[TUTO] How To Secure Your Phone - xda-developers

There was a time where “enlightned” people used to make fun of guys like me:

paranoid, conspirationist, tin foil hat, ha ha ha!

The thing is that there has never been any conspiracy theory, it's a term invented by those in
power to ridicule people exposing their treacheries.

A conspiracy is a plot aimed at overthrowing a king or a government so how could those in power
make any conspiracy against the people, us, since we are not in power?

A theory is something that has not been proven and well, after the Snowden's revelations things
have been made clear, so long for the “conspiracy theory”.

The enlightened stopped laughing and started to realise what's going on,
and that their dear
government and their beloved google were not such a
nice bunch to say the least.

Nowadays more and more people wake up and understand that their phones are heartlily spied
upon and data mined all the time, and I decided to write a tutorial about how to gain back one's
privacy on one's phone.

Remember, Android has not been build with privacy in mind and everybody wants our data, cuz
data means money and money has been driving, is driving and will be driving humanity for a long
time.

In a way it's ok if one doesn't mind ads and spams, one has to bear in mind that nothing comes
for free and the costs to develop an app like let's say what's app or to maintain a site like facebook
are huge so the
money has to come from somewhere (as some say, if it's free than you are the
product).

Plus, one is allways free not to use them, but unfortunately one needs an OS (google), and one
needs an oem to manufacture the phone.

Then comes power, it has been driving humanity for even longer than money.

As @CHEF-KOCH
said, data means knowledge and knowledge means power. In the past it was a
hard task to manually gather data about people and one can easily understand that the present
huge data sum that's on the web is of very significative importance for the agencies.

So of course they pressure google, facebook, apple, microsoft and the others to get access to your
data, from their point of view it makes sense.

I have nothing to hide but as a matter of principle I have allways tried
my best to be in control,
and I have to admit that it's fun and interesting too, one learns many things in the process.

I don't know everything (who does anyway?) and everyone is welcome to add some more infos on the
subject, let's share our privacy settings!!!

Let's start, with a brand new phone...

I - THE BASICS

1 - Don't give your real name when you buy a new phone (it sounds obvious but many people don't even
think about it), and pay in cash in order not to leave any traces.

2 - Second, don't give your real name when you buy a SIM.

3 - DO NOT put any SIM in the phone for now, DO NOT connect to the internet through WIFI, and put
your phone in plane mode. You'll be able to connect after you're done and secure.

4 - Root and install Busybox, flash a custom recovery (I won't cover that part, search the forum and
you'll find all what you need).

5 – Let the fun begin, uninstall as many stock apps as you can!

Don't think that installing a custom ROM like AOSP or CM would be any better than your stock ROM
privacy wise, custom ROMs don't have OEM bloatware but when it comes to privacy, data mining and
outrageous system apps' permissions they are exactly the same than stock ROMs.

Before you start your uninstalling job, download Aroma File manager from here:
http://forum.xda-developers.com/show....php?t=1646108

Put it on your SD.

It will enable you, in case you get a bootloop, to push back from recovery the file (s) you removed that
caused the bootloop, instead of restoring your backup and loosing all the work you did.

TWRP has a built in file manager that does the same, just make sure you have /system and /data
mounted in the settings.

Uninstall gradually.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Start with the google apps and the OEM bloatware, reboot and see how it goes. If everything is ok then
uninstall more stuff, again reboot and see how it goes, and keep on doing it until you feel it's ok.

You'll be wise, everytime you uninstall a bunch of apps, to copy them first on your SD and label it
something like apps1, apps2 etc.

Now read carefully the folowing about safe to remove apps, in order you to know more precisely what
can be done, and you will see that my phone works with only 10 system apps left.

(Tested on Samsung Mega I9200 XXUAMEE

running JB 4.2.2)

I removed more than 150 system apks, and my Mega works like a charm.

You will notice that the google apks are missing, and that the contacts,
video player, music player,
file manager etc. are missing as well, I removed them because I don't like the way they spy on us
and suck our private data. No worries, just keep on reading for some alternative apks...

IMPORTANT

1 - Before deleting any app do a Nandroid back up, and do a back up of your system/app folder
(where all the system apps are) in case you want to reinstall a specific app later.

2 - If you decide to uninstall the filemanager apk, install first an alternative file manager, like let's
say Ghost Commander, because if you
don't then you won't have any app anymore to navigate to
your files after having uninstalled the file manager.

Same story with the launcher, or you will get a bootloop.

3 - After you uninstalled all the apps do a cache and a dalvik cache wipe.

4 - Reboot and enjoy full speed and no lags, and 1% battery decrease every 10-12 hours when in
stand by!!!

5 - Go to the data/data folder and erase the folders from the removed apps, or use SD Maid or
whatever similar app to do it for you (you don't
need to do it if you are on JB 4.2 or later since the
system will take care of it for you when you reboot)..

IMPORTANT 2

Do not mess with system apps if you don't know what you are doing and if
you don't know how to
get back to the beginning in case things go wrong.

I won't take any responsability for any damage caused to your phone. All
what I mention below
has worked for me but once more, do not play with your system unless you know how to recover if
things get out of control.

SAFE TO REMOVE APPS

Rather than giving a list of removed apps I will list here the apps I didn't remove, so that you can
assume that any app that is not on the list is safe to remove. I do so because it's faster to list the

remaining apps than the removed ones...

So, here are the apps I kept (I have to admit that it's a bit extreme, and you are of course not
obliged to keep so few apps, but at least you'll know which ones are safe to remove):

-Default Container Service

-Fused Location

-Hybrid Radio (removable if radio is not your thing)

-Job Manager (the task manager)

-Package Access Helper

-Sec Phone

-Sec Settings

-Sec Settings Provider

-Sec Telephony Provider

-System UI

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

- Note -

If you delete the Media Provider apk you won't be able to change your ringtone and your
notification tone anymore (not a big deal for me but I
don't know for you), and you will be stucked
with the default tones. To
change them manually you'll have to open the res/raw folder in

framework-res.apk and replace the default tones with your own, not a big
deal.

If you delete the camera then some third part cameras won't work, but A Better Camera does.

If you delete the MTP apk your device won't be detected by your computer
anymore, use SG USB
Mass Storage Enabler or something similar (only works on the external SD).

You can delete VPN Dialogs but then you won't have VPN access anymore.

ALTERNATIVE APPS

- Launcher:

Holo Launcher HD (very low RAM consumption and plenty of customisation),
or whatever launcher
you like, but install it before you uninstall your
stock launcher!

- Keyboard:

I use a modded Xperia keyboard but there are many others. Beware of Swift and Touch Pad, they
have many outrageous permissions and are difficult to restrict.

- SMS:

Go SMS, or any SMS app you like, choice is plentiful.

- Bluetooth:

if you use it for speakers or headphones keep it, but if you use it only
to transfer files then
uninstall it and use Fast File Transfer (it works without WIFI connection and it's MUCH faster than
the Bluethooth) and/or any FTP app (like Swiftp for example, but such apps require an active
internet connection) instead.

- Contacts:

before to uninstall it back up your contacts, then install any third part contacts app. As for me, I
made a file with all my contacts in alphabetical order and copied it as a note in Clipnote apk (a
clipboard manager), and when I need to call someone I just have to click on the phone number
within the file and it opens in the dialer.

- Dialer:

since Logs Provider has been uninstalled you probably don't have any more dialer, just install any
third part dialer that you like.

- Video:

MX Player or BS Player + Floating Player (basic floating window video player).

- File manager:

Ghost Commander (dual panel mode, root browser and more), or Total Commander, or FX.

- Music player:

I like Gone Mad Music Player but there are one zillion other options.

- Browser:

Pale Moon for full desktop experience (it's based on Firefox but it has less permissions and no
adds), Atlas when I want to browse without leaving any cookies (I have changed its

data/data/nextapp.atlas/databases' permissions to rx, rx, x (5, 5, 1) and I erased everything
inside the folder, that way no cookies or history are recorded), Naked Browser to access my email.

Chrome? No thanks, the least google stuff I have in my phone the better I feel!!!

- Gallery:

Quick Pic.

