Yes, of course I can help.
Introduction to Android permissions
First, an introduction to understand this feature to get the right midset for making it serve you well.
Privacy Guard feature dates back to the times of CyanogenMod 4.4, if I recall correctly. Remember that before Android 6, there weren’t toggable permissions per-app. The user just granted all permissions an app requested on install, or they wouldn’t install it. So the clever people at CyanogenMod figured they could hijack the calls those apps made to the system to retrieve data, and replace the real data with fake one. Instead of the list of contacts, apps would get an empty list, or instead of giving access to the camera, they would give an status indicating that it was busy. That way apps wouldn’t crash, and they wouldn’t get those things the user didn’t want them to have.
Once Android 6 was released, permissions of level dangerous
were no more granted at install time, but at run time, asking directly to the user. Apps should then request them at each time they needed it, and the user had the ability to grant or reject them. But apps could react to the rejection, and then act in different ways. Some apps just refuse to work at all when you reject any of the permissions they request —this is a bad practice that has been mitigated since—, while others consider some permissions mandatory for their mere existence —obviously, a camera app need the camera permission, but a mail client app could live without access to your contacts, as long as you don’t mind to type e-mail addresses manually.
TL;DR: Android pre-Marshmallow lacked granular permission-granting. With Marshmallow onwards, the app decides which permission is crucial for it to work. They could (and do) disrespect the user decision not to share something with them.
The case: WhatsApp
WhatsApp, a widely-used, closed-source, Facebook-owned, centralized instant messaging app that even privacy-advocates could not avoid to use sometimes (thank you, network effect, ). As most of you already know, this app uses phone numbers as user addresses, so you don’t need to share your privacyisfreedom@onlineservice.com
address with someone, just your number, and the app will build an address <national_prefix><phone_number>@s.whatsapp.net
transparently for you (I’d say opaquely, though).
The point: the app reads periodically your entire contact list and saves it in their servers (the “cloud”) in order to build this sublist of people you can reach through their service. Naturally, it asks for the “read contacts” permission, and if you reject it, it refuses to work. But the tricky thing here is that you can perfectly receive messages from other people without any problem (people you don’t have their number could message you if they have yours). Privacy Guard to the rescue!
TL;DR: WhatsApp refuses to work when you reject the “read contacts” permission. Nothing prevents the app to receive messages from other people and you interacting with the chat normally when that happens other than the app reaction to the permission rejection.
Tricking WhatsApp with Privacy Guard
So, the plan: giving the “read contacts” permission to WhatsApp, but passing an empty list with Privacy Guard.
First, make sure you have the app installed. Then, enable Privacy Guard for the app: go to Settings #los:settings → Trust → Privacy Guard → look for WhatsApp in the list and ensure the icon at the right is colored:
Then, tap and hold the WhatsApp entry in the list. You’ll be redirected to the Privacy Guard options for that app. Then search for the Read contact option, tap on it, and select “Ignore”. From now on, the OS will send an empty list of contacts to the app when it requests them.
(Not a censured picture, just highlighting the option at the top)
Next time the app asks you to read your contacts, grant the permission. Don’t worry, Privacy Guard has your back. This is the trick: the app will think you’ve shared your contact list. You haven’t, really, :
Caveats
From now on, you won’t see people’s name in the chat, but their numbers. Just don’t expose your list of chats or an opened chat to cameras or other eyes to respect the privacy of your contacts. Privacy is built on trust, just like other human links, and it’s a shared responsibility. I happen to use Guardian Project’s ObscuraCam whenever I need to share some screenshot with personal data (like my list of apps above).
Since you don’t have contacts, the “Statuses” festure of WhatsApp won’t list anything. This is positive for me, since I consider that feature intrusive, annoying and attention-stealing.
Advise: what I’ve learned thanks to GDPR
The EU’s General Data Protection Regulation introduced an obligation to bussinesses to give the user of their services the personal data they have of them on request. I requested it to WhatsApp the first day GDPR went active, and even when I had been tricking WhatsApp for months, they hadn’t erased (what I think is) the last contact list I gave them.
So, if you already shared your contact list with WhatsApp even once, you’ll only avoid them to get updates on it (new contacts, new phone numbers, new names, etc).
To do: ask WhatsApp to permanently delete my contact list from their servers. They must do it complying with the GDPR.
Pro-tip: starting chats with phone numbers
As explored above, once you negate WhatsApp the ability to read your contact list, you can receive messages and interact with already-opened chats, but you cannot start new ones.
This section describes a workaround I discovered to open new chats with random phone numbers (well, you could just use NoWhatOpen, but that’s no fun, right?).
Apps have the ability to react to certain URLs while you browse. WhatsApp uses this for a variety of things, like for those “Share with WhatsApp” links you see on news and articles over the Web. But it can be (ab)used too for opening chats with random numbers.
Whenever you open a link in the form https://api.whatsapp.com/send?phone=<phone_prefix><phone_number>
, it will check if that number is registered in their system and open a new chat window with it. Easy.
The way I use it is with KISS launcher. KISS has an omnibar where you can search for contacts, apps, paste URLs or perform searches in the Web. As a hack, in KISS settings → Providers selection → Add search provider you can enter https://api.whatsapp.com/send?phone={q}
as the URL to search “the Web”, but trigger WhatsApp to open those links. Then, you could write a phone in the omnibar (with prefix!) to open chats directly.
I usually search for the name of my contact, then hold the desired one to copy their phone number, and paste it again in the omnibar to “search it in WhatsApp”.
Phew! That was quite the write!
Your turn. Question, doubts, etc. I promise I’ll be more concise,