[Q] Is SlimRom a good choice for privacy-conscious users? - SlimRoms Q&A

Hi,
Stock ROMs aren't really trustworthy by default (e.g., phandroid.com/2014/11/06/carrier-iq-settlement).
Some manufacturers' devices aren't really trustworthy, even with stock ROMs removed (e.g., theepochtimes.com/n3/830922-chinas-xiaomi-smartphones-may-be-spying-on-you).
Cyanogenmod went downhill:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where your product or device is used so that we can better understand customer behavior and improve our products, services, and advertising.
(from cyngn.com/legal/privacy-policy) They started on this path long ago, but I won’t go there now.
I would like to buy a new Android phone. I won’t have national secrets on it, but I still don't want any Google-style spying. Assuming I don't add GApps, is SlimRom a good choice for me? Does it respect the privacy of its users? Does it contain any components that would ever connect anywhere to transmit any information like GApps do? Obviously, I'm not talking about user-initiated events.
One more thing, does it have a permission manager? Ideally, something that allows the user to choose for each permission for each app whether real, fake or blank data is shared, but a bit cleaner than XPrivacy.
Thanks!

Slim has App Ops but it's missing the Advanced section that can be found in CM, Carbon and others, which I think gives more control. Still doesn't beat Xposed though. Is there a reason you don't want to use it? I don't know the downsides, if any.

wh00p said:
Slim has App Ops but it's missing the Advanced section that can be found in CM, Carbon and others, which I think gives more control. Still doesn't beat Xposed though. Is there a reason you don't want to use it? I don't know the downsides, if any.
It's not that I dislike Xprivacy, it's just that the controls are quite messy, and I was wondering if there's something with similar functionality, but cleaner. Looking at the privacy guard function in CM, that's nowhere near complete, though. It only blocks permissions someone has chosen to allow us to block, so Xprivacy it is.

riding1 said:
It's not that I dislike Xprivacy, it's just that the controls are quite messy, and I was wondering if there's something with similar functionality, but cleaner. Looking at the privacy guard function in CM, that's nowhere near complete, though. It only blocks permissions someone has chosen to allow us to block, so Xprivacy it is.
I'm with ya, middle-ground would be nice. Something like ProtectMyPrivacy for iOS.

