You don't have to use Google Play on your Android phone.

There's a free open alternative app store called F-Droid, which is much more privacy-friendly, and which you can install yourself relatively easily.

There's a simple instruction guide for beginners on switching.social:

switching.social/ethical-alter

There's a much more detailed guide by @IzzyOnDroid here:

android.izzysoft.de/articles/n

You can follow the official F-Droid account here:

@fdroidorg

@switchingsocial Just a heads up: There are two number 8 steps on the page.

@switchingsocial

@IzzyOnDroid @fdroidorg

Fdroid I use, I've got no Google Play, I'm happy

Sometimes I do use Google Maps though, that's only in the web browser

@Food @switchingsocial @fdroidorg I've replaced Google Maps by #OsmAnd and don't miss a thing. Google on my device is a thing of the past: I've flashed LineageOS and no GApps at all. #microG is used for location services only (no GCM), with a local OpenCellId database for lookup. And of course F-Droid for apps. Works perfect for me.

@Valium @fdroidorg @IzzyOnDroid @switchingsocial or some apps arbitrarily crash or refuse to run without Google Play Services lol, it's a little sad but at least Android can still hold some ground for now until more open phones release

@machetebadger @Valium @switchingsocial @fdroidorg There are no apps on F-Droid that wouldn't run without GServices, so I've no idea what you're talking about… 🤣

@switchingsocial
Then just as many new apps would need to become visible again as arrived with version 1.3. Or they have been in the queue since then
@IzzyOnDroid @fdroidorg

@switchingsocial @IzzyOnDroid @fdroidorg And if you really need an app from Google Play you can use the app "Yalp" and even scan the apps if they contain trackers inside with Exodus in the same Yalp app.

@josantleon @fdroidorg @IzzyOnDroid @switchingsocial and as always, mileage may vary if they're not broken up apks and bound to GPS to work

@machetebadger @switchingsocial @josantleon @fdroidorg for the latter, use UnifiedNlp from F-Droid - or LineageOS for microG, which has it integrated. Once a month I update my local OpenCellId database. Location without GPS works like a charm, even if I'd turn mobile data off.

@IzzyOnDroid
You realize that Google, Facebook, etc, is almost certainly still getting your realtime GPS coordinates via your cell carrier, who is effectively selling it to anyone who'll pay, right?
@machetebadger @switchingsocial @josantleon @fdroidorg

@darkmeson @fdroidorg @josantleon @switchingsocial @IzzyOnDroid lol I only see this now, I meant Google Play Services and not Global Positioning System hehe, but yea true

@machetebadger Ah well (shrugs) No such stuff on F-Droid (the only market where never was a malware found), so what? 🙈

@IzzyOnDroid
We're on the same page about the Google stuff. I was mostly just sanity-checking you, since your generalizing made it seem like you thought your countermeasures made you bulletproof (which is a really good way to get burned...badly). btw, don't ever think that being in F-Droid makes it non-malware/spyware. There are several dodgy apps like Twidere and Blokada in there too that make all sorts of suspicious, unsolicited connections
@machetebadger

@darkmeson @IzzyOnDroid sure but it's more often than not that those sort of apps appear, and most of the time they warn you about non-free connection services. Blokada on the other hand can be scrutinised due to the methods it employs to block ads without a hosts file so that's not fair

@machetebadger
That's why I specifically mentioned Twidere (no warning signs, other than the usual "non-free services"). Others like Yalp, Aurora, etc, phone home, but only AFTER asking if you want to use builtin credentials, and it's to satisfy the user's request. Blokada does none of these things, AND it seemingly makes connections for purposes OTHER than list management (hence, suspicious). No excuse to check for or self-update either, btw.
@IzzyOnDroid

@machetebadger @IzzyOnDroid
Actually, that probably deserves a bit of explanation. IF an app wants to check for an update, it should be sending an intent to an actual app store. Some apps try to continue with old, bad habits because it allows them to stealthily collect statistics, device fingerprints, etc (which even when done with the best of intentions, can and probably WILL be used to cross-reference with other dbs for the purposes of privacy invasion later)

@darkmeson @machetebadger Why should an app ping some store? Either I use the store (then the store notifies me on updates), or I don't (then it makes no sense as I might willingly have decided that way). It should ask me whether I want it to check, and tell me where it will check so I can make my own decision.

@IzzyOnDroid
That's the point. Apps shouldn't be checking for their own updates, but IF for some reason there's reason to think there might be one, THEN the proper way to do that on Android is to send an intent and let Android figure out how to handle it (which in this case would be to pass it to an app capable of handling the intent type -- an app store). So, basically, apps are supposed to send an intent and then wipe their hands of it.
@machetebadger

@darkmeson @machetebadger "Nothing can happen to me, I'm 1000% safe – you know, I have an Anti Virus…" 🤣 Yeah, that's exactly how to start making shit happen. Never feel safe – but always take the best steps you can toward that goal.

I run LOS on my devices. I have AdAway to filter traffic. I have XPrivacy(LUA) to block analytics & co. This weekend I setup one of my devices fresh and add AFWall+. Am I bulletproof? Definitely not. I still could act the idiot (I won't, hopefully). And I probably still leak…

@darkmeson @machetebadger I'm fully aware there's no such thing as 100% safety/security. But why take chances? Why not target a higher level, if I can? No reason to play the fatalist ("I don't care, they get my data anyway – and anyhow, I've got nothing to hide" – especially who says the latter should get his/her hide beaten, as that way they endanger others as well).

I'm not perfect. But I can try 😃

@IzzyOnDroid
"Why take chances?"...am I to assume you're running a device lacking a cellmodem, are instead using a separate cell hotspot device, and are supplementing the remaining, missing functionality with a SIP account then? :)
@machetebadger

@machetebadger @switchingsocial @darkmeson @IzzyOnDroid @fdroidorg I always block all the internet connections I want (even gps) with the non-root firewall Netguard.

@josantleon
Netguard is the best of the lot in F-Droid, but breaks itself badly enough that it won't start the VPN service. I'm thinking it has something to do with the number of apps, but can't do anything about that. It only has comparable features to NoRootFirewall in the for-pay version anyway. Really need root to simulate with iptables since it can't do always-on tho
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg Netguard is already using the VPN in Android to work and as you know you can only use 1 VPN at the same time. So, you can't use a VPN service. Instead, you can use Tor. And I prefer using Tor and blocking almost all the Android apps to access internet.

@josantleon
The problem with this is that you have to be using Pro to do filtering the right way. Otherwise, you have to add a filtering proxy to the equation too (Polipoid, Termux with Squid, Polipo, Privoxy, etc), and then you'd STILL need root for iptables access to force all apps through it (it's purely advisory, and lots of apps seem to ignore it and connect directly)
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg With Netguard I can control all apps, even the system apps, and I avoid them to connect, even not being root. It seems that Android VPN works in that way. And I'm happy with the donation and the pro features. I can also use socks5, DNS of my choice, check the logs, etc. I don't need to root my phone.

@josantleon
If you have a reasonable understanding of the implications, and are satisfied with the level of security and privacy that that offers, then that's fine. That first part tends to be something of a problem ime though, and studies have shown that a false sense of security tends to be worse than none at all. I'm not saying that's you, just laying out my motivations ;)
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@josantleon
That's the biggest problem. It's kind of hard to even justify paying for pro when the regular one spontaneously breaks after some time and the root of the problem hasn't been fixed since it surfaced a year or so ago.
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg Have you tested with your smartphone and asked Marcel about it? Maybe it's not working for you then.

@josantleon
For purely FOSS applications, that'd definitely be the course of action I'd take (and sometimes with patches, if it proved to be a simple enough issue). The only form of this that's all that useful is the for-pay version though, and that raises the bar quite a bit (especially when simply using something else is easier; can't trust Netguard Pro any more than NRF)
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @switchingsocial @IzzyOnDroid @fdroidorg It also contains Google CrashLytics, and misses a lot of advanced options needed to secure my smartphone. I avoid apps with trackers: reports.exodus-privacy.eu.org/

@josantleon
Ended up writing a couple embarrassingly simple shell scripts to handle removing and/or breaking analytics, telemetry, .fabric, and various other snoops, and they run every so often from crond atm. Would be nice to have them listen for PACKAGE_(ADDED/REPLACED/UPDATED) and the like, but I suspect I'm going to have to write my own bridge daemon for it, and that might be a while (!android dev)
@switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @switchingsocial @IzzyOnDroid @fdroidorg And many "unknown" sources in the app. Can it be a copy of Netguard with less options? I could try it even if Virustotal gives 1 virus result. Does it also filter ipv6, udp....?

@josantleon
Afwall is definitely the most generally useful and well-polished of the ones I've tinkered with, but one still has to make use of the custom script feature for certain, common things, like restricting some apps to RFC-private network access only (for shady apps like TrebleShot that try to phone home for no reason), proxy host/port access only, etc.
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg
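
The kind of custom-script restriction mentioned in the post above, as an added example that is not from the thread or from AFWall+ itself: it generates iptables rules confining one app UID to RFC 1918 destinations. The UID 10123, the `OUTPUT` chain and the `iptables`/`ip6tables` command names are assumptions, and the IPv6 reject rule goes beyond what the post mentions.

```shell
#!/bin/sh
# Added example: confine one app UID to RFC 1918 (private) IPv4 destinations.
# Assumptions: tool names, the chain name, and the constructed UID below.
IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"
CHAIN="${CHAIN:-OUTPUT}"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# private_only_rules UID: print the rules, in the order they must be appended.
private_only_rules() {
    uid=$1
    # Refuse anything that is not a plain number before it reaches a command.
    case $uid in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;; esac
    # Loopback stays reachable so an on-device proxy keeps working.
    echo "$IPTABLES -A $CHAIN -m owner --uid-owner $uid -o lo -j ACCEPT"
    for net in $PRIVATE_NETS; do
        echo "$IPTABLES -A $CHAIN -m owner --uid-owner $uid -d $net -j ACCEPT"
    done
    # Everything else from this UID is refused. IPv6 is refused outright so
    # the app cannot sidestep the IPv4 rules over an IPv6 route.
    echo "$IPTABLES -A $CHAIN -m owner --uid-owner $uid -j REJECT"
    echo "$IP6TABLES -A $CHAIN -m owner --uid-owner $uid -j REJECT"
}

# apply_rules UID: print the rules (default) or run them with DRY_RUN=0 as root.
apply_rules() {
    rules=$(private_only_rules "$1") || return
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        $rule || exit 1   # stop at the first rule the kernel rejects
    done
}

# Dry run for a constructed UID (Android app UIDs start at 10000).
apply_rules 10123
```

Because the rules are appended, they only see traffic that earlier rules in the chain let through, and the ACCEPT lines must stay ahead of the REJECT lines.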

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg Oh, I didn't know. I never used it, I only use a normal Android avoiding almost all apps to connect to Internet, and controlling the logs and using Tor.

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg I checked that app (NoRootFirewall) and I don't trust it. And I see that it's only like a bad copy of Netguard and with many limitations. I don't even know if it's opensource or not. I'm happy with Netguard and it works in my phone.

@josantleon
NoRootFirewall definitely isn't open source, and the only reason I trust it is because I went to the effort of dissecting the apk, and I have infrastructure in place both on-device (XPrivacy, etc) and in my home network (internet access is only allowed through a highly restrictive, filtering proxy) that allows me to audit connection attempts. No issues in ~2yrs
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @machetebadger @switchingsocial @IzzyOnDroid @fdroidorg That's good to know, but what about updates? You must check it always. But I understand that if Netguard doesn't work in your smartphone then you must find other solutions 👍

@josantleon
Well, this post's threads have gone all over the place, but I DO recall saying that Netguard was the best of the FOSS lot ;)

In my case, I have the need to run (highly-thieving,) non-FOSS apps, so naturally my stacks also give me the luxury of using NRF at no additional effort. For anyone using exclusively FOSS, vanilla Netguard is probably more than enough

@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@josantleon
As far as updates go, that tends to happen through Yalp or similar (when I have the luxury of public wifi and little surveillance), or alternatives like GetJar, Aptoide, etc. Package signing makes it relatively safe for updates, just not initial installations, and apps can't get away much without my knowledge, in any case. Disclaimer: still NOT generally advisable
@machetebadger @switchingsocial @IzzyOnDroid @fdroidorg

@darkmeson @machetebadger @switchingsocial @josantleon @fdroidorg Yes. But that still doesn't make me hand it over to them on a silver platter. And the other question is which cell carriers hand it to whom. So reducing risk is a good thing.


mastodon.at is a microblogging site that federates with most instances on the Fediverse.