- PDF reader:

Mantano.

- Edit documents (doc., docx. etc.):

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Office Suite or Kingsoft Office.

- Alarm:

any free alarm clock app without abusive permissions will do.

- Google Talk:

Lillypad HD.

- Gmail:

access gmail from Naked Browser or from Atlas, it's faster. Still, you'd
better leave gmail and go
for another email, just my two cents...

- Play Store:

F-Droid offers open source apps and you'll find almost all what you need
there. If you can't live
without apps from the pay store download them on your computer using Racoon (found in the
games and apps section).

- Google maps:

Maverick (but there are others), google earth (stand alone app, and not too much on the spy side,
but unlike Maverick you can't keep as many maps as you want for offline viewing). Google has
disabled Maverick's ability to download google maps, but there are some google maps

downloaders available for Windows that can do the trick (then you just have to relabel the tiles
with a batch editor to make them Maverick readable).

- Clipboard:

Clipnote.

- Calculator:

Arity.

- Quick Notes:

Floating Stickies.

- Html Viewer:

replacable by a third part html viewer or by most browsers as they can read html.

- Camera:

A Better camera

- Bonus:

Greenify (try it, it hybernates apps and saves juice, I'll explain about it later).

Done?

Cool, now go to post #3 and see what else can be erased...

- Note 2-

On KK there are more apps that can't be uninstalled, about 30 or something, pretty annoying and
I guess that it doesn't get any better with Lollipop, thanks to google's efforts to strenghten its grip
on Android and on us.

As for me I came back to JB and you have to ask yourself whether you want to compromise your
privacy to get the latest gimmick and the latest
fancy color (that have anyway been made
available on JB with Xposed modules) or whether you want to be safe.

There are small sacrifices to make and I think the game is worth the candle, but it's up to you...

You can read more on that topic in post #3

II – THE TOOLS

Now you need some tools, namely:

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

- Xposed Installer:
http://repo.xposed.info/module/de.ro...osed.installer

- Xprivacy:
http://repo.xposed.info/module/biz.bokhorst.xprivacy

- App Settings:
http://repo.xposed.info/module/de.ro...ds.appsettings

- AF+ Firewall:
https://f-droid.org/repository/brows...anth.ufirewall

- Network Log:
https://f-droid.org/repository/brows...ode.networklog

- Greenify:
http://forum.xda-developers.com/apps/greenify

- Blue Box Security Scanner (apps and vulnerabilities scanner)

- SQ Editor

- Rom Toolbox Lite (free) or Pro (paid)

- Privacy Blocker (paid)

- First

Open Privacy Blocker.

Scan all your third part apks one by one, and see their dirty little secrets. Then mod the ones you don't
like, it's easy, just follow the onscreen instructions.

- Second

Open Rom Toolbox.

Block adds, prevent apps from auto starting and disable any receiver you
don't like, and try some
build.prop and kernel tweaks while you're at it (be careful).

- Third

Open Greenify.

Greenify everything, except the launcher, the System UI, the Package Access Helper (you could greenify
it but it does nothing since that app is ungreenifiable) and the Keyboard. You can greenify Settings and

Settings Storage too, but it will slow down Settings when you lauch it.
DO NOT greenify Xprivacy and AF+ Firewall since you need them to run in the background (don't worry,
those apps have a very low RAM footprint).

Create a “hibernate now” shortcut on your home screen, and don't forget to use it regularly to hibernate
your apps.

Note that you'll need the donate version to greenify system apps, but it
doesn't cost much and it's a nice
way to support the dev.

- Fourth

Install Xposed, Xprivacy and App Settings.

Enable Xprivacy and App Settings in Xposed's menu (under modules), reboot, and make a new backup
cuz from now chances to get in a bootloop will increase and dependingwhat you've done it may not be
Aroma File manager recoverable..

Open App Settings and disable the apps' perms you don't like (be careful
with System UI as it may result
in constant force close).

To give you an idea I have attached some examples of what can be restricted. You will notice that stock
apps (like contacts, phone, CSC, settings etc.) are the most restricted, that's because they have the

most outrageous perms. The apps in the list don't use the name they have
in the play store but the
packages' names (to find them go to data/app and check there).

Done? Now, open App Settings' menu and make a backup of your current settings.

Open Xprivacy and do the same, but first have a read at its documentation here:
https://github.com/M66B/XPrivacy#xprivacy

and at the following tutorial I wrote some months ago (it was for an old version of Xprivacy, but you'll
get the idea) :

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Join Date: Jun 2012

Posts: 375

[TUTO] How To Secure Your Phone

INTRODUCTION

This page is about generic settings that work with more or less any app.

USER APPS

After a new app is installed restrict everything in Xprivacy. Open the app and check if it crashes or not.

If it doesn't it's fine, you're all set.

If it does, go back to Xprivacy and look for which data the app has tried to access by looking for
categories that have a triangle next to them, and subcategories written in bold with numbers on the
right (the first number is today's date, the four digits after the slash mean the last time the app tried to
access that data). Unrestrict the data it has
tried to access and see what happens, it should most likely
bring your app back to life.

BUT!

Some apps try to access data even if they don't really need it to work, which means that restricting it
shouldn't be a problem (it's not because
an app has tried to access this or that data that it needs it to

function, and that's what Xprivacy is about).

Try selectively : restrict one subcategory, launch the app and see what happens. If it crashes or forces
close it means that you shouldn't have restricted that subcategory, so just allow it again and go for the
next one. If once opened the app doesn't crash and seems to have its basic functions working normally
then you can go for more restrictions, but close the app first (not by hitting the back button, you need
to really close/kill it, with a task killer or anything similar).

Back to Xprivacy, restrict one new subcategory's data access, launch the app again, see what happens
and so on...

Usually, and as a rule of thumb, what causes apps to crash is restricting some subcategories in the Shell
section (like "loadLibrary",
"load", and sometimes "exec"), the Storage section (mainly

"getExternalStorage", but it could be "sdcard" as well), and the System (installed apps) section. So look
for the triangles and the subcategories in bold, because if it's ok to restrict a subcategory in let's say
Accounts or Contacts even though you see it in bold, most of the time restricting such a subcategory in
the Shell, Storage, and System sections will make the app force close, or at least prevent it from
working normally.

Don't take my word for it though, in some cases it's possible to restrict even subcategories in bold in
those three sections. But it's on
a case by case basis, thus making it impossible to give a general rule.
The only way to find out is to test by yourself...

Now let's see section by section.

The below settings are the ones I use for my phone and my tab, and you will probably notice that I'm a
bit extreme and that I don't use some very popular apps. You are of course not obliged to be as
restrictive as
I am, but at least you will see what can be restricted and what can't be.

Accounts (Google, Facebook, etc) :

I don't want ANY app to know which accounts are registered on my phone so it's all restricted for all
apps, even for the ones that try to access this data like Firefox (remember the triangle and the

subcategories in bold?). Feel free to add whatever you think is relevant
for people that use Facebook,
Gmail, Google play, Yahoo or whatever similar app, as for me I can't since I don't use those apps.

Browser (bookmarks/history), Calendar, Calling (phone, SMS, MMS), Contacts, Dictionary

(user), Email, Identification (device) :

those sections can be completely restricted (with all their subcategories), except for specific apps that
need to access such data (but once more, always try to restrict first). Since I don't use such apps I can't
tell anything about it, feel free to add some lines if you do.

Internet :

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

an app that needs internet shouldn't have it restricted, for obvious reasons. Most apps that need
internet will work with only "inet" allowed, although some may need "isConnected" to be allowed as
well.

Since version 1.7 more restrictions have been added, and I found out that besides "inet" some browsers
may need "getAllByName", and/or “getbyName”, and/or “getActiveNetworkInfo” allowed.

Location (fine/coarse) :

I don't want ANY app to get my location so by me it's all restricted for
all apps. Feel free to add
whatever settings you have if you use apps that need to know one's location.

Media (audio, photo, video) :

the subcategories are pretty self explanatory, allow or restrict based on your apps. Restrict all for an
app that doesn't need media access, allow "startRecording" and/or "setOutputFile" for a voice recorder,

"takePicture" and/or "android.media.action.Image_Capture" for the camera
etc., easy.