Related

Protecting Privacy - Compiling TaintDroid into Kernel to find leaky apps

Most people don't yet know that much Android software leaks all sorts of information to the internet with only scant user acknowledgement (basically what you accept when you install the app).
Due to this and the fact that there are already privacy information harvesting apps for Android on the marketplace - a team of security experts have created TaintDroid:
What is TaintDroid?
From the project's web page: "A realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones."
From: http://appanalysis.org/index.html
How can I install TaintDroid?
As TaintDroid is currently compiled into the kernel, you cannot easily install it, but you have to cook your own kernel. Instructions (for Nexus 1) are available at the project web site: http://appanalysis.org/download.html
How does TaintDroid work?
Here's a video demonstrating how TaintDroid works once it is installed and configured:
http://appanalysis.org/demo/index.html
Why would you want to install this?
There can be many reasons for installing TaintDroid:
- You want to learn about privacy features and play with Android kernel
- As it is currently impossible to differentiate between innocent and sneaky Android apps based only on what access rights they request, you may want to dig in deeper
- You are worried about what apps are doing behind your back and you want to know which apps to uninstall
- You want to help make Android a more secure and privacy-protected platform, instead of the swiss cheese it currently is
What can you do?
As compiling kernels is mostly beyond the reach of mere mortals currently, consider cooking TaintDroid into your kernel, if you are cooking one yourself and making it available for others to try and use.
Hopefully increased awareness and usage will bring this program eventually into other modders and perhaps even Google's attention and something more easily accessible is offered for the public at large.
BTW, I'm just a user, interested in getting TaintDroid on my own Galaxy S. I'm not affiliated with the research program, but I like what they are doing. This information is purely FYI.
+1 for the idea
Sent from my GT-I9000 using XDA App
+1
Since we cannot expect information gatherer Google to come up with a good privacy protection mechanism soon I think we are forced to take measures ourselves.
I also learned that several of my bought applications are constantly forcing me to enable synchronisation and/or 3G internet. They either randomly uninstall (Asphalt 5), their icons disappear (for example: Mini-squadron) or won't start, with (Schredder Chess) or without a message. Angry Birds Beta2 lite (free game) and Hungry Shark are 2 more examples. So much for an incentive to buy games...
It would be great if applications used a well-defined mechanism to check their validity on-line, and not have this sneaky, lingering attack from all sides to any privacy or battery consumption aware user.
I cannot cook kernels, but this is something I want to use.
Not that I am worried, but I don't know what apps are sending when you open them. That's something I want to know!
I am sure I am not the only one.
+1
Yes please... This should be in all android phones... as a security option you could turn on!!!
Antonyjeweet said:
Not that I am worried, but I don't know what apps are sending when you open them. That's something I want to know!
And do some of these applications only send stuff when you open them?
--
From a user perspective it currently is really difficult to judge applications that need to start at boot-up and deal with many facets of your computer (Launchers, tools combining lots of diverse features).
Do you know some ROM where TaintDroid is included?
I've posted in hardcore and laststufo kernel threads to ask if they could add it.
We just need more people wanting it so they think about adding it
exadeci said:
I've posted in hardcore and laststufo kernel threads to ask if they could add it.
We just need more people wanting it so they think about adding it
glad you did that
+1 support the idea. hope some of our hardworking kernel builders will add this in.
My concern is how much another real time service will affect battery life. For people trying to make the leanest, fastest kernel I'm not sure it's viable.
I have been wanting TaintDroid built into Android by default since the day it was announced, but I really do not think Google cares about this, so please, please ROM cookers out there (Maybe Doc?), let's add this into our Galaxy S ROMs.
Well, this seems to work only on android 2.1
Make it so.
+1
Combined with walldroid (or other firewall) this could put back power into users' hands. Would really love to see this inside hardcore's kernel. Maybe as an option for the stable releases?
+1
This should be the next standard in Android
idea about spoofidroid application
how about a program to spoof or make the phone send fake:
GPS location,
IMEI,
phone number,
simcard id,
etc... information to applications that ask without permission.
this way you can feed these applications with information they want but without breaking your privacy. (both end sides are more than happy)
-----
nice option to have:
1) enable/disable auto generate different id every time.
2) allow list / ban list of applications to have real or fake id.
3) enable/disable notify for application request.
-----
there are already applications that fake your simcard PLMN mobile network codes without the need of kernel rights, but you need to enable/disable the flight mode to restore the default code.
===========
good luck to spoofidroid or similar applications.
Jumba said:
My concern is how much another real time service will affect battery life. For people trying to make the leanest, fastest kernel I'm not sure it's viable.
I hope there will be developers out there who prioritize privacy/security over speed/battery and storage usage.
I'm the project lead of the TaintDroid system. We are currently working on a few extensions of TaintDroid but unfortunately are short on engineering resources to port TaintDroid onto other systems than Nexus One that we originally developed. We'd greatly appreciate it if XDA developers would take on this effort! Many ongoing projects would hugely benefit from having easy-to-run TaintDroid ROM available for many different devices and upcoming Android systems, let alone user benefit.
Thanks,
Jaeyeon
Research Scientist @ Intel Labs Seattle
Ettepetje said:
I also learned that several of my bought applications are constantly forcing me to enable synchronisation and/or 3G internet. They either randomly uninstall (Asphalt 5), their icons disappear (for example: Mini-squadron) or won't start, with (Schredder Chess) or without a message. Angry Birds Beta2 lite (free game) and Hungry Shark are 2 more examples. So much for an incentive to buy games...
beta2 lite? I think that was malware, make sure it came from Rovio otherwise it's fake and you should delete it.
It's really scary to see with the Lookout app how many apps can access your IMEI, telephone number "Read Identity Info", can access your contacts, track your position, and can send out all this data.
Here a HTC Desire user, asking for some privacy.
Best regards!

