Android Privacy

2014-10-23

I recently switched from iOS to Android with the goal of obtaining more control over my smartphone. One major question was whether I could significantly reduce the amount of data I would have to “share” with the ecosystem provider (now Google instead of Apple) and with third party app developers.

I do not have a personal Google account and don’t use their services except for web search and Maps, and hoped to keep it that way as much as possible. Fortunately, it turns out that I could significantly reduce data leakage on Android compared to iOS. So here are the notes on my setup for anyone who is thinking about switching as well.

Choice of Hardware

I chose the Google Nexus 5 for three reasons:

  • The hardware satisfies my feature list except for an SD card slot.
  • It runs stock Android without bloatware and gets timely updates from the source.
  • It has proper developer support, such as boot loader unlocking and factory images which provide a safety net for tinkering.

Google promises 18 months of updates for the phone, which is bad compared to iOS devices and ridiculous when compared to the PC world. The progress curve of smartphone hardware has saturated in my opinion, so I won’t be upgrading soon. I’ll have to see whether Google extends support beyond that window (as they did with the Nexus 4), or if a third party ROM will provide an alternative update path.

Recovery and Rooting

I chose TWRP over ClockworkMod ROM Manager for the touch screen and disk encryption support. With the bootloader unlocked, install TWRP from the bootloader using fastboot (not ADB, which only talks to a booted system): fastboot flash recovery twrp.img

Once booted into TWRP, flash the SuperSU zip, reboot, and install the SuperSU app afterwards.
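The flashing step above trusts whatever twrp.img happens to be in the working directory. The following script is an added example, not from the original post: it checks the image against the SHA-256 published by the TWRP project before writing anything, and test-boots the recovery from RAM with fastboot boot first, so a broken image costs a power cycle rather than the stock recovery. It assumes an unlocked bootloader, fastboot and sha256sum on the PATH, and a phone connected in fastboot mode; the hash in the usage comment is a placeholder, not a real TWRP checksum.

```shell
#!/bin/sh
# Added example (not part of the original post): verify, test-boot, then
# flash a custom recovery image with fastboot.
# Assumptions: bootloader unlocked, one phone in fastboot mode,
# fastboot and sha256sum available. The expected hash is supplied by the
# caller (take it from the project's download page).
set -eu

# check_image FILE EXPECTED_SHA256 -> 0 if FILE hashes to the expected value
check_image() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, want $expected" >&2
        return 1
    fi
    return 0
}

# device_in_fastboot -> 0 if exactly one device answers `fastboot devices`
device_in_fastboot() {
    n=$(fastboot devices | grep -c 'fastboot$' || true)
    [ "$n" -eq 1 ]
}

# flash_recovery FILE EXPECTED_SHA256
flash_recovery() {
    check_image "$1" "$2" || return 1
    device_in_fastboot || { echo "expected exactly one device in fastboot mode" >&2; return 1; }

    # Boot the image from RAM without writing it. If it hangs, holding the
    # power button reboots into the untouched stock recovery/system.
    fastboot boot "$1"
    echo "Check that the recovery came up, then reboot into the bootloader" >&2
    printf 'Press Enter once the phone is back in fastboot mode (or Ctrl-C to abort): ' >&2
    read -r _
    device_in_fastboot || { echo "phone is not in fastboot mode, not flashing" >&2; return 1; }

    fastboot flash recovery "$1"
    fastboot reboot
}

# Usage (placeholder hash, replace with the published one):
#   flash_recovery twrp.img 0000000000000000000000000000000000000000000000000000000000000000
```

The test boot is the important half: fastboot boot runs the recovery once from memory, and only after it has been seen to work is the recovery partition overwritten. Note that fastboot boot leaves the bootloader, so the phone has to be put back into fastboot mode (Power + Volume Down on the Nexus 5, or adb reboot bootloader from within TWRP) before the flash step.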

De-Googlefy

Convenience and speed are important on a phone, so I am not willing to forgo all proprietary apps - being limited to F-Droid makes for a poor experience. I therefore need Google Play store and services support, but without all of their other offerings: I want apps such as Now or Plus and background services such as cloud backup removed or at least disabled.

The proper way to obtain control over a system is to follow an additive approach. Applied to Android, this means to start with pure AOSP and add the minimal subset of Google .apks needed to get the Play store and services working. Unfortunately, AOSP builds for the Nexus 5 are rather involved due to driver issues (the proprietary vendor binaries have to be obtained and integrated separately). I did manage to get a working build, but going through the process for each OS update is too fragile and too much of an effort for me.

This left me with the subtractive approach: start with the stock Nexus 5 image and remove or at least disable unnecessary apps and services. This is best done interactively and reversibly, because deactivating certain .apks can break essential functionality. Apps can be disabled from a root shell using pm disable com.google.android.apps.plus (and re-enabled with pm enable) or using a tool such as Titanium Backup. To remove the Google quick search box, I found it necessary to first install an alternative launcher such as Nova. Otherwise, the boot sequence gets stuck after the lock screen.
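The interactive, reversible procedure described above, as an added example that is not from the original post: a small set of shell functions to run in a root shell on the phone (adb shell, then su, or a terminal app). A dry run lists what a pattern would hit, every package that actually gets disabled is logged to a file, and the log drives the undo. The keep-list of packages needed for Play and Google services, the log path, and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not part of the original post): reversibly disable apps.
# Source this file in a root shell on the phone; `pm` is Android's package
# manager. Assumptions: rooted device, `pm disable`/`pm enable` usable from
# the root shell, /sdcard writable for the log.

LOG=${LOG:-/sdcard/disabled-packages.txt}

# Packages that must stay enabled for the Play store and Google services.
# (Chosen for this example; extend it if something else turns out essential.)
KEEP="com.android.vending
com.google.android.gms
com.google.android.gsf
com.google.android.gsf.login"

# on_keep_list PKG -> 0 if PKG is on the keep-list
on_keep_list() {
    for k in $KEEP; do
        if [ "$1" = "$k" ]; then return 0; fi
    done
    return 1
}

# select_packages PATTERN < pm-list-output
# Reads `pm list packages` output ("package:<name>" per line), keeps the
# names matching PATTERN (a grep regex) and drops keep-listed ones.
select_packages() {
    pattern=$1
    sed -n 's/^package://p' | grep -- "$pattern" | while IFS= read -r pkg; do
        if ! on_keep_list "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# disable_packages PATTERN: disable every matching package and log it,
# so each step can be undone when something essential breaks.
disable_packages() {
    pm list packages | select_packages "$1" | while IFS= read -r pkg; do
        if pm disable "$pkg" >/dev/null; then
            printf '%s\n' "$pkg" >> "$LOG"
            echo "disabled $pkg"
        else
            echo "could not disable $pkg" >&2
        fi
    done
}

# restore_packages [PATTERN]: re-enable logged packages (all, or only those
# matching PATTERN) and drop them from the log.
restore_packages() {
    [ -f "$LOG" ] || { echo "nothing logged in $LOG" >&2; return 1; }
    cp "$LOG" "$LOG.work"
    grep -- "${1:-.}" "$LOG.work" | while IFS= read -r pkg; do
        if pm enable "$pkg" >/dev/null; then
            grep -v -x -- "$pkg" "$LOG" > "$LOG.tmp" || true
            mv "$LOG.tmp" "$LOG"
            echo "re-enabled $pkg"
        fi
    done
    rm -f "$LOG.work"
}

# Usage, in a root shell on the phone:
#   . ./degoogle.sh
#   pm list packages | select_packages 'com.google.android.apps'   # dry run
#   disable_packages 'com.google.android.apps.plus'
#   restore_packages plus
```

Run the dry run first and disable one package per reboot while checking that the phone still boots and Play still works; the quick search box in particular needs a replacement launcher installed before it is disabled, as noted above.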

Fortunately, it is possible to create a Google account for Play using a pseudonym and pay with gift cards. Of course, account syncing should remain disabled for contacts, the calendar etc.

Disk Encryption

Android can use a different password for disk encryption than for the lock screen, but the stock settings UI always sets both to the same value; a separate encryption passphrase has to be set through vold's vdc tool. To encrypt the phone:

  1. Set a PIN and start encryption

  2. Install F-Droid, and a terminal emulator app from it

  3. Set a strong passphrase using su -c vdc cryptfs changepw newpassword. Note that you have to enter the new password as a command line argument, which is bad design: the password is not masked during entry, ends up in the shell history and is visible in the process list while vdc runs. Changing the lock screen PIN later through the Settings app resets the encryption password to the new PIN, so this step then has to be repeated.
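The two avoidable problems in step 3 (echoed entry and the shell history) can be worked around by reading the passphrase interactively and passing it to vdc from a variable, as in this added example, which is not from the original post. It assumes SuperSU's su -c, the vdc cryptfs changepw <password> form used above, and a stty binary (for example from busybox) to switch terminal echo off; the minimum length and the helper names are choices made here. What it cannot fix is that vdc takes the passphrase as an argument, so it is briefly visible in the process list while the command runs.

```shell
#!/bin/sh
# Added example (not part of the original post): change the disk encryption
# passphrase without typing it on the command line. Run in a terminal app on
# the phone. Assumptions: SuperSU `su -c`, `vdc cryptfs changepw <pw>` as on
# this Android version, and `stty` available (e.g. busybox).

MIN_LEN=${MIN_LEN:-12}

# shquote STRING: single-quote STRING so it reaches vdc unchanged through
# `su -c "..."`, whatever it contains (spaces, $, backticks, quotes).
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# check_passphrase STRING: reject short passphrases and digit-only ones
# (a digit-only passphrase adds nothing over the lock screen PIN).
check_passphrase() {
    if [ "${#1}" -lt "$MIN_LEN" ]; then
        echo "passphrase shorter than $MIN_LEN characters" >&2
        return 1
    fi
    case $1 in
        *[!0-9]*) ;;
        *) echo "passphrase must not consist of digits only" >&2; return 1 ;;
    esac
    return 0
}

# read_secret PROMPT: read one line with terminal echo off; prints it to stdout.
# Nothing typed here goes through the command line, so nothing lands in history.
read_secret() {
    printf '%s' "$1" >&2
    stty -echo
    IFS= read -r line
    stty echo
    echo >&2
    printf '%s' "$line"
}

# change_crypt_passphrase: prompt twice, validate, hand the result to vold.
change_crypt_passphrase() {
    pw=$(read_secret 'New encryption passphrase: ')
    pw2=$(read_secret 'Repeat: ')
    if [ "$pw" != "$pw2" ]; then
        echo "passphrases do not match" >&2
        unset pw pw2
        return 1
    fi
    if ! check_passphrase "$pw"; then
        unset pw pw2
        return 1
    fi
    # The passphrase is still an argument to vdc and thus visible in `ps`
    # for the duration of the call; vdc offers no other way to pass it.
    su -c "vdc cryptfs changepw $(shquote "$pw")"
    rc=$?
    unset pw pw2 line
    return $rc
}

# Usage: . ./cryptpw.sh && change_crypt_passphrase
```

The quoting helper matters more than it looks: a passphrase containing a quote, a dollar sign or a backtick would otherwise be mangled or partially executed by the shell that su -c starts, and the phone would then boot with a passphrase different from the one typed.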

App Permissions Management

Android has a fine grained permissions model, but on this version an app's permissions are accepted or refused as a whole at install time. One of the best reasons for switching to Android is XPrivacy, which enables on-demand permissions management. XPrivacy provides fake or empty data to apps requesting blocked permissions, so most of the time the app continues working properly.

Get the Xposed installer (which requires root, as it patches the app process) and then install the XPrivacy module. I also installed PlayPermissionsExposed to see the full list of requested permissions when installing an app.

As defense in depth, I also installed the AFWall+ firewall from F-Droid in whitelisting mode, so that only explicitly allowed apps get network access (it manages per-app iptables rules, and thus also needs root).

Safer Browsing

One of the serious limitations of iOS is that Apple forbids third party browser engines: every browser on iOS has to use the system WebKit and cannot run add-ons. On Android, I can finally install Firefox with privacy and security enhancing add-ons: AdBlock, Ghostery, HTTPS Everywhere, Self Destructing Cookies and Smart Referer work well on FF mobile. Unfortunately, the UI of NoScript Anywhere is still buggy and Certificate Patrol has no mobile version.

Calendar, Contacts, To-Do List and File Syncing

Mavericks no longer supports local syncing of the calendar and the address book via iTunes, removing one of the privacy benefits that iOS had over Android.

I made the effort and set up an ownCloud instance on a personal server (more on that in another post) for calendar, contacts and file sharing. To minimize the attack surface, the server is only reachable through an IPsec VPN. On the smartphone, I use the strongSwan VPN client and authenticate using X.509 certificates.

The calendar and address book are synced using DAVdroid. For file syncing (aka Dropbox functionality), I use FolderSync. To-Dos are managed using Simpletask Cloudless with the todo.txt file stored in the ownCloud folder.

Private Communications

I use TextSecure as my default SMS application, and would use RedPhone if any of my peers could be convinced to use it as well… As mentioned above, I run my own VPN server which acts as a trusted gateway when I am traveling and have to use untrusted networks.

Wi-Fi Management

Wi-Fi is becoming a popular tracking vector and is already employed by shops to profile customers: a phone with Wi-Fi enabled keeps sending probe requests that expose its MAC address (and, on this Android version, the names of remembered networks) to anyone listening. Instead of manually switching Wi-Fi on and off whenever I am close to an access point that I trust, I set up a Tasker profile such that Wi-Fi is only active when I am in range of cell phone towers that are close to those access points.

I use the Power Toggles widget to manage tethering with a single tap.

Location Management

So far, I have found no better solution than to activate and de-activate location services manually, again using Power Toggles.

Unfortunately, GPS-only mode is really slow in getting a first lock. If I am impatient, I activate High Accuracy mode, which also uses Google's network location service and thus sends nearby Wi-Fi and cell identifiers as “anonymous” location requests to the mothership.

Further Reading

The “Mission Impossible” Tor blog post contains good background information and many practical recommendations to increase privacy on Android.