Secure WhatsApp in an unrooted FP3

I admit that its not really an FP3 question as its more AndroidPie related. But since I have not found anything useable on the web I think it fits well here. I do not use WhatsApp (WA) but by better half does.

I am no WA expert, but it scares me to see what premissions the device needs. You need to open all your whole device to this application. Luckily 99% of the features are not used in our case, and a few restrictions and workarounds would be fine (e.g. not address book access, not images, not audio etc). But I can not wait until a root/Recovery solution has been found.

So I am looking for a way in an unrooted FP3 to lock down data leakage to WhatsApp/Facebook as much as possible. Or phrased differently: What are my attack vectors to shrink down this tool to its basic messaging features?

Here is what I have so far.
After spending some time here and at (very recommendable read but unfortunately only in German), I do have in place NetGuard and replacements for all major apps from the F-Droid store, so I could disable or block almost all Gapps and services. I use every permission and control feature I could find to limit access of whats app, but my feeling is that most build in functions are quite useless against WhatsApp. Imho there is not point in unsing its built-in functions :wink:
There are other blocking tools, but unfortunately they either require root or use VPN. Since Android 9 only allows one app to use the VPN I think its not possible to combine them. NetGuard does a great job and should be enhanced with Pro functions, but its not clear to me how to get the pro version without using PlayStore.

I did not really find a lot on how WhatsApp really operates. It sends out encryted, so we can not tell what in there. For example it there an outer encrytion for User and Metadata and an inner for the actual message? Or are packets are actually sent to destinct servers. And do we know what information goes where?
I am sure there are a lot of people who know a lot more about this than I do. And I would like to learn what I can. So please give me some hints where to look or tell me what you have found out or how you did solve that issue.

Thanks for reading
Someone :hole:


Maybe Shelter (F-droid) or Island (playstore) could be what you are looking for. Both work in a similar way (from the description of Shelter):

Shelter is a Free and Open-Source (FOSS) app that leverages the “Work Profile” feature of Android to provide an isolated space that you can install or clone apps into.


Or you might read into Blokada (F-Droid). It offers private DNS and tunneling, which though will cost. For me it’s absolutely worthwhile (5 Euro per month, 48 Euro in a year).

E. g. see here (in German):

This is probably what helps. :grinning:

The basic concept is clear but I did not find really a lot of information about the tool and usage details (also on github). Maybe someone knows a linke where to find a bit more depth. :nerd_face:

I installed it and got an installation with an easy to start link on the desktop. Also it starts.

  • I did not yet find out how to remove file from the shelter
  • I did not understand yet where the workspace/Shelter concept stops, e.g. Android as a single VPN limit. So should I close NetGuard to shelter and run it in parallel, or will this cause the other version to fail?

I tried to install Blokada, but running it disables NetGuard. I read something like using socks to enable multiple ones, but its not clear to me how it works.

However, it seems that the shelter concept is workable quite transparent solution. Disadvantage is only if you have more such data probes you can not isolate each one.

If it could be part of a rooted solution with AF+ and AdAware the cost should not be an issue…

1 Like

I know this was not really your question, but before you put a lot of work into running WhatsApp, have you asked your better half and others if they (would) use another messenger? There is a nice list here in the forum:

My favorite suggestion would be Conversations which is also available in a free and easier-to-get-started edition called Quicksy:

(Again, my apologies for hijacking the thread and not actually helping with your question.)



Sorry, but I’m afraid I’m unable to help you further with this. I just can say that I installed Blokada, though having no other stuff like that on the phone. So Blokada runs without any problems.

As @m4lvin says, using an open messenger is always an option, assumed you convince your friends of saying goodbye to WhatsApp resp. to use an extra messenger for you… :stuck_out_tongue_winking_eye:


I know this was not really your question, but before you put a lot of work into running WhatsApp, have you asked your better half and others if they (would) use another messenger?

Thanks, but as you guessed, thats the first thing I tried…

But my strategy is now changed. As I never uses WhatsApp (and never will) I try to convince family to use Signal internally hoping by getting used to it they might convice their friends to give it try, too

1 Like

So Blokada runs without any problems.

@gougelmobber Good to know, so when I find a way to use more that one app with VPN, I will give it a try. Were you happy with the default, or - if not - what kind of changes did you make?


I did some research into the DNS servers listed in Blokada and found “UncensoredDNS” to be one of the most trustworthy; so I chose this one. Separate from that, I used defaults.

Yes, install Signal as a matter of principle: The more people have it, the better it can compete as an ecosystem.


Yes, install Signal as a matter of principle:

@[      kaihsu 

I was wondering why it would not be available from F-Droid?](

Install Signal and tell your lady to do the same.


And here

is the link to direct download of the .apk, in case you don’t want the app from G00gle :wink:

(scroll down to “danger zone”)


it is available on f-droid, though you have to use an unofficial repository.

copy this into F-droid -> settings > repositories -> +

Then reload and you’ll have the stable signal app =)
It also has Firefox Stable, Beta, Preview and Wire in there too

There are more known repos here:

Edit again:
There’s a Universal (non-GSF) version of Signal in another repo called Ember. I don’t know what GSF is, so be cautious with that one. The rfc one is the same signature as the Google Play one, as they can update over each other =)

NetGuard uses a VPN profile for its firewall functionality, as that method does not require root. So you cannot combine it with another application using VPN functionality to filter data, such as Blokada.

You can use a DNS server which does ad blocking though, such as a Pi-Hole, or a publicly available one.

This is also why I don’t use NetGuard; I use the VPN functionality already (WireGuard, to be specific). However, I can set WireGuard up so that network connectivity is down without the VPN being up. On top of that, I use a DNS server on the WireGuard endpoint which utilizes DNSCrypt and Pi-Hole. So the connection is secure regardless of the network, roaming works well (due to WireGuard), and ad blocking works as well. What does not work is firewalling. I’d need root for that (ie. IPTables with AFWall).

I did read something about clustering SOCKS proxies, haven’t looked into it though.

1 Like

If you want to use the NetGuard pro features without Google services, please contact me through this contact form (select “NetGuard standalone”).

I still have an old Android phone, which I only turn on to download from Play Store. (Or, if the app in question does not match the old phone, I ask somebody else to download it.) Then I use an app extractor to get the APK, and copy that to my FP2. Some apps thus installed complain about missing Google, but all I encountered so far work well if you acknowledge these messages.

People using it without PlayStore seem still to be an absolute minory. I hoped I could spare the author to invest time in a single purchase but thats all the information I do not have about the app without GooglePlay (even not from his web site)

  • actual cost info
  • terms of the license (one time, abo, how many devices per user etc)
  • how licensing works w/o google at all
  • how this works with updates. Re-applying some code or re-activation after each update would be an usability nightmare

The link on the page is pointing to wikipedia. So you can learn what SOCKS is, but not how to install and set it up on your phone. If someone has a link to a good tutorial, please post here.

1 Like