
My FP2 Open hardened google-free setup


Hi everyone, first post and all, I just wanted to post my setup for a hardened google-free FP2. It took me a while to get comfortable with the device, I came from a 10-year-old Sony Ericsson W995, though with some experience with a Nexus Tablet with CM. I am afraid it will be a long read, I hope someone will take the time and contribute or maybe get a little help. I know this is a quite paranoid setting, so I am very interested in feedback, thanks in advance. I am not a native English speaker, so please forgive my lousy grammar.

Here are the steps I took:

  1. Switch to FP Open (yeah sure!)

  2. Installed the Xposed Framework (here is a good piece in English: https://www.killiankemps.fr/blog/getting-free-and-fair-with-fairphone-2)

  3. Installed XPrivacy in the Xposed Installer plus BootManager, GravityBox [LP] and Greenify (Greenify.v3.0.build.3.apk)

BootManager lets you decide which apps are allowed to boot. I took a rather aggressive approach: just K9-Mail, my VPN-Provider, Greenify, AFWall+, XPrivacy and Powertoggles are allowed to boot, all others like readers, browsers etc. are not. (The other mentioned apps are explained later.)

GravityBox is a fantastic tool to implement features of other ROMs like CM in the outdated Android 5.1, more to that later.

Greenify is a tool for putting apps into hibernation. It reduced the amount of RAM in idle mode from 1.1 GB to around 700 MB and also helped me a bit to save battery life. It’s not revolutionary, but it helps. But beware, this app tries to contact Google every time you are online, which I don’t want, so it has to be disciplined. More on that later.

  4. Installed Powertoggles (this will be a tool you won’t miss once you have it, believe me)

It’s available in the Playstore (com.painless.pc) which I don’t have and won’t have. So load the APK with the help of this friendly site: https://apps.evozi.com/apk-downloader/
(It’s a great way to get free APKs from the Playstore)

With Powertoggles you can set shortcuts for Wi-Fi, mobile data, GPS, Bluetooth, rotation, reboot etc. in a widget on the homescreen for very easy access.

  5. Installed F-Droid and took these apps (just the essentials):

  • AFWall+ as second defence line after XPrivacy

  • AnySoftKeyboard

  • APG for encrypted E-Mail

  • Calendar as a substitute for the broken system calendar

  • Document Viewer for reading pdfs

  • FBReader for eBooks

  • Fennec F-Droid Browser (privacy hardened, see mentions later), native Firefox is also okay

  • K-9 Mail

  • KeePassDroid

  • LibreOffice Viewer for MS-Docs etc.

  • oandbackup for backing up apps with their settings

  • Orbot and Orfox

  • OsmAnd

  • Privacy Browser as a simple backup browser

  • Twidere for use of Twitter

  • Vanilla Music as music player (simply the best)

  • VLC for videos

  • WebTube for YouTube

F-Droid, Twidere and WebTube are routed through TOR through the in-app settings (use TOR or Proxy localhost, 8118). Just don’t use Twitter or YouTube with accounts you use outside of TOR. Get new ones if you must!

Orfox becomes the standard browser for anonymous use.

Fennec F-Droid is for use with real accounts and for browsing for websites which block TOR. The hardening part is this: No Cookies allowed, Startpage gets standard search. Add-Ons: CanvasBlocker, Custom User-Agent String (take the same useragent as Orfox), HTTPS Everywhere, No Resource URI Leak, NoScript (search: NoScript Anywhere), Privacy Settings (Full Privacy), Self-Destructing Cookies (for Cookie exceptions), Smart Referer, uBlock Origin. Yes, this is a lot of Add-Ons, but all have their use.

Privacy Browser is the alternative for a quick search without a thought.

GravityBox gets this set-up (just the essentials): Data traffic monitor, clear all recent tasks, Recent tasks RAM bar and really important: Advanced reboot menu (direct access to recovery). The rest is up to you.

  6. Now we are disabling a few system apps which are of no good use (at least for me, decide for yourself). I disabled:

android keyboard, all stuff concerning live wallpapers and daydream, browser, webview, calendar, e-mail, smspush, music, one time init, print spooler, search, voice dialer.

  7. We are nearing the core: controlling the network traffic.

First thing is AFWall+. I whitelisted the apps that can have potential access to the internet. These are K9-Mail, the browsers, Orbot, OsmAnd, XPosed Installer, XPrivacy, FairPhone Updater and if you have: VPN networking plus the VPN Apps. No, I repeat, no system apps are allowed. Note that this hinders the downloads in some apps that rely on the app 1006: Media Storage. You can use Fennec for downloading stuff or you give the permission. I chose not to.

Now to XPrivacy where things get a bit more complicated. This is a powerful tool and in the beginning I was quite intimidated. Since we play with the innermost of the system, please make sure to have a full backup with TWRP. I do this regularly and it works like a charm.

First thing is to handle the internet category of the apps. Yes, we already have a firewall, but monitoring still gave me a few disturbing insights (although I am not the Android buff to say on which level the monitoring and the firewall are). What shocked me was that the system tried to connect to connectivitycheck.android.org every time I turned on Wi-Fi or mobile data. These are Google’s servers. I don’t know if the firewall blocks this, I think so, but better to be sure and deny the app directly. But this is a bit tricky, since it is the central app 1000 ANT HAL service. If you restrict the internet category in XPrivacy you will have no Internet at all, which is not my goal. I decided to restrict just the categories “connect” and “inet”. So, no more contact with Google every time I connect. Most other apps I restricted totally for internet (including the system apps), even a few of those I have whitelisted in AFWall+, but which only need access for a certain purpose. These are Fairphone Updater, OsmAnd, and XPosed Installer, which I give access temporarily when I need an update for maps or the app list. Fairphone updates are not very often, so I see no sense in making daily contact with the update server, I rather check manually on their website. The rest of the restrictions I handled with the crowd settings of XPrivacy. Other apps like Greenify which demand access to the internet but where it’s clear that this is used just to phone home or contact Google don’t get any access at any given time. I bought the donate version of XPrivacy which I recommend, a) for being a damn good app and b) to get access to the logging of XPrivacy.

That was it in a quite big nutshell, please tell me, what you think. I am pretty sure I will run into problems next time I sit in a hotel and won’t get the Wi-Fi to work, but I will find a way. Best thing on this whole setup is, you don’t get dumber with tampering with your phone.

11 Likes
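A way to review what the firewall from the AFWall+ step above actually rejected, grouped by app UID (an added example, not part of the original post). It assumes the reject rule logs through the kernel netfilter LOG target with `--log-uid`; the `FW-REJECT` prefix, UIDs and addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 upwards
PREFIX = "FW-REJECT"   # assumed --log-prefix; use whatever your reject rule sets

# Constructed sample: kernel netfilter LOG lines from a rule using --log-uid.
SAMPLE_LOG = """\
[  812.10] FW-REJECT IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40112 DPT=80 UID=1000 GID=1000
[  812.94] FW-REJECT IN= OUT=wlan0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40113 DPT=80 UID=1000 GID=1000
[  813.02] wlan0: link becomes ready
[  820.31] FW-REJECT IN= OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=443 UID=10071 GID=10071
[  820.88] FW-REJECT IN= OUT=wlan0 SRC=192.168.1.23 DST=198.51.100.99 LEN=60 PROTO=TCP SPT=51002 DPT=443 UID=10071 GID=10071
[  821.40] FW-REJECT IN= OUT=wlan0 SRC=192.168.1.23 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
[  830.05] FW-REJECT IN= OUT=rmnet0 SRC=10.20.30.40 DST=192.0.2.50 LEN=60 PROTO=TCP SPT=42000 DPT=993 UID=10050 GID=10050
"""

def parse_line(line):
    """Return (uid, destination) for a reject-log line, or None for other kernel messages."""
    if PREFIX not in line:
        return None
    f = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if not f.get("DST"):
        return None
    uid = int(f["UID"]) if f.get("UID", "").isdigit() else None  # kernel-generated packets carry no UID
    port = ":" + f["DPT"] if f.get("DPT") else ""                 # ICMP has no port
    return uid, f"{f['DST']}{port}/{f.get('PROTO', '?')}"

def classify(uid, whitelist):
    if uid is None:
        return "no-uid"
    if uid in whitelist:
        return "whitelisted-but-blocked"  # rule set and intended whitelist disagree
    return "system" if uid < FIRST_APP_UID else "app"

def summarise(log_text, whitelist):
    """Map uid -> (kind, blocked packet count, sorted destinations)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hits[rec[0]][rec[1]] += 1
    return {uid: (classify(uid, whitelist), sum(c.values()), sorted(c)) for uid, c in hits.items()}

if __name__ == "__main__":
    for uid, (kind, n, dests) in summarise(SAMPLE_LOG, whitelist={10050}).items():
        print(f"uid={uid!s:>6} {kind:<24} blocked={n} -> {', '.join(dests)}")
```

A "whitelisted-but-blocked" row means the active rules do not match the whitelist you think you configured, which is worth checking before blaming the app.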

Fine! Looks good. Where did you read about all that?

Sounds like a very nice, privacy concerned setup. I do not have the time at the moment to dive so deep and look for work-arounds all the time to keep things running. I am probably just lazy, but am also inspired by people who do a lot more. So thumbs up.

Just two questions from my side.

  1. Why do you install SuperSU, if the root access is easily done in the settings of the OS?
  2. What do you mean with “crowd settings of Xprivacy”? I do have and like Xprivacy, but since I am not exactly phone-smart, I do have a hard time denying and allowing access to the apps all the time. Especially, because I do not know exactly the influence of “IPC”, “Shell” etc. Still looking for a good list/explanation what each topic in Xprivacy blocks.

IPC=Inter-process_communication.
Say yes every time, that’s ok

Hi, thanks, I am really interested in hardening the device and hearing all your strategies.

@theanswersalwaysyes:

  1. I find it easier to have a dedicated app for allowing root. I don’t know anymore, but in Stock Fairphone Open there is no way where you can manage the root apps. I may be wrong, I quickly went to SuperSU (https://download.chainfire.eu/696/supersu/) which I used on my tablet.
  2. The crowd site of XPrivacy is https://crowd.xprivacy.eu/, I could only post two links in my first post. There you have the restrictions for almost every app based on user-based feedback. I went there and it seems fairly reliable.
    And my goal is to have a working phone, not a workaround-phone, but a phone where you are the controller of data. For all the settings in XPrivacy there is a lot of reading to do, or take the aggressive approach and deny and see what happens.

Go to Settings -> Apps, select an application, and scroll down to the “Superuser” section, where you can choose from “Never”, “Always”, and “Ask” to allowing superuser access for the application.

1 Like

Alright, didn’t know that. So SuperSU is unnecessary. Will try to edit that out of my first post.

I don’t want to frustrate you, but: https://forum.fairphone.com/t/pencil2-living-without-google-2-0-a-google-free-fp2/11587.

@Spielmops: Thanks and no frustration on my side ;-). I know this article, it’s good for the first steps but it says little regarding unwanted connections to services I don’t understand and don’t need. In this config you still have a lot of apps phoning home and a lot of connections to Google without you even knowing that.

1 Like

Did you unhide the bunch of links? There you find this: https://forum.fairphone.com/t/using-afwall-which-settings-have-to-be-enabled/13788

This is definitely a very good read! Thank you @FP2GenericUser :slight_smile: Even though my FP Open setup is a bit less privacy-concerned, your article still triggers quite a few interesting thoughts I might follow…

However, I was a bit irritated about your use of apps.evozi.com. I mean, I read about that site in a bunch of forums, but to me the service seems somewhat dubious… Do you have any background information on who is actually running that site and if it is safe?

1 Like

Hi Spielmops, thanks, good read, hard to find in these forums. My main point is still to find the “gold standard” for an independent and secure phone and I am still not sure if AFWall+ is enough (I would like to pay for the Donate-Version that has access to logs but didn’t find a way without a Play-Account). I still believe that combining XPriv and AFWall will lead to the most safe environment. But I will read further, thanks.

@Jochen17: I found the site through the F-Droid-Forums (https://f-droid.org/forums/topic/secure-apk-downloader/) and if you read their FAQ it seems quite reasonable. For me it’s the better alternative than installing some shady appstore. And it’s only one app I need out of Playstore.

Yes, that’s my opinion too. Another link for you might be: https://forum.fairphone.com/t/another-talkative-app-pppreferences/14885

I think shady website or shady appstore makes little difference. If you want to be sure to get the same apk as on the play store without installing it on your phone, I recommend http://www.onyxbits.de/raccoon

APG has not been updated for more than two years. OpenKeychain seems to be much better. In particular with the latest k9mail 5.115 you can get automatic key selection working, use PGP/Mime and encrypt attachments.

2 Likes

@m4lvin That actually sounds a lot more trustworthy to me, it’s FLOSS so I wouldn’t expect any hidden spy- or malware in those apks :slight_smile:

@m4lvin: I think it makes a huge difference using a website and installing an appstore. But you can check the downloads, look in their FAQs. There is no total safety and independence, like here, while we talk, Google Analytics is running in the background (or trying to)… :wink:
