Deactivating AGPS
    Another point is AGPS (Assisted GPS): Android contacts the Google server (supl.google.com) to get data from SUPL (Secure User Plane Location). This means that Google also collects data here, because in this case the IMEI number of the device is also transmitted. The combination of the IMSI number with the radio cell ID enables Google or other SUPL server operators to uniquely identify a user as soon as the smartphone locates or limits the location via a SUPL request.
    The definition of the SUPL servers is either defined in the file
    /etc/system/gps.conf
    or
    /vendor/etc/gps.conf
    But it can also happen, e.g. with Oxygen OS, that these are commented out, if so, then a fallback to the google SUPL server is used. The required lines concern the SUPL data:

    Code:
    SUPL_HOST=supl.host.com or IP
    SUPL_PORT=7275 <or another>
    
    The question is whether you really need AGPS or do not use this feature to be data efficient.
    Of course there are other SUPL servers as well:

    supl.vodafone.com -> Germany, Hosting: Vodafone
    supl.sonyericsson.com -> Ireland, Hosting: Amazon
    agpss.orange.fr -> France, Hosting: orange
    supl.qxwz.com -> China, Hosting: unknown
    agps.supl.telstra.com -> Australia, Hosting: telstra

    Important: It doesn't matter if you select "High accuracy", "Energy saving mode", or "Only device" for the GPS determination, an AGPS request is always made. If you want to prevent this, you have to edit the above file and insert or replace the following entries:

    Code:
    SUPL_HOST=localhost
    SUPL_PORT=7275
    
    Only by setting localhost it is prevented that an AGPS request is made online to google servers, because now the request goes directly to the own device and nothing happens, if you have set "Only device" in the options, it takes a bit longer until the position is found, but as long as the IMSI of the device is sent along, although it is not needed at all, this is the only workaround to be data efficient.

    11.5 How to Deactivate a Phone Number Search
    The phone app unfortunately has a built-in search function that not only searches locally for phone numbers but also searches the input online at google, so whoever searches for a name, passes the search to google, this applies to names as well as numbers or what you just enter. This procedure should of course be deactivated or at least changed to data protection friendly services.
    Unfortunately it is not possible to disable this behavior with Oxygen, but if you use lineage, you can change it in the search options.

    11.6 Deactivating the NFC interface
    If you want to do it exactly, you can deactivate NFC if you don't need it, because tracking can also be done here. Each interface has unique parameters and these parameters are stored and evaluated. If the phone is not used for a longer period of time, you should even consider switching on the flight mode.

    11.7 Changing DNS Settings WLAN
    If you are assigned 8.8.8.8 or 8.8.4.4 as DNS server, you can be sure that Google gets the data here as well. However, this can also be switched off with data protection-friendly DNS servers. For this you have to change the DNS server either in your WLAN installations or at the router.

    Here are some data friendly DNS servers:

    digitalcourage -> https://digitalcourage.de/support/zensurfreier-dns-server

    or

    SecureDns -> https://securedns.eu/ both support DNSSEC

    For digitalcourage the unencrypted variant, Port 53, could be reached with the following IP addresses,
    IPv4: 46.182.19.48, IPv6: 2a02:2970:1002::18
    Via DNS over TLS it is host: dns2.digitalcourage.de, Port: 853
    Further information can be found on the corresponding pages.

    11.8 DNS Settings Mobile (Provider) Network

    If you use Android 9 or higher you can simply activate DNS over TLS here:
    Settings -> Network & Internet -> Advanced -> Private DNS
    Select the hostname of the private DNS provider and then enter the address of the servers, see 11.7 for an example.

    You can also enter the settings in AFWall+ with a custom script, but then the requests are not encrypted.

    Code:
    $IPTABLES -t nat -I OUTPUT -o rmnet+ -p tcp --dport 53 -j DNAT --to-destination 85.214.20.141:53
    $IPTABLES -t nat -I OUTPUT -o rmnet+ -p udp --dport 53 -j DNAT --to-destination 85.214.20.141:53
    
    But you can also solve it with a VPN tunnel. Here, for example, a solution of a Raspberry Pi with

    WireGuard -> https://www.wireguard.com/

    is a good choice.
    Advantage: You can also install Pi-hole on the Raspberry Pi, see point 12.
    I actually prefer the last variant, because Pi-hole is important to me, but also because it works really well.
    Ok, my configuration is a little bigger and more mature, but that's because that's my job, too.

    11.9 Captive Portal
    If you have always wondered what the cross on the WLAN connection icon in the status bar means, you should know that this triggers the Captive Portal Check. The Captive Portal Check checks whether your device can actually reach the Internet or whether it is only connected via WLAN. This often happens in WLANs and access points where a portal is presented by having to unlock access to the Internet using an access code, e.g. in a hotel.
    The Captive Portal Check is performed by Android as follows: the device sends a request to the address connectivitycheck.gstatic.com; this address belongs to Google. Such a request transmits the public IP address and information about it, the time of the request and which browser is currently used. The server then acknowledges it with the HTTP response code 204 so that the Android system knows that an Internet connection exists.

    11.9.1 Switching off
    Disabling only works if you have root privileges.
    A local terminal on an Android device is required, e.g.

    Termux -> https://f-droid.org/packages/com.termux/

    should be recommended. Now you have to enter the following in the console:

    Android 7.x
    Code:
    su
    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0
    
    reboot
    
    Android 8.x, 9.x
    Code:
    su
    pm disable com.android.captiveportallogin
    
    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0
    
    reboot
    
    11.9.2 Switching to another server

    Android 7.x
    Code:
    adb shell 'settings put global captive_portal_http_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_https_url "https://captiveportal.<domain>.<tld>"'
    
    Android 8.x and 9.x
    Code:
    adb shell 'settings put global captive_portal_http_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_https_url "https://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.<domain>.<tld>"'
    
    <domain>.<tld> should be changed into a real server address.

    Check if everything was done correctly
    Code:
    adb shell 'settings get global captive_portal_https_url'
    
    11.9.3 Installing your own Captive Check service
    If you have your own server, a small Raspberry Pi and nginx are sufficient.
    In nginx you have to enter the following in the configuration:
    Code:
    server {
      listen  80;
      server_name  captiveportal.<domain>.<tld>;
      root  /var/www/sites/captiveportal.<domain>.<tld>;
    
      access_log off;
      # "error_log off" would log to a file named "off"; discard errors explicitly
      error_log /dev/null crit;
    
      include /etc/nginx/conf/headers.conf;
      add_header Content-Security-Policy "default-src 'none'";
    
      # ACME challenge files are served as plain text from the root directory
      location ^~ /.well-known/acme-challenge {
        default_type text/plain;
      }
      # Close the connection on a request for the bare challenge directory
      location = /.well-known/acme-challenge/ {
        return 444;
      }
      # CAPTIVE PORTAL RESPONSE
      location / {
        return 204;
      }
    }
    
    server {
      # TLS is enabled by the "ssl" parameter of listen; the separate "ssl on;" directive is obsolete
      listen  443 ssl;
      server_name  captiveportal.<domain>.<tld>;
      root  /var/www/sites/captiveportal.<domain>.<tld>;
    
      access_log off;
      # "error_log off" would log to a file named "off"; discard errors explicitly
      error_log /dev/null crit;
    
      include /etc/nginx/conf/headers-ssl.conf;
      add_header Content-Security-Policy "default-src 'none'";
    
      ssl_certificate  /etc/ssl/certs/captiveportal.<domain>_ecdsa.pem;
      ssl_certificate_key  /etc/ssl/private/captiveportal.<domain>_ecdsa.key;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_stapling_file /etc/ssl/certs/captiveportal.<domain>_ocspresponse.der;
    
      # CAPTIVE PORTAL RESPONSE
      location / {
        return 204;
      }
    }
    
    <domain>.<tld> should be changed into a real server address.
    For more information on how to set up an nginx server, please refer to the internet.

    11.9.4 Using AFWall+ Settings/Other Server
    You could release the item "User Feedback, OPSkin, com.qti.service.colorservice, ..." in AFWall+, but that would mean that all other services there would also be allowed to release. But AFWall+ also offers a possibility for a user-defined script; there you enter the following:

    Code:
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp -j ACCEPT
    
    or detailed:

    Code:
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp --dport 443 -j ACCEPT
    
    11.10 Device Encryption
    All manufacturers use device encryption for their devices, but if you choose Lineage, it is possible that the device is not encrypted here. It is crucial that you activate it and/or ask the maintainer why it does not work if it cannot be activated.
    Whoever has device encryption should also assign a password or a PIN, otherwise the protection is weak or ineffective.
    Since there is no brute-force protection in Android (see also point 8.3), a good password or PIN is essential.
    4 digit PINs have 10^4 (10000) possible combinations, a brute-force attack needs about 5000 attempts to guess the PIN. Android pauses for 30 seconds after 5 attempts. This means that 5000 tests take 150000 seconds or slightly more than 41 hours. An 8 digit PIN takes almost 48 years. A pattern is not to be recommended because it is not complex enough and has fewer possible combinations. Often you can already see on a display what the pattern is like because the swiping gestures leave fat deposits that you can see on the screen. The longer the PIN or password the better, of course you have to remember it.

    12. PiHole
    https://pi-hole.net/
    Well, to protect us from advertising trackers and Co. who also collect data, since every delivered advertising block also has the IP data of the caller including all header data, you can take a Raspberry Pi and equip it with the Pi-hole server. Therefore a Pi-hole is also called a DNS sinkhole. But that's not all, because advertisers and others only get to see a small part of our data, but a DNS server always gets to see our requests and can thus create a very unique profile of our surfing behavior. Therefore a combination of Pi-hole and a DNS server, e.g. Unbound (see point 13), and a VPN, PiVPN (see point 14), is a great combination.
    I will spare myself the setup/installation, both on a Raspberry Pi, as well as on the Android device, because there are innumerable websites that already deal with this topic. Above all of course Pi-hole itself
    https://pi-hole.net/
    but also here
    https://blog.cryptoaustralia.org.au/instructions-for-setting-up-pi-hole/
    you can find instructions.

    13. Unbound
    https://www.nlnetlabs.nl/projects/unbound/about/
    With Unbound you get and install a validating, recursive, caching DNS resolver.
    This will enable you to answer DNS requests on your own and not have to trust any other provider to make a mess of your data. I save myself the installation here also because it would exceed the frame of this text by far, and because there are simply innumerable pages on the net which have occupied themselves with it; one would be, e.g., this one here
    https://blog.webernetz.net/dnssec-validation-with-unbound-on-a-raspberry/

    14. PiVPN
    http://www.pivpn.io/
    In order to be able to use the two services mentioned above while not at home and/or on a mobile data connection, a PiVPN is available, which can also be used to route data traffic directly home via the Raspberry Pi and thus Pi-hole (see point 12) and Unbound (see point 13). PiVPN is a collection of shell scripts that converts the Raspberry Pi into a VPN server using OpenVPN.
    Of course, the Internet connection of the Raspberry Pi is just as important as many people use this service on the Raspberry Pi. Basically, however, it is better to reduce your data track considerably than to deliver your data faster by faster calls/surfing/<whatever>.

    15. Finish
    As I have already described in the introduction, this only scratches the surface and is certainly not fully saturated, but it should show that data is collected with every poop.
    Katharina Nocun once tried to get her data from amazon, what came out was more than frightening. The greatest statement she made was that after you've evaluated your data, you see how broken your sleep rhythm is. You can find more information here (Attention German page)
    https://www.heise.de/newsticker/mel...um-reissenden-Amazon-Clickstream-4260031.html
    Normally I would link here to
    https://invidio.us/watch?v=4zjkBX0INxs
    But for those who want to have English subtitles you can use this link to listen to her presentation and follow it with English subtitles:


    I have said that all this is not complete, I have left out the IoT (Internet of Things) section completely here, but I want to mention it anyway, because here everything is tracked too and everyone has to be cheap, the software is limited to the most necessary and security is usually not capitalized. If you buy so-called intelligent illuminants, it can happen that they are hacked, more about that you can read here:
    http://www.dhanjani.com/docs/Hacking Lighbulbs Hue Dhanjani 2013.pdf
    or even hidden microphones in switch sockets or undocumented web frontends that broadcast passwords in plain text into the world: (Attention German site)
    https://www.heise.de/newsticker/mel...fone-und-unsichere-Web-Frontends-3673101.html
    but also manufacturers who are supposed to be big, like Google aka Nest for example, install a microphone without anyone knowing, neither the manufacturer nor the user (Attention German site)
    https://www.heise.de/newsticker/mel...-Mikrofon-von-dem-niemand-wusste-4313669.html
    If you want to search for IoT devices you can use Shodan (https://www.shodan.io/) and you will see and find devices which provide really personal data.
    I don't want to start with assistants like Alexa, Siri, Google, Cortana etc. where data is collected and processed. I also don't want to talk about automobiles that are all online now, that record driving behavior, that even have sleep tracking and send it all to the cloud. If I wrote about it here, I could make a book out of it and it would have countless subsequent books, because it doesn't stop, data is the raw material everyone wants to have, in my opinion we should make their lives as hard as it is possible to get them, not because you want to annoy them, but solely out of self-preservation instinct. Edward Snowden once said:
    "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    There is even a nice article about it at wikipedia: Nothing to hide argument
    German Wikipedia page: https://de.wikipedia.org/wiki/Nichts-zu-verbergen-Argument
    English Wikipedia page: https://en.wikipedia.org/wiki/Nothing_to_hide_argument

    Okay, whoever's made it this far, I really pay my respects. But one thing may still be said, data protection does not stop with implementing things and keeping it that way, data protection means being active, always on guard, adapting to the circumstances and registering and counteracting changes.

    With this in mind, thank you for listening!
     

    #82
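
The gps.conf check from section 11.4 of the post above, as an added example that is not part of the original post: a shell audit, run against a copy of the file, that reports whether the active SUPL entry is local, remote, or absent (the case the post says falls back to Google's server). The function names, the sample files and the rule that the last uncommented assignment wins are assumptions.

```shell
#!/bin/sh
# Added example: audit a copy of gps.conf for the effective SUPL server.

# effective_supl FILE
# Prints "host:port" for the last active (uncommented) SUPL_HOST/SUPL_PORT
# entries, or "unset" when no active SUPL_HOST line exists.
# Assumption: when a key appears more than once, the last assignment wins.
effective_supl() {
    awk -F= '
        /^[ \t]*#/ { next }        # commented-out entries are inactive
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (key == "SUPL_HOST") host = val
            if (key == "SUPL_PORT") port = val
        }
        END {
            if (host == "") print "unset"
            else print host ":" (port == "" ? "?" : port)
        }' "$1"
}

# classify_supl FILE
# Prints one of:
#   local    - requests stay on the device (the workaround from 11.4)
#   remote   - requests go to the named SUPL server
#   fallback - no active entry, so the built-in default server is used
classify_supl() {
    eff=$(effective_supl "$1")
    case "$eff" in
        unset)             echo "fallback" ;;
        localhost:*|127.*) echo "local" ;;
        *)                 echo "remote" ;;
    esac
}

# --- Constructed sample files (not taken from a real device) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Both entries commented out, as the post describes for Oxygen OS
cat > "$SAMPLE_DIR/commented.conf" <<'EOF'
# constructed sample
#SUPL_HOST=supl.host.com
#SUPL_PORT=7275
EOF

# An operator server taken from the list in the post
cat > "$SAMPLE_DIR/remote.conf" <<'EOF'
# constructed sample
SUPL_HOST=supl.vodafone.com
SUPL_PORT=7275
EOF

# The localhost workaround; the earlier remote entry is overridden
cat > "$SAMPLE_DIR/local.conf" <<'EOF'
# constructed sample
SUPL_HOST=supl.vodafone.com
SUPL_HOST=localhost
SUPL_PORT=7275
EOF

for f in commented remote local; do
    printf '%-10s %-28s %s\n' "$f" \
        "$(effective_supl "$SAMPLE_DIR/$f.conf")" \
        "$(classify_supl "$SAMPLE_DIR/$f.conf")"
done
```

To audit a real device, call `classify_supl` on a copy of the gps.conf file from one of the paths named in 11.4.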
  3. luxuskamel
    Lollipop Sep 11, 2019

    luxuskamel , Sep 11, 2019 :
    Bad Link ;)
    I use the Brave Browser. It's built by the creator of JavaScript (Brendan Eich) and it's amazing: I feel like it's the most secure browser, no matter which device you are using :)
    https://brave.com

    Wow that seems complicated. I don't use Facebook at all, but I use Twitter only in my browser. For Instagram I installed Firefox (or any other second browser) so that it can't share cookies, webstorage etc. I then added the Instagram webpage as WebApp to my homescreen.

    You mean SwiftKey? I use that too, but make sure to disable all internet access, they had bad press: https://www.androidauthority.com/swiftkey-suspends-service-data-leak-706680/
     

    #2
  4. luxuskamel
    Lollipop Sep 11, 2019

    luxuskamel , Sep 11, 2019 :
    I rarely use VPN, but sometimes you just don't feel safe in that public wifi, or the flixbus blocks youtube etc..
    If you have a Fritz!Box router you can enable VPN so you can connect from anywhere and surf through the Fritz!Box's internet access.
    My University offers VPN access, I guess we're not the only one, so check that with yours :)

    Didn't know about this setting yet, thanks a lot

    BTW @hennes here's a thread for you :D
     

    #3
    superplus, script, woSch and 6 others like this.
  5. Texasaggie1
    US Brand Ambassador Sep 11, 2019

    Texasaggie1 , Sep 11, 2019 :
    Link fixed. Swiftkey name fixed. Thanks man!

    I like Brave browser a lot. I am thisclose to switching to it as my main browser. We had a ton of great feedback in our browsers post and I've been trying all of those out.

    There is a learning curve for Island but to me it's worth it. Advanced users can use it to disable ANY app on their phone. Dangerous but amazing.

     
    Last edited: Sep 11, 2019

    #4
  6. G_plusone
    Marshmallow Sep 11, 2019


    #5
  7. Texasaggie1
    US Brand Ambassador Sep 11, 2019


    #6
  8. shapz
    Froyo Sep 11, 2019

    shapz , Sep 11, 2019 :
    😄 G_plusone put it very ironically.....there really isn't much privacy on today's web TBH is there.
     

    #7
  9. G_plusone
    Marshmallow Sep 11, 2019

    G_plusone , Sep 11, 2019 :
    Indeed, there isn't much privacy nowadays on the interweb
     

    #8
    C1547395744403 likes this.
  10. Y1537540350852
    Froyo Sep 11, 2019


    #9
    Texasaggie1 likes this.
  11. Texasaggie1
    US Brand Ambassador Sep 11, 2019

    Texasaggie1 , Sep 11, 2019 :
    it's true
     

    #10
  12. C1547395744403
    Eclair Sep 11, 2019


    #11
    Texasaggie1 likes this.
  13. C1547395744403
    Eclair Sep 11, 2019


    #12
    shapz, G_plusone and Texasaggie1 like this.
  14. Insert cool name
    Froyo Sep 11, 2019


    #13
    JmVdv and G_plusone like this.
  15. Texasaggie1
    US Brand Ambassador Sep 11, 2019

    Texasaggie1 , Sep 11, 2019 :
    I'm using the latest public beta as my daily driver and I love it. A few glitches here and there but nothing major.
     

    #14
    buntycubal and C1547395744403 like this.
  16. Bobbie63
    Marshmallow Sep 11, 2019

    Bobbie63 , Sep 11, 2019 :
    I'm afraid this doesn't work this way. It's nice to use the possibility of the VPN server of your Fritz!Box to access your home network but accessing the internet through your Fritz!Box will use the IP address given by your provider I think
     

    #15
  17. dinbandhukumar
    Honeycomb Sep 11, 2019

    dinbandhukumar , Sep 11, 2019 :
    I was not aware of the work profile, thank you for the update, and I don't use public WiFi anywhere, I always prefer my mobile data all the time. 😊😊
    For VPN things I use the Opera browser with integrated VPN and AdBlocker.
     

    #16
    Texasaggie1 likes this.
  18. dinbandhukumar
    Honeycomb Sep 11, 2019

    dinbandhukumar , Sep 11, 2019 :
    I don't think my office IT admin People will give the access for this
    I don't think work profile is much useful.
    Normal mode is the best.
     

    #17
    Texasaggie1 likes this.
  19. Texasaggie1
    US Brand Ambassador Sep 11, 2019

    Texasaggie1 , Sep 11, 2019 :
    if you already have a work profile, you can't use the island app. Otherwise you have to use the Island App to create the work profile.
     

    #18
    buntycubal and dinbandhukumar like this.
  20. G.Reagon
    Froyo Sep 12, 2019 at 2:47 AM

    G.Reagon , Sep 12, 2019 at 2:47 AM :
    Let's be honest, if you want to protect yourself from Google's prying eye and data mining, you shouldn't have bought an Android phone to begin with.
     

    #19
  21. Howrd4
    Cupcake Sep 12, 2019 at 3:11 AM

    Howrd4 , Sep 12, 2019 at 3:11 AM :
    I downloaded SwiftKey Keyboard tonight and I got a warning that the app may collect personal data. Any thoughts?
     

    #20
    Texasaggie1 likes this.