
About mobile privacy and open source



Hi Habr.

Not long ago I got the urge to write a whole series of articles on security, privacy and anonymity on the Internet. I do not want to waste readers' time by describing, yet again, the deplorable state of personal data collection; all of that has been done before me, so let's get straight to the point.

So, is it possible to use a mobile device without serious damage to your privacy?

The answer is yes, it is possible, but to do so you need to get rid of the software and services that collect data uncontrollably. This requires a desire to change something and any device on which a custom Android system can be installed (iOS, for obvious reasons, is not considered; the only alternatives are SailfishOS and GNU/Linux, but those can be installed on a very limited number of models). Those who are interested, welcome under the cut.

AOSP and LineageOS


The Android system itself (AOSP) is open under the Apache 2.0 license, but most smartphones and tablets go on sale with the closed-source Google Play Services preinstalled, which cannot be removed without root (except on Android One). Manufacturers also often install their own proprietary software of dubious quality and functionality. Keep in mind that any application that has been granted permissions (and when building the firmware, an application can be given any permissions at all) can collect huge amounts of information, so a more reasonable alternative (for a person who cares about their privacy) is an AOSP-based build (Omnirom, NitrogenOS, etc.) or a LineageOS-based one (CrDroid, XenonHD, etc.). The code of such systems is usually completely open (except for the binary blobs required to build them) and is supported by the community.

A little about open source, surveillance and spirituality
In general, the fact that a program's code has been published does not mean that it will not collect information about you or show you targeted ads, or that the application contains no hidden implants or backdoors (just as closed source does not prove the opposite), but in any case it is better than the plain black box that ordinary proprietary software is.
In my opinion, it is worth choosing programs that follow not only the letter but also the spirit of free and open source software.

AOSP and LineageOS have a lot of forks and builds; unfortunately I cannot recommend anything specific, because stability and performance depend heavily on the device model, its components, the phase of the moon, etc. But besides LineageOS itself, the AEX, Resurrection Remix, CandyOS, DotOS and Liquid Remix ROMs are quite popular, and I think that is where one should start.
CandyOS 9.0 * screenshots are clickable

Differences between LineageOS and AOSP
LineageOS is a fork and successor of the good old CyanogenMod. Like CyanogenMod, LineageOS offers unique features that are missing in AOSP:

  • Custