Privacy Tips for the OnePlus 7 Pro


Do you have concerns about your privacy when you go online?

  1. Yes, Very Much So

    33 vote(s)
    50.0%
  2. Yes Somewhat

    20 vote(s)
    30.3%
  3. I'm Neutral About it

    7 vote(s)
    10.6%
  4. Not at All

    4 vote(s)
    6.1%
  5. What's a Privacy?

    2 vote(s)
    3.0%
  1. S1565335824418
    Cupcake Sep 14, 2019


    #81
    G_plusone likes this.
  2. hennes
    Lollipop Sep 14, 2019

    Stickied Post
    hennes , Sep 14, 2019 :
    Sorry for answering so late, but I was in the hospital for 2 days, but thanks @luxuskamel for tagging me.

    I don't know if my comments here interest anyone at all, but when it comes to ensuring privacy, it's not enough to exchange a few apps. You can either have privacy or you can't. Changing our surfing behavior a little, or changing a few apps, or changing a few parameters in the network interface, just doesn't prevent data from being extracted, stored and processed. Because if you close one place, there are enough other places where data is extracted. Data protection, or rather data economy, always means that it is hard work, and often also that you have to change what you are used to.

    So if you want to talk about privacy and data economy, if that really should be the case here, then the following points are a small part of what you should do.

    Basically, everything depends on the fact that I'm an advocate of central data structures and data silos that I do not control myself. The Internet is basically decentralized, some offer a Wiki and others an email server and others offer news. Also messenger, social media and pictures and much more is offered individually. But the individual providers are disappearing because the big players unite everything under one roof.

    Let's take Google: it offers everything from operating systems, calendars and data storage, up to services like SUPL, DNS and Co. and also APIs of all colors up to tracking, everything. The same applies to Facebook, Twitter, Microsoft, Amazon, Apple and so on. Decentrally? No way, sometimes apart from the danger of propaganda, every provider undermines here the danger that he publishes things which are not right and he can move the opinion in different directions. Everyone collects an infinite amount of data about their users, and often the user doesn't even notice that data is being collected. Below I will write a small article about what you can do, when and where, to stop it a little and to save data. My remarks only scratch the surface, but it offers enough tools to move data sparingly through the net.

    But I'm warning you, a lot can't be done with Oxygen OS, because OnePlus has changed so much on the Android system that it just doesn't work, so most of this refers to Lineage OS. Furthermore I warn you, it is not a short text, so if you are really interested, you should take some time.

    Otherwise I wish you a lot of fun, and I say it again, this text doesn't claim to be complete and correct, so if you find errors or have more information, please correct it.

    1. Operating system
    If you really want to talk about privacy, then you should pay attention to the following things to really leave as few traces as possible, and that starts with the selected operating system. Lineage should preferably be mentioned here, on the one hand because there is very good support for OnePlus devices, but also because OnePlus actually once started with the predecessor CyanogenMod on the OnePlus One, and also because rooting the device and/or installing another ROM does not affect the warranty. But Oxygen OS can also be made more privacy friendly under certain circumstances.

    1.1 Lineage OS
    https://lineageos.org/
    As operating system you can use Lineage without google apps.

    1.2. Oxygen OS
    You can also use Oxygen OS, but you should uninstall the Google apps, that means all Google apps. You also have to delete Facebook, Twitter, and so on. I show how to do it here (you don't need root to uninstall system apps):

    1.2.1 Required tools

    1.2.1.1 Installing Android Platform Tools
    Linux download: https://dl.google.com/android/repository/platform-tools-latest-linux.zip
    Windows download: https://dl.google.com/android/repository/platform-tools-latest-windows.zip
    Mac download: https://dl.google.com/android/repository/platform-tools-latest-darwin.zip

    1.2.1.2 Unlock Developer Options
    Go to the settings -> About the phone -> click 9 times on build number

    1.2.1.3 Enable USB Debugging
    To do this, go to Settings, after you've done with 1.2.1.2, you'll find a new menu item called Developer Options, which you select, and then enable USB debugging there.

    1.2.1.4 Connecting the Smartphone to the PC via a cable

    1.2.2 Implementation
    With the unpacked platform tools and the program adb you can uninstall the programs.
    Here is a small list of commands showing how to use it:

    The following command will show you all installed packages of your smartphone:
    Code:
    adb shell pm list packages
    
    With this command you can uninstall a package
    Code:
    adb shell pm uninstall --user 0 package.name
    
    package.name should be replaced with the package name you want to uninstall.

    For example, if you want to remove the calendar from Google, it will look like this:
    Code:
    adb shell pm uninstall --user 0 com.google.android.calendar
    
    Of course you should already know which packages to uninstall and which not,
    so if you're interested, I'd be happy to pass it on.

    1.3 Other operating systems
    Yes, there are also other operating systems, but the following require either very special hardware or even completely different know-how, because even there you have to make settings to be data economical. Therefore only a small list of what is still offered, but without evaluation.

    1.3.1 Sailfish OS
    https://sailfishos.org/
    https://sailfishos.org/wiki/SailfishOS_Source

    1.3.2 Ubuntu Touch
    https://ubuntu-touch.io/de_DE/#
    For a OnePlus One device you can have a look here:
    devices.ubuntu-touch.io/device/bacon
    and I tested it years ago:
    https://forums.oneplus.com/threads/testing-ubuntu-touch.431394/#post-14609608

    1.4 Other devices

    1.4.1 Purism/Librem

    1.4.2 PureOS
    https://puri.sm/

    2. Google Account
    Of course, removing all google apps also removes the need to create a google account, but as I will show below, this is not needed at all.

    3. Cloud and Sync
    In order not to deliver further data to Google and other providers, you should avoid clouds. For this you can simply set up your own local cloud, there is enough software for it, some of which requires only a small Raspberry Pi (https://www.raspberrypi.org/), e.g. Nextcloud (https://nextcloud.com/)
    Installing Nextcloud on Raspberry Pi: https://raspberrytips.com/install-nextcloud-raspberry-pi/

    3.1 Cloud Services

    3.1.1 Navigation
    OpenStreetMap
    See more at point 6.4.1

    3.1.2 Email
    mailbox.org -> https://mailbox.org/de/
    Posteo -> https://posteo.de/de
    dismail.de -> https://dismail.de/
    disroot.org -> https://disroot.org/en

    All services offer DANE, SPF, DKIM and Cipher-Suite (TLS)

    4. How to get apps
    Of course the google appstore is no longer supported if you uninstall it or if you don't have any google apps or google accounts at all. But also here there is a lot of help, especially apps that don't contain tracking (see 4.1). The preferred App Store would be F-Droid https://f-droid.org/

    4.1 Tracking
    Tracking in apps is becoming more and more popular, it is almost impossible to find a single app that doesn't have a tracker. There are apps that come with 40 or more trackers, where data is sent to the tracker platforms directly after the call, this starts with the operating system and the manufacturer being transmitted, and does not end with a unique ID and other sensitive data.
    Therefore it is recommended to get only apps from the F-Droid Store, because these apps do not contain trackers. Anyone who wants to look up which trackers there are in which app can do this here:
    https://reports.exodus-privacy.eu.org/en/
    https://search.appcensus.io/
    In the near future, an even more accurate service will be set up, with analyses and sent data, where you can also participate and help as a programmer:
    https://www.app-check.org/
    If you go to Exodus, you find here:
    https://reports.exodus-privacy.eu.org/en/reports/79102/
    Apps that have more than 40 trackers, everyone can see for themselves which companies are behind them just click on the tracker and read.

    4.1.2 Example of Swift-Key and Tracking
    Exodus says about Swift-Key:
    https://reports.exodus-privacy.eu.org/en/reports/58578/
    that this app contains 3 trackers that send data to Adjust (Adjust), google (Google Analytics), and Microsoft/Bit Stadium (HockeyApp).

    After starting the app and without further interaction the Swiftkey server will be contacted to update the language packs.
    Code:
    GET /swiftkey/sksdk-3.0/sk-7.3.3/market/languagePacksSSL.json HTTP/1.1
    Host: jenson.api.swiftkey.com
    
    Cloudfront is then used for reloading the language packs
    Code:
    GET /FZE2wgDA...JJOEIM HTTP/1.1
    Host: d4kkhvu20wq9i.cloudfront.net
    
    Furthermore, a configuration file is loaded from OneDrive (Microsoft).
    Code:
    GET /mobile/ts_configuration.jwt HTTP/1.1
    Host: oneclient.sfx.ms
    
    Last but not least a connection to Hockey (Microsoft) will be established.
    Code:
    POST /v2/track HTTP/1.1
    Host: gate.hockeyapp.net
    <Encrypted stuff>
    
    In addition, of course, every request is sent with a user agent:
    Code:
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 8; OnePlus 3 Build/3.18.66)
    
    The app registers with the Android Cloud-to-Device Messaging service (C2DM) to receive push messages and the like. Among other things, the app transmits the following information to Google servers
    Code:
    App version number: 7.3.3.12
    App package name: com.touchtype.swiftkey
    GCM version: 17785039
    
    So before you even interact with the app, a lot of data, from your IP, to your operating system and unique IDs, is sent to third parties.

    I didn't come up with the idea, but I tried it myself, the actual idea comes from here (Attention German page):
    https://www.kuketz-blog.de/swiftkey-blackbox-mit-dauerhaftem-tracking/
    By the way, this page is worth reading anyway, because it deals almost exclusively with data protection and IT security.

    4.2 Apps from the google Play Store
    If you absolutely still need apps that you can't find in F-Droid Store, you can get them with:

    Yalp Store -> https://f-droid.org/en/packages/com.github.yeriomin.yalpstore/

    or with

    Aurora Store -> https://f-droid.org/en/packages/com.aurora.store

    These apps download other apps from the Play Store, without the need for a Google account.

    5. Browser
    Yes, even the browser is not always data protection friendly, because it constantly sends data to everything and everyone and the corresponding pages also query the data of a system. Anyone who wants to know more about which traces and data he leaves can have a look around here:
    https://amiunique.org/fp
    and who wants to have it detailed also
    http://uniquemachine.org/
    A nice PDF to Browser Fingerprint can be read here
    https://securehomes.esat.kuleuven.be/~gacar/sticky/the_web_never_forgets.pdf
    and canvas fingerprint is explained here:
    https://browserleaks.com/canvas#how-does-it-work

    Fact is, with the browser you leave an infinite amount of data that can be collected.
    But this also includes the social media buttons from Facebook, Twitter and co. Not that website operators use data protection friendly techniques like heise's (Attention: German page):

    https://www.heise.de/newsticker/mel...iche-Social-Media-Buttons-weiter-2466687.html

    In addition, you should use add-ons if possible. So if you use Firefox, the following add-ons wouldn't be bad:
    uBlock Origin, uMatrix, CanvasBlocker, Decentraleyes, First Party Isolation, Neat URL, Skip Redirect, Smart Referer to name just a few that are essential. See point 5.1 for more information about tracking in Websites.

    5.1 Tracking in Websites
    Yes, tracking is also used in websites, uMatrix (https://addons.mozilla.org/de/firefox/addon/umatrix/) always shows you exactly which external third parties are involved, which access data every time you call them.
    Especially social media buttons are a nuisance, because in addition to a possible app they also track on an infinite number of user pages. A blog once examined how many German newspapers have installed the Facebook button and found out that on three quarters of these pages the user is tracked by Facebook (Attention German page):
    https://rufposten.de/blog/2019/06/03/facebook-tracker-auf-deutschen-medienseiten/

    5.2 Another Browser

    However, many people use a different browser that uses Tor to access websites, such as Orfox and of course the Tor client Orbot.
    More information OrFox: https://guardianproject.info/fdroid/
    More information Orbot: https://guardianproject.info/archive/orweb/
    In this situation I recommend using Tor Browser.
    https://blog.torproject.org/orfox-paved-way-tor-browser-android

    5.3 Search engine
    Yes, the search engine is also a point which should be mentioned. "Google it" is already a standard quotation, however Google saves your search words and everything else they can get, e.g. IP address, screen dimensions etc. (see also point 5, e.g. http://uniquemachine.org/ to see what can be collected), but there are enough alternatives. You have to try them, and please don't stop using them after an hour or a day. It is important to know that they don't store any data. Here are some search engines:

    Metager -> https://metager.de/
    This service can also be accessed from the Tor network via a hidden service.
    https://metager.de/tor

    another search engine is

    Qwant -> https://www.qwant.com/
    which also offers a JavaScript-free version
    https://lite.qwant.com/

    Last but not least, there is

    Startpage -> https://www.startpage.com/

    Your search words are submitted anonymously as a request to Google, which returns non-personalized results.

    Lots of you know the search engine DuckDuckGo, but why should you trust DuckDuckGo? If you value trust, why should you entrust your data to a search engine subject to the Patriot Act?

    6. Services
    Yes, we have to talk about it, no matter if messenger, cloud or social media, all big providers are out to collect and use your data, not only Facebook, Google Calendar or Twitter, it goes so far that all central networks do exactly that, they collect data. But they don't collect them because they want to do something good for you, they collect them mainly because they don't want to offer this "free" service for free, but have to earn money, and what better way to earn money than to use the data for advertising purposes. No, Google also does not sell your data per se to anyone, no, they collect it for themselves to tell others which advertising to deliver at what time. The logic does not necessarily take place with the advertiser but with Google itself, they would be stupid if they sold your data, because then the buyer could also act without Google.
    Ok, let's start with some services that should be exchanged:

    6.1 WhatsApp
    Yes, everyone always says that this is not possible because all my acquaintances and "friends" are at WhatsApp. But, I counter that, and everyone should remember the word friend and think about what it is to a friend who does not accept to install another messenger to stay in touch with you, a friend. Personally, I am of the opinion that I can do without such friends.
    Ok, long story short, there are enough privacy friendly and also decentralized messengers, especially Conversations:

    https://conversations.im/
    https://f-droid.org/en/packages/eu.siacs.conversations/

    or/and Matrix

    https://matrix.org/
    https://f-droid.org/packages/im.vector.alpha/

    If you wanted to rate other messengers, you'd get something like that:

    Briar -> https://f-droid.org/de/packages/org.briarproject.briar.android/
    Open source, decentralized, only suitable for text messages, only for Android

    Delta Chat -> https://f-droid.org/de/packages/com.b44t.messenger/
    Open source, decentralized, only for Android

    Telegram -> https://f-droid.org/de/packages/org.telegram.messenger/
    Client: Open source, Server: proprietary, not decentralized

    Threema
    Client and server not open source, not decentralized

    KakaoTalk
    Includes 16 trackers
    https://reports.exodus-privacy.eu.org/en/reports/38224/
    Client and server not open source, not decentralized

    Jami:
    https://f-droid.org/de/packages/cx.ring/
    Open Source, decentralized, group chats are not possible

    Signal:
    Open Source, not decentralized.

    Silence -> https://f-droid.org/de/packages/org.smssecure.smssecure
    Open source, decentralized, SMS/MMS service are used thus the telephone number is bound

    TOX
    Open Source, decentralized, group chats are not possible with Android

    WhatsApp
    Client and server proprietary, not decentralized.

    As you can see there are a lot of messengers and much more and they always have their weaknesses here and there when it comes to privacy, the most popular service, WhatsApp, even comes off worst when you see the above and see the other disadvantages like linking the data with facebook and Instagram.

    6.2. Twitter
    For Twitter there is also another platform where you can move around in a privacy friendly way, here I would mention

    Mastodon -> https://mastodon.social/about

    and an Android client
    Tusky -> https://f-droid.org/en/packages/com.keylesspalace.tusky/

    6.3. Facebook
    Also for facebook, which is really collecting more and more data just like twitter, there is a suitable free data protection-friendly network, it is called

    Diaspora -> https://diasporafoundation.org/

    An Android client would be e.g.

    dandelion -> https://f-droid.org/packages/com.github.dfa.diaspora_android/

    But you have to be careful, because this app uses Android's WebView component.

    6.4. Apps and Co.

    6.4.1 Navigation
    Google Maps, well, has never been my case, not only because they collect data, but because I get annoyed by the penetrating fade-in of some crude privacy policy and the annoying JavaScript, whoever searches with JavaScript turned off for a place gets no result.
    Actually I use

    OsmAnd -> https://f-droid.org/packages/net.osmand.plus/

    because it works offline as well as online, my second choice is actually

    Here WeGo -> https://wego.here.com/

    Annoying that Facebook and co as a tracker are in here, but also for that I found a way, or found several ways to turn it off, more about that later. But it is also rarely used, OsmAnd does its services almost everywhere very well. Here WeGo is only a fall back system, which can be used and the data collection keeps itself within limits or is not difficult to turn off. (See Point 12, 13, 14)

    6.4.2 Weather
    Well, there are quite a lot of weather apps, there are some for sailors and for planes or even for those who just want to know what to wear in the morning. I already worked 10 years ago with OpenWeatherMap https://openweathermap.org/ and wrote an app that shows the weather in several countries, of course tracker free, but the API guidelines of OpenWeatherMap have changed so much that a useful use would have been difficult for the end user. But on the same basis there are several apps that use this service. However I must say that this service, OpenWeatherMap, is not open source, and the data is subject to a certain restriction, so trust is appropriate here and in case of doubt maybe you should look out of the window in the morning and develop a feeling for the weather. As the saying goes, there is no bad weather, only wrong clothes. ;)
    But the two apps are good, at least they are open source and don't send any more data to third parties.

    Weather Widget-> https://f-droid.org/en/packages/nl.implode.weer/

    and

    Forecast -> https://f-droid.org/en/packages/cz.martykan.forecastie/

    I could now enumerate countless apps that give a better and more privacy friendly impression, e.g.

    K9-Mail -> https://f-droid.org/packages/com.fsck.k9/

    RSS-Reader Feeder -> https://f-droid.org/packages/com.nononsenseapps.feeder/

    Calendar Etar -> https://f-droid.org/packages/ws.xsoh.etar/

    Or my absolute favorite, the picture gallery

    Simple Gallery Pro -> https://f-droid.org/en/packages/com.simplemobiletools.gallery.pro/

    but I want to leave it at that, in the F-Droid Store (https://f-droid.org) you can all browse yourselves, much more I want to go into other things how you can achieve even more privacy.

    7. Network
    There are several ways to protect your data, even if you have to deal with trackers and advertising banners. As I have already said for the browser, where uMatrix, uBlock Origin etc. can be used to prevent the browser from reloading unwanted things, there are other possibilities you should use.
    Here, for example, is something that I actually install before I even set up a sim card and a wlan, a firewall. I personally use

    AFWall+ -> https://f-droid.org/en/packages/dev.ukanth.ufirewall/

    but this only works if you have root privileges, but

    NetGuard -> https://f-droid.org/en/packages/eu.faircode.netguard/

    doesn't need root privileges and is useful for protecting your privacy.
    XPrivacy should not be missing either.

    7.1 VPN

    7.1.2 Open VPN
    OpenVPN for Android
    https://f-droid.org/packages/de.blinkt.openvpn/

    7.2 Tracking protection


    Blokada -> https://f-droid.org/en/packages/org.blokada.alarm/

    and

    AdAway -> https://f-droid.org/en/packages/org.adaway/

    You can find more information in point 11, 12, 13, 14

    8. Security
    There are so many things you have to watch out for if you want to get some security, it just stands and falls with the trackers, as I have already mentioned several times. What benefit do I get from a password manager if it contains trackers that pass on my data? Nothing, so there is also a lot to consider here, because with the own security of the device the own data sovereignty stands or falls.

    8.1 Password manager
    KeePass DX -> https://f-droid.org/en/packages/com.kunzisoft.keepass.libre/
    Should actually be self-explanatory, PINs passwords and Co. we have plenty, a proper administration with sufficiently good protection should be mandatory to prevent identity theft. Good passwords and good pins are essential to keep your data safe. (See also point 11.10)

    8.2. OpenPGP
    OpenKeychain -> https://f-droid.org/en/packages/org.sufficientlysecure.keychain/
    It is an encryption app that is also used by K9-Mail to send encrypted emails or by Conversations to send encrypted messages.

    8.3. Brute-Force-Protection
    Wrong PIN Shutdown -> https://f-droid.org/packages/org.nuntius35.wrongpinshutdown/
    Yes also brute force attacks can occur, especially Android has its problems here, because I can enter the PIN as often as I want, of course there is a time delay, but only for 30 seconds. WrongPINShutdown goes much further, it restarts the device and after x entries it reboots, you have 50 attempts, a message appears that after the next 9 unsuccessful attempts the data on the system will be deleted.

    9. Root
    Yes, we have to talk again about why root rights are always acknowledged with the statement that it would be too insecure. It's true, however, that when dealing responsibly, the opposite happens. With Magisk, AddonSU you are asked much more if you let an app execute the su command (substitute user) or not. So apps don't just have root rights just because the smartphone is rooted. Furthermore there are other stumbling blocks, like google SafetyNet service which was made to recognize root to warn the app provider. Netflix, Snapchat, Banking-Apps and Co. refuse their service if the SafetyNet-Check fails.
    But AddonSU creates some files "/system/bin/su" or "/system/xbin/su", so the SafetyNet-Check hits and the apps that query them then refuse their service. And that's where Magisk comes in. It provides a system root, SafetyNet passes, and Magisk-Hide can hide root access from apps, and it also provides extensions to import host files from AdAway even though dm-verity is active.

    So if you prefer to get your apps from the F-Droid Store like I do, you can use AddonSU because it offers little code and therefore little attack surface. To e.g. get the Hosts file from an AdBlocker you just have to disable dm-verity, here I show you how:

    Code:
    adb root
    adb disable-verity
    ...
    adb reboot
    adb root
    adb shell
    mount -o remount,rw /
    mount -o remount,rw /vendor
    
    To reactivate it, the following must be entered:

    Code:
    adb root
    adb enable-verity
    
    If you prefer to use Magisk because you get apps from the Playstore and want to use banking apps, you should use Magisk.
    I'm not going to give any instructions on how to install Magisk here, but there are countless pages on the net. It's just about which program you need to recover data economically and the control over your data.

    10. Sandboxing
    Shelter -> https://f-droid.org/en/packages/net.typeblog.shelter/
    With Shelter you can separate private data from business content or apps. The work profile is a specially isolated area, in which data-hungry apps can be stored. In addition to the normal environment in which all apps are normally located, Shelter creates another workspace that is logically separated from the other workspace. From this bunker, apps cannot access data that is located in the normal environment - but they can access all data from apps that are also located or locked in the shelter.
    For example, you could lock WhatsApp in the bunker and the app could not access the normal contacts but only the contacts that are also stored in the bunker. But also apps that start background processes can be frozen, you could theoretically install the same app twice on the same device.


    11. Sensors, modems and others
    Ok, everything we had so far is quite easy to understand, and everyone can actually change it by themselves.
    From now on it goes a bit deeper into the system and some things will surely surprise one or the other.
    Again and again, of course, common sense is needed. Those who leave their GPS switched on, although they don't need it, collect data that can also be sent if necessary. There are enough apps that collect GPS data and create whole motion profiles to counteract this you have to pay attention to some things:

    11.1 Location options
    You also have to be careful about locating possibilities,
    WLAN and GPS as well as NFC and Bluetooth are used to perform tracking. Whenever possible, you should therefore switch off these chips, firstly because it prevents tracking, and secondly because it saves power, which is not necessarily a bad disadvantage. That's also the reason why I like the Librem 5 device (https://puri.sm/products/librem-5/) from Purism, which I mentioned in 1.4.1, because it has hardware switches to make the chips like the modem and GPS completely powerless.

    11.1.1 Activate only on demand
    So the first thing is to activate GPS only on demand

    11.2 Disabling WLAN and Bluetooth
    Switching off in the status bar does not mean that no WLANs and Bluetooth beacons are collected, android of course collects this information further. Only after switching off both functions in the
    Settings -> Location -> Hamburger Menu -> Search
    you can disable "WLAN search" and "Bluetooth search".

    11.3 Disabling WLAN Tracking
    More and more often we can notice that shops and cities count and recognize passers-by with a WLAN tracker, because by querying the WLAN interface the unique MAC address of the device is usually sent. If it is stored by the trackers, and you pass another WLAN tracker, they can create a motion profile, calculate times between the two points and generally recognize a person if he or she reappears at another time. This is quite controversial from a privacy point of view, because when we talk about Europe and the DSGVO, the user has to be informed and in addition the user, as the person to be tracked, has to agree to the data being stored.
    Therefore you should deactivate the WLAN interface when you leave the house, but if you like to forget this or if it is too complicated for you, you can use tools like

    WiFi Automatic -> https://f-droid.org/en/packages/de.j4velin.wifiAutoOff/

    or

    WiFi-Manager -> https://f-droid.org/de/packages/org.secuso.privacyfriendlywifimanager/

    Lineage also offers its own solution. They all have one thing in common, they switch off the WLAN if you leave your WLAN or predefined WLAN, but the disadvantage should not be forgotten to mention that when you arrive at home, you have to switch on the WLAN again, otherwise the mobile data will be used.

    11.4 Deactivating AGPS
    Another point is AGPS (Assisted GPS): Android contacts the Google server (supl.google.com) to get data from SUPL (Secure User Plane Location). This means that Google also collects data here, because in this case the IMEI number of the device is also transmitted. The combination of the IMSI number with the radio cell ID enables Google or other SUPL server operators to uniquely identify a user as soon as the smartphone locates or limits the location via a SUPL request.
    The definition of the SUPL servers is either defined in the file
    /etc/system/gps.conf
    or
    /vendor/etc/gps.conf
    But it can also happen, e.g. with Oxygen OS, that these are commented out, if so, then a fallback to the google SUPL server is used. The required lines concern the SUPL data:

    Code:
    SUPL_HOST=supl.host.com or IP
    SUPL_PORT=7275 <or another>
    
    The question is whether you really need AGPS or do not use this feature to be data efficient.
    Of course there are other SUPL servers as well:

    supl.vodafone.com -> Germany, Hosting: Vodafone
    supl.sonyericsson.com -> Ireland, Hosting: Amazon
    agpss.orange.fr -> France, Hosting: Orange
    supl.qxwz.com -> China, Hosting: unknown
    agps.supl.telstra.com -> Australia, Hosting: Telstra

    Important: It doesn't matter if you select "High accuracy", "Energy saving mode", or "Only device" for the GPS determination, an AGPS request is always made. If you want to prevent this, you have to edit the above file and insert or replace the following entries:

    Code:
    SUPL_HOST=localhost
    SUPL_PORT=7275
    
    Only by setting localhost it is prevented that an AGPS request is made online to google servers, because now the request goes directly to the own device and nothing happens, if you have set "Only device" in the options, it takes a bit longer until the position is found, but as long as the IMSI of the device is sent along, although it is not needed at all, this is the only workaround to be data efficient.

    11.5 How to Deactivate a Phone Number Search
    The phone app unfortunately has a built-in search function that not only searches locally for phone numbers but also searches the input online at Google. So whoever searches for a name passes the search to Google; this applies to names as well as numbers or whatever you enter. This procedure should of course be deactivated or at least changed to data protection friendly services.
    Unfortunately it is not possible to disable this behavior with Oxygen, but if you use Lineage, you can change it in the search options.

    11.6 Deactivating the NFC interface
    If you want to do it exactly, you can deactivate NFC if you don't need it, because tracking can also be done here. Each interface has unique parameters and these parameters are stored and evaluated. If the phone is not used for a longer period of time, you should even consider switching on the flight mode.

    11.7 Changing DNS Settings WLAN
    If you are assigned 8.8.8.8 or 8.8.4.4 as DNS server, you can be sure that Google gets the data here as well. However, this can also be switched off with data protection-friendly DNS servers. For this you have to change the DNS server either in your WLAN installations or at the router.

    Here are some data friendly DNS servers:

    digitalcourage -> https://digitalcourage.de/support/zensurfreier-dns-server

    or

    SecureDns -> https://securedns.eu/ both support DNSSEC

    For digitalcourage the unencrypted variant, Port 53, could be reached with the following IP addresses,
    IPv4: 46.182.19.48, IPv6: 2a02:2970:1002::18
    Via DNS over TLS it is host: dns2.digitalcourage.de, Port: 853
    Further information can be found on the corresponding pages.

    11.8 DNS Settings Mobile (Provider) Network

    If you use Android 9 or higher you can simply activate DNS over TLS here:
    Settings -> Network & Internet -> Advanced -> Private DNS
    Select the hostname of the private DNS provider and then enter the address of the servers, see 11.7 for an example.

    You can also enter the settings in AFWall+ with a custom script, but then the requests are not encrypted.

    Code:
    $IPTABLES -t nat -I OUTPUT -o rmnet+ -p tcp --dport 53 -j DNAT --to-destination 85.214.20.141:53
    $IPTABLES -t nat -I OUTPUT -o rmnet+ -p udp --dport 53 -j DNAT --to-destination 85.214.20.141:53
    
    But you can also solve it with a VPN tunnel. Here, for example, a solution of a Raspberry Pi with

    WireGuard -> https://www.wireguard.com/

    is a good choice.
    Advantage: You can also install Pi-hole on the Raspberry Pi, see point 12.
    I actually prefer the last variant, because Pi-hole is important to me, but also because it works really well.
    Ok, my configuration is a little bigger and more mature, but that's because that's my job, too.

    11.9 Captive Portal
    If you have always wondered what the cross on the WLAN connection icon in the status bar means, you should know that this triggers the Captive Portal Check. The Captive Portal Check checks whether your device can actually reach the Internet or whether it is only connected via WLAN. This often happens in WLANs and access points where a portal is presented by having to unlock access to the Internet using an access code, e.g. in a hotel.
    The Captive Portal Check is performed by Android as follows: the device sends a request to the address connectivitycheck.gstatic.com, and this address belongs to Google. Such a request transmits the public IP address and information about it, the time of the request and which browser is currently used. The server then acknowledges it with the HTTP response code 204 so that the Android system knows that an Internet connection exists.

    11.9.1 Switching off
    Disabling only works if you have root privileges.
    A local terminal on an Android device is required, e.g.

    Termux -> https://f-droid.org/packages/com.termux/

    should be recommended. Now you have to enter the following in the console:

    Android 7.x
    Code:
    su
    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0
    
    reboot
    
    Android 8.x, 9.x
    Code:
    su
    pm disable com.android.captiveportallogin
    
    settings put global captive_portal_detection_enabled 0
    settings put global captive_portal_server localhost
    settings put global captive_portal_mode 0
    
    reboot
    
    11.9.2 Switching to another server

    Android 7.x
    Code:
    adb shell 'settings put global captive_portal_http_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_https_url "https://captiveportal.<domain>.<tld>"'
    
    Android 8.x and 9.x
    Code:
    adb shell 'settings put global captive_portal_http_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_https_url "https://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_fallback_url "http://captiveportal.<domain>.<tld>"'
    adb shell 'settings put global captive_portal_other_fallback_urls "http://captiveportal.<domain>.<tld>"'
    
    <domain>.<tld> should be changed into a real server address.

    Check if everything was done correctly
    Code:
    adb shell 'settings get global captive_portal_https_url'
    
    11.9.3 Installing your own Captive Check service
    If you have your own server, a small Raspberry Pi and nginx is sufficient.
    In nginx you have to enter the following in the configuration:
    Code:
    server {
      listen  80;
      server_name  captiveportal.<domain>.<tld>;
      root  /var/www/sites/captiveportal.<domain>.<tld>;

      access_log off;
      # "error_log off;" would write to a file named "off", so discard instead
      error_log /dev/null crit;

      include /etc/nginx/conf/headers.conf;
      add_header Content-Security-Policy "default-src 'none'";

      # ACME challenge files are served from the web root as plain text
      location ^~ /.well-known/acme-challenge {
        default_type text/plain;
      }
      # Close the connection without a response for the bare directory
      location = /.well-known/acme-challenge/ {
        return 444;
      }
      # CAPTIVE PORTAL RESPONSE
      location / {
        return 204;
      }
    }

    server {
      # The "ssl" parameter on listen enables TLS; the separate "ssl on;"
      # directive is obsolete and rejected by current nginx versions
      listen  443 ssl;
      server_name  captiveportal.<domain>.<tld>;
      root  /var/www/sites/captiveportal.<domain>.<tld>;

      access_log off;
      # "error_log off;" would write to a file named "off", so discard instead
      error_log /dev/null crit;

      include /etc/nginx/conf/headers-ssl.conf;
      add_header Content-Security-Policy "default-src 'none'";

      ssl_certificate  /etc/ssl/certs/captiveportal.<domain>_ecdsa.pem;
      ssl_certificate_key  /etc/ssl/private/captiveportal.<domain>_ecdsa.key;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_stapling_file /etc/ssl/certs/captiveportal.<domain>_ocspresponse.der;

      # CAPTIVE PORTAL RESPONSE
      location / {
        return 204;
      }
    }
    
    <domain>.<tld> should be changed into a real server address.
    For more information on how to set up an nginx server, please refer to the internet.

    11.9.4 Using AFWall+ Settings/Other Server
    You could release the item "User Feedback, OPSkin, com.qti.service.colorservice, ..." in AFWall+, but that would mean that all other services there would also be released. But AFWall+ also offers a possibility for a user-defined script, where you enter the following:

    Code:
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp -j ACCEPT
    
    or detailed:

    Code:
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A "afwall" -d 188.68.35.146 -p tcp --dport 443 -j ACCEPT
    
    11.10 Device Encryption
    All manufacturers use device encryption for their devices, but if you choose Lineage, it is possible that the device is not encrypted here. It is crucial that you activate it, or ask the maintainer why it does not work if it cannot be activated.
    Whoever has device encryption should also assign a password or a PIN, otherwise the protection is weak or ineffective.
    Since there is no brute-force protection in Android (see also point 8.3), a good password or PIN is essential.
    4-digit PINs have 10^4 (10000) possible combinations; a brute-force attack needs about 5000 attempts to guess the PIN. Android pauses for 30 seconds after 5 attempts. This means that 5000 tests take 150000 seconds or slightly more than 41 hours. An 8-digit PIN takes almost 48 years. A pattern is not to be recommended because it is not complex enough and has fewer possible combinations. Often you can already see on a display what the pattern is like because the swiping gestures leave fat deposits that you can see on the screen. The longer the PIN or password the better; of course you have to remember it.

    12. PiHole
    https://pi-hole.net/
    Well, to protect us from advertising trackers and Co. who also collect data, since every delivered advertising block also has the IP data of the caller including all header data, you can take a Raspberry Pi and equip it with the Pi-hole server. Therefore a Pi-hole is also called DNS-Sinkhole. But that's not all, because advertisers and others only get to see a small part of our data, but a DNS server always gets to see our requests and can thus create a very unique profile of our surfing behavior. Therefore a combination of Pi-hole and a DNS server, e.g. Unbound (see point 13), and a VPN, PiVPN (see point 14), is a great combination.
    I will spare myself the setup/installation, both on a Raspberry Pi and on the Android device, because there are innumerable websites that already deal with this topic. Above all of course Pi-hole itself
    https://pi-hole.net/
    but also here
    https://blog.cryptoaustralia.org.au/instructions-for-setting-up-pi-hole/
    you can find instructions.

    13. Unbound
    https://www.nlnetlabs.nl/projects/unbound/about/
    With Unbound you get and install a validating, recursive, caching DNS resolver.
    This will enable you to answer DNS requests on your own and not have to trust any other provider to make a mess of your data. I save myself the installation here also because it would exceed the frame of this text by far, and because there are simply innumerable pages on the net which have occupied themselves with it; one would be e.g. this one
    https://blog.webernetz.net/dnssec-validation-with-unbound-on-a-raspberry/

    14. PiVPN
    http://www.pivpn.io/
    In order to be able to use the two services mentioned above while not at home and/or on a mobile data connection, PiVPN is available, which can also be used to route data traffic directly home via the Raspberry Pi and thus Pi-hole (see point 12) and Unbound (see point 13). PiVPN is a collection of shell scripts that converts the Raspberry Pi into a VPN server using OpenVPN.
    Of course, the Internet connection of the Raspberry Pi is just as important as how many people use this service on the Raspberry Pi. Basically, however, it is better to reduce your data track considerably than to deliver your data faster by faster calls/surfing/<whatever>.

    15. Finish
    As I have already described in the introduction, this only cracks on one surface and is certainly not fully saturated, but it should show that data is collected with every poop.
    Katharina Nocun once tried to get her data from amazon, what came out was more than frightening. The greatest statement she made was that after you've evaluated your data, you see how broken your sleep rhythm is. You can find more information here (Attention German page)
    https://www.heise.de/newsticker/mel...um-reissenden-Amazon-Clickstream-4260031.html
    Normally I would link her to
    https://invidio.us/watch?v=4zjkBX0INxs
    But for those who want to have English subtitles you can use this link to listen to her presentation and follow it with English subtitles:


    I have said that all this is not complete, I have left out the IoT (Internet of Things) section completely here, but I want to mention it anyway, because here everything is tracked too and everyone has to be cheap, the software is limited to the most necessary and security is usually not capitalized. If you buy so-called intelligent illuminants, it can happen that they are hacked, more about that you can read here:
    http://www.dhanjani.com/docs/Hacking Lighbulbs Hue Dhanjani 2013.pdf
    or even hidden microphones in switch sockets or undocumented web frontends that broadcast passwords in plain text into the world: (Attention German page)
    https://www.heise.de/newsticker/mel...fone-und-unsichere-Web-Frontends-3673101.html
    but also manufacturers who are supposed to be big, like Google aka Nest for example, install a microphone without anyone knowing, neither the manufacturer nor the user (Attention German page)
    https://www.heise.de/newsticker/mel...-Mikrofon-von-dem-niemand-wusste-4313669.html
    If you want to search for IoT devices you can use Shodan (https://www.shodan.io/) and you will see and find devices which provide really personal data.
    I don't want to start with assistants like Alexa, Siri, Google, Cortana etc. where data is collected and processed. I also don't want to talk about automobiles that are all online now, that record driving behavior, that even have sleep tracking and send it all to the cloud. If I wrote about it here, I could make a book out of it and it would have countless subsequent books, because it doesn't stop, data is the raw material everyone wants to have, in my opinion we should make their lives as hard as it is possible to get them, not because you want to annoy them, but solely out of self-preservation instinct. Edward Snowden once said:
    "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    There is even a nice article about it at wikipedia: Nothing to hide argument
    German Wikipedia page: https://de.wikipedia.org/wiki/Nichts-zu-verbergen-Argument
    English Wikipedia page: https://en.wikipedia.org/wiki/Nothing_to_hide_argument

    Okay, whoever's made it this far, I really pay my respects. But one thing may still be said, data protection does not stop with implementing things and keeping it that way, data protection means being active, always on guard, adapting to the circumstances and registering and counteracting changes.

    With this in mind, thank you for listening!
     

    #82
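An offline check for two of the settings described in post #82 (the SUPL host in gps.conf and the captive portal keys), added here as an example and not part of hennes's post. The function names, the constructed sample inputs and the rule that the last active SUPL_HOST line wins are assumptions of this example.

```shell
#!/bin/sh
# Offline audit of text pulled from the device beforehand, for example:
#   adb shell cat /vendor/etc/gps.conf > gps.conf
#   adb shell settings list global    > global.txt

# supl_effective_host FILE: print the active SUPL_HOST, or "fallback" when
# the line is missing or commented out (the case the post describes).
supl_effective_host() {
    # Strip comments and whitespace; the last active assignment wins
    # (that ordering is an assumption of this example).
    host=$(sed -e 's/#.*//' "$1" | tr -d ' \t\r' |
           awk -F= '$1 == "SUPL_HOST" && $2 != "" { h = $2 } END { print h }')
    if [ -n "$host" ]; then echo "$host"; else echo "fallback"; fi
}

# supl_verdict FILE: "local" if A-GPS requests stay on the device,
# otherwise "remote:<host>" or "remote:fallback".
supl_verdict() {
    h=$(supl_effective_host "$1")
    case "$h" in
        localhost|127.0.0.1) echo "local" ;;
        *) echo "remote:$h" ;;
    esac
}

# setting_value FILE KEY: value of KEY in `settings list global` output,
# which is one key=value pair per line.
setting_value() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1" |
        tr -d '\r'
}

# captive_portal_verdict FILE:
#   disabled        captive_portal_mode is 0
#   custom          all four URL keys of the Android 8.x/9.x list are set
#                   and none points at a Google host
#   default:<keys>  these keys are unset, "null", or point at Google
captive_portal_verdict() {
    [ "$(setting_value "$1" captive_portal_mode)" = "0" ] && { echo "disabled"; return 0; }
    bad=""
    for key in captive_portal_http_url captive_portal_https_url \
               captive_portal_fallback_url captive_portal_other_fallback_urls; do
        case "$(setting_value "$1" "$key")" in
            ""|null|*gstatic.com*|*google.com*) bad="$bad${bad:+,}$key" ;;
        esac
    done
    if [ -z "$bad" ]; then echo "custom"; else echo "default:$bad"; fi
}

# Constructed sample inputs (not captured from a real device).
sample_gps_conf_commented() {
    printf '%s\n' '# SUPL_HOST=supl.google.com' '# SUPL_PORT=7275' \
        'NTP_SERVER=time.example.org'
}
sample_gps_conf_local() {
    printf '%s\n' 'SUPL_HOST=localhost' 'SUPL_PORT=7275'
}
sample_settings_partial() {
    printf '%s\n' 'captive_portal_mode=1' \
        'captive_portal_http_url=http://captiveportal.example.org' \
        'captive_portal_https_url=https://captiveportal.example.org' \
        'captive_portal_fallback_url=http://www.google.com/gen_204'
}

# Usage: sh audit.sh gps.conf global.txt
if [ "$#" -eq 2 ]; then
    echo "SUPL: $(supl_verdict "$1")"
    echo "Captive portal: $(captive_portal_verdict "$2")"
fi
```

The partial sample shows the case that is easy to miss: two URLs were switched to an own server, but the fallback keys were left alone, so the verdict still lists them.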
  3. cdnfarmer
    Jelly Bean Sep 14, 2019

    cdnfarmer , Sep 14, 2019 :
    Thanks @hennes for the very thorough explanation and details. I appreciate all your efforts in putting all that information together!!!! Great and insightful.
     

    #83
    otto2, luxuskamel, hennes and 4 others like this.
  4. Jhitch
    Donut Sep 14, 2019

    Jhitch , Sep 14, 2019 :
    I personally use Adguard to block ads etc. system wide. You do have to download the apk from their site though as it's not on the play store. I paid around $25 'ish for a one time fee. It runs through the VPN but you don't have to use it that way if you don't want to. It's pretty awesome and as can be seen in the screenshot it saves significantly on data.
     

    #84
  5. Abhishek J R
    Donut Sep 14, 2019


    #85
    Texasaggie1 likes this.
  6. Sridhar Ananthanarayanan
    Lollipop Sep 14, 2019

    Sridhar Ananthanarayanan , Sep 14, 2019 :
    Nice tips. But I'm not sure if all that can still make you very safe and private. Because as you said, there are so many ways that big companies and security agencies can still track you.

    If you indeed need that kind of privacy, there are only 2 options:

    1. Go offline. This is almost impossible.
    2. Get the Black Phone and let the experts who designed the phone handle it. I'm not sure if this phone is still being made.
     

    #86
  7. U1564304517653
    Cupcake Sep 14, 2019


    #87
  8. hennes
    Lollipop Sep 14, 2019

    hennes , Sep 14, 2019 :
    I agree with you, being offline is of course the absolute step, but wanting to do that was not my approach either, my approach is to get me, us or you back control over your data. In other words you could decide who you give data to and not who collects data secretly without your knowledge.
    The point is that you give your data to Mastodon, for example, because you decide to do so and because you trust them to do nothing more than expected with it. But also because they don't secretly collect data about other ways that you don't see or that are not obvious.
    Trust is the keyword, and I just don't have it when I think of the data silos where everything is stored, but, with what I've written, you get very close to gaining data sovereignty, for now.
     

    #88
    buntycubal, otto2, script and 2 others like this.
  9. Meleeto
    Eclair Sep 14, 2019

    Meleeto , Sep 14, 2019 :
    would be great oneplus offers its followers free VPN on their mobile phones ... would surely have a huge success 😃😃
     

    #89
    Texasaggie1 likes this.
  10. anusharao
    Donut Sep 14, 2019


    #90
  11. Texasaggie1
    US Brand Ambassador Sep 14, 2019

    Texasaggie1 , Sep 14, 2019 :


    Jhitch

    I personally use Adguard to block ads etc. system wide. You do have to download the apk from their site though as it's not on the play store. I paid around $25 'ish for a one time fee. It runs through the VPN but you don't have to use it that way if you don't want to. It's pretty awesome and as can be seen in the screenshot it saves significantly on data.​


    I used Adguard for a few years but switched to Blokada about a year ago. It's open source and it blocks trackers too. There are tons every day that are blocked on my phone. Blokada allows you to change the DNS for the phone. It also lets you customize the filter lists.
     
    Last edited: Sep 14, 2019

    #91
  12. Texasaggie1
    US Brand Ambassador Sep 16, 2019

    Texasaggie1 , Sep 16, 2019 :
    I was thinking about companies I distrust less than others. I so far don't have a huge problem with Microsoft or duckduckgo.

    in reality I think our motto online should be "trust no one" lol.

    wondering what you all thought
     

    #92
    buntycubal likes this.
  13. G_plusone
    Marshmallow Sep 16, 2019

    G_plusone , Sep 16, 2019 :
    Hope you are fine now
    Thanks for all the tips :)
     

    #93
    buntycubal, otto2 and Texasaggie1 like this.
  14. Ruby G.
    NA Community Manager Staff Member Sep 17, 2019

    Ruby G. , Sep 17, 2019 :
    Posts like this are why I love our community. So much knowledge flow, every thread topic opens up more opportunities. Nice job @hennes , I have pinned your post so that more people can see your POV on the topic too.
     

    #94
    buntycubal, otto2, cdnfarmer and 3 others like this.
  15. hennes
    Lollipop Sep 17, 2019

    hennes , Sep 17, 2019 :
    Wow, thank you @Ruby G. I feel so honored, thank you.
    Btw. that is the reason why I love that community too, that is also the reason why I made YaImCo.
     

    #95
    buntycubal, otto2, cdnfarmer and 3 others like this.
  16. hennes
    Lollipop Sep 19, 2019

    Stickied Post
    hennes , Sep 19, 2019 :
    Excuse me, that I disturb you again, but I wanted to say the following, because it is also up to date:

    I'd like to point out again that everything I've told you here only rudimentarily scratches the surface.
    There is just another "excitement", I would like to say again, that above are only the few possibilities of the user that can be done.

    The next sow is again hunted through the village (Yes sorry it's a German saying),
    Simjacker - Next Generation Spying Over Mobile.
    https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile
    No, not that it's something new, not really, but it's coming to light because people are sensitized.

    What is it about?
    Maybe we should start in 2013, when a small group realized that a SIM card is a small computer that can ride on its own without informing the device behind it what it is doing. In other words, the chip on a SIM card (SIM Subscriber Identity Module) has its own identity (IMSI) and a symmetric key (Ki). It is therefore a separate operating system independent of the rest of the smartphone. However, this also means that programs can be installed and executed on the SIM card.
    In the past, before smartphones existed, programs ran on the SIM card. Some people remember when you used to store your contacts on your SIM card. This is such a program that lives on a SIM card, for example.
    It's about a small computer that you carry around with you that you don't control, and it's not the smartphone or the smartphones operating system, but just your SIM card.

    Now, the latest news is again going through all channels and social media networks that there is a questionable hack, which is not recognized by the user. But it can interact with the smartphone and the OS behind it without the user noticing. It means that you can add an app to a SIM card via SMS, which can then, e.g., read out the address book for further commands. It would also be conceivable, however, that it would simply dig for crypto currencies. But it is also obvious that it accesses the NFC interface.

    In such a SIM card an 8-bit AVR CPU with between 20 and 30 MHz is working. This is mostly a 64k Javacard WIB 1.3 USIM with an Atmel AT goSC 25672RU platform and 6KB RAM, 256KB ROM and 72 KB EEPROM (Non-volatile memory).

    But we have known all this since the middle of the 90s. But then there was the fact that in 2012 at the Toorcamp conference, some people talked about SIM cards, and in 2013 at the defcon 21 Eric Butler and Karl Koscher showed up and talked about exactly what has been used for quite some time now.
    If you want more you can find it here: The Secret Life of SIM Cards -> https://simhacks.github.io/defcon-21/

    So it's about the so-called S@T Browser
    https://www.simalliance.org/files/S@T/S@T_Specifications_2007/S@T 01.00 v3.0.0 (Release 2007).pdf
    which is part of the S@T framework. This framework is used by telecommunication providers to push your configuration, to provide subscription services or weather services and so on.
    These services do not run as apps in the smartphone but as programs in the SIM card. Who says that you can only install a program that should use the service of the telecommunication provider, why not something else? Yes, that's exactly what happens, and since the SIM card practically has system rights, and for that you can actually cancel all system rights that you have used. Whether iOS or Android or even ROM developers like OnePlus can put a stop to this, it's unlikely, in my opinion it's just not going to help to switch off these S@T services, because that would cause roaming problems, I think much more that you would have to replace the 1 billion SIM cards, which are probably affected, on which the S@T services have been locked.

    Ok, now, as I said, just a small excursion that can not be controlled by the user, and why I said it only scratched my trip on the surface, but at least it can restrict the obvious things.
    But if we think about it, that almost all chips have an operating system, we just take your modem, your NFC chip, or quite profane, the chip of your SSD. Who does not know that printers were manipulated because they have chips and operating systems, as is sometimes said that if no original ink or toner is used, the printer does not work, now we also know that court decisions of the manufacturer was forced to remove this lock, and an update of the printer driver removes the lock in the printer, but which works again with an old printer driver on another machine.
    You see, well, there are possibilities everywhere, so it's always a matter of common sense what you store in your systems and how far you align your life.

    As Socrates (Apology, 210) said:
    The wisest man is the one who knows that he knows nothing.
     

    #96
  17. Bobby_Rivera
    Gingerbread Sep 19, 2019


    #97
    buntycubal and G_plusone like this.
  18. jtec99
    Eclair Sep 19, 2019

    jtec99 , Sep 19, 2019 :
    I always have my device set to airplane mode. it gives me a sense of well-being.
     

    #98
    Texasaggie1 and G_plusone like this.
  19. pipou14240
    Eclair Sep 20, 2019


    #99
    G_plusone likes this.
  20. elanglois
    Lollipop Sep 20, 2019

    elanglois , Sep 20, 2019 :
    @Texasaggie1

    First, where in Texas are you? I'm a little ways south of Dallas.

    Second, VPNs are kinda pointless really. Hiding your IP doesn't help much and as for public WiFis, you only gain an advantage if someone is smart enough to sniff the traffic and you are DUMB enough to connect to nonSSL web sites or nonSSL email ports. That's pretty much a non-issue. Way too many companies are making ludicrous claims about the protection offered by a VPN and I feel it's irresponsible to feed the claims these companies make. Maybe you bought into the VPN hype?

    I haven't read the rest yet
     

    Texasaggie1 and G_plusone like this.