Managing your privacy on later Android versions

A while back, I used to use an Xposed module called XPrivacyLUA to let me precisely control (and fake) permissions to apps, which helped in cases of apps which I didn’t particularly trust (eg: Steam Chat, Instagram etc) which required permissions and had access to things on my phone I didn’t want to give them access to.

So, when I upgraded my device to LineageOS 16 (based on Android 9.0) I was quite displeased to be met with a screen on the Xposed Installer app that stated that my Android version was not supported yet — and over a year and a half later still isn’t supported so I would have to take things into my own hands and try something else.

I am rooted with Magisk, which has modules itself a bit like Xposed, but there didn’t seem to be support for XPrivacyLUA.

Then I came across TaiChi, which claims to be a replacement to Xposed, and there is a module to get it working right in the Magisk repos. Upon further looking into this, I found that there is a modified version of XPrivacyLUA in their module repository on their website, and so I installed it right away.

One thing to note is that right away, TaiChi seems to default to non-system-wide mode where it cannot interact with other apps the way Xposed does, but this can be changed (as long as you have the TaiChi magisk module) in the setting section of the TaiChi app. Also, you will have to press the button in TaiChi to enable it in the “manage modules” section, then reboot.

Now, you will be able to open the XPrivacyLUA app you installed from the TaiChi repos, and tap on apps you want to restrict the permissions of (although beware that it does not seem to be able to fake storage access so you may want to leave this part to Android’s built in permissions manager and put up with apps pestering you for it).

Avoiding Google

It is a well known fact that Google has the ability to track your every move. From recognizing your daily work commute to collecting your DNA and selling information about your genetic diseases to life insurance companies who will in turn raise your health insurance price, there is a lot to fear, even if you have nothing to hide. In this post I will share my knowledge of small things and big things that you can do to avoid the google botnet.

Using alternative services

This is probably one of the first things that comes to mind when you think of how you can avoid google – and probably the most effective.

Gmail

Some people may have a hard time switching over to, say, ProtonMail or a self hosted email from a google service such as gmail because their gmail address is how many people may contact them, and they might find it too much effort to distribute their new email address to everyone in their contacts. One solution to this is to set up a forwarding service to forward your gmail inbox to a more privacy centered provider. You can see Google’s official page on how to do this on this link: https://support.google.com/mail/answer/10957?hl=en or avoid going to the google website and view the archived link here: http://archive.is/cXmIs.

A smaller way to ‘avoid’ gmail is to stop using the official app and instead use another email app that can connect to gmail through the standard IMAP and SMTP protocols, such as K-9 Mail. This might sound confusing but K-9 should configure this for you and you should be good to go. One thing to note is that in some cases you might be required to enable ‘less secure services’ on your google account, but do not fret! This is just one of google’s many tactics to tie you in to using their apps. IMAP and SMTP are standard, secure protocols used by almost every email provider on the planet.

YouTube

This is one of the harder ones to avoid, seeing as most creators upload to YouTube and only YouTube so competitors are often lacking in content, and most competitors fail after a few years because hosting is very expensive and not much money can be made, even if you plague the site with advertisements (see http://vid.me and http://vanillo.co, and a news article detailing YouTube’s net loss).

– Invidio.us

invidio.us is a private, add-free way of watching YouTube. It is open source under AGPL and does not require JavaScript to view the site. There have been other attempts at achieving this before, most notable HookTube, however hooktube relied heavily on YouTube’s API and the API states in its terms and conditions that you cannot use it to create YouTube alternatives. This caused HookTube to essentially shut down and now it just embeds the YouTube content, meaning Google can still track you. Invidio.us gets around this by directly crawling YouTube which does not require use of their API, but it does mean that sometimes videos fail to load. There is also an instance of invidio.us on Tor, which allows for extra privacy: http://qklhadlycap4cnod.onion/.

– Floatplane

Floatplane is a video hosting site from the popular creator Linus Tech Tips. I believe this will not fail like many others as it is backed by Linus Media Group and already has many creators on the site. They have a sustainable business model because the viewers pay a monthly subscription to see exclusive videos from creators. Because of this, it is not a complete alternative to YouTube because many YouTube users would not be willing to pay.

Search

This is arguably the easiest service to replace. Many alternative search engines exist; DuckDuckGo is a very prominent alternative and claims to respect your privacy, however the creator of DuckDuckGo was previously involved in a data analytics company so personally I don’t trust him. It is up to you to decide if he’s changed his ways. They have been caught using a notorious tracking method ‘Tracking Pixels‘. It is also in US jurisdiction and does not have a warrant canary so I assume that they are being forced to share information with the US government.

Some good search engines to use are: Qwant, a search engine in French jurisdiction which claims not to track you; and StartPage, a search engine that returns Google search results without compromising privacy. StartPage are in EU jurisdiction.

Google Chrome

Chrome is the dominating web browser, with 65% market share. Like many other Google products they track your every move. Chrome’s tactics can be explained in the infographic below

Obviously, Firefox looks to be a good alternative at first glance, but when you look into Mozilla they don’t appear to be much better than Google. More details can be found here: https://spyware.neocities.org/articles/firefox.html and here https://digdeeper.neocities.org/ghost/mozilla.html.

Personally I use GNU IceCat, which is a fork of Firefox ESR but with spyware disabled and some privacy-enabling addons, although I do recommend disabling the ‘Third Party Request Blocker’ and ‘LibreJS’ extensions as they tend to break most websites. Another option is to use LibreFox which is a set of files you put in Firefox’s installation directory which disables Mozilla’s spying, and because it is not a fork you can keep Firefox up to date, meaning you will always get the latest bug-fixes and security mitigations.