Which Apps Are 'OK' to block permissions?

I know this is a feature of CM7 or roms based on their coding, but I haven't really seen much discussion about it.
Does anyone use the block permissions feature? I'm wondering if there's a list or if we can accumulate one of permissions which are safe to deny for the most popular apps out there.
Android 17 said:
I know this is a feature of CM7 or roms based on their coding, but I haven't really seen much discussion about it.
Does anyone use the block permissions feature? I'm wondering if there's a list or if we can accumulate one of permissions which are safe to deny for the most popular apps out there.
By "ok" do you mean system apps that are alright to block while still allowing the phone to function properly?
I haven't used it yet. I'm not sure how you define "OK". When you use this feature, you're intentionally breaking something. That could be ads, or something else you're perfectly happy to break in the name of security, but you're breaking something.
these apps are ok:

Permissions

Will OmniROM's system apps have the same unnecessary and abusive permissions as stock roms and CyanogenMod roms have?
I'm quite concerned about privacy and whatever rom I use, be it stock, CyanogenMod or AOSP, I have to restrict dozens of privacy related permissions.
And of course the device still works, which means that those perms weren't needed.
For example, I don't see why some system apps (I mean, not Google apps cuz I get rid of them but apps like systemui, settings, android system etc.) want to access my location, my contacts, my logs, my imei, my id, my serial number, my phone number, my provider, the list of accounts on the phone etc. even though they don't need it to work properly.
I guess that CyanogenMod doesn't have any other choice but to include what is in my opinion little more than spyware in the source, cuz if they didn't Google wouldn't allow them to use its material.
So what about omni roms? Will they be free from Google spyware or will they be enfeoffed to it?
unclefab said:
Will OmniROM's system apps have the same unnecessary and abusive permissions as stock roms and CyanogenMod roms have?
I'm quite concerned about privacy and whatever rom I use, be it stock, CyanogenMod or AOSP, I have to restrict dozens of privacy related permissions.
And of course the device still works, which means that those perms weren't needed.
For example, I don't see why some system apps (I mean, not Google apps cuz I get rid of them but apps like systemui, settings, android system etc.) want to access my location, my contacts, my logs, my imei, my id, my serial number, my phone number, my provider, the list of accounts on the phone etc. even though they don't need it to work properly.
I guess that CyanogenMod doesn't have any other choice but to include what is in my opinion little more than spyware in the source, cuz if they didn't Google wouldn't allow them to use its material.
So what about omni roms? Will they be free from Google spyware or will they be enfeoffed to it?
Those permissions are there so they can interact with other things in the system.
unclefab said:
Will OmniROM's system apps have the same unnecessary and abusive permissions as stock roms and CyanogenMod roms have?
I'm quite concerned about privacy and whatever rom I use, be it stock, CyanogenMod or AOSP, I have to restrict dozens of privacy related permissions.
And of course the device still works, which means that those perms weren't needed.
For example, I don't see why some system apps (I mean, not Google apps cuz I get rid of them but apps like systemui, settings, android system etc.) want to access my location, my contacts, my logs, my imei, my id, my serial number, my phone number, my provider, the list of accounts on the phone etc. even though they don't need it to work properly.
I guess that CyanogenMod doesn't have any other choice but to include what is in my opinion little more than spyware in the source, cuz if they didn't Google wouldn't allow them to use its material.
So what about omni roms? Will they be free from Google spyware or will they be enfeoffed to it?
Out of the box, there's no "spyware" that anyone is aware of in Android. If you install Google Apps, you are giving those apps these permissions obviously.
If you don't use Gapps (like me), then you should be fine - you can check what each app does in its own source code.
I am also looking into ways to help protect against spying third party software you install (ie. apps a user installs), for those who want added protection.
I work as a security researcher, so yes, I do care quite a bit about security, and excessive permissions is a life-long hate of mine. There are no gapps when you install Omni, so you'll be safe. For those who want them, they can flash them.
What I meant with spyware is not what one usually calls spyware, but I didn't have any other term to refer to it.
What I wanted to say is that system apps (not Google apps like gmail or gtalk but system apps like phone, android system, systemui etc.) have intrusive, and unnecessary, permissions. When I say unnecessary I mean it, cuz I block or spoof them without my phone having any problem. I know it's not the devs' fault but Google's, who likes to know what we do, who and where we are, and thus releases android updates full of spying system apps.
So then I wanted to know if Omni's system apps will be free from such perms, since the source comes from Google.
Until cm7 it was possible to block perms directly from the app manager, but I guess Google got annoyed at it and obliged the cm team to remove that function.
Whatever rom we use now, we are left with system apps spying on us, and that's why I call them spyware.
Cuz for me apps that want to know where I am, what contacts I have, what numbers I have called, my phone number, my imei etc, even though they don't need it, are in a way spyware. For instance look at the framework-res.apk (android system), every time we connect to the internet it calls home (I've checked, the address is Google inc, mountain view, CA). Look at the perms the systemui or the phone apk have, it's insane! Not to mention all the other system apps that want to access the /proc folder, our serial number and the like. Oh yeah, I nearly forgot fusedlocation.apk, Google's latest spyware since 4.2.2, that one can't uninstall or freeze or block.
I do not use Google apps, and I do use apps like Xprivacy or af+wall, but still, it annoys me to always have to play cat and mouse, and it annoys me that the android system always calls Google when I connect to the internet. Not that I'm an internationally wanted terrorist, but hey, privacy is privacy!
The thing is that future android updates will be more and more filled with such spyware (above mentioned fusedlocation.apk being the perfect example), and I hope that devs will find a way to bypass it.
That's why when I saw an announcement about Omnia I came to see if it will be better than cm privacy wise, and to give some suggestions about privacy and permissions...
unclefab said:
What I meant with spyware is not what one usually calls spyware, but I didn't have any other term to refer to it.
What I wanted to say is that system apps (not Google apps like gmail or gtalk but system apps like phone, android system, systemui etc.) have intrusive, and unnecessary, permissions. When I say unnecessary I mean it, cuz I block or spoof them without my phone having any problem. I know it's not the devs' fault but Google's, who likes to know what we do, who and where we are, and thus releases android updates full of spying system apps.
So then I wanted to know if Omni's system apps will be free from such perms, since the source comes from Google.
Until cm7 it was possible to block perms directly from the app manager, but I guess Google got annoyed at it and obliged the cm team to remove that function.
Whatever rom we use now, we are left with system apps spying on us, and that's why I call them spyware.
Cuz for me apps that want to know where I am, what contacts I have, what numbers I have called, my phone number, my imei etc, even though they don't need it, are in a way spyware. For instance look at the framework-res.apk (android system), every time we connect to the internet it calls home (I've checked, the address is Google inc, mountain view, CA). Look at the perms the systemui or the phone apk have, it's insane! Not to mention all the other system apps that want to access the /proc folder, our serial number and the like. Oh yeah, I nearly forgot fusedlocation.apk, Google's latest spyware since 4.2.2, that one can't uninstall or freeze or block.
I do not use Google apps, and I do use apps like Xprivacy or af+wall, but still, it annoys me to always have to play cat and mouse, and it annoys me that the android system always calls Google when I connect to the internet. Not that I'm an internationally wanted terrorist, but hey, privacy is privacy!
The thing is that future android updates will be more and more filled with such spyware (above mentioned fusedlocation.apk being the perfect example), and I hope that devs will find a way to bypass it.
That's why when I saw an announcement about Omnia I came to see if it will be better than cm privacy wise, and to give some suggestions about privacy and permissions...
If there's anything that you've found like "call home" routines, please let us know - they will be looked at and removed if necessary.
Totally agree with you on privacy though here. It's very important. I have some ideas to go further than CM, but it's all ideas for now.
pulser_g2 said:
Out of the box, there's no "spyware" that anyone is aware of in Android. If you install Google Apps, you are giving those apps these permissions obviously.
If you don't use Gapps (like me), then you should be fine - you can check what each app does in its own source code.
I am also looking into ways to help protect against spying third party software you install (ie. apps a user installs), for those who want added protection.
I work as a security researcher, so yes, I do care quite a bit about security, and excessive permissions is a life-long hate of mine. There are no gapps when you install Omni, so you'll be safe. For those who want them, they can flash them.
Question here, if you do not use gapp what exactly do you use? I mean you need ways to download apps right? so you only install the playstore and call it a day or what?
mgbotoe said:
Question here, if you do not use gapp what exactly do you use? I mean you need ways to download apps right? so you only install the playstore and call it a day or what?
If you want to keep only the play store you can, but you will have to keep the Google service framework as well, and maybe the Google log in.
@pulser_g2
my phone is very well protected, and skinned to the extreme (like only 20 or so remaining system apps), so for now the only app that performs a call home routine is the android system. But if I disable all the protections then the wlan test, the settings and the settings storage do call home as well. I guess other system apps would do it as well, but since I've uninstalled more than 150 of them I can't tell which ones.
One can check by oneself using this:
http://www.xda-developers.com/android/monitor-your-devices-network-connections/
and this:
https://play.google.com/store/apps/...dium=organic&utm_term=network+log+google+play
Regarding android system's home call routine, could you please point me at a tutorial explaining how to disable it (I searched the web but couldn't find anything)? I'm not a dev, but I'm not bad at modding
I'm happy to see that you are more privacy concerned than cm, and when Omnia gets released I think I will try to make a build for my galaxy grand i9082 (cuz there's not much development going on for that device)...

