I am about to switch from my Fairphone 3 running on LineageOS to a Fairphone 5 from Murena running on /e/OS and I’ve got some questions regarding the setup. It would be great if you could help me with them:
I am looking for a way to set up an application firewall and to also prevent apps from reading out sensors and sensitive information by returning made up data, as I would like to continue using some of the apps I bought.
Up until now I used XPrivacyLua Pro and Netguard Pro running on LineageOS 18.1 to achieve this.
But to do so, I had to unlock the bootloader, to root the FP3 using Magisk and to install the LSPosed framework. On top of that, XPrivacyLua is not in active development anymore (sadly).
So thanks a lot in advance for any hints on possible alternatives to those apps on /e/.
I wrote a topic on rooting and privacy back in August. Many things you’d like are described there. I hoped for a more vibrant discussion and users posting their apps, modules and settings, but unfortunately that did not quite happen.
@infinity: Thanks for the info on your thread! I have to admit that sometimes I am also a bit wary of the constant effort required to keep apps from spying on you, but in such cases I only have to have a short look at the logs…
@irrlicht: RethinkDNS looks very promising and if I understood the info on the project’s GitHub correctly, it would be possible to use it as a firewall, as a kind of Pi-hole and to route the traffic on to a VPN provider at the same time, which is great. Plus it’s available via F-Droid.
To do the same with NetGuard, one needs to set up a work profile and jump from NetGuard to the work profile that offers the VPN connection.
What I am still searching for in the documentation on RethinkDNS is the ability to hide sensitive information, e.g. to return an empty contacts list or an empty calendar to nosy apps asking for it, which is what XPrivacyLua can do. Did I just miss that or do you know any add-on / other software to achieve this?
No, RethinkDNS doesn’t hide specific information by its type. The main functions are:
- logging all app-specific network traffic (the first thing is: you must know what happens)
- controlling app-specific network traffic (either general (wifi and/or mobile) or specific for requested servers or domains)
- routing DNS requests over own servers
- filtering requests by a lot of given blacklists
I also thought about contacts. But contacts have the side effect that there’s always another side. The contacts you have collected do also appear on their mobiles and will probably not be protected there at all, hosted in the cloud and whatever. So what you guard like gold is probably well known in the big spy companies for years and cross checked with many sources. Protecting the contacts on one phone is nearly hopeless.
It is quite certain that it is not 100% possible to protect your own data - at least some government institutions will always be able to get them - which is perfectly fine, as long as it is used to solve crimes - and I cannot protect my info from being uploaded via other phones, that is quite true, but I can prevent the confirmation of these contacts from my side by not sending my data. And I can prevent my appointments and other personal data from being leaked. So I think that it is possible to protect yourself from commercial spies to a considerable extent even under the circumstances you mentioned, although it requires some effort.
The procedure I have been following for years now with every new phone is to install CyanogenMod / LineageOS right after unboxing it, then root it and only install the tiniest possible GApps package like OpenGApps nano or MindTheGapps. In both cases I restricted the packages additionally by removing unwanted parts.
Then I try to harden the phone, I turn off any sync service and install XPrivacyLua and NetGuard and some other apps that I downloaded before to be able to do this offline without SIM card and with an empty SD card.
I only transfer my personal data to the phone after I set up everything like this.
I also host my own CalDAV/CardDAV/WebDAV server to sync my data against and I only use reasonably secure and privacy respecting messengers and apps. And I don’t use WhatsApp, Facebook, X…
I guess the last point is the hardest for most people once they are used to these apps.
From your reply I take it that you did not come across any alternative to XPrivacyLua to block your contacts etc. from being copied unwillingly, or did you find one but decided against its use as you thought it to be pointless?
I don’t protect my contacts. Half of them are enlightened Apple users.
But I always have an eye on what my apps do, I set the permissions carefully and block suspicious traffic when I can. That’s not as hard as it could be, especially since the traffic must first happen before I can block it, but this affects only very few (I mean: two) apps.
@Infinity Thanks a lot for your hint, I did not use AppOps up until now, good to know.
If I understood the first info I found on AppOps and its “Shizuku mode” correctly, this means that the device needs to be rooted for AppOps to run without having to jump through hoops upon each reboot - which in turn would mean that the bootloader needs to be unlocked.
This is something I hoped to avoid with the new FP5 which is why I bought it with /e/ preinstalled, as most banks are switching from external readers to apps nowadays.
I’ve read some info that it should be possible to re-lock the bootloader of /e/OS, but I was doubting whether this is really possible and if this would help with the banking app issue if it were so - do you have any info on that?
Just a note in case other users with the same question are reading this thread - I read that it is not a good idea to try to re-lock your bootloader on an FP5 once you have rooted it - in the case of the FP5 it bricks the device.