Full Privacy & Security DeGoogled EeloOS / LineageOS with more Security / Privacy Workaround

Hi guys,

I want to show you how you can get rid of all the things that the developers of Eelo haven’t done yet. In this guide we will do everything needed to make your Eelo or LineageOS devices safe!
If you want more privacy you can soon buy the Librem 5 > Pinephone, or use CopperheadOS > GrapheneOS > EeloOS > LineageOS, ordered by privacy focus.
Don’t worry if you see settings for LOS (LineageOS), because most of the time it’s exactly the same -> Eelo is a fork of it :wink:

What should be done:

  1. GPS -> In Eelo fixed
  2. DNS -> In Eelo fixed
  3. WebView -> Change to BromiteWebview
  4. Captive Portals
  5. Privacy Apps
  6. Hostfile

//Add an “h” to “ttps://” = “https://” for using the links; I don’t know why, but I can’t post a real link here! Or remove the “/” at the start of the address.


First we need root / Magisk for the setup (Attention: with every Eelo update you must do this again, because sadly the official Eelo OS comes without root):

  1. Install EeloOS as described in the install documentation from the e-team on the site
  2. Install Magisk ttps://github.com/topjohnwu/Magisk/releases/download/v19.3/Magisk-v19.3.zip the same way as the OS: adb sideload magisk.zip after the ROM in TWRP!
  3. After this, enable USB debugging in Developer Options (tap 7 times on Build Number in the options)

Assumptions:

  • Phone running Eelo or LineageOS 14.1, 15.1 or 16.0 (note that each LOS version might require a different solution)
  • Root access (Magisk, open source)
  • No OpenGApps or unofficial add-ons like microG -> go to Settings and deactivate all of it -> it’s crap, don’t use Google services, and change your hostname and Bluetooth name to random letters for privacy
  • ADB and Fastboot needed, as for the OS install
  • Amaze File Manager from the F-Droid store (install that too); go to its Settings and enable root rights and hidden files

1) DNS

Eelo set-up: EeloOS is using Quad9 (9.9.9.9); not the best solution, but it’s okay.

Default set-up: LineageOS uses the AOSP default DNS servers, which are Google’s DNS servers (8.8.8.8).

Solution: Replace Google’s DNS servers with those of a preferred DNS provider (see below for recommendations).

How-to:

LOS 16.0:

Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname > [enter your preferred DNS provider hostname here. Traditional IP addresses are not accepted in this field, so you need to enter a hostname of a provider that supports DNS-over-TLS (DoT)]

LOS 14.1 and 15.1:

i) Manual edit for each network (works only for Wi-Fi). Cumbersome and impractical when connecting to more Wi-Fi hotspots, and unusable when connecting to public hotspots or using mobile data. Wi-Fi list -> long press to select the network -> Modify network -> IP settings from DHCP to Static -> fill out all fields.

ii) Bypass by using a VPN tunnel or Tor (Orbot or orWall). Either a full-on VPN (OpenVPN or WireGuard) or a DNS-only VPN such as DNS66 ttps://www.f-droid.org/en/packages/org.jak_linux.dns66 or 1.1.1.1 ttps://play.google.com/store/apps/details?id=com.cloudflare.onedotonedotonedotone. Simple, but more of a circumvention than a solution. Requires the background VPN to be constantly on (the battery usage increase can be significant).

iii) App ‘DNS man’ on F-Droid ttps://f-droid.org/en/packages/io.github.otakuchiyan.dnsman/. Unmaintained since 2016, but could work -> it has 4 setting methods -> try System properties first.

iv) For Magisk users: you can use the CloudflareDNS4Magisk module ttps://forum.xda-developers.com/apps/magisk/module-cloudfaredns4magisk-t3772375

v) [UNCONFIRMED!] Manual edit of /system/build.prop by adding the following lines:

net.dns1=1.1.1.1
net.dns2=1.0.0.1
net.rmnet0.dns1=1.1.1.1
net.rmnet0.dns2=1.0.0.1
net.wlan0.dns1=1.1.1.1
net.wlan0.dns2=1.0.0.1

DNS provider recommendations (get DNS server IP addresses from the sites directly):

  1. Cloudflare ttps://1.1.1.1/dns/, offers DoT (for LOS 16 Private DNS), global,
  2. OpenNIC ttps://www.opennic.org/, no DoT, global,
  3. DNSWatch ttps://dns.watch/, no DoT, Germany,
  4. UncensoredDNS ttps://blog.uncensoreddns.org/, DoT (on ttp://www.unicast.uncensoreddns.org), Denmark,
  5. CZ.NIC ttps://www.nic.cz/odvr/, DoT, Czech Republic.

Wikipedia list of DNS providers ttps://en.wikipedia.org/wiki/Public_recursive_name_server

2) Captive Portals

Default set-up: The captive portal detection checks for an HTTP 204 code from a Google domain (/connectivitycheck.gstatic.com for LOS 13+).

Solution: Replace Google’s captive portal server with a third party alternative.

How-to: Enter the following in a terminal (or use adb; for that method, see the German source below) and for the domains pick your preferred option from the list below:

Connect your smartphone to a PC and use the terminal (Linux recommended).
Use these commands after “adb shell” and “su”:

settings put global captive_portal_mode 0
settings put global captive_portal_detection_enabled 0
settings put global wifi_watchdog_on 0
settings put global wifi_watchdog_background_check_enabled 0
settings put global captive_portal_server f-droid.org
settings put global captive_portal_https_server "https://f-droid.org"
settings put global captive_portal_http_server "http://f-droid.org"
settings put global captive_portal_fallback_url "http://f-droid.org"
settings put global captive_portal_other_fallback_urls "http://f-droid.org"

-> I used f-droid.org because this is the better choice compared to the eelo store! Only open source software with no tracking.

Select a non-Google server from the following options:

http://captiveportal.kuketz.de

Source (German): ttps://www.kuketz-blog.de/android-captive-portal-check-204-http-antwort-von-captiveportal-kuketz-de/. Site and server belong to Mike Kuketz, a German security researcher. Based on his blog and privacy policy, Mike is the genuine article. Reach your own conclusion, but I have zero qualms recommending his server. I also encourage reading through his site and forum (German only). Great posts for privacy-conscious users.

https://e.foundation/net_204/ (if you forget the "/" at the end, it won't work) and http://204.ecloud.global (for http)

Hosted at ScaleWay. These are newly set-up check servers by the people behind the /e/ ROM, which is based on LOS and focuses on user-privacy.

http://elementary.io/generate_204

Hosted at Cloudflare. ElementaryOS is a, dare I say it, game-changing Linux distro based off Ubuntu which puts heavy focus on UI and UX; think of them as the macOS of Linux.

http://httpstat.us/204

Hosted at Microsoft’s Azure. Site created by two US IT professionals. Claim no data stored.

Further reading on Android captive portals with explained commands is here ttps://android.stackexchange.com/questions/100657/how-to-disable-captive-portal-detection-how-to-remove-exclamation-mark-on-wi-fi and here ttps://android.stackexchange.com/questions/186993/captive-portal-parameters.

Notes:

  • Do not use /connectivity-check.ubuntu.com as previously suggested. It does not work correctly, is hosted on Google Cloud and the Ubuntu community (not only on reddit) is quite touchy when you try to raise this issue and suggest they self-host.
  • Whatever server you choose (and yes, you can make one yourself), make sure it returns an HTTP 204 code (use curl -I to make sure)

3) A-GPS

Eelo set-up: With the Mozilla Location Service the eelo team has done a great job -> the only things you should change are: disable all microG features in Settings and disable all GPS connections via mobile internet and WLAN in the location settings, to be safe.

Default set-up: LineageOS defaults to /supl.google.com for SUPL data (ttps://patents.google.com/patent/US20150005006), which helps speed up device positioning (aka TTFF) when using A-GPS, but each request to the server is accompanied by the device’s IMEI.

Solution: Replace every mention of Google’s A-GPS SUPL servers in /system/etc/gps.conf with one of the following servers. Apparently, disabling A-GPS and using GPS only might not help. Sadly, very little credible research exists on this topic. Firewalling GPS is also a possible solution. Note that this increases TTFF, as it relies solely on the GPS satellite signal instead of local cell tower data.

Servers found:

  • /supl.sonyericsson.com - Working (port 7275 is open), located in Ireland, hosted with Amazon.
  • /supl.vodafone.com - Working (port 7275 is open), located in Germany, self-hosted.
  • /agpss.orange.fr - live, but port is filtered, located in France, self-hosted.
  • /agps.supl.telstra.com - live, but port is filtered, located in Australia, self-hosted.
  • /221.176.0.55 - default Xiaomi SUPL server IP, belonging to state-owned China Mobile and hosted in Beijing. Please share if you voluntarily choose this over Google.

Further reading: There’s a very good post on the privacy aspects of A-GPS (ttps://blog.wirelessmoves.com/2014/08/supl-reveals-my-identity-and-location-to-google.html) and on how the gps.conf route might not work, as some GPS chips bypass the OS completely, so I recommend reading through that. This is followed up by a German blog post (ttps://www.kuketz-blog.de/android-imsi-leaking-bei-gps-positionsbestimmung/). That said, there is surprisingly little information on this topic given the severity of the privacy implications.

Note:

  • SUPL is not the same thing as NLP (Network Location Provider), which is not present on LOS without GAPPS
  • For anyone wondering, Advanced Mobile Location (AML, which Google calls Emergency Location Service; ELS) will become compulsory in the EU in 2020 and should not be present in LOS, because it is a part of Google Play Services
  • As linked above, this might not work for all devices, as some have SUPL running on the GPS radio level, which means that anything you do on the Android OS level will have no effect
  • both /supl.nokia.com and /supl.iusacell.com are confirmed offline

4) AOSP Webview

Default set-up: LineageOS uses ‘AOSP WebView’ (listed under ‘Android System WebView’ in Apps). This is different from Chrome, which handles WebView in Android 7 onwards. AOSP WebView, like the Chromium browser, is open source but not fully degoogled, although it is better than the proprietary Chrome.

Solution: Replace AOSP WebView with a more degoogled implementation: Bromite’s SystemWebView ttps://www.bromite.org/system_web_view.

How-to: Download the Bromite SystemWebView APK (from their F-Droid repo or directly), and then follow the official installation instructions ttps://github.com/bromite/bromite/wiki/Installing-SystemWebView.

  • Install Bromite with the Magisk module from the Downloads section (only works with some LineageOS devices, so do the next steps too, but do this step as well; it can’t hurt)
  • Install Amaze File Manager from the F-Droid store (install this store too)
  • Download the Bromite WebView from the page with your mobile device (the site generates the file you need for your phone)
  • Rename it to BrowserWebView.apk for Eelo (for LineageOS: webview.apk)
  • Connect the device to the PC and run “adb shell”, then “su”
  • Now use the command:
    For Eelo: "mv /storage/emulated/0/Download/BrowserWebView.apk /system/app/BrowserWebView"
    For LineageOS: "mv /storage/emulated/0/Download/webview.apk /system/app/webview"
  • Restart the device and use the WebView Test APK from APKMirror
  • Choose the HTML5 site and https; the result should be, for example, Chrome 74 with a Galaxy S9, not your real phone model!

5) Project Fi

Default set-up: Certain Project Fi devices (ttps://en.wikipedia.org/wiki/Google_Fi#Devices) have extra Google apps to function properly (ttps://old.reddit.com/r/LineageOS/comments/823m9r/why_do_i_still_have_google_connectivity_services/).

Solution: Remove Project Fi apps for those LineageOS users who are not Project Fi customers.

WARNING: Uninstall system apps at your own risk (may cause system crash)!

How-to: Uninstall the following apps using a (root-requiring) system app removal tool of choice or via adb (instructions ttps://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/):

X Google enrollment (/com.android.hotwordenrollment.xgoogle)
T Google enrollment (/com.android.hotwordenrollment.tgoogle)
OK Google enrollment (/com.android.hotwordenrollment.okgoogle)
Tycho (/com.google.android.apps.tycho)
Google Connectivity Services (/com.google.android.apps.gcs)
Carrier Services (com.google.android.ims)

source ttps://github.com/lineageos4microg/l4m_website/issues/16#issuecomment-374364988

Presence of the above apps on following devices:

Device X/T/OK Google enrollment Tycho Google Connectivity Services Carrier Services
Google Pixel XL (marlin) yes
Google Pixel 2 (walleye) yes yes yes yes
Google Pixel 2 XL (taimen) yes yes yes yes
Google Pixel C (dragon) yes yes
Google Nexus 6P (angler) yes yes yes yes
Google Nexus 5X (bullhead) yes yes yes yes
Essential PH-1 (mata) yes
Google Nexus 6 (shamu) yes yes yes
Motorola Moto X 2015 (clark) yes
Motorola Moto G4 (athene) yes

Source ttps://github.com/lineageos4microg/l4m_website/issues/16#issuecomment-374491502

6) Privacy APKs

  • App stores: Use the F-Droid store first, then the Eelo store for non-free apps (like for your bank), and the Yalp Store if you want all apps like in the Google store, with the Google repo (the Eelo store isn’t full of apps)
  • Privacy: Use a VPN, like one from the F-Droid store; only paid VPN providers deliver good speed. Or better: Orbot + use the K3pler APK and set a proxy on localhost:8090 so you can check connections and block them + the Adblock Plus APK with root to block ads, and load the app “Launch on boot” from apkpure and set it for k3pler, because k3pler won’t start on boot
  • Chat & Messaging: Change the SMS/phone application in the Settings, because Signal isn’t a great app; look here: ttps://www.securemessagingapps.com/ -> Using Threema (not open source) or Wire (open source) is a better solution with less tracking. Never use apps / services from the USA; the privacy laws there are very bad and the NSA loves your data -> better Germany/Switzerland. The best solution is Nextcloud with a good server you choose yourself, or an XMPP application like https://f-droid.org/en/packages/eu.sum7.conversations/. Best for privacy: host a server on your own NAS / router and use it with Nextcloud or XMPP for all the people you chat with!
  • With ttps://f-droid.org/en/packages/de.j4velin.systemappmover/ you can remove apps like Telegram and Signal if you have root :slight_smile: ; remove the bad system apps!
  • Good to know: you can install the eelo app store on other Android OS systems, like LineageOS. Here is the APK I made with Amaze!:
    https://www97.zippyshare.com/v/EFwoOHqC/file.html

7) Host-File:

  • Use the Amaze file manager to find the host file in /system/etc/host.conf and edit it there.
    A blocked address should look like this:
    127.0.0.1
    127.0.0.1 …

Here is a list of the blocked sites I found with k3pler:
/google.com/gen_204
/accounts.google.com:443
/connectivitycheck.gstatic.com/generate_204
/google.com:443
/s3.amazonaws.com:433
/collector-hpn.ghostery.net:443
/cmp-cdn.ghostery.com:443
/api.ghostery.net:443
/cdn.ghostery.net:433
/updates.signal.org:433
/googleads.g.doubleclick.net:433
/fonts.googleapis.com:433
/api.cleanapk.org:433
/clientservices.googleapis.com:443
/ssl.google-analytics.com:443
/bahn.de:443
/deutschebahn.sc.omtrdc.net:443
/assets.adobedtm.com:443
/cdn.optimizely.com:443
/settings.crashlytics:443
/firebaseremoteconfig.googleapis.com:433
/graph.facebook.com:433
ttp://xtrapath1.izatcloud.net/xtra3grcej.bin
ttp://xtrapath2.izatcloud.net/xtra3grcej.bin
ttp://xtrapath3.izatcloud.net/xtra3grcej.bin


-> Last privacy advice:
Use VPN + Adblock in your OpenVPN router (Turris Omnia / GL.iNet are good) or on your phone.
-> Best Android OSes are: Replicant > CopperheadOS > Eelo > LineageOS (best Linux phone: Librem 5 / Pinephone)
-> Use a Linux PC with no Intel Management Engine, like a Lenovo X200 with coreboot and a changed Wi-Fi card > Librem 13/15 > normal PC with Linux but with Intel Management Engine


Links:

ttps://www.reddit.com/r/degoogle/comments/clcgtl/degoogling_lineageos_instructions_august_2019/

8 Likes
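As an added example for section 2 (not code from the original post): a small POSIX shell helper that derives the bare hostname captive_portal_server expects from the https URL, checks that a candidate server really answers HTTP 204 with curl as the note above suggests, and applies and reads back the settings over adb. It assumes adb on the PC and Magisk “su” on the phone, as set up earlier in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: verify a connectivity-check server,
# push the "settings put global" values over adb and read them back.
# Assumes adb in PATH and a rooted device with "su" (Magisk).
set -e

# host_of URL: the bare hostname that captive_portal_server expects
# (captive_portal_https_server / _http_server take the full URL instead).
host_of() {
    printf '%s\n' "$1" | sed -E -e 's#^[a-z]+://##' -e 's#[/:].*$##'
}

# expect_204 URL: succeed only if the server answers 204 to a plain GET,
# without following redirects, which is what the framework's probe requires.
expect_204() {
    code=$(curl -sS -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "204" ]
}

# portal_commands HTTPS_URL HTTP_URL: the same lines the post uses, generated from
# the two URLs so that host and URLs cannot drift apart.
# Note: captive_portal_mode 0 ("ignore") disables the probe entirely; the server
# keys only matter when the mode is left at 1 ("prompt").
portal_commands() {
    host=$(host_of "$1")
    cat <<EOF
settings put global captive_portal_mode 0
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server $host
settings put global captive_portal_https_server "$1"
settings put global captive_portal_http_server "$2"
settings put global captive_portal_fallback_url "$2"
settings put global captive_portal_other_fallback_urls "$2"
EOF
}

# apply_portal HTTPS_URL HTTP_URL: verify both servers, apply, then read every key back.
apply_portal() {
    expect_204 "$1" || { echo "no 204 from $1" >&2; return 1; }
    expect_204 "$2" || { echo "no 204 from $2" >&2; return 1; }
    portal_commands "$1" "$2" | adb shell su -c sh
    for key in captive_portal_mode captive_portal_detection_enabled captive_portal_server \
               captive_portal_https_server captive_portal_http_server \
               captive_portal_fallback_url captive_portal_other_fallback_urls; do
        printf '%-40s %s\n' "$key" "$(adb shell settings get global "$key" | tr -d '\r')"
    done
}

# Example invocation (needs network and a connected device), using the /e/ servers
# listed in the post:
# apply_portal "https://e.foundation/net_204/" "http://204.ecloud.global"
```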

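For section 7, as an added example that is not part of the original post: a POSIX shell helper that turns a k3pler-style connection list into hosts-file entries. A hosts entry matches a hostname only, so the port (including the “433” entries) and the path are stripped and repeated hosts collapse into one line; the standard Android hosts file is /system/etc/hosts. The sample list is constructed from a few shapes in the post, and push_hosts (adb plus Magisk “su”; the remount target varies by device) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post: convert blocked connections
# (host:port, host/path or URL form) into "127.0.0.1 <host>" hosts-file lines.
# Assumes adb in PATH and a rooted device with "su" (Magisk) for push_hosts.
set -e

# Constructed sample in the three shapes that appear in the post's list.
SAMPLE_LIST='/google.com/gen_204
/accounts.google.com:443
/connectivitycheck.gstatic.com/generate_204
/google.com:443
/api.cleanapk.org:433
ttp://xtrapath1.izatcloud.net/xtra3grcej.bin
http://xtrapath1.izatcloud.net/xtra3grcej.bin'

# to_hosts: read entries on stdin; drop scheme, leading "/", port and path;
# print one "127.0.0.1 <host>" line per unique host, in first-seen order.
to_hosts() {
    sed -E -e 's#^[a-z]*://##' -e 's#^/##' -e 's#[:/].*$##' \
    | awk 'NF && !seen[$0]++ { print "127.0.0.1 " $0 }'
}

# sample_hosts: the sample list run through to_hosts (used by the offline check).
sample_hosts() {
    printf '%s\n' "$SAMPLE_LIST" | to_hosts
}

# hosts_ok FILE: succeed only if every line is "<ip> <hostname>" with no port
# or path left over (a stray ":443" or "/path" would silently match nothing).
hosts_ok() {
    ! grep -Ev '^[0-9.]+ [A-Za-z0-9.-]+$' "$1" >/dev/null
}

# push_hosts FILE: append the generated lines to the device hosts file.
# Needs root and /system remounted read-write for the duration of the write;
# on some devices the remount target is "/" rather than "/system".
push_hosts() {
    hosts_ok "$1"
    adb push "$1" /sdcard/hosts.add
    adb shell su -c 'mount -o remount,rw /system && cat /sdcard/hosts.add >> /system/etc/hosts && mount -o remount,ro /system'
}

# Offline usage: sample_hosts > hosts.add && hosts_ok hosts.add
# On a connected device:   push_hosts hosts.add
```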
Btw: Look for Linux Privacy OS, my favorite one is ParrotOS

1 Like

I’m sorry to correct you, but it is not eelo anymore!!! At the moment the name of the OS is /e/, but we are all hoping that this worst name will be changed soon.

1 Like

Maybe he did that on purpose. I also still call it eelo. /e/ is a ridiculous name; if I want to tell people about eelo, I’m not saying that I use slash-e-slash. Most people lose me at “OS”, let alone “fork” or even worse “slash-e-slash”. I’m not sure how high the owner, CEO, dev team or whoever came up with it was when choosing /e/, but this name was a bad choice.

3 Likes

I know that you can see everywhere that they use /e/, but harvey186, you are absolutely right. I always tell people I’m using “eelo” or “lineage” on my devices or Linux “parrot”. /e/ is too difficult for search engines, and non-technical people think, when you say “/e/”, that you are the biggest nerd in town, meaning that in a bad way, so I’m using “eelo” without really thinking about the new name. I think my conscious brain never accepted the new name :wink:

2 Likes

Thank you for a very interesting and detailed post.

App stores: Use the F-Droid store first, then the Eelo store for non-free apps (like for your bank)

Here is a list of the blocked sites I found with k3pler:
/api.cleanapk.org:433

Why is cleanapk blocked? Doesn’t that break Eelo-Store?

Download the apk from another repository if applications from Apps are not working. We are doing it for a number of other applications while we try to figure out why it does not work through Apps

A pity this thread is closed:

I have an ethical question regarding the /e/ Apps store: one of the applications I consider bloatware and would like to remove (tried everything, even crashing the system several times), but after every update, successfully removed apps reappear. Screenshot of one app from “Apps”, something like CCleaner or whatever, just an example. What are applications like that doing in /e/'s Apps?

2 Likes

Hi @pjmbraet, as you are aware, applications in Apps are requested by users. We do not police what apps can and cannot be there. It is for the user to decide why they still want to use such apps even when they can see the list of trackers in them.

On this forum there is a thread asking whether we can install the Google Play Store on /e/. How do we explain that? It is for the user to decide what they want and do not want. We will provide a clean OS background; what the user adds on top is up to them entirely.

1 Like

Thank you for your interesting post.

I’d like to add a few things:

  • DNS: we have added a low-level feature to enforce DNS in Settings, whether you are using Wi-Fi or mobile data access. Our default setting is actually 9.9.9.9, but you can put anything you prefer (Cloudflare’s 1.1.1.1 might be OK, but keep in mind that Cloudflare has Google as an investor…)
  • “captive portal” = connectivity check. This issue is under development in /e/ and will be fixed soon (details in our GitLab issues)
  • webview: as you may know, /e/ is using a fork of Bromite, which is itself a fork of Chromium, because Chromium is open source but NOT ungoogled. And /e/'s default webview is now this fork of the Bromite webview.
  • blocking sites in the /etc/hosts file: I’m curious about all those 433 ports? Typo?

Also I’d like to remind you that /e/'s purpose is exactly to bundle as much as possible of all of this for users who don’t know how to do it by themselves.

2 Likes

/e/ is about freedom. That’s the reason why you will find all the apps with useful information. This way, users can choose to use an app, or not use it, in full knowledge of the situation.

4 Likes

/api.cleanapk.org:433

Yes, that’s the Eelo app store. You can leave it in, but I don’t want this connection on every startup and checking every time. I’m using the F-Droid store with the Magisk root rights, and that’s really a store you can use without risk.
-> The Eelo store (safer than Yalp) or the Yalp Store (Google repository) are great if you want to download and update apps like the Brave browser or Wire (chat). You won’t find these apps in F-Droid.

Also there is a Bromite Chrome Version on the site too :slight_smile: so you can use that :slight_smile:

For the Eelo-Team:

  1. Why don’t you add this decision at the start, with explanations of what you want: with Google or without Google, pros/cons, with no tracking and saving on servers like /e/ and others?
    Or, like in Parrot OS, there is a consumer edition and an, I call it, “hacker” version. So why not make 2 releases: a) one release without microG (you can install it with Magisk anyway) and with Magisk, degoogled, with F-Droid or your app store with only safe apps and Tor, VPN, Adblock, k3pler, a browser with add-ons, so there is zero tracking; b) one edition with added features for “casual users” with a Google option
    -> I think for “casual users” it is really hard to decide if an app is safe, what is open source, why they can’t use the apps all people use; it’s so smart and easy, can’t be bad. Believe me, I have so many, I call them green friends, who fight for animal rights, human rights, but they are so non-technical; the only thing they say is "I don’t want to be tracked, but I don’t know what I can do or use." So there should be a safe version with an added browser without Google and prepared add-ons. No cookies etc., with VPN or Tor, Adblock, k3pler and the browser. People want it easy! I believe you want to reach a lot of people so they can choose by themselves. But this will lead to people who think they are safe from spying and have zero data leaks with their original IP address etc.; that’s not fair, I think. With the decision at the start to choose which version, it would be more useful.
  2. Same here: you can make 2 sections in the /e/ app store, one with open source, privacy-friendly apps (Guardian / F-Droid repo) and one section for tracking apps. I think the Exodus feature is very great for keeping that under control, but it would be greater to find the apps you really want with privacy and not see thousands of tracking apps. Or 2 app stores: one like F-Droid (or use the F-Droid store) and one for proprietary software.
  3. Why is the standard phone/SMS application Signal? And why is Telegram a system app?
    -> check this out: https://www.securemessagingapps.com/ The only really good messengers are Signal and Threema (not open source), because they spy less than the others! And the companies are in Switzerland. For privacy and security it is best to use most of the stuff from Germany / Switzerland etc., because the privacy laws there are better. I saw only “hello NSA” to Signal. That’s not freedom! Set up an XMPP server :wink:

Yes you can load apps from APKMirror or ApkPure but they all track you for sure :slight_smile:

1 Like

Neither Signal nor Telegram is a part of the system apps on /e/ ROMs. We removed them months back.

We are working on making all system apps removable by users.

As we have already clarified in this thread, we want the user to decide what he / she wants. We will give them a clean mobile OS. What they install on top of it is the user’s decision.

6 Likes

One thing where eelo already improved over LOS may be interesting to those who (also) use LOS:
In LineageOS the Caller-App defaults to sending phone numbers you call (and get called from) to “lookup providers” (Google and others). Eelo fixed this. :+1:

That’s NOT true for Germany. If servers are used there, your data is not secure (like the servers of the email provider cockli or the servers of Zwiebelfreunde). Germany is where FinFisher/FinSpy is developed. Do your math.

I have come to /e/ and flashed a Samsung S7 to lead a de-googled (smartphone) life. This thread kind of smashes the hope… The opening post by @eelo4life is hard to follow …

I would very much like to have a roadmap of the Odyssey that @GaelDuval is talking about. What has been achieved, what is on the agenda. A roadmap that is updated every half year and that is understandable for the non-technical, and at the same time contains enough technical references to educate me.

Personally I am willing to be very restrained in the use of apps, and I would appreciate a fat warning if an app would cause me starting a footprint again in the Google ecosystem.

For me it has no use to convince other people to start using an /e/ smartphone, and knowing that in their use of the smartphone they will most likely spoil their privacy again.

You can check this post

1 Like

Thank you, @Manoj . Wonderful! I need some time to process this information.

This information should not be hidden somewhere in a forum post…