"Is LineageOS without Google apps 100% Google-free?": No, it isn't.
– some LOS services like NetworkMonitor still connect to Google (https://github.com/LineageOS/android_frameworks_base/blob/lineage-16.0/services/core/java/com/android/server/connectivity/NetworkMonitor.java)
– some settings like the phone's DNS server can still send data to Google
– besides, LOS, many apps, and the whole internet heavily rely on libraries, protocols, and standards (e.g. HTTP/2, Certificate Transparency) developed by Google, so there will never be a "100% Google-free something" for average users
You are right. But:
The network connectivity check doesn't allow Google to identify the device. It's just a ping to know if the server is reachable and name resolution works.
The DNS servers are usually the ones provided by your DHCP. The Google DNS servers are not used if you receive those.
Certificate Transparency is designed to be a bit anonymous by not reporting to Google exactly which domain you request. And thus it is included by default in Firefox.
In our tests (see /e/ article), the connectivity check also transmitted device information (User Agent). There are older examples on Reddit, showing the same behavior.
DNS was just an example.
The last point was about technology developed by Google, not about technology sending data to Google.
The main point is: Users must monitor their whole traffic to see if Google gets their data directly. Of course, service providers can still leak it indirectly.
I wouldn't be so quick to ascribe bad intentions to Google for the connectivity check URL. You need *some* URL to check, and how many domains do you know that are able to process *billions* of HTTP queries per day from all Android phones in the world?
If that domain goes down, suddenly all Android phones would think their wifi link has no Internet connectivity.
If the check is leaking the user agent, that should be fixed in both LineageOS and AOSP.
@infosechandbook I wonder what the alternative is then, if there is any?
We aren't aware of any completely "Google-free" Android operating system. Even /e/ isn't fully Google-free as shown in https://infosec-handbook.eu/blog/e-foundation-first-look/#communication
@infosechandbook I'd settle for a definition of "Google-free" that means "Does not send information about me or my devices to Google, unless I explicitly ask it to." Okay, maybe "Google-surveillance-free" would be a more accurate term, then. I think that's what most people care about.
That may be true, but there are some hardcore idealists who still tell everybody that they aren't using anything from Google … 😉
@infosechandbook Ah, I get your point, then. 🙂
@infosechandbook Still tho, advising Lineage to get away from Google is pretty solid advice: modify or turn off the connectivity check, root it to change the DNS. And only download F-Droid apps (maybe excluding Signal). And you have a fairly Google-less device.
This is good advice. However, there are many blogs, articles etc. that just tell anybody to install LOS/F-Droid apps and there is no Google anymore. This isn't true.
@infosechandbook Yh, this should indeed be stated more clearly. Anyhow, these changes can be fairly easy to solve upstream; the server used for the connectivity check could be the Lineage website. DNS might be a bit more tricky. While it's easy to change the default DNS, who would this DNS provider be, and why would this provider be trustworthy? Maybe Lineage can run their own DNS? They could also include F-Droid by default.
@infosechandbook These are all questions that would need to be discussed and answered first.
@infosechandbook "HTTP/2 is Google" is some take of course
@lanodan @infosechandbook Is it possible to make a full list and also publish info on how to fix it where possible? @kuketzblog already collected some things. Unfortunately, he mostly relies on root access to fix things. If things cannot be changed in the phone, maybe we can open issues on GitHub or similar for each one. It's hard to accept that there is no Google-free operating system out there.
@infosechandbook I see your points. But the problem is that there are bits and pieces around the net, but no list for a default privacy-aware user to start with. I know about the pitfalls (different Android versions, gets obsolete, only fixable with root, etc.). Do you get me?
Your point is absolutely valid. It's like telling people to use GNU/Linux if they use Windows. Some people are able to do it, most are not. That's why optimizing Android is a first step.
There are many findings on the internet. For example, Reddit lists some of them and there are GitHub issues, of course.
However, such lists are blacklist approaches: You create a huge list that gets longer and longer while there is no guarantee that all connections to Google are on the list (especially in rare use cases or in customized LOS variants like /e/).
On the other hand, even a firewall on a rooted Android phone doesn't allow you to fully control your traffic.
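The blocklist-versus-default-deny point from the post above, as an added example that is not part of the original thread. The observed hostnames are constructed sample data, and both lists are hypothetical; the only assumption about real systems is that `connectivitycheck.gstatic.com` is the usual AOSP connectivity-check host.

```python
# Constructed sample of hostnames a phone resolved (not captured data).
OBSERVED = [
    "www.google.com",
    "connectivitycheck.gstatic.com",   # connectivity check host (assumed AOSP default)
    "dns.google",
    "f-droid.org",
    "google.com.example.net",          # look-alike: NOT a google.com subdomain
    "updates.example.org",
]

# Hypothetical, deliberately incomplete blocklist: it names google.com
# but forgets gstatic.com, which is the weakness the post describes.
BLOCKLIST = {"google.com", "dns.google"}

# Hypothetical allowlist for a default-deny policy.
ALLOWLIST = {"f-droid.org", "example.org"}


def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one.

    Compares whole DNS labels, so 'google.com.example.net' does not
    match 'google.com' the way a naive substring test would.
    """
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def blocklist_verdict(host):
    """Default-allow: drop only what is explicitly listed."""
    return "drop" if matches(host, BLOCKLIST) else "pass"


def allowlist_verdict(host):
    """Default-deny: pass only what is explicitly listed."""
    return "pass" if matches(host, ALLOWLIST) else "drop"


def gaps(hosts):
    """Hosts the blocklist lets through that default-deny would stop."""
    return [h for h in hosts
            if blocklist_verdict(h) == "pass" and allowlist_verdict(h) == "drop"]


if __name__ == "__main__":
    for h in OBSERVED:
        print(f"{h:32} blocklist={blocklist_verdict(h)} allowlist={allowlist_verdict(h)}")
    print("unreviewed traffic under blocklist:", gaps(OBSERVED))
```

Every entry `gaps()` returns is traffic nobody has reviewed; under the blocklist it leaves the device anyway.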