Messages (SMS, MMS) :

pretty self explanatory as well, all restricted for all apps, except SMS app.

On mine only "getAllMessagesFromIcc" and "VoiceMailContentProvider" have
been restricted, I had to
leave the three other ones allowed as my SMS app (Go SMS) crashes otherwise.

Network (addresses) :

all restricted, for all apps, except apps like FTP or Fast File Transfer
(file transfer through WIFI). For
those apps I left "getInetAddresses" and "getInterfaceAdresses" allowed. Some other similar apps may
need "getScanResults" as well.

NFC :

all restricted, for all apps. If you use NFC you will have to find by yourself which one (s) can or can't be
restricted but no biggie, there are only three subcategories.

Phone (ID, numbers, calls) :

all restricted, for all apps.

Shell (commands, superuser) :

root apps may or may not need "sh" and "su" allowed, look if they are in
bold if an app crash. Same
thing for "exec", "load", "loadLibrary" and "start" (root and non root apps alike), look if they are in bold
but bear in mind that in some rare cases you still can restrict those subcategories even if you see them
in bold (as said above).

Try selectively if like me you like to restrict just for the sake of it .

Storage (media, SD card) :

all restricted for all apps, except the ones that need to access data on the sdcard like media player, pdf
reader etc.

Once more look for the subcategories in bold, and once more remember that this bold text doesn't
necessarily mean that the app needs access to that data to be able to work. Generally apps that need
sdcard access will need "getExternalStorageState", and/or "sdcard", and/or “media”, and/or “open”
allowed, but surprinsigly
sometimes they work even with some of those subcategories restricted. The
"media" restriction is to prevent writing on the external sdcard, leaving it read only.

System (installed apps) :

all restricted, for all apps, except apps like Sidebar or Launcher that really need to know which apps are
on the device. Those ones need some subcategories to be allowed and the bold text is sometimes your
friend, but as usual, the fact that it's there doesn't mean that data access for
this subcategory is really
needed.

View (browser) :

restricted, for all apps. If you restrict it you have to know that it won't work anymore when you click on
a link inside an app and want it to
be opened in your favorite browser, and for this reason if you want to
report an issue in Xprivacy you will need to have it unrestricted. You may have to enable
“android.intent.action.View” to open files from your file manager

CAUTION!

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

We are talking about user (installed) apps. For those apps, wrongly restricting something in Shell,
Storage or System is not a big disaster,
since at the most it will force close repetitively but still leave
you enough time between two force closes to get back to Xprivacy.

When it comes to system (stock) apps it's another story, and restricting the wrong one (s) could result
in a bootloop.

SYSTEM APPS

As said above, restricting those apps is potentially dangerous and you need some tools beforehand, in
case something gets out of control. Most people do a Nandroid backup but hey, it takes forever to
restore, and if
your backup is a bit old the latest changes you made in your ROM will be lost.

Use Aroma File Manager instead (look for it in XDA, all credits to its developer amarullz), a very nice
little zip that enables you to copy, paste, delete and change files' permissions from within CWMR.

TWRP can do the same, without Aroma FM.

If you get in a bootloop, all you have to do is to boot into recovery and install Aroma File Manager. Once
done it will open by itself and then you can navigate to the folder where Xprivacy is installed (/data/app
if it's installed as an user app, /system/app if it's installed as a system app) and delete it. Just to be on
the safe side delete as well the Xprivacy .dex in /data/dalvik-cache. I'm not sure whether it's really
needed or not, if you have a definitive answer about
it you are welcome to edit this article.

Now you can reboot. Of course Xprivacy is gone, and so are its settings,
but if you had backed it up
(hopefully you had) using the pro key or Titanium Backup you are good.

I have tested the following settings on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus P6210 and
Galaxy Mega I9200, but I don't see any reason why it shouldn't work on other Samsung ROMs.

My ROMs are skinned to the extreme and to the extent that I only have a few system apps left, which
implies that I only can talk about those apps. My settings are a bit extreme as well, and you may want
to allow more subcategories than I did depending on what you want to do with your
device in terms of
sharing, social networks, location access, contacts and the like, this article has only been meant as a
guideline to show what can be restricted under extreme conditions.

Android System, Settings Storage, Settings, Wlan Test :

Particular care must be taken here, it's the most dangerous package and the most prone to cause
bootloops.

Remember that the following settings work for sure on Samsung Galaxy Grand I9082, Galaxy Tab 7 Plus
P6210 and galaxy Mega I9200, but on other
devices no one knows before one tries. Have your Aroma
File Manager ready, and go for it...

All categories and subcategories are restricted, except :

"getDetailedState", and "isConnected" in Internet (on my devices restricting "getDetailedState" ended
up in a bootloop),

update as for Xprivacy version 3.5, allowed:

“Connectivity.getActiveNetworkInfo”, “Connectivity.getNetworkInfo”, “InetAddress.getByAddress”,

“InetAddress.getByName”, “NetworkInfo.getDetailedState”, “NetworkInfo.getState”,

“NetworkInfo.isConnected”, “NetworkInfo.isConnectedOrConnecting”, “Wifi.getConnectionInfo”,

"getScanResults" in Location (if I restrict it my devices can't see new WIFI networks anymore, but on
other devices it can be restricted without
that annoying side effect. In any case it won't cause a
bootloop so just try),

"getConfiguredNetworks" in Network,

update as for Xprivacy version 3.5, allowed:

“NetworkInfo.getExtraInfo”, “Wifi.get.ConfiguredNetworks”, “Wifi.get.ConfiguredInfo”,
"Wifi.getScanResults",

all the Shell subcategories. It worked with "sh" and "su" restricted but
I decided to allow them again by
fear that it could lead to instability. Android System is one of the core app in your device and AFAIK it
can bypass such restrictions, so there's no point restricting them, plus that doing so could cause
instabilities (but I may be wrong, if anyone knows better please correct me). Regarding "exec", "load",

"loadLibrary" and "start", I didn't even try to restrict them, for the same reasons as above,

all the Storage subcategories. I used to have them restricted and everything was still working, except
that it erased most of my /data/data folders' contents,

"getInstalledApplications", "getInstalledPackages", "getRunningAppProcesses", "queryIntentActivities",

"queryIntentActivitiesOptions" and "queryIntentServices" in System.

You can restrict those subcategories though, but if you do so the Application Manager in your device's
Settings won't show your apps, and your keyboard (s) may not pop up.

If you use a Lock Screen that requires Device Administrator to be enabled you may have to allow
"queryBroadcastReceivers".

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Update as for Xprivacy version 3.5:

Overlay and Sensors categories, I let them all alowed.

Camera :

All categories and subcategories restricted, except :

"loadLibrary" in Shell,

"getExternalStorageState" and "sdcard" in Storage.

Certificate Installer :

All categories and subcategories restricted.

*'''com.sec.android.FlashBarService (Multi Windows Bar) :'''

All categories and subcategories restricted, except :

"queryIntentActivities" in System.

Contacts, Contacts Storage, Logs Provider :

All categories and subcategories restricted, except :

the whole Contacts section,

"loadLibrary" in Shell.

If you want to import/export your contacts list you will have to allow "sdcard" in Storage, but once it's
done you can restrict it again.

Package Access Helper :

All categories and subcategories restricted, except :

"sdcard" in Storage.

Package Installer :

All categories and subcategories restricted, except :

"sdcard" in Storage.

Phone, Dialer Storage, Sim Toolkit, CSC :

All categories and subcategories restricted.

If the Phone app crashes the first time you run it after you restricted everything, just allow the bold
subcategories in the Phone (ID, Numbers,
Calls) section. In my case it was "getSubscriberID" and

"TelephonyProvider", and the app actually crashed when I disabled plane mode for the first time (I had
installed Xprivacy while in plane mode). Once everything was back to normal I restricted again the two
above mentioned subcategories and everything has been fine ever since.

System UI :

All categories and subcategories restricted, except :

"isConnected" in Internet (this one is actually restrictable, but if you
do so the WIFI icon won't show up
anymore when you are connected), Inet.Address.getByAddress,

"getExternalStorageState" in Storage,

"getRecentTasks", "getRunningTasks" and "queryIntentActivities" in System.

