@sjjh @paulakreuzer @Roboe @TobiasF: Apart from the Google Apps and Services, I am aware of the following connections to Google which even happen with an AOSP (or FPOOS) version:
1. The “captive portal check”.
2. Connection to Google’s DNS servers.
There might be more I don’t know of. Both can be turned off with root access (without root access, 2. can be turned off only for Wi-Fi, but not for mobile data - at least as far as I know). Edit: As @sjjh points out, 2. may actually not be used. See the next post. End of edit.
Note that I myself am relatively new to this as well and my main source for this was the great German blog Kuketz IT-security, but I’ll try to explain both as best as I can:
1) Captive Portal check
After connecting to a Wi-Fi network or after toggling on mobile data, Android connects to a Google server (which is especially set up for this purpose) to check whether the internet connection is really working fine:
This is particularly useful in Wi-Fi networks where some kind of login on a special first web page is needed (e.g. hotels), as Wikipedia explains:
The topic @freibadschwimmer’s post is from discusses this in quite some detail, and I only give a short version of how to turn this off with root access and the phone connected via adb. You then just need to execute the following commands in a terminal:
$ adb shell su -c "settings put global captive_portal_server 127.0.0.1"
$ adb shell su -c "settings put global captive_portal_detection_enabled 0"
Note however that Wi-Fi networks with login pages (such as in e.g. hotels) won’t work anymore! Edit: You could also set another or your own server, properly configured for pinging.
2) Google’s DNS servers
I’m aware of at least one Forum post mentioning this:
When entering a web site’s address (such as http://fairphone.com - I only link the http version here for the purpose of demonstration (it wouldn’t work that easily with the https version) - use https whenever possible!) into your browser, your PC (or smartphone or device XY) needs to know where to get the content of the website from, i.e. how to connect to the corresponding server (the Fairphone server in this case). For this purpose, any server has an assigned number uniquely identifying it on the internet (imagine a telephone number as an analogy), which is the so-called IP address. E.g., the Fairphone server’s IP address is 213.108.107.71. These numbers are very well suited for the technological communication and would actually be sufficient - you can even try this out by just entering the IP address 213.108.107.71 into your browser (address bar)! If you do this, by some magic (i.e. internet protocols and their infrastructure) you’ll get the Fairphone website as if you had put fairphone.com in there.
Though technically seen, you only need IP addresses for this to work, they are highly impractical, because they are hard to remember for humans and not very handy for everyday usage. Hence, you’ve got a name (called domain name) for every website and in particular the domain name fairphone.com for the Fairphone site. However, only through its IP address 213.108.107.71 is the Fairphone server directly accessible via the internet “magic”. This direct access is not possible by its domain name fairphone.com - there an additional step is needed to get to know the IP address corresponding to this domain name in order to initialize a connection.
(Old school) telephones are a great analogy here: By dialing a telephone number (analogy: entering IP address), you’ll get connected to the person (analogy: server) you want to talk to by some telephone (analogy: internet) infrastructure magic. However, if you do not know the person’s telephone number (analogy: server’s IP address), but only the name (analogy: domain name), you’d have to take a look into a telephone book provided by someone, as the telephone in front of you wouldn’t know what to do with a name. In the internet world, the analogy of telephone books are DNS servers. DNS stands for “Domain name system”, which is only the system that I just explained (in a simplified way), i.e. it connects domain names to IP addresses. See the Wikipedia article for more information.
Whereas a telephone book normally is on your desk, the “telephone book” of the internet is not stored on your own PC, but on public servers (for disk space reduction and other reasons, I guess). You need to connect to those servers to get the IP addresses. Google maintains its own DNS servers (as do ISPs, other organizations and companies). As far as I know (though I’m lacking a reliable source atm), Android is preconfigured to use the Google DNS servers for all internet traffic (Edit: this may be false, as @sjjh explained reasonably in the following post), which means that the Google DNS server could track all the web addresses you visit. In principle, the DNS server also has the ability to just block some sites for you, i.e. to censor some sites or parts of the internet (which for most people in Europe might not be a problem as big as in other countries of the world).
I’m also asking myself whether the DNS server will appear in the firewall. If someone with the default configuration might have a look for Google’s DNS server IPs 8.8.8.8 and 8.8.4.4 in the firewall’s protocol, we could confirm their usage. But this might be a false guess as I’m not sure whether AFWall+ shows the DNS server addresses in the logs …
Workaround: You can configure DNS servers by yourself. Note, however, that every DNS server you are using would in principle be able to track your browsing history. Hence, you need to choose DNS servers you trust carefully. The openNIC project claims to be open, democratic and neutral without censorship and has a list of such DNS servers. I’ve just recently discovered it and don’t know it very well, but at first glance, it looks rather trustworthy and I maybe would trust them after getting deeper knowledge about it. Personally, I’d also put trust in the DNS servers of
- the German hacker association Chaos Computer Club (CCC),
- the registered association Digitalcourage e.V.
- the Swiss Privacy foundation. However, they’ve switched off their DNS servers and now recommend the servers of xiala.net.
Of course, there are many, many others out there (thousands of DNS servers do exist) and you may choose one on your own. Anyway, if you have chosen a DNS server, get to know its IP address (i.e. 213.73.91.35 for the CCC’s one), you can change this for Wi-Fi connections only as follows (translated from German):
Settings → Wi-Fi → long tap on your Wi-Fi → Change network → Show advanced options → choose “static” in IP settings → scroll down to “DNS 1” and “DNS 2” and enter one DNS server’s IP address in every field (you might preventively choose two of them) (Google’s DNS servers 8.8.8.8 and 8.8.4.4 might even be preconfigured?! are suggested)
You need to do this for every Wi-Fi network you want to (e.g. every network you’re connecting to). For mobile data, it’s not that easy. If you are familiar with custom scripts of the firewall app AFWall+ (hence you need root), you can add the following lines to your custom scripts:
# Necessary at the beginning of each script!
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
...
# Fix DNS-Server
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination <DNS SERVER>:53
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination <DNS SERVER>:53
where <DNS SERVER> is a placeholder for the DNS server’s IP address, i.e. you need to replace it with this IP number (and yes, this time you should enter the same IP in both lines, i.e. you only configure one DNS server).
Well, Syncthing (Android app available in F-Droid) seems to be an open-source software solution without storing data on a cloud server. It seems as if you need to install some software on the end devices and data then gets synchronized through the app. The data will not be stored on a server, but only the sync process (i.e. the data transport) will be technically initiated and carried out by the servers. However, don’t take this for granted, I just read this in a blog post and only grasped at the website. Moreover, even if my description is correct, I still haven’t understood the process and protocol in detail and can therefore not say whether it’s secure and can be trusted. Please do your own research, if you want to know more.
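To follow up on the question above about whether the DNS servers show up in the firewall log, here is an added example (not from the original post or from AFWall+) that reads netfilter LOG lines and counts which resolver each DNS packet (destination port 53, UDP or TCP) went to. The log lines are constructed, and the “AFWall:” log prefix is an assumption; the same check, run after adding the DNAT rules above, should show only the chosen server as destination.

```shell
#!/bin/sh
# Constructed sample of kernel netfilter LOG lines (iptables "-j LOG" output).
# Only the lines with DPT=53 are DNS traffic; the others are ordinary HTTPS.
SAMPLE_LOG='
[  120.001] AFWall: IN= OUT=wlan0 SRC=192.168.0.23 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
[  120.002] AFWall: IN= OUT=wlan0 SRC=192.168.0.23 DST=213.108.107.71 LEN=52 PROTO=TCP SPT=44321 DPT=443
[  121.500] AFWall: IN= OUT=rmnet0 SRC=10.20.30.4 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
[  130.000] AFWall: IN= OUT=wlan0 SRC=192.168.0.23 DST=213.73.91.35 LEN=60 PROTO=UDP SPT=51236 DPT=53 LEN=40
[  131.000] AFWall: IN= OUT=wlan0 SRC=192.168.0.23 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=51237 DPT=53 LEN=40
'

# dns_resolvers: read LOG lines on stdin and print one line per DNS
# destination as "<count> <ip> <label>", most used first. Packets count as DNS
# only when they are UDP or TCP with destination port 53.
dns_resolvers() {
    awk '
    {
        dst = ""; dns = 0; proto = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i == "DPT=53") dns = 1
            if ($i == "PROTO=UDP" || $i == "PROTO=TCP") proto = 1
        }
        if (dns && proto && dst != "") n[dst]++
    }
    END {
        for (d in n) {
            label = (d == "8.8.8.8" || d == "8.8.4.4") ? "google-public-dns" : "other"
            printf "%d %s %s\n", n[d], d, label
        }
    }' | sort -rn
}

# google_dns_queries: how many DNS packets in the sample went to 8.8.8.8/8.8.4.4.
# A non-zero result confirms that Google Public DNS is being used.
google_dns_queries() {
    printf '%s\n' "$SAMPLE_LOG" | dns_resolvers \
        | awk '$3 == "google-public-dns" { s += $1 } END { print s + 0 }'
}

# Print the per-resolver summary for the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | dns_resolvers
```

On a real device the input would be the firewall log instead of SAMPLE_LOG (e.g. `dmesg | dns_resolvers` on a rooted phone with logging enabled).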