So you've installed LineageOS on your device, and now you're unsure on how to proceed. You think that an AOSP-based build can't track you because there's nothing installed on it - but that's where you're wrong.
This guide focusses on what to do to keep you safe, what to do and what to prevent in order to further securing your Privacy on your smartphone.
Some steps in this guide require having a Rooted Phone, which means that
binaries need to be available in order to execute
commands with higher privileges (as the
user) on the system.
In case you don't come from the Unix world and don't know what
it's heavily recommended to not root your phone as you can easily brick
your device if you don't know what you're doing.
Android Wi-Fi Connectivity Check
Android's integrated and non-deactivateable Wi-Fi Connectivity Check sends your current approximate GPS location and your device's MAC address every 10 seconds via the Wi-Fi's connection, so that Google can keep track of where you are and what you do.
The data that is received by those domains contains the current NTP-verifiable timestamp, the system's installed exact Chromium Webview and Android version, the system's IMEIs and hardware MAC addresses, and of course the IP of the Wi-Fi connection itself. This is certainly enough data to make any enduser uniquely identifiable, which very likely is its purpose.
The only way to block them is by editing the system-wide
requires a rooted phone. In order to deactivate the tracking mechanism, you'll
also need either an
Then you can edit the
file after remounting the system
partition with read and write access, as it's mounted with read access by
[$] su -; # get root rights [$] mount -ro remount,rw /; # remount system partition [$] vim /system/etc/hosts; # edit hosts file
As the Wi-Fi Connectivity Check is implemented pretty cleverly, it rotates between a lot of google-owned domains once one of them is blocked. Therefore the hosts file has to contain at least the following domains in order to block access to them. Note that this will also block web access to those domains if the Web Browser is not routed through TOR.
127.0.0.1 localhost ::1 ip6-localhost # These are all rotated domains for the Wi-Fi Connectivity Check as of AOSP version 10 127.0.0.1 play.googleapis.com 127.0.0.1 www.google.com google.com 127.0.0.1 www.google.ru google.ru 127.0.0.1 connectivitycheck.gstatic.com gstatic.com 127.0.0.1 time1.google.com 127.0.0.1 time.android.com 127.0.0.1 clients1.google.com clients2.google.com clients3.google.com 127.0.0.1 dns.google.com dns.google
DNS and Firewall
Android 10 and later has integrated a so-called
Network and Internet
Settings. But as some might suspect, it's still
sending all DNS requests right to Google depending on which AOSP based
Android ROM you're using and what kind of patches were integrated in it.
The best recommendation for blocking and encryption of DNS requests is Rethink DNS which is a DNS, Firewall and VPN App that allows to block network connections. It can also block both on a per-IP basis for all other Apps and on a per-domain basis for DNS lookups. Additionally, it allows to forward its requests to public DNS over TLS resolvers, so that your ISP cannot track your DNS requests.
The screenshots show an example configuration of the App, and the Network Log which allows to inspect what an App does on a per-connection basis.
Detection of Trackers and Loggers
App Warden is an open-source tool which integrates the list of known trackers and loggers that is maintained by the Exodus Privacy project.
Additionally, if the device is rooted, App Warden can modify and disable Services and Components of the App. Depending on whether or not the App is really dependent on the Trackers, it might be usable in a tracker-free manner.
The screenshot shows the Scanner's view of
Permission Manager X
App that helps to modify App Permissions in a more detailed way. It uses the
API behind the scenes, which allows to override App Permissions and
ensure that the App cannot use features of your smartphone, even when the
App's Manifest includes those.
Additionally, the App can start an ADB session and a Debug Mode which allows a developer to inspect all tracking features of an App on the fly.
The screenshot shows
and their overridden settings.
Sometimes, Apps can be a little annoying and they constantly start themselves when they're not supposed to. While Permission Manager can help with the prevention of Apps that are starting themselves all the time, it's still sometimes necessary to suspend an App that doesn't want to quit by itself.
If an App resists persistently, you can use
as an App to automatically
or manually freeze all Apps that keep running in the background.
SuperFreezZ is an App that allows freezing a list of Apps easily, including System Apps.
The screenshot shows a list of Pending Freezes, which are configurable on a per-App
basis. Pressing the Lightning Button on the bottom right will auto-freeze all Apps
that have pending freezes. The App will then go into each
App view of
the selected Apps and press the
button there in an automated way.
The best navigation App and the by far most integrated one is OSMAnd , which uses the publicly available OpenStreetMaps datasets and map layers.
The App also offers a nice address-based search which allows to quickly lookup an address and figure out what's available in the area. The Point of Interests overlay is compatible to the same ones that are available on OpenStreetMaps, like restaurants, cinemas, or gas stations.
As OSMAnd also offers different modes of transportation where you can set it to either
, it's also amazing when being on a hiking
trip that's a little more rural.
feature allows to download all kinds of regions, from continents to countries
to even on a per-city basis, so it's very flexible when you're abroad in only a specific city
and don't want to download the whole country's map.
The screenshot shows the a sample route navigation, and the Local Maps feature in the Settings View of the App.
If you want a privacy respecting messenging service, you should use a reasonably trustworthy decentralized end-to-end encrypted messenger. This means that the message has to stay encrypted until the other client decrypts it and has to be encrypted by default (not optionally).
This kind of rules out
due to it backing up its decryption keys via Google Play APIs,
and it rules out
Telegram FOSS Fork
because the server implementation is not Open Source and neither verifiable in its behaviour
of what happens to the Drafts. As
Luckily, there's Briar as a rising messaging client that is peer-to-peer and is built for total disaster-scenario usage, where Clients can even chat via the same Wi-Fi locally, and even share their messages/forums via Bluetooth.
Web Browser is a harsh topic, as I historically want to like Firefox. But Firefox for Android sends so many packets back to the Mozilla domains that an MITM can easily fingerprint your specific Firefox version that you've got installed. So I cannot recommend it, and my findings were similar to the one of Spyware Watchdog .
I'm currently building up my own Browser Stealth and a WebKit fork called RetroKit due to those exact reasons, so I'm very biased on the topic when it comes to the availability of no other Browser that has a minimal attack surface.
I'm probably going to write a dedicated article about Web Browsers on mobile in the future, and how everybody can write exploits that use techniques like Heap Spraying attacks or stack corruptions in the proprietary and outdated GPU drivers, because WebGL, WebGPU and other APIs weren't designed with having security in mind.