Task Manager :

All categories and subcategories restricted, except :

"getRunningAppProcesses" and "getRunningTasks" in System.

Done with Xprivacy? Now, open its menu and backup its settings.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

(To Be Continued)
Attached Files
AppSettings' Restrictions Examples.txt (21.4 KB, 110 views)

Last edited by unclefab; 30th December 2014 at 07:55 PM..

Sponsored Links

2nd December 2014, 05:20 PM
 
#2  

unclefab

[OP] Join Date: Jun 2012
 
Posts: 375
Senior Member

(Continued From Last Post)

- Fifth

Open Blue Box Security scanner and let it scan for vulerabilities.

Most likely it will find some, patch them with Master Key and Fake ID Fix:
http://repo.xposed.info/module/tungs...sterkeydualfix
http://repo.xposed.info/module/tungs...osed.fakeidfix

- Sixth

Get init.d support (search the forum or use Universal Init.d apk).

Make a script to erase and/or disable some folders that are otherwise recreated each time the phone boots.

I give you the following as an example that works on Samsung 4.2.2 but you may have to edit it depending
which phone you have and which ROM version you are on:

#!/system/bin/sh

rm -r /data/anr/*

rm -r /data/backup/*

rm -r /data/clipboard/*

rm -r /data/local/tmp/*

rm -r /data/log/*

rm -r /data/system/container/*

rm -r /data/system/dropbox/*

rm -r /data/system/netstats/*

rm -r /data/system/registered_services/*

rm -r /data/system/shared_prefs/*

rm -r /data/system/usagestats/*

rm -r /data/system/throttle/*

rm -r /data/system/users/*

rm -r /data/tombstones/*

if [ -e dev/log ] ; then rm -r dev/log ; fi

busybox chmod 000 /data/anr/

busybox chmod 000 /data/backup/

busybox chmod 000 /data/log/

busybox chmod 000 /data/system/dropbox/

busybox chmod 000 /data/system/registered_services/

busybox chmod 000 /data/system/throttle/

busybox chmod 000 /data/system/usagestats/

busybox chmod 000 /data/tombstones/

If you decide to use this script paste it in a good editor like Note Pad
Plus. Then edit it if needed and don't forget
to set the EOL conversion
(found in the edit menu on the toolbar) to Unix/OSX format.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Or maybe you want to do it directly from your Android?

Try 920 Text Editor app, it does the job fine (when you save a file set "Convert Line Break" to Unix/Android) :
http://920-text-editor.en.uptodown.com/android

Here's another init.d script, done with Pimp My Rom app (credits @Androguide.fr), to protect your phone from
various MIM (Man In The Middle) attacks :

#!/system/bin/sh

### Pimp my Rom : Block Redirects

busybox sysctl -e -w net.ipv4.conf.all.accept_redirects=0; ###ICMP broadcast

busybox sysctl -e -w net.ipv4.conf.default.accept_redirects=0;

busybox sysctl -e -w net.ipv4.conf.all.secure_redirects=0;

busybox sysctl -e -w net.ipv4.conf.default.secure_redirects=0;

### Pimp my Rom : Block Source-Routing

busybox sysctl -e -w net.ipv4.conf.default.accept_source_route=0; ### ICMP redirects

busybox sysctl -e -w net.ipv4.conf.all.accept_source_route=0;

### Pimp my Rom : IPv4 Tweaks

busybox sysctl -e -w net.ipv4.tcp_timestamps=0;

busybox sysctl -e -w net.ipv4.tcp_sack=1;

busybox sysctl -e -w net.ipv4.tcp_fack=1;

busybox sysctl -e -w net.ipv4.tcp_congestion_control=cubic;

busybox sysctl -e -w net.ipv4.tcp_window_scaling=1;

### Pimp my Rom : Avoid Time-Wait

busybox sysctl -e -w net.ipv4.tcp_tw_recycle=1;

busybox sysctl -e -w net.ipv4.tcp_tw_reuse=1;

### Pimp my Rom : Protection against SYN Attacks

busybox sysctl -e -w net.ipv4.tcp_syncookies=1;

busybox sysctl -e -w net.ipv4.conf.all.rp_filter=1; ###Forwarding traffic

busybox sysctl -e -w net.ipv4.conf.default.rp_filter=1;

busybox sysctl -e -w net.ipv4.tcp_synack_retries=2;

busybox sysctl -e -w net.ipv4.tcp_syn_retries=2;

busybox sysctl -e -w net.ipv4.tcp_max_tw_buckets=16384;

busybox sysctl -e -w net.ipv4.icmp_echo_ignore_all=1;

###Turn on protection for bad icmp error messages

busybox sysctl -e -w net.ipv4.icmp_ignore_bogus_error_responses=1;

busybox sysctl -e -w net.ipv4.tcp_max_syn_backlog=1024;

busybox sysctl -e -w net.ipv4.tcp_no_metrics_save=1;

busybox sysctl -e -w net.ipv4.tcp_fin_timeout=15;

busybox sysctl -e -w net.ipv4.tcp_keepalive_intvl=30;

busybox sysctl -e -w net.ipv4.tcp_keepalive_probes=5;

busybox sysctl -e -w net.ipv4.tcp_keepalive_time=1800;

busybox sysctl -e -w net.ipv4.ip_forward=0;

One more (credits @bazz77 – http://forum.xda-developers.com/show...7#post40767777 , do visit the thread as
you will find infos about how to harden your system) :

###Avoid a smurf attack

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1;

###ICMP redirects ipv4

busybox sysctl -e -w net.ipv6.conf.all.accept_redirects=0;

###ICMP redirects ipv6

busybox sysctl -e -w net.ipv4.conf.all.send_redirects=0;

### ICMP redirects

busybox sysctl -e -w net.ipv4.conf.all.forwarding=0;

###Forwarding traffic

busybox sysctl -e -w net.ipv4.conf.all.log_martians=1;

###filter martians

busybox sysctl -e -w net.ipv4.tcp_max_syn_backlog=1280;

###TCP syn half-opened

sysctl -w net.ipv4.ip_forward=0;

###Tune IPv6 and disable lol

busybox sysctl -e -w net.ipv6.conf.default.router_solicitations=0;

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

busybox sysctl -e -w net.ipv6.conf.default.accept_ra_rtr_pref=0;

busybox sysctl -e -w net.ipv6.conf.default.accept_ra_pinfo=0;

busybox sysctl -e -w net.ipv6.conf.default.accept_ra_defrtr=0;

busybox sysctl -e -w net.ipv6.conf.default.autoconf=0;

busybox sysctl -e -w net.ipv6.conf.default.dad_transmits=0;

busybox sysctl -e -w net.ipv6.conf.default.max_addresses=1;

busybox sysctl -e -w net.ipv6.conf.all.disable_ipv6=1;

busybox sysctl -e -w net.ipv6.conf.default.disable_ipv6=1;

busybox sysctl -e -w net.ipv6.conf.lo.disable_ipv6=1;

### Don't act as a router

busybox sysctl -e -w net.ipv4.conf.all.send_redirects=0;

busybox sysctl -e -w net.ipv4.conf.default.send_redirects=0;

- Seventh

Open AF+ and set it for WIFI, data, VPN and roaming.

I think using white list option (allow selected) is better than black list since newly installed apps are blocked by
default.

Restrict all apps, including system apps, that don't need to have internet access, and restrict Linux kernel, Linux
shell, Internet time servers, DHCP+DNS services, GPS and Media server.

Enable IPV6 support.

Now, make a script to block inbound and outbound unwanted connections and put it in data/local or in
data/data/dev.ukanth.ufirewall/app_bin.

