
"Is LineageOS without Google apps 100% Google-free?": No, it isn't.

– some LOS services like NetworkMonitor still connect to Google (github.com/LineageOS/android_f)
– some settings like the phone's DNS server can still send data to Google
– besides, LOS, many apps, and the whole internet heavily rely on libraries, protocols, and standards (e.g. HTTP/2, Certificate Transparency) developed by Google, so there will never be a "100% Google-free something" for average users

@infosechandbook

You are right. But:
The network connectivity check doesn't allow Google to identify the device. It's just a ping to know if the server is reachable and name resolution works.

The DNS servers are usually the ones provided by your DHCP. The Google DNS servers are not used if you receive those.

Certificate Transparency is designed to be a bit anonymous by not reporting to Google exactly which domain you request. And thus it is included by default in Firefox.

@tuxicoman

In our tests (see /e/ article), the connectivity check also transmitted device information (User Agent). There are older examples on Reddit, showing the same behavior.

DNS was just an example.

The last point was about technology developed by Google, not about technology sending data to Google.

The main point is: Users must monitor their whole traffic to see if Google gets their data directly. Of course, service providers can still leak it indirectly.

@infosechandbook @tuxicoman
I wouldn't be so quick to ascribe bad intentions to Google for the connectivity check url. You need *some* url to check, and how many domains do you know that are able to process *billions* of http queries per day from all Android phones in the world?

If that domain goes down, suddenly all Android phones would think their wifi link has no Internet connectivity.

If the check is leaking the user agent, that should be fixed in both LineageOS and AOSP.

@infosechandbook @tuxicoman Oh, actually the connectivity check url and user-agent are configurable via android settings even in Android P. LineageOS could have easily changed it if they wanted to:

github.com/LineageOS/android_f

@infosechandbook @tuxicoman Also, I believe users can easily change it themselves via 'adb setprop' (probably requires root access).

@infosechandbook I am disgusted that I must use a (((Smart Phone))) for the time being. I spent an entire year without a phone number and I did fine. As soon as I get the chance, the phone gets the hammer.

I have secured this bastardization of technology to my best, and it still isn't good enough. I am disgusted.

@se7en @infosechandbook

Trying to hide from the authorities is pointless. You can only obfuscate, but even if you do well they'll just make shit up and plaster it all over the media.
The best path is just to not piss off the wrong person or become a threat until you have a backing. Look at Sargon, Robinson and Co - total ninnies, but got enough of a following that they can't be easily eliminated. That's saying something since they live in the UK.

@IsaacWestcott @infosechandbook

I still feel that every attempt possible should be made to shield yourself from the technological arm of the International Zionist Conspiracy

@christian

We aren't aware of any completely "Google-free" Android operating system. Even /e/ isn't fully Google-free as shown in infosec-handbook.eu/blog/e-fou

@christian @infosechandbook If you want android, I don't know, but if you're looking for a smartphone-OS, then @ubports Ubuntu Touch can be an alternative

https://ubports.com

@infosechandbook I'd settle for a definition of "Google-free" that means "Does not send information about me or my devices to Google, unless I explicitly ask it to." Okay, maybe "Google-surveillance-free" would be a more accurate term, then. I think that's what most people care about.

@fnord

That may be true, but there are some hardcore idealists who still tell everybody that they aren't using anything from Google … 😉

@infosechandbook Still tho, advising Lineage to get away from Google is pretty solid advice: modify or turn off the connectivity check, root it to change the DNS. And only download F-Droid apps (maybe excluding Signal). And you have a fairly Google-less device.

@blacklight447

This is good advice. However, there are many blogs, articles etc. that just tell anybody to install LOS/F-Droid apps and there is no Google anymore. This isn't true.

@infosechandbook Yh, this should indeed be stated more clearly. Anyhow, these changes can be fairly easy to solve upstream: the server used for the connectivity check could be the Lineage website. DNS might be a bit more tricky. While it's easy to change the default DNS, who would this DNS provider be, and why would this provider be trustworthy? Maybe Lineage can run their own DNS? They could also include F-Droid by default.

@infosechandbook These are all questions that would need to be discussed and answered first.

@infosechandbook
> There will never be a 100% google-free something for average users

Protocols are quite unavoidable if you want it to be a smartphone but the software is avoidable, LineageOS is basically just a distribution from Google+Vendor software so it cannot be Google-free.

@lanodan @infosechandbook There will be if Google is nationalized and its servers incinerated.

@judgedread @lanodan @infosechandbook I agree with socialism if it means destroying SJW corporations

Destroy these globalists

@lanodan @infosechandbook Is it possible to make a full list and also publish info on how to fix it where possible? @kuketzblog already collected some things. Unfortunately, he mostly relies on root access to fix things. If things cannot be changed in the phone, maybe we can open issues on GitHub or similar for each one. It's hard to accept that there is no Google-free operating system out there.

@marco @kuketzblog @infosechandbook
There are Google-free ones but of course they aren’t Android:
- Ubuntu Touch
- Plasma Mobile
- Maemo (if it’s still alive)
- SailfishOS (non-libre)
- PostmarketOS

And freeing up Android will not get you very far IMHO, especially as a huge lot of stuff will have to be done and compatibility will be hard to keep.

@infosechandbook I see your points. But the problem is that there are bits and pieces around the net, but no list for a default privacy-aware user to start with. I know about the pitfalls (different Android versions, gets obsolete, only fixable with root, etc.). Do you get me?

@lanodan
Your point is absolutely valid. It's like telling people to use GNU/Linux if they use Windows. Some people are able to do it, most are not. That's why optimizing Android is a first step.

@marco @lanodan

There are many findings on the internet. For example, Reddit lists some of them and there are GitHub issues, of course.

However, such lists are blacklist approaches: You create a huge list that gets longer and longer while there is no guarantee that all connections to Google are on the list (especially in rare use cases or in customized LOS variants like /e/).

On the other hand, even a firewall on a rooted Android phone doesn't allow you to fully control your traffic.
