Hi everyone, first post and all, I just wanted to post my setup for a hardened Google-free FP2. It took me a while to get comfortable with the device, I came from a 10-year-old Sony Ericsson W995, though with some experience with a Nexus Tablet with CM. I am afraid it will be a long read, I hope someone will take the time and contribute or maybe get a little help. I know this is a quite paranoid setting, so I am very interested in feedback, thanks in advance. I am not a native English speaker, so please forgive my lousy grammar.
Here are the steps I took:
1. Switch to FP Open (yeah sure!)
2. Installed the Xposed Framework (here is a good piece in English: https://www.killiankemps.fr/blog/getting-free-and-fair-with-fairphone-2)
3. Installed XPrivacy in the Xposed Installer plus BootManager, GravityBox [LP] and Greenify (Greenify.v3.0.build.3.apk)
BootManager lets you decide which apps are allowed to boot. I took a rather aggressive approach: just K9-Mail, my VPN-Provider, Greenify, AFWall+, XPrivacy and Powertoggles are allowed to boot, all others like readers, browsers etc. are not. (The other mentioned apps are explained later.)
GravityBox is a fantastic tool to implement features of other ROMs like CM in the outdated Android 5.1, more on that later.
Greenify is a tool for putting apps into hibernation. It reduced the amount of RAM in idle mode from 1.1 GB to around 700 MB and also helped me a bit to save battery life. It’s not revolutionary, but it helps. But beware, this app tries to contact Google every time you are online, which I don’t want, so it has to be disciplined. More on that later.
4. Installed Powertoggles (this will be a tool you won’t miss once you have it, believe me)
It’s available in the Playstore (com.painless.pc) which I don’t have and won’t have. So load the APK with the help of this friendly site: https://apps.evozi.com/apk-downloader/
(It’s a great way to get free APKs from the Playstore)
With Powertoggles you can set shortcuts for Wi-Fi, mobile data, GPS, Bluetooth, rotation, reboot etc. in a widget on the homescreen for very easy access.
5. Installed F-Droid and took these apps (just the essentials):
- AFWall+ as second defence line after XPrivacy
- AnySoftKeyboard
- APG for encrypted E-Mail
- Calendar as a substitute for the broken system calendar
- Document Viewer for reading pdfs
- FBReader for eBooks
- Fennec F-Droid Browser (privacy hardened, see mentions later), native Firefox is also okay
- K-9 Mail
- KeePassDroid
- LibreOffice Viewer for MS-Docs etc.
- oandbackup for backing up apps with their settings
- Orbot and Orfox
- OsmAnd
- Privacy Browser as a simple backup browser
- Twidere for use of Twitter
- Vanilla Music as music player (simply the best)
- VLC for videos
- WebTube for YouTube
F-Droid, Twidere and WebTube are routed through TOR through the in-app settings (use TOR or Proxy localhost, 8118). Just don’t use Twitter or YouTube with accounts you use outside of TOR. Get new ones if you must!
Orfox becomes the standard browser for anonymous use.
Fennec F-Droid is for use with real accounts and for browsing for websites which block TOR. The hardening part is this: No Cookies allowed, Startpage gets standard search. Add-Ons: CanvasBlocker, Custom User-Agent String (take the same useragent as Orfox), HTTPS Everywhere, No Resource URI Leak, NoScript (search: NoScript Anywhere), Privacy Settings (Full Privacy), Self-Destructing Cookies (for Cookie exceptions), Smart Referer, uBlock Origin. Yes, this is a lot of Add-Ons, but all have their use.
Privacy Browser is the alternative for a quick search without a thought.
Gravity Box gets this set-up (just the essentials): Data traffic monitor, clear all recent tasks, Recent tasks RAM bar and really important: Advanced reboot menu (direct access to recovery). The rest is up to you.
6. Now we are disabling a few system apps which are of no good use (at least for me, decide for yourself). I disabled:
android keyboard, all stuff concerning live wallpapers and daydream, browser, webview, calendar, e-mail, smspush, music, one time init, print spooler, search, voice dialer.
7. We are nearing the core: controlling the network traffic.
First thing is AFWall+. I whitelisted the apps that can have potential access to the internet. These are K9-Mail, the browsers, Orbot, OsmAnd, XPosed Installer, XPrivacy, FairPhone Updater and if you have: VPN networking plus the VPN Apps. No, I repeat no system apps are allowed. Note that this hinders the downloads in some apps that rely on the app 1006: Media Storage. You can use Fennec for downloading stuff or you give the permission. I chose not to.
Now to XPrivacy where things get a bit more complicated. This is a powerful tool and in the beginning I was quite intimidated. Since we play with the innermost of the system, please make sure to have a full backup with TWRP. I do this regularly and it works like a charm.
First thing is to handle the internet category of the apps. Yes, we already have a firewall, but monitoring still gave me a few disturbing insights (although I am not the Android buff to say on which level the monitoring and the firewall are). What shocked me was that the system tried to connect to connectivitycheck.android.org every time I turned on Wi-Fi or mobile data. These are Google's servers. I don’t know if the firewall blocks this, I think so, but better to be sure and deny the app directly. But this is a bit tricky, since it is the central app 1000 ANT HAL service. If you restrict the internet category in XPrivacy you will have no Internet at all, which is not my goal. I decided to restrict just the categories “connect” and “inet”. So, no more contact with Google every time I connect. Most other apps I restricted totally for internet (including the system apps), even a few of those I have whitelisted in AFWall+, but which only need access for a certain purpose. These are Fairphone Updater, OsmAnd, and XPosed Installer, which I give access temporarily when I need an update for maps or the app list. Fairphone updates are not very often, so I see no sense in making daily contact with the update server, I rather check manually on their website. The rest of the restrictions I handled with the crowd settings of XPrivacy. Other apps like Greenify that demand access to the internet but where it’s clear that this is used just to phone home or contact Google don’t get any access at any given time. I bought the donate version of XPrivacy which I recommend, a) for being a damn good app and b) to get access to the logging of XPrivacy.
That was it in a quite big nutshell, please tell me, what you think. I am pretty sure I will run into problems next time I sit in a hotel and won’t get the Wi-Fi to work, but I will find a way. Best thing on this whole setup is, you don’t get dumber with tampering with your phone.
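As an added example (not part of the original post): one way to audit a per-app firewall whitelist like the one in step 7, by checking an `iptables -S` style rule dump for allowed UIDs that are either system UIDs (below 10000, where Android app UIDs start) or not on the intended list. The chain name, UIDs and whitelist are constructed, and it assumes the firewall expresses the whitelist as owner-match rules with a RETURN or ACCEPT target.

```shell
#!/bin/sh
# Added example: audit owner-match firewall rules against a whitelist.
# Constructed sample in `iptables -S` format; chain name and UIDs are made up.
SAMPLE_RULES='-A fw-wifi -m owner --uid-owner 10052 -j RETURN
-A fw-wifi -m owner --uid-owner 10061 -j RETURN
-A fw-wifi -m owner --uid-owner 1000 -j RETURN
-A fw-wifi -m owner --uid-owner 10077 -j RETURN
-A fw-wifi -j REJECT'

# Hypothetical whitelist: UIDs of the apps meant to have network access
# (mail client, browser, ...). Look the real ones up on your own device.
WHITELIST="10052 10061"

# audit_rules RULES WHITELIST
# Prints one line per finding, in rule order:
#   SYSTEM <uid>      allowed UID below 10000 (system range), flagged even
#                     if whitelisted, matching the "no system apps" policy
#   UNEXPECTED <uid>  allowed app UID that is not on the whitelist
audit_rules() {
    printf '%s\n' "$1" | awk -v wl="$2" '
        BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            uid = ""; target = ""
            for (i = 1; i < NF; i++) {
                if ($i == "--uid-owner") uid = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # Only rules that let traffic from a specific UID through matter.
            if (uid == "" || (target != "RETURN" && target != "ACCEPT")) next
            if (uid + 0 < 10000) { print "SYSTEM " uid; next }
            if (!(uid in ok)) print "UNEXPECTED " uid
        }'
}

audit_rules "$SAMPLE_RULES" "$WHITELIST"
```

On the phone, pass the output of `iptables -S` from a root shell as the first argument instead of the sample; an empty result means every allowed UID is an app on the whitelist.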