Here's an example of such script :

# Necessary at the beginning of each script!

IP6TABLES=/system/bin/ip6tables

IPTABLES=/system/bin/iptables

## Force DNS (in this Case [OpenDNS](http://www.opendns.com/))

$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true

$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true

# Deny IPv6 only connections

$IP6TABLES -P INPUT DROP

$IP6TABLES -P OUTPUT DROP

#

# Google

$IPTABLES -A "afwall" --destination "8.8.8.8/32" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "8.8.4.4/32" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "64.233.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "66.102.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "66.249.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "72.14.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "74.125.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "173.194.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "209.85.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "216.239.0.0/16" -j "afwall-reject" || exit

#

# Others

$IPTABLES -A "afwall" --destination "23.4.92.33/32" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "23.32.0.0/11" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "23.64.0.0/14" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "23.253.56.120/32" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "64.207.128.0/18" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "68.232.32.0/20" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "91.103.140.0/24" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "104.16.0.0/12" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "104.64.0.0/10" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "116.214.0.0/16" -j "afwall-reject" || exit

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

$IPTABLES -A "afwall" --destination "118.214.0.0/16" -j "afwall-reject" || exit

$IPTABLES -A "afwall" --destination "198.232.125.88/32" -j "afwall-reject" || exit

#

# Turla

$IPTABLES -A "afwall" --destination "80.248.65.183/32" -j "afwall-reject" || exit

#

# Google

$IPTABLES -I INPUT -s 8.8.8.8/32 -j DROP || exit

$IPTABLES -I INPUT -s 8.8.4.4/32 -j DROP || exit

$IPTABLES -I INPUT -s 64.233.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 66.102.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 66.249.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 72.14.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 74.125.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 173.194.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 209.85.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 216.239.0.0/16 -j DROP || exit

#

# Others

$IPTABLES -I INPUT -s 23.4.92.33/32 -j DROP || exit

$IPTABLES -I INPUT -s 23.32.0.0/11 -j DROP || exit

$IPTABLES -I INPUT -s 23.64.0.0/14 -j DROP || exit

$IPTABLES -I INPUT -s 23.253.56.120/32 -j DROP || exit

$IPTABLES -I INPUT -s 64.207.128.0/18 -j DROP || exit

$IPTABLES -I INPUT -s 68.232.32.0/20 -j DROP || exit

$IPTABLES -I INPUT -s 91.103.140.0/24 -j DROP || exit

$IPTABLES -I INPUT -s 104.16.0.0/12 -j DROP || exit

$IPTABLES -I INPUT -s 104.64.0.0/10 -j DROP || exit

$IPTABLES -I INPUT -s 116.214.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 118.214.0.0/16 -j DROP || exit

$IPTABLES -I INPUT -s 198.232.125.88/32 -j DROP || exit

#

# Turla

$IPTABLES -I INPUT -s 80.248.65.183/32 -j DROP || exit

If you decide to use this script paste it in a good editor like Note Pad
Plus. Then add you own values and don't
forget to set the EOL conversion (found in the edit menu on the toolbar) to Unix/OSX format.

If you want to do it directly from your device look back at part six, I've put a link to a Text Editor app.

Bear in mind that by using it you will prevent google from accessing your phone, so google related web sites
(youtube, blogspot, google search, play store etc.) won't work anymore.

Now it's up to you, if you want google access you'll have to erase the lines under #google (both inbound and
outbound).

If you want to check where an IP adress belongs go to :
http://whois.domaintools.com/ (I like this one the most cuz it shows you the IP range to block)
http://www.hcidata.info/host2ip.htm

Want more?

Check here (credits @ukanth and @CHEF-KOCH ) :
https://github.com/ukanth/afwall/wiki/CustomScripts

.

While you're at it change the DNS in the system/etc/resolv.config file to Open DNS or whatever you wish (if you
don't use Open DNS then edit the beginning of this script accordingly), and do the same for

system/etc/dhcpd/dhcpd-hooks/20-dns.conf.

Note to Kit Kat users, credits @Primokorn :

On Nexus 5 - Kitkat 4.4.4 - I do not have the first file (resolv.config). At the end, I downloaded an app called
DNS forwarder by
Evan He (read the description for more details especially the information for KitKat users).

OpenDNS has been successfully tested through this URL: https://store.opendns.com/settings/

To check whether you are using Open DNS or not you'll have to enable cookies.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

If you still see unwanted connections despite the Firewall check posts #71 and #72, big thanks to @optimumpro
for the tip!

To stop the DNS resolve of, and HTTP request to clients3.google.com on every connection to any Wifi Access
Point open your android terminal and
type :

su -c "settings put global captive_portal_server 127.0.0.1"

su -c "settings put global captive_portal_detection_enabled 0"

To stop the resolve/request for 2.android.pool.ntp.org on every boot (even with network time disabled) type :

su -c "settings put global ntp_server 127.0.0.1"

(credits https://blog.torproject.org/)

- Eighth

Install a good host file in system/etc, it will block adds and unwanted web sites.

Check this link about MoaAB (Mother of All Ad Blocking), credits to @BSDgeek_Jake :
http://forum.xda-developers.com/show....php?t=1916098

You can add the following web adresses to whatever host file you decide to use, I have hand picked them one
by one (but as above, don't forget to set the EOL conversion to Unix/OSX format):

127.0.0.1 localhost

::1 localhost

127.0.0.1 apis.google.com

127.0.0.1 ajax.googleapis.com

127.0.0.1 [url]www.googletagservices.com

127.0.0.1 fonts.googleapis.com

127.0.0.1 google-public-dns-a.google.com

127.0.0.1 clients3.google.com

127.0.0.1 mystatus.skype.com

127.0.0.1 cdn.api.twitter.com

127.0.0.1 platform.twitter.com

127.0.0.1 ajax.aspnetcdn.com

127.0.0.1 gdata.youtube.com

127.0.0.1 swappa.s3.amazonaws.com

127.0.0.1 google.com

127.0.0.1 [url]www.google.com

127.0.0.1 facebook.com

127.0.0.1 [url]www.facebook.com

127.0.0.1 m.facebook.com

127.0.0.1 twitter.com

127.0.0.1 www.twitter.com

127.0.0.1 m.twitter.com

127.0.0.1 mobile.twitter.com

127.0.0.1 cdn.themerapp.com

127.0.0.1 akamai.com

127.0.0.1 a23-9-194-110.deploy.static.akamaitechnologies.com

127.0.0.1 https://channel-proxy-shv-13-prn1.facebook.com

127.0.0.1 https://channel-proxy-shv-06-ash2.facebook.com

127.0.0.1 https://edge-star-shv-01-sin1.facebook.com

127.0.0.1 https://edge-star-shv-02-sin1.facebook.com

127.0.0.1 https://edge-star-shv-03-sin1.facebook.com

127.0.0.1 https://edge-star-shv-04-sin1.facebook.com

127.0.0.1 https://edge-star-shv-05-sin1.facebook.com

127.0.0.1 https://edge-star-shv-06-sin1.facebook.com

127.0.0.1 https://edge-star-shv-07-sin1.facebook.com

127.0.0.1 https://edge-star-shv-07-sin1.facebook.com

127.0.0.1 https://edge-star-shv-08-sin1.facebook.com

127.0.0.1 https://edge-star-shv-09-sin1.facebook.com

127.0.0.1 [url]http://channel-proxy-shv-13-prn1.facebook.com

127.0.0.1 [url]http://channel-proxy-shv-06-ash2.facebook.com

127.0.0.1 [url]http://edge-star-shv-01-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-02-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-03-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-04-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-05-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-06-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-07-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-08-sin1.facebook.com

127.0.0.1 [url]http://edge-star-shv-09-sin1.facebook.com

127.0.0.1 [url]https://a23-51-0-107.deploy.static.akamaitechnologies.com

127.0.0.1 http://a23-51-0-107.deploy.static.ak...chnologies.com

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

127.0.0.1 a23-51-0-107.deploy.static.akamaitechnologies.com

127.0.0.1 pa-in-f109.1e100.net

127.0.0.1 pd-in-f109.1e100.net

127.0.0.1 sin04s02-in-f30.1e100.net

127.0.0.1 sin04s01-in-f30.1e100.net

127.0.0.1 sin01s14-in-f30.1e100.net

127.0.0.1 sin01s14-in-f1.1e100.net

127.0.0.1 sa-in-f95.1e100.net

127.0.0.1 2.android.pool.ntp.org

127.0.0.1 174.37.231.83-static.reverse.softlayer.com

127.0.0.1 208.43.122.142-static.reverse.softlayer.com

127.0.0.1 50.22.240.168-static.reverse.softlayer.com

127.0.0.1 108.168.180.116-static.reverse.softlayer.com

127.0.0.1 mqtt-shv-10-frc1.facebook.com

127.0.0.1 mqtt-shv-13-prn1.facebook.com

127.0.0.1 mqtt-shv-08-prn2.facebook.com

127.0.0.1 mqtt-shv-06-frc1.facebook.com

127.0.0.1 mqtt-shv-06-ash2.facebook.com

127.0.0.1 mqtt-shv-04-ash3.facebook.com

127.0.0.1 74-82-89-154.rdns.blackberry.net

127.0.0.1 74-82-91-166.rdns.blackberry.net

127.0.0.1 74-82-93-25.rdns.blackberry.net

127.0.0.1 74-82-93-39.rdns.blackberry.net

127.0.0.1 ec2-54-227-243-121.compute-1.amazonaws.com

127.0.0.1 ec2-54-235-74-151.compute-1.amazonaws.com

127.0.0.1 r-199-59-150-46.twttr.com

127.0.0.1 en.mywebzines.com

127.0.0.1 pnsen.dolphin-browser.com

127.0.0.1 tracken.dolphin-browser.com

127.0.0.1 jekyll.ispgateway.de

127.0.0.1 amazonaws.com

127.0.0.1 ads.yahoo.com

127.0.0.1 geo.query.yahoo.com

127.0.0.1 ucs.query.yahoo.com

If you restrict all those adresses you won't be able to connect to facebook, twitter and any google service
(including youtube, blogspot, google search, play store) anymore, so filter first and remove the web sites you
want to be able to access.

- Ninth

Open Network Log and connect to the internet.

Check all your connections (long press on an IP to know which web site it refers to, or check with the web sites
I mentionned in part 7), some are legit, some are not.

Block the unwanted stuff using either the host file, or the firewall script, or both.

There's an apk called Blockit! that can help you find host names for some stubborn web sites that can't be
blocked using their IP, and whose host name can't be found otherwise (like apis.google.com,

ajax.googleapis.com, www.googletagservices.com, fonts.googleapis.com, google-public-dns-a.google.com, just
to name a few that I found thanks to BlockIt!).

About one year ago I found out that my kernel was connecting to some google related IPs and to google's DNS
(eventhough I had set the phone to use Open DNS in the resolv.conf file, eventhough I had removed over 150
system apps and eventhough I was already using AF+Firewall, App Settings and Xprivacy), and that my
android system was calling home (read "at google's central office in Mountain View, California") everytime I
connected (note that my phone had never been linked to any google account whatsoever).

From that day that I started to gather informations about host files and firewall scripts...

- Tenth

Open SQ Editor, and have a look at your apps' databases.

If you find anythig you dislike, erase it (it's located in data/data/yourappname/databases).

Some files, like google analytics or gaClientid, reappear once the app is reopened again, in this case you have
to set their perms to 000 and fully erase their content (like this the files are still there and don't
get recreated,
but they are inactive).

You may have to suppress the write permissions on the folder that contains those files (use you file manager),
ie something like rx, rx, x
(5, 5, 1).

Some other potentially unwanted files could be in data/data/yourappname/files or in
data/data/yourappname/shared_prefs, if
that's the case do as above.

III - ADVANCED
http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

- I'll deliberately stay vague on those matters, only people that know what they are doing should
mess with that kind of stuff. -

1- Decompile some of your system apps and some of your jars, and track lines refering to specific websites
and DNS.

For a starter have a look at SecSystem.apk, framework.jar and framework2.jar...

2 - Xprivacy is a fantastic tool, but due to android limitations it can't restrict ids for the android system.

Have tou ever heard of android.id, build.serial, ro.boot.serialno, ro.serialno etc.?

And what about the serial_no and the mac in the efs folder? And the cpu info in proc? And the serial_number
in sys?

Those are ids specific to your device and of course they identify you, that's what they are meant for!

An example, have a look at the wpa_supplicant.conf localised in data/misc/wifi. You'll see that it has your
serial_number which means, and experts please correct me if I am wrong, that everytime you connect
on the
WIFI your serial_number gets sent.

You want to change it manually?

Yeah sure, edit it directly from the file. Now start you wifi and check again the serial_number, you are back to
the original value.

I'm not sure whether, if your firewall script is well done and if Xprivacy has been well configured (read "VERY
restrictively configured"), those ids leaks or not, but since I like to have more than
one protection layer I've
edited all of them.

Some ids are easily changed using the setprop command (with an android terminal) or the setpropex
command (I've attached it at the end of this post, unzip it and depending your configuration put it in
system/bin or system/xbin, and chmod it rwx, rx, rx or 7, 5, 5. Credits @goroh_kun -- http://forum.xda-
developers.com/show....php?t=1201657 ). Then make an init.d script like:

#!/system/bin/sh

/system/xbin/setpropex ro.boot.serialno 1

/system/xbin/setpropex ro.serialno 1

echo 1 > /sys/devices/virtual/android_usb/android0/iSerial

echo 1 > /sys/devices/cpaccess/cpaccess0/cp_rw

echo 00000001 > /sys/devices/platform/wcnss_wlan.0/serial_number

(the last one will take care of the WIFI's serial_number I spoke about few lines above),

some will require editing in the efs folder (potentially dangerous, so back it up first!), and some will require
boot.img tweaks, but I won't explain any further since as written above only people knowing what they
do
should play with that stuff.

IV – BASEBAND
ISOLATION

That's an important subject and here's an interesting link to start with :
https://blog.torproject.org/blog/mis...ty-and-privacy

You can uninstall STK.apk, LogsProvider.apk, CSC.apk, SecContacts.apk, SecContactsProvider.apk,
SecPhone.apk and SecTelephonyProvider.apk altogether, problem solved, your phone isn't a phone anymore
(obviously)
but a WIFI only device.

Or, you can buy a WIFI only device and save some money compared to a GSM device.

As for me I solved the matter by uninstalling STK.apk, LogsProvider.apk,
CSC.apk, SecContacts.apk and
SecContactsProvider.apk, and by chmoding SecPhone.apk's and SecTelephonyProvider.apk's permissions to
000 in order to completely disables them (which is not the case when one freeze
them, or when one uses the
pm command, the apps are ineffective in the way that the user can't use them but they are on nevertheless).
Then, I made a chmod 644/000 script to enable/disable them, done!

Of course it's not very practical, and if one only uses one's phone to call one's mum or one's
girlfriend/boyfriend there's no need to turn to such extreme safety measures.

But if one lives in a rogue country (including, but not limited to, the states, India, Indonesia, China, Russia,
Thailand, Cambodia, Myanmar, Bangladesh, the Stans) and if one could be put in danger because of one's
phone then it's something that one has to consider.

Otherwise, if you don't want anyone to know that you are using that phone then use a public phone, because
whatever we do our provider allways knows who we are calling, for how long etc., everytime we use the phone
functions, and AFAIK there's no way to prevent that. Except maybe by using those apps that encrypt
communications but I can't comment on that since I don't use my phone to call or to text.

Well, the thing is that if security really matters you shouldn't have a GSM device but a WIFi only device, or a
GSM device where STK.apk, LogsProvider.apk, CSC.apk, SecContacts.apk, SecContactsProvider.apk,

SecPhone.apk and SecTelephonyProvider.apk have been uninstalled, the above link leading to Tor project's
blog explains well why.

One more thing, have you ever heard about IMSI catcher AKA fake cell towers? Here's a very interesting

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

project that deals with it :

http://forum.xda-developers.com/show....php?t=1422969

Oh yeah, you may like that one too :
http://www.wired.com/2014/10/verizons-perma-cookie/

ANDROID 5.0 (Lollipop)

Xposed is not yet compatible with ART, so no Xprivacy and no App Settings.

App Settings can be replaced by Permissions Denied Pro (paid), but make sure it's Lollipop compatible :
https://play.google.com/store/apps/d...s.donate&hl=en

Sorry for the play store link but that's the only non warez site I found
about that app. If you want to purchase
it you don't need to go through
the play store though, just contact its dev and pay him with Pay Pal :
[email protected]

It's a powerfull app so before to start using it read its FAQ (when in the app swipe to the right until you get to
it) and remember that you have to unlock permissions before you flash a new OS. Otherwise you may have a
powerful bootloop, it happened to me once and believe me it wasn't funny.

You can use the settings examples I put for App Settings (in the second chapter part 4) since Permissions
Denied works more or less the same way.

It's a bit more tricky, if doable at all, to replace Xprivacy. Have a look at Donkey Guard, its dev said that he
will make it Cydia substrate compatible but I'm not sure he managed :
http://forum.xda-developers.com/xpos...ement-t2831556

Alternatively, see if Pdroid is Lollipop compatible but AFAIK it isn't.

As for me I'll stay away from Lollipop, at least for now...

A FEW WORDS ABOUT COMMON SENSE

Stick to older Android versions, like 4.1 or 4.2.

From 4.2 google has strengthned its grip on Android, and added some very unpleasant stuff.

In 4.2 it added FusedLocation.apk, to know better where you are, basically a spying app eventhough google
calls it an “enhancement”.

That apk can neither be uninstalled nor be frozen (or well, it actually can but then the phone doesn't boot), but
fortunately its receivers can be desactivated with Rom Toolbox and it can be greenified.

In Kit Kat it got worse, you will understand by yourself when you start uninstalling system apps and/or when
you have a look at what's inside the system folder.

As I already said in the first chapter, you have to ask yourself whether
you want to compromise your privacy
to get the latest gimmick and the latest fancy color (that have anyway been made available on JB with Xposed
modules) or whether you want to be safe.

Forget about Kit Kat, I think the game is worth the candle but it's up to you...

Do not trust too much encryption and do not store sensitive data in your
phone. If you have sensitive data
keep it on an usb stick, or a hard disk, the idea is to have it on a support that is not web connected.

Do not link your phone with any account, and don't use apps like facebook, twitter etc... Access those web
sites from your browser , and greenify your browser once done.

Use Tor to secure your IP, your operator will know that you use Tor but it won't know anything else.

Depending what you do, where you live or travel and who you are you may consider to have two phones, a
secured one for your sensitive activities, and an insecure one to call mum.

Do not update your apps blindly, not all updates bring improvements. Sometimes they add more permissions
and/or adds, sometimes the app got sold to a company and policies have changed, you see what I mean. So

before you update make a backup of the current app's version, in case you want to get back to it later.

CREDITS AND THANKS

@rovo89 for Xposed, respect!

@M66B for the Xprivacy, respect!

@Tungstwenty for App Settings, Master Key Dual Fix, Fake ID Fix, respect!

@Chainfire for Super Su, respect!

@ukanth for AF+Firewall, respect!

@oasisfeng for Greenify, respect!

@THE Tor Project Team, respect!

@f-droid, respect!

@all the XDA people writing tutorials and sharing their knowledge, respect!

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Did I forget anyone? If that's the case be insured that it was absolutely unintentionnal, send me a PM and I'll
fix it

Last but not least, all those devs and groups have spent days, if not
weeks or even months, coding,
writing, tweaking, modding, in a word working, for us to enjoy better security on our devices.

They did it for free, in a materialistic, greedy and selfish world where
gratuitousness and altruism
are an oddity, so the least we can do is to
support them.

Please consider sending them a donation, or buying the pro version/license of their app (s), we are
talking about a few dollars which is not much compared to what they have given, are giving, and
will
give to us.

Remember that we are nothing, or let's say not much, without them!!!

Thanks in advance for them...

LINKS
http://repo.xposed.info/module/de.ro...osed.installer]
https://github.com/M66B/XPrivacy#xprivacy
https://f-droid.org/repository/browse/
https://github.com/ukanth/afwall
http://forum.xda-developers.com/apps/greenify
https://www.torproject.org/
https://blog.torproject.org/
https://guardianproject.info/
https://prism-break.org/en/

CONCLUSION

That's all what I can remember for now and that's it, my phone works fine...

An additional plus is that while in standby battery decrease is only 1% every 10-12 hours, it doesn't hurt

If all of the above has been done I don't think that anyone can get much
data out of your phone, but I'm no
security expert and I'd like to hear
what the big guys on this forum have to say on that matter....

Feel free to add any settings, tips and tricks you have, thanks in advance

Attached Files
setpropex.zip (13.7 KB, 56 views)

Last edited by unclefab; 23rd January 2015 at 04:48 PM..
Reason: [TUTO] How To Secure Your Phone (Continued)

2nd December 2014, 05:41 PM
 
#3  

unclefab

[OP] Join Date: Jun 2012
 
Posts: 375
Senior Member

Posts can't be more than 30000 words long, and since both post #1 and post #2 have reached that limit I have
to put the last updates to OP here.

Sorry for the mess .

(Continued from the end of 'Safe To remove

Apps" in Chapter I)

Before to proceed copy your system/etc/permissions, system/framework and
system/lib somewhere safe,
make sure you have aroma file manager ready at hand, and that you have a backup of your system.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

Safe to remove jars in system/framework :

access.control.jar

allshare.jar

allshareJmDNS.jar

android.test.runner.jar

bmgr.jar (backup manager)

browsermanagement.jar

bu.jar

cneapiclient.jar

com.android.future.usb.accessory.jar

com.android.location.provider.jar (if you remove this jar then FusedLocation.apk will force close when the
phone boots, greenify once the apk and click on the "hibernate all" widget everytime after booting to get
rid of the annoyance)

com.android.nfc_extras.jar

com.broadcom.bt.jar

com.broadcom.nfc.jar

com.dropboxpartner.jar

com.google.android.maps.jar

com.google.android.media.effects.jar

com.google.widevine.software.drm.jar

com.quicinc.jar

com.samsung.android.sdk.bt.jar

com.samsung.device.jar

content.jar

CustFeature.jar

GlobalConfig.jar

ime.jar (stock keyboard)

javax.obex.jar

kies_feature.jar

libvtmanagerjar.jar

mmappframeworklib.lib.jar

mms-common.jar

monkey.jar

org.codeaurora.Performance.jar

org.simalliance.openmobileapi.jar

qcmmediaplayer.jar

requestsync.jar

sc.jar

scrollpause.jar

sec_feature.jar

sec_platform_library.jar

seccamera.jar

sechardware.jar

secmediarecorder.jar

secosp.jar

services-ext.jar

settings.jar

smartfaceservice.jar

smartfaceserviceapi.jar

smatlib.jar

stayrotation.jar

svc.jar

svi.jar

sws.jar

uiautomator.jar

videowall.jar

After you're done don't forget to wipe the dalvik-cache.

Bear in mind that it works for me cuz I removed nearly all the stock apps, but depending on your phone
configuration you may have to keep more jars.

For example, the stock keyboard would probably not work anymore if ime.jar is gone, same story with the

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

stock camera if seccamera.jar has been deleted.

The same applies to other apps and functionalities, but the good news is that most jars are self
explanatory.

Safe to remove xmls in system/etc/permissions :

access.control.xml

allshare_library.xml

allshareJmDNS_library.xml

android.hardware.nfc.xml

android.hardware.wifi.direct.xml

android.software.live_wallpaper.xml

android.software.sip.voip.xml

com.android.location.provider.xml (warning, to remove this xml you'll need to mod FusedLocation.apk in
order to force it not to need the xml anymore)

com.android.nfc_extras.xml

com.broadcom.nfc.xml

com.google.android.media.effects.xml

com.google.widevine.software.drm.xml

com.samsung.android.sdk.bt.xml

com.samsung.device.xml

com.sec.feature.hovering_ui (accelorometer sensor)

com.sec.feature.irda_service.xml

com.sec.feature.yosemite.xml (accelorometer sensor)

kies_feature_library.xml

mmappframeworklib_library.xml

org.simalliance.openmobileapi.xml

sec_feature.xml (may break the stock FM radio, dunno about third part radios like Spirit)

sec_mdm.xml

seccamera.xml

secmediarecorder.xml (may break the stock FM radio, dunno about third part radios like Spirit)

smartfaceservice.xml

smat_library.xml

svi_library.xml

sws.xml

usb_print2.xml

videowall_library.xml

vtmanager_library.xml

Bear in mind that it works for me cuz I removed nearly all the stock apps, but depending on your phone
configuration you may have to keep more xml.

For example, the nfc would probably not work anymore if one of the xmls that have "nfc" in the title is
gone, same story for stock camera if seccamera.xml has been deleted (but some third part cameras will
still work).

The same applies to other functions, but fear not since most xmls are self explanatory.

Safe to remove files in system/lib :

the whole drm folder

all files that have "google" in it

More files can be removed (about 60 that I tested up to now), but risks to break this or that functionality
increase, and since I don't think that many people use such a barebone phone like me I'll pass for now.

If you want to know which libs just tell me and I'll add them.

Miscellaneous :

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

- The system/etc/cmds folder.

- The system/etc/secure_storage folder.

- The system/etc/videotelephony folder.

- The system/tts folder (unless you use text to speech features).

- The system/usr/srec/en_US folder (unless you use google now's english offline typing features).

- The system/voicebargeindata folder.

- The system/wakeupdata folder

Special cases
Am.jar (Activity Manager)

It can be removed, and then something interesting happens:

newly installed root apps can't get super user rights, but root apps that had previously been installed and
are in the super su list work as usual.

I'm not 100 % sure, but that could prevent privilege escalation by malicious apps or processes.

Still, be careful and test it only with root apps that you know for sure are safe.

Actually this am.jar works as an activity manager that can be used remotely to start an activity or an app,
force stop apps, kill processes, debug, broadcast an intent and more, through adb or directly from within
your phone by using a terminal app.

To get an idea about what it can do type in your terminal:

su

am

and see by yourself.

If you are not into playing with such activities and if you don't use adb you won't feel any difference once
you disabled am.jar, not to mention that preventing adb operations is one more step towards better

security.

There's another am file in system/bin and it works as a trigger to activate am.jar, so disabling/chmoding
000 that system/bin/am prevents am.jar from starting/working without the need to remove am.jar.

Still, I rather take care of both, just to be on the safe side.

I made two scripts.

One to erase/disable the am functionalities (but before to proceed, copy system/framework/am.jar
somewhere safe):

#!/system/bin/sh

mount -o remount,rw /system

rm /system/framework/am.jar

chmod 000 /system/bin/am

rm /data/dalvik-cache/system@[email protected]@classes.dex

One to restore/enable am (make a folder called scripts in your sd, and put am.jar inside):

#!/system/bin/sh

mount -o remount,rw /system

cp /sdcard/scripts/am.jar /system/framework

chmod 0644 /system/framework/am.jar

chmod 0755 /system/bin/am

Pm.jar (Package Manager)

Pm.jar can be removed too, and just like am.jar it has a triggering file
located in system/bin. Disabling
them will disable the package manager.

This package manager enables apps to be installed/uninstalled, apps' data to be cleared, apps'
components to be enabled /disabled, apps' permissions to be granted/revoked and more, through adb or
with an Android terminal app.

To know what it can do type :

su

pm

and see by yourself if you think it's worth keeping it or not.

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

If you don't use adb you won't feel any difference after you disabled pm.jar (you will still be able to install,
uninstall and clear data manually) not to mention that preventing adb operations and specially remote
installation/uninstallation of apps is pretty important security wise.

Still, you have to bear in mind that apps like Titanium backup, Rom Toolbox or App Settings use pm to
freeze apps or disable apps' components and permissions, and for example when pm is desactivated it

prevents me from disabling apps receivers/components (like start on boot, factory reset, etc.) with Rom
Toolbox.

Not a big deal cuz pm can easily be enabled and disabled, but I report the issue nevertheless in case it
happens to somebody else....

In theory, removing pm could enable one to install unsigned apps, which can be useful in some situations
(particularly when one needs to edit the android manifest on system apps).

Remember that doing so is dangerous, since any dodggy app could be installed, so be cautious and test it
only with system apps and/or apps that you trust.

As said above there's another pm file in system/bin and it works as a trigger to activate pm.jar, so
disabling/chmoding 000 that system/bin/pm
prevents pm.jar from starting/working without the need to
remove pm.jar.

Still, I rather take care of both, just to be on the safe side.

Now, two scripts.

One to erase/disable pm (but before to proceed, copy system/framework/pm.jar somewhere safe):

#!/system/bin/sh

mount -o remount,rw /system

rm /system/framework/pm.jar

chmod 000 /system/bin/pm

rm /data/dalvik-cache/system@[email protected]@classes.dex

One to restore/enable pm (make a folder called scripts in your sd, and put pm.jar inside):

#!/system/bin/sh

busybox mount -o remount,rw /system

cp /sdcard/scripts/pm.jar /system/framework

chmod 0644 /system/framework/pm.jar

chmod 0755 /system/bin/pm

Disabling adb

This should do the trick :

#!/system/bin/sh

mount -o rw,remount -t rootfs rootfs /

chmod 000 /sbin/adbd

mount -o ro,remount -t rootfs rootfs /

If it doesn't work try this :

#!/system/bin/sh

mount -o remount,rw /system

chmod 000 /system/bin/adb

Safe to remove applets

Applets are like small programms or commands that can be performed by the system, sometimes with
root permissions. They are located in system/bin and system/xbin, and this is where the heart of your
root beats (su and sh). Some came preinstalled on your phone, others are installed along busybox (those
ones are usually symlinked, and bear a different installation date than the stock applets).

We all have different interests and different needs, so here's some documentation in order to help you
decide which applets you want to keep
and which applets you want to remove (don't forget to make a
backup) :
http://busybox.net/downloads/BusyBox.html

To start, you can delete the ones that are nothing but a trigger for framework jars (like am or pm they
bear the same name than their framework counterpart, and they are very light, like 100-200 b, since all

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]
[TUTO] How To Secure Your Phone - xda-developers

what's inside is a short command to trigger the jar).

Then, watch out for the ones that have internet access.

I will write more about it, and give some examples, in a few days when I have time...

Upgrading to later Android versions?

Some people say that later Android versions are "safer" cuz vulnerabilities have been patched?

Nice one, that's what google and his friends want you to believe.

Like this you will jump on new versions as soon as you can, and they will tighten the knot.

Most vulnerabilities (except one or two) only work if one has installed a
doddgy app, or has had a nasty
app installed remotely hence the importance to disable pm, or opened a nasty sms through WAP push
(WAP is
anyway uninstalled if one has followed OP).

If you are the type of guy that installs apps from shaddy sources, and that clicks on any link on any sms
that promises to increase your d...k's size to 25 inches then I agree, you should stick to later Android
versions.

But as for me I'm not that type of guy, and anyway, what are those bad apps using those vulnerabilities
we are talking about?

They are a few nasty bits, flooded amongst millions of Android apps on board over one billion Android
devices, and those nasty bits account for
something like 0.01% (even less if you only installs from trusted
sources and don't click on 25 inches offer sms').

OTOH, google's tracking on Android is on 100 % of newly bought smartphones and wifi tablets, and its
tracking becomes more and more sophisticated and harder and harder to remove as the Android version

rises (it started with 4.2 and got much worse with 4.4).

Now think a bit, what kind of risk are you willy to take with your phone?

Still undecise? I don't have too much time to search the net about it, but since I'm a good uncle here's a
link to start with:
http://www.greenbot.com/article/2148...tching-it.html

WIP:
- safe to remove system/framework jars (done),
- safe to remove system/etc/permissions xmls (done),
- safe to remove system/libs (done),
- safe to remove stuff in system/bin and system/xbin (done),

- annihilate bluethooth and nfc (working on it),

- search the baseband/modem for privacy leaks (started, but still a long
way to go). That one will be a hard
task, I'm new in that field and most of it is closed. Any help will be very much appreciated, thanks in advance!!!

- 2-3 things more

Last edited by unclefab; 30th December 2014 at 08:16 PM..

http://forum.xda-developers.com/general/security/tuto-how-to-secure-phone-t2960077[15.02.2015 14:38:13]