# Privacy on Android, possible?



## Timur

What does it take to make my Android phone / tablet protect my privacy when I go online?

To be clear. I don't need total privacy ALL of the time. Not even most of the time. But occasionally I do. There are cases, when I don't want to be logged or tracked. So, what do I do? Should I...

- use Tor?

- use public WiFi?

- spoof my WiFi MAC address?

- disable G-framework / G-apps?

- use an outgoing firewall?

- use AppOps to deny certain apps access to the net?

- disable all locations services?

- fix DNS from switching to 8.8.8.8 behind me?

- use a supercharged /etc/hosts to get rid of trackers?

- disable Javascript? use https-anywhere?

- update many advanced browsers settings?

- avoid signing into any web-services (i.e. avoid email)?

All of the above? Anything missing on that list? And how to manage all that?


----------



## DR3W5K1

Timur said:


> What does it take to make my Android phone / tablet protect my privacy when I go online?
> 
> To be clear. I don't need total privacy ALL of the time. Not even most of the time. But occasionally I do. There are cases, when I don't want to be logged or tracked. So, what do I do? Should I...
> 
> - use Tor?
> - use public WiFi?
> - spoof my WiFi MAC address?
> - disable G-framework / G-apps?
> - use an outgoing firewall?
> - use AppOps to deny certain apps access to the net?
> - disable all locations services?
> - fix DNS from switching to 8.8.8.8 behind me?
> - use a supercharged /etc/hosts to get rid of trackers?
> - disable Javascript? use https-anywhere?
> - update many advanced browsers settings?
> - avoid signing into any web-services (i.e. avoid email)?
> 
> All of the above? Anything missing on that list? And how to manage all that?


I use the apps orbot and orweb to browse anonymously. Personally, I configure orbot to only use proxies from specific countries.
The browser is preconfigured to be completely anonymous and it also resolves the DNS issue.


----------



## yarly

There's two kinds of privacy on the Internet.

Each is mostly mutually exclusive because #2 (below) is only accomplished through not leaving an "online paper trail" and methods of privacy pertaining to #1 generally leave some sort of faint trail at some point, but are good enough to keep someone from knowing who you are.

1) The kind where you only want to avoid people tracking because one believes in having a degree of online privacy in their life

2) The kind where one wants to mask their trail to do more gray area things (not implying in any way that this is what you're asking about)

I'm going to presume we're only talking about #1, since #2 is only accomplished through doing mostly gray area to illegal actions that I don't condone.



Timur said:


> - use Tor?


I wouldn't trust it if you're using it at home. Also if using it with any sites that personally identify you directly/indirectly.



> - use public WiFi?


Only if it's something not tied to you as public wifi is far from secure. Should be combined with SSH tunneling/proxy or VPN. Tor would also be more reasonable with this.



> spoof my WiFi MAC address?


Not sure what good that would do. Only 2 reasons to ever do that:

1) Network is not to be trusted in the first place, which if one is worried about their MAC being recorded, there's bigger issues to worry about on that network (packet sniffing, man in the middle attacks, etc)

2) Network does MAC filtering and you want on that network (which would be unauthorized access and not legal)



> disable G-framework / G-apps?


Somewhat useful, if one does not trust Google, but then again, if one is doing this, why would they want to still use their DNS (8.8.8.8 and 8.8.4.4)? One's carrier can still track the device as long as it's on their network, even if Google cannot. Also assuming that the device is not using Google web based (not Google Apps) services (as well as Chrome) on the web (especially logged into them), since they can set cookies.

Alternative DNSs are OpenDNS and Level3 (4.2.2.1 to 4.2.2.6)



> use a supercharged /etc/hosts to get rid of trackers?


Won't get rid of them all. Most of those lists miss many I find on my own from looking at what loads on sites I visit. Also, most are not going to block things that are just as bad because users would complain if they didn't work (Google+, Facebook, Disqus and other APIs used on 3rd party sites for "connecting" or passwordless signups/logins).



> disable Javascript? use https-anywhere?


Much of the web will be painful to use if disabling JavaScript totally (also won't save you from being stored within server logs for Apache and whatever else). It will have much of the same effect as host blocking though and speed up sites that have lots of crap on them (main reason I disable JS at times). Few developers sadly care about gracefully degrading their websites to work without JS anymore. Https anywhere is just a way to force https on sites that allow it, but don't default to it. Won't save someone from sites that do not have https period though.



> update many advanced browsers settings?


I use Opera 12 (not 'fake opera' [versions newer than 12] based on Chrome) for that reason and also some of your previous reasons. Features I list below are only easy to access via the PC version of Opera, but Opera Mobile (the older version) can use them as well, but there's no user interface to do so (requires modding files).

- It lets me block javascript per site (via right clicking and doing "edit site preferences")

- Disable specific aspects of JavaScript per site (right click detection, etc)

- Ditto for Flash per site

- Disable HTML5 video if needed per site

- Disable Sound/Gifs per site

- Disable cookies for specific sites (as well as third party ones).

- Delete cookies for a site on browser close

- Disable iframes on specific site

- Disable site referrers (another way to track where you came from)

- Disable all plugins per site

- Disable automatic redirection (on shady sites that do it)

- pressing f12 brings up a menu to globally disable much of the above without other plugins or menus needed

- Opera has a good track record for security (despite being a closed source browser) and it's built in a country that has pretty good privacy laws.



> Anything missing on that list?


VPN or SSH proxy, but those are only as secure as much as you trust the provider of the VPN or the server host you are tunneling to for SSH.

Privacy mode in most browsers (will kill history, cookies, url history, cache)

I also put my browser history/cache on my ram drive. All gets wiped when my PC reboots. That's less about privacy reasons though and more about increasing performance just a tad.



> And how to manage all that?


Most of that list is just initial setup, not managing it. Most privacy online is mostly just through awareness of one's actions and common sense.
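
Added example (not part of yarly's post): a hosts file matches only the exact names it lists, which is one reason the blocklists discussed above miss hosts. The script compares a constructed hosts file with a constructed list of hostnames a page contacted and prints the ones that still resolve; every hostname and the `unblocked_hosts` function are illustrative assumptions.

```shell
#!/bin/sh
# Constructed sample hosts file (not a real blocklist).
HOSTS_SAMPLE='127.0.0.1 localhost
0.0.0.0 tracker.example        # exact name only
0.0.0.0 ads.example cdn.ads.example'

# Constructed list of hostnames one page load contacted, one per line.
LOADED_SAMPLE='news.example
tracker.example
pixel.tracker.example
ADS.example
widgets.social.example'

# unblocked_hosts HOSTS_TEXT LOADED_TEXT
# Prints every loaded hostname that the hosts file does not send to a sink address.
unblocked_hosts() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '@@LOADED@@'
        printf '%s\n' "$2"
    } | awk '
        $0 == "@@LOADED@@" { loaded = 1; next }
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        !loaded {
            # Only entries pointing at a sink address count as blocking.
            if ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1")
                for (i = 2; i <= NF; i++) blocked[tolower($i)] = 1
            next
        }
        # Exact match only: hosts files have no wildcards, so a listed
        # parent name does not cover its subdomains.
        NF { h = tolower($1); if (!(h in blocked)) print h }
    '
}

# The first-party site is listed too; the third-party names after it are the misses.
unblocked_hosts "$HOSTS_SAMPLE" "$LOADED_SAMPLE"
```

To run it on real data, pass the contents of the device's hosts file and a hostname list exported from the browser's network view.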


----------



## Timur

DR3W5K1 said:


> I use the apps orbot and orweb to browse anonymously. Personally, I configure orbot to only use proxies from specific countries.
> The browser is preconfigured to be completely anonymous and it also resolves the DNS issue.


Can you, in general terms, elaborate on this country configuration? Also, when using orweb over orbot, how can you (probably not being a developer of the stack), trust the whole thing to work the way you expect it to? I'm asking, because it often happens to me, that after using some piece of technology for months or years, I suddenly learn about some weakness that kind of ruins the whole thing. How can one trust in anything as complex as a browser running on Tor running (partly) on your smartphone OS... to be sufficiently secure? And aren't you concerned about your other apps (and parts of the OS) likely taking advantage of your plain internet connection and possibly leaking sensitive info - while you are using Tor? So even if you are not doing this at home (or on your 3G contract), the ISP you are using Tor over may be able to tell who you are. Plus: your WiFi MAC address is likely registered under your real name.



yarly said:


> There's two kinds of privacy on the Internet.


Whenever you leave "some sort of faint trail", someone may come and pick it up and your stuff may eventually end up in a big personal profile of yours. I think there is only one kind of privacy.

> 2) The kind where one wants to mask their trail to do more gray area things

People can be 100% innocent + legal and may still desire true privacy. From this week's WH report: http://i.imgur.com/3Zc413D.png

In my case: I'm interested in privacy, because a free, liberal democracy requires a certain amount of it. I would like to find out if Android can be used as a privacy protecting platform. And if so, how much effort it truly takes, to get there. Is it maybe just a theoretical possibility? Or can real people enjoy this with reasonable amount of time and effort (and technical skill)?

> ...if one does not trust Google...

Last time I heard, G was not the only organization having access to the data G is collecting. Just saying.


----------



## yarly

Timur said:


> Can you, in general terms, elaborate on this country configuration? Also, when using orweb over orbot, how can you (probably not being a developer of the stack), trust the whole thing to work the way you expect it to? I'm asking, because it often happens to me, that after using some piece of technology for months or years, I suddenly learn about some weakness that kind of ruins the whole thing. How can one trust in anything as complex as a browser running on Tor running (partly) on your smartphone OS... to be sufficiently secure? And aren't you concerned about your other apps (and parts of the OS) likely taking advantage of your plain internet connection and possibly leaking sensitive info - while you are using Tor? So even if you are not doing this at home (or on your 3G contract), the ISP you are using Tor over may be able to tell who you are. Plus: your WiFi MAC address is likely registered under your real name.
> 
> Whenever you leave "some sort of faint trail", someone may come and pick it up and your stuff may eventually end up in a big personal profile of yours. I think there is only one kind of privacy.
> 
> > 2) The kind where one wants to mask their trail to do more gray area things
> 
> People can be 100% innocent + legal and may still desire true privacy. From this week's WH report: http://i.imgur.com/3Zc413D.png
> 
> In my case: I'm interested in privacy, because a free, liberal democracy requires a certain amount of it. I would like to find out if Android can be used as a privacy protecting platform. And if so, how much effort it truly takes, to get there. Is it maybe just a theoretical possibility? Or can real people enjoy this with reasonable amount of time and effort (and technical skill)?
> 
> > ...if one does not trust Google...
> 
> Last time I heard, G was not the only organization having access to the data G is collecting. Just saying.


We're obviously not going to agree on what is total privacy. However, there are degrees to privacy by what I go by. Best you are going to get without breaking the laws of most countries is paying for some sort of VPN or SSH proxy access with cash/prepaid card/bitcoin and avoiding doing basically everything I listed above (plus a handful of things I forgot or didn't think about, such as user agent signature, plugins installed and detected on one's browser, etc). Even then, you're still subject to tracking by heuristics as what you say and do online gives you away.



> Last time I heard, G was not the only organization having access to the data G is collecting. Just saying.


I really don't want to debate who has access to what, because it all becomes a big feedback loop that has already been reenacted many times on places like reddit....just saying

You should probably dump your smart phone for a pre GPS era dumb phone if you're that worried or not carry a phone at all as you can still be tracked by towers.

If the above is not a concern, then you should probably at least stop using Android devices and supporting the Android eco-system, because having any device with closed source blobs is subject to black box unknowns you can never control.

I suggest looking into http://neo900.org/ if you still want a smart phone because Android will never give you certainties like this:



> Neo900 can be used with 100% Free Software stack. Forget about spying and influences of intelligence agencies. If you turn off GSM modem from the software, you can be sure it's really turned off.


----------



## DR3W5K1

I don't think you can ever hide who you are from your ISP; Tor hides what you are doing by using encryption.
I use this site to check if everything is working correctly:
http://www.stayinvisible.com/

Also I don't really care about them knowing my location with Google services that much.
You can use tor to encrypt those as well as any other processes if you're rooted.
As far as the country thing, go into the orbot settings and check the box that says strict nodes. You then place the proxies you would like to use in the entrance and exit nodes menu; separate the IP addresses with commas. I get my tor nodes or proxies from this list:
https://www.dan.me.uk/torlist/

I choose the nodes to use based on the country's privacy laws and their relations with the US.


----------



## xapt3r5

Hey Timur, nice to hear from you... My In-dash is now looking like an OEM factory head unit, partially thanks to your hard work.

If there's one thing I've yet learned about OS security is that almost anything that's Linux(Unix) based is more secure than everything else out there. I can perfectly see where you're going with this, but I wouldn't worry so much. ISP's will only ever give away your location to law enforcement entities, for legal purposes, but that would mean, they needed to already have "something" on you. The same, applies for Google. You'll find your confidential/personal information is more likely to be "obtained" through a lost/stolen tablet/smartphone, than by any other means, these days. Just leave your location retrieval settings unchecked and keep your personal data (ex: credit card number) away from non-trusted websites and you'll be fine, I think. Encryption, all the way, of course!


----------



## DR3W5K1

xapt3r5 said:


> Hey Timur, nice to hear from you... My In-dash is now looking like an OEM factory head unit, partially thanks to your hard work.
> 
> If there's one thing I've yet learned about OS security is that almost anything that's Linux(Unix) based is more secure than everything else out there. I can perfectly see where you're going with this, but I wouldn't worry so much. ISP's will only ever give away your location to law enforcement entities, for legal purposes, but that would mean, they needed to already have "something" on you. The same, applies for Google. You'll find your confidential/personal information is more likely to be "obtained" through a lost/stolen tablet/smartphone, than by any other means, these days. Just leave your location retrieval settings unchecked and keep your personal data (ex: credit card number) away from non-trusted websites and you'll be fine, I think. Encryption, all the way, of course!


You do realize the government has been collecting mass amounts of data from everyone for a while now?


----------



## xapt3r5

Which government? From what country?... US? Well, aside from getting paranoid about it, I don't see why one would mind having data collected by any government anywhere in the world, unless of course, you are living somewhere in the Middle East or in North Korea, or you're not keeping it clean. Apart from that, there is only so much privacy, or security, until you join the social, public, global mass machine that World Wide Web is today, and start living your real life by it. You can run away from that, no more than you can run away from street surveillance cameras. You'll always have to find a balance between privacy/security/sociability, and none of these alone. The only way one can have 100% privacy, these days, is to fall back to a cave man, an hermit...


----------



## PonsAsinorem

Don't forget about XPrivacy. The most comprehensive privacy/permission manager I've seen.


----------



## DR3W5K1

xapt3r5 said:


> Which government? From what country?... US? Well, aside from getting paranoid about it, I don't see why one would mind having data collected by any government anywhere in the world, unless of course, you are living somewhere in the Middle East or in North Korea, or you're not keeping it clean. Apart from that, there is only so much privacy, or security, until you join the social, public, global mass machine that World Wide Web is today, and start living your real life by it. You can run away from that, no more than you can run away from street surveillance cameras. You'll always have to find a balance between privacy/security/sociability, and none of these alone. The only way one can have 100% privacy, these days, is to fall back to a cave man, an hermit...


Probably all of them by now. I was referring to the United States though


----------



## Timur

xapt3r5 said:


> The only way one can have 100% privacy, these days, is to fall back to a cave man, an hermit...


Yes. But what about 10%? Can you produce 10% privacy for yourself?

It's much harder to make a fully qualifying picture of a person, if there are some essential holes in the data. It's worth it.



PonsAsinorem said:


> Don't forget about XPrivacy. The most comprehensive privacy/permission manager I've seen.


Wow, 1st time I see this. Looks very detailed. Are you using it?

And a 500+ pages thread. Let me go through that first


----------



## PonsAsinorem

Timur said:


> Wow, 1st time I see this. Looks very detailed. Are you using it?
> 
> And a 500+ pages thread. Let me go through that first


Yes, I'm using it, and it's ridiculously powerful, yet very simple and intuitive to use. You don't have to read the whole thread, or even search it. Most of the pertinent info is located in github links in the OP.


----------



## Timur

PonsAsinorem said:


> very simple and intuitive to use


XPrivacy seems to be a very powerful app, indeed. It appears to be a supersized AppOps and DroidWall. Q: Is this app really able to fully replace DroidWall/AFWall?

Right now, after using it for about an hour, I definitely do not understand all implications. I wouldn't use "very simple" to describe this app.

It would be good if this app came with something like a Preset-Wizard (medium, strong, paranoid). I'll continue playing with it.


----------



## PonsAsinorem

Timur said:


> XPrivacy seems to be a very powerful app, indeed. It appears to be a supersized AppOps and DroidWall. Q: Is this app really able to fully replace DroidWall/AFWall?
> 
> Right now, after using it for about an hour, I definitely do not understand all implications. I wouldn't use "very simple" to describe this app.
> 
> It would be good if this app came with something like a Preset-Wizard (medium, strong, paranoid). I'll continue playing with it.


Ok, simple for what it does. Once you read what it restricts, and understand the implications of it (for instance, restricting mass storage means the app can't save to sd, and restricting internet means the app can't access the internet, etc).

As for is it a good substitute for a firewall, yes and no. If all you do is restrict apps from the internet period, then yes, XPrivacy can do this for you. But if you restrict all apps from Roaming, some apps from mobile data because you're on a data plan, but let them have access to wifi, then no, XPrivacy is not a good substitute. From the FAQ:



> (19) Does XPrivacy have a firewall?
> 
> Yes, you can restrict internet access for any application. If you want to partly enable internet, for example for Wi-Fi only, you will have to use a firewall application, like AFWall+. The reason is that XPrivacy works within Android and detailed firewall rules can only be applied within the Linux kernel.


And if you have a feature request (such as your Preset Wizard), you can create an issue. M66B is pretty quick at responding:

If you have a feature request, please create an issue.


----------



## Timur

PonsAsinorem said:


> As for is it a good substitute for a firewall, yes and no. If all you do is restrict apps from the internet period, then yes, XPrivacy can do this for you. But if you restrict all apps from Roaming, some apps from mobile data because you're on a data plan, but let them have access to wifi, then no, XPrivacy is not a good substitute.


OK, I am using XPrivacy or DroidWall to prevent my FlashLight, Calculator, etc. apps from getting access to the net. This solves those fully unreasonable cases.

But how can I prevent apps that I DO want to use with network access, from doing so behind my back?

As far as I know, apps can register with the boot intent, so they always get to execute some code on system start. They will then register for specific "Alarm events" and as a result they will get executed at certain times or intervals. If necessary, these alarm events will re-launch the requesting app. Killing such an app before the requested alarm event triggers, will not make any difference. The app can even request the alarm event to wake the device from deep sleep (with the screen off). This functionality is often being used by apps to search for updates. It is usually only visible in logcat. Firefox for Android, for example, manages for its org.mozilla.firefox.UpdateService to be executed at random times - even if "Automatic updates" have been disabled in the FF settings!

Unfortunately, Android OS does not provide the user with any control over this.


----------



## Timur

Timur said:


> But how can I prevent apps that I DO want to use with network access, from doing so behind my back?


A bit later, I asked a similar Q on the "guardian-dev" mailing list:

https://lists.mayfirst.org/pipermail/guardian-dev/2014-January/002977.html


----------



## PonsAsinorem

Timur said:


> But how can I prevent apps that I DO want to use with network access, from doing so behind my back?


Your best bet is to use either (or a combination of) Boot Manager to restrict boot permissions, or Greenify to place apps in an auto hibernated state (think, umm, frozen or not active), but are activated when you select them. Both are available on the Play Store, and are Xposed modules.


----------



## Timur

It's really good to know these solutions exist. But don't you think downloading them from the Play Store doesn't somehow defeat the purpose? With G Framework running on your device (prerequisite to use Play Store), how much sense does it make to freeze individual apps in an attempt to stop their chattiness? (No rhetorical question.)

A different approach: get a machine with two network interfaces; run a http proxy server, have it listen to the 2nd network interface; provide access to the Internet only to the 2nd interface; do not run a router (no ip forwarding) on this machine; connect your mobile device via the 1st network interface (probably a WiFi or Bt interface); configure your preferred app to use the http proxy on the 2nd interface - done. No code running on your mobile device will see the light - except for this one app. The http proxy can be a Tor server also. All you need to do now, is to make sure your one app doesn't leak unique/personal data. This may be a whole new universe to solve. But at least it is a smaller universe.
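
Added example (not part of the thread): a check for the proxy-only gateway Timur describes, confirming that the host does not route packets and that the proxy is the only listener a handset can reach. The address 192.168.50.1, port 8118, the `ss -ltn` sample and the `audit_gateway` function are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `ss -ltn` output from the gateway host.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.168.50.1:8118  0.0.0.0:*
LISTEN 0      128    127.0.0.1:9050     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

# audit_gateway IP_FORWARD SS_TEXT PROXY_ADDR PROXY_PORT
# Prints one finding per line and returns non-zero if there is any finding.
#   FAIL     the kernel forwards IPv4 packets, so the handset is not confined
#   EXPOSED  a listener other than the proxy is reachable from the handset side
#   MISSING  the proxy is not bound to the expected address and port
# Limitation: only IPv4 forwarding is checked; IPv6 has its own sysctl
# (net.ipv6.conf.all.forwarding).
audit_gateway() {
    printf '%s\n' "$2" | awk -v fwd="$1" -v paddr="$3" -v pport="$4" '
        BEGIN {
            if (fwd != "0") { print "FAIL ip_forward=" fwd " (host is routing)"; bad = 1 }
        }
        $1 == "LISTEN" {
            la = $4
            if (!match(la, /:[0-9]+$/)) next     # port follows the last colon
            addr = substr(la, 1, RSTART - 1)
            port = substr(la, RSTART + 1)
            if (addr == paddr && port == pport) { seen = 1; next }
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            # Wildcard binds and other non-loopback binds answer the handset too.
            print "EXPOSED " la; bad = 1
        }
        END {
            if (!seen) { print "MISSING proxy listener " paddr ":" pport; bad = 1 }
            exit bad + 0
        }'
}

# Demo on the constructed sample, with forwarding wrongly left on.
audit_gateway 1 "$SS_SAMPLE" 192.168.50.1 8118 || echo "gateway needs attention"

# On a live Linux gateway:
#   audit_gateway "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ss -ltn)" ADDR PORT
```

Unless the proxy requires authentication, any app on the handset that is pointed at it (or that honors a system-wide proxy setting) gets out as well, so the proxy's own access log is the place to confirm that only the intended app is talking.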


----------



## PonsAsinorem

Timur said:


> It's really good to know these solutions exist. But don't you think downloading them from the Play Store doesn't somehow defeat the purpose? With G Framework running on your device (prerequisite to use Play Store), how much sense does it make to freeze individual apps in an attempt to stop their chattiness? (No rhetorical question.)


If you just use the Play Store first off your phone, yes that wouldn't be very practical. Greenify is only available via the Play Store, but I'm sure you could ask the dev for the free apk if you asked nicely and told him why. But Xposed framework and the XPrivacy module aren't available by the Play Store, and you can download them separately or compile them. So what you could do is:

1) Compile your ROM from source (gotta love open source for this reason) and flash it.
2) Do not flash Gapps.
3) Install Xposed and XPrivacy (you could even compile these two from source if you wanted)
4) Have XPrivacy limit everything, including system apps, and use the default strict template.
5) Flash Gapps.
6) Go back into XPrivacy and configure the Gapps with the permissions you want.

This is not guaranteed to work, however, since some apps don't handle restricted data that they're expecting to have, and begin FCing. But you could always have it use "faked" data instead of your or no data.



Timur said:


> A different approach: get a machine with two network interfaces; run a http proxy server, have it listen to the 2nd network interface; provide access to the Internet only to the 2nd interface; do not run a router (no ip forwarding) on this machine; connect your mobile device via the 1st network interface (probably a WiFi or Bt interface); configure your preferred app to use the http proxy on the 2nd interface - done. No code running on your mobile device will see the light - except for this one app. The http proxy can be a Tor server also. All you need to do now, is to make sure your one app doesn't leak unique/personal data. This may be a whole new universe to solve. But at least it is a smaller universe.


This would be more ideal, but I think I'd rather not install the Google framework if I was that worried. Then again, I do crazy stuff when bored.


----------



## Timur

PonsAsinorem said:


> This would be more ideal, but I think I'd rather not install the Google framework if I was that worried.


But this is the crucial point: you could.

It's also completely effortless. And it will continue to work if you switch ROMs, etc. It's not fragile.

Edit: Also doesn't require root.


----------



## Zanoni

As so often is the case, the weakest part of any security setup is the human.

I would point out that it is completely wrong to assume an ISP, or any other company, will not hand over your information.

Every US company is subject to the p4triot 4act. They are obliged to hand over any information they have upon request.

I would fully guarantee you that no company has refused or failed to comply.


----------



## yarly

Zanoni said:


> As so often is the case, the weakest part of any security setup is the human.
> 
> I would point out that it is completely wrong to assume an ISP, or any other company, will not hand over your information.
> 
> Every US company is subject to the p4triot 4act. They are obliged to hand over any information they have upon request.
> 
> I would fully guarantee you that no company has refused or failed to comply.


It's not exactly true that no company has refused or failed to comply. The most recent example is Lavabit, who shut down rather than comply with the order to hand over all customer emails. They're currently appealing in hopes they can reopen. http://www.bbc.co.uk/news/technology-25930222

Another example are librarians that refused to comply with National Security Letters demanding they turn over records of whom checked out what books http://www.wired.com/threatlevel/2007/06/librarians-desc/ (they also won and had their gag order lifted).


----------



## DR3W5K1

I think Google resisted for awhile.


----------



## Timur

I think he was mostly talking about ISPs. If I need to look up something that I don't like to have on "my record", I'm also hesitant to do that from home or from my mobile phone. Public Wifi would be better. Question is, whether I should use my Android device for that.


----------



## Zanoni

yarly said:


> It's not exactly true that no company has refused or failed to comply. The most recent example is Lavabit, who shut down rather than comply with the order to hand over all customer emails. They're currently appealing in hopes they can reopen. http://www.bbc.co.uk/news/technology-25930222
> 
> Another example are librarians that refused to comply with National Security Letters demanding they turn over records of whom checked out what books http://www.wired.com/threatlevel/2007/06/librarians-desc/ (they also won and had their gag order lifted).


Thanks yarly. Timur's correct in pointing out that it was a reference to ISP, but it's interesting to know someone was defiant. It does appear though that, like the Borg say, 'Resistance is futile.'


----------