[Q] Virus or Android now Untamed?

Hello Good People of XDA
I have been a i9506 owner for quite long, had a 9100 before,
I am used to rooting and messing with apps to customize things to my whim,
at the best of my knowledge (I lack android programming skills, but I can do things with terminal and filesystems).
All that before to say I am not totally a noob, but my lack of technical knowledge might bite me there.
System wise, I am under 4.2.2, rooted, unknown sources are not allowed, system check for apps is allowed,
I have an antivirus (more than one, but only one works each day, just to be sure I don't miss things)...
My problem is that I recently found out that some apps, actually system apps, blocked
with Titanium backup, or with gemini app manager, or app quarantine,
were actually running anyway.
They are marked as blocked in my app manager, but can still be force closed,
and they appear in battery displays (most of these under the android system block, in the list of services/apps used),
and in process running when using Ccleaner apps.
Also, my battery display show GPS is activated, while when I go into options, all boxes are off or unticked.
I thus wonder what's happening?
How is it possible to have these Schrödinger apps tamed and blocked like I want them?
I want these to shut down and only work when I DO ALLOW these, for them not to suck my battery or do unauthorized chores like tracking me when I don't want.
How is it possible that they even behave like that? In i9100, I never observed that in Android 4.0.
I wonder if Google didn't change the workings for making us unable to deactivate what we don't want to work, which was pissing them off.
They already changed the permissions displays in the market so permissions as intrusive as "contacts/sms message/USB storage" are considered "not relevant/important",
while they are depending on the announced display of the app.
But I don't want to go on the "conspiracy route" (I am not like that, I am a pragmatist and I just observe facts, like these apps, with sensitive access, not being able to be deactivated), so let's focus on the technical part:
such apps were Maps, Samsung sync adapters, NFC service , Google Agenda/Contact synchronisation, sysscope, context provider, etc.
That's a lot of things that are supposed to communicate to cloud or other devices, which feels a lot like a gaping flaw in the armor...
I want a phone and a tool, not something that tracks me or puts me at risk of being stolen by somebody with technical knowledge.
Am I alone?
Thanks for any insights.
Blocked apps still working
I don't know if my title was too unclear, so I would like to change the title but am unable to do so?
Is it please possible for a moderator to do it (with the title of this post)?
Thanks in advance.
I feel like it is a true problem not being able to block some apps,
or even more, to believe they are blocked while they perfectly perform in the background,
and display activity only in secondary reports, not under their respective "buttons"/information tabs.
I wonder about the technical reason for such behavior.
Then delete those apps or block some of the permissions with an app (eg Privacyguard).
It's my opinion that an antivirus app (at the moment) is a waste of resources. Just think before you install something. Also if you are worried about security, you should always run the latest version of Android. 4.2.2 is an old version.
Lennyz1988 said:
Then delete those apps or block some of the permissions with an app (eg Privacyguard).
It's my opinion that an antivirus app (at the moment) is a waste of resources. Just think before you install something. Also if you are worried about security, you should always run the latest version of Android. 4.2.2 is an old version.
Thanks for your answer.
Well I don't want to delete system apps when they might be useful at times.
I just want them to behave correctly, that is, not work when they are blocked.
That is not a solution to say "uninstall this", while the true problem is Android general behavior here.
I didn't install system apps, they came with the thing, and all of them are not bloatware.
"NFC service" is something I want to keep for when I am ready to use it,
but I don't want to let it free and unleashed because of the opening it leaves on my phone.
Same goes for bluetooth, synced backups and so on.
I don't want backups on the cloud, so I deactivated the options, and blocked the apps.
Why are they running? It is not normal!
And my old version is maybe not secure, but actually trying 4.3 hasn't changed anything,
and I only suspect this to be some "new feature".
The antivirus is a waste for scans, I agree, still it has useful firewall features that justifies in itself its uses.

[Q] Is OmniROM a good choice for privacy-conscious users?

Hi,
Stock ROMs aren't really trustworthy by default (e.g., phandroid.com/2014/11/06/carrier-iq-settlement).
Some manufacturers' devices aren't really trustworthy, even with stock ROMs removed (e.g., theepochtimes.com/n3/830922-chinas-xiaomi-smartphones-may-be-spying-on-you).
Cyanogenmod went downhill:
We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where your product or device is used so that we can better understand customer behavior and improve our products, services, and advertising.
(from cyngn.com/legal/privacy-policy) They started on this path long ago, but I won’t go there now.
I would like to buy a new Android phone. I won’t have national secrets on it, but I still don't want any Google-style spying. Assuming I don't add GApps, is OmniROM a good choice for me? Does it respect the privacy of its users? Does it contain any components that would ever connect anywhere to transmit any information like GApps do? Obviously, I'm not talking about user-initiated events.
One more thing, does it have a permission manager? Ideally, something that allows the user to choose for each permission for each app whether real, fake or blank data is shared, but a bit cleaner than XPrivacy.
Thanks!
Just for the record, you can remove CM-specific apps and block their servers in your device's hosts file. It takes literally 5 minutes and it's pretty good after that.
Dragoon Aethis said:
Just for the record, you can remove CM-specific apps and block their servers in your device's hosts file. It takes literally 5 minutes and it's pretty good after that.
Thanks, good to know.
Yes, OmniROM does not include proprietary tracking software unlike cyanogenmod.
Personally if OmniROM does not support your device, I suggest using cyanogenmod + freecyngn (http://forum.xda-developers.com/showthread.php?t=2550769).
One more thing, does it have a permission manager? Ideally, something that allows the user to choose for each permission for each app whether real, fake or blank data is shared, but a bit cleaner than XPrivacy.
Yes. It has "apps permissions". Open the app info of an app and click on apps permissions. There you can disallow access.
6hunnid9 said:
Yes, OmniROM does not include proprietary tracking software unlike cyanogenmod.
Personally if OmniROM does not support your device, I suggest using cyanogenmod + freecyngn (http://forum.xda-developers.com/showthread.php?t=2550769).
Thanks for this tip.
