What does HackerNews think of XPrivacyLua?
Really simple to use privacy manager for Android 6.0 Marshmallow and later
This could be achieved with something like Xposed, a cool project is https://github.com/M66B/XPrivacyLua.
I actually made a "clone" with the option to generate data per permission as a school project, good times
Alternatively if you are rooted Xprivacy[0] does what you asked, allowing you to grant apps permissions but then feeding them fake data as configured.
No idea about iOS though.
EDIT: There seems to be an app called Insular[1] which also works like Xprivacy, but doesn't require root at all and comes with a couple of extra features like the ability to have multiple instances of an app installed. Haven't tried this one though and I have no idea if it even runs on newer versions of Android.
https://github.com/M66B/XPrivacyLua
Requires rooted Android + Xposed though.
Dunno what to do about messengers and such, which integrate with the contact system to show their correspondents in e.g. the ‘share’ menu. Not sure if these contacts are available to other apps—but if they are, it seems impossible to hide them.
Also there's e.g. a plugin for the (non open-source) Xposed ‘framework’, to feed fake data to apps that want to access the location and other such info. Seems to be able to fake the contacts, too, but afaiu requires a rooted phone: https://github.com/M66B/XPrivacyLua
You can achieve this with the latest Magisk (v24+, https://github.com/topjohnwu/Magisk), Zygisk enabled, and the following modules:
- LSPosed Zygisk (https://github.com/LSPosed/LSPosed, fork of Xposed)
- Universal SafetyNet Fix (https://github.com/kdrag0n/safetynet-fix)
- Shamiko [optional, more hiding but needs configuration] (https://github.com/LSPosed/LSPosed.github.io)
I haven't kept up with it, it needs a rooted phone and Xposed Framework, and some apps don't like that and stop working.
But in an older version of this app, you can set it to prompt you for any activity the app wants to do, e.g. read clipboard or phone status, where you can say "Allow/deny always, allow/deny for 10 minutes" etc.
It spoofs and restricts Android API calls made by apps.
- for web, stop using chrome, install firefox (or firefox mobile) and in about:config set privacy.resistFingerprinting to true, then add the following addons:
https://addons.mozilla.org/en-US/android/addon/canvas-finger...
https://addons.mozilla.org/en-US/android/addon/audioctx-fing...
https://addons.mozilla.org/en-US/android/addon/webgl-fingerp...
https://addons.mozilla.org/en-US/android/addon/font-fingerpr...
They will not only prevent fingerprints but also screw with the data (add random noise to audio/webgl sample, return random fonts,...).
- the most important rule, don't use applications like tiktok, fb,... if your phone is not rooted, with xprivacylua (https://github.com/M66B/XPrivacyLua, for added kicks https://github.com/M66B/NetGuard) installed, and you have a basic understanding of what you allow there (disallow everything for new apps and work permissions one by one). The sole purpose of those apps and their business model is to steal your data. This is the most sane advice I can give, sorry :(
Voila. Solved.
Those methods of fingerprinting are a few years old and well known.
I am also using XPrivacy Lua (you need a rooted phone) https://github.com/M66B/XPrivacyLua to give applications fake details like android id, gps coordinates, contacts etc.
For a nice addition, uninstall all google software and use microg instead.
That's what Xposed Framework does exactly.
> allow it access a dummy, empty folder to read from
That's what Xposed XPrivacyLua plugin does exactly.
[0]: https://forum.xda-developers.com/showthread.php?t=3034811
For spoofing data for apps, if you are on android and have a rooted device there is xposed with xprivacy
This is what I am using: https://lineage.microg.org/ (get rid of google play (and save 1/3 of battery)). Apps have dependencies on the google framework, and just not having it breaks lots of stuff (this is google's true vendor lock-in). Microg is an open-source reimplementation of it, but it needs patches in android to fake its file signatures, and lineage microg takes care of that.
First thing, get rid of your gmail/android account, register a new account with a 3rd party email provider. If you are buying a phone, check xda-developers which has most support from ROM builders as you don't want, for instance, a Samsung ROM. Only then go for hw specifications. Root the phone (don't be afraid, it is nothing special, companies are scaremongering here), flash recovery TWRP (imagine it as a "bootloader" for android), flash lineage microg.
From here, you start playing with OS.
- Replace dns server (root required) 8.8.8.8 with another (I use my own but there are plenty of privacy-oriented ones like ccc.de)
- Install yalp store (replaces play store, buy things using browser, if developer drm doesn't support verifying that you have bought its app, break it using lucky patcher or demand money back)
- Install xposed framework, install netguard, install xprivacylua (one of rare developers I trust for this, due to his privacy work), pay him donations to get pro versions (I have my own versions of those two built and a tad modified)
- use netguard logging to block all the fishy urls that system is calling (gps service, block complete network access,...)
- take special care about firefox, block all privacy details using xprivacylua, install webapi manager add-in, learn to use it.
- You have set up the base os, now start using it and block everything that is trying to be contacted using microg. Lineage is by no means clean but you can silence it. Don't trust system apps, broadcom drivers are, for instance, contacting their servers. Don't start installing apps until you have done it, later you will get huge noise from apps. Take a day or two and just use the phone's normal features, blocking everything that seems foul (google ntp servers,...)
- For those who haven't noticed it yet (or reversed a few apps), most android applications are demanding a crazy lot of permissions. The reason is that they have ~1/3 of developer code and 2/3 of spying code, from ad providers to tracking and analytics and simply code that "just" needs to access your contacts =/. So... for every application you install, start it with everything blocked (netguard + xprivacylua) and work your way through allowances. Don't give any app allow for internet if it doesn't need it, fake all the details to an app that doesn't need them (South Pole is a nice place to be for gps coordinates)...
To really unhook yourself from google, you will need a server. I came to the point where all google domains are blocked (I mean ALL, not just google.*), all my communication from all my computers/devices is passing through a server (I have two ways of doing it, either vpn or ssh tunnel) where communication is cleaned, http (+https mitm) over squid with huge blocklist, caching cdns forever,... and having squid in a separate routing table (ok, it's freebsd fib but close enough) with openvpn client, so also my ip is gone. I am completely self hosted (own "cloud" for webdav, webcal, files; mailserver; searx;...) and...
.. I am not missing anything that google has to offer, I am using android apps, but without google.
I would really recommend doing it, if you aren't familiar with networks, OS,... it will take a year, two, five, but you will learn a lot.
I have probably forgotten about lots of details but please ask, if you are interested.
Just for a taste, my google data export is 28kb (bought apps,...) after few years. What about yours? :)
Some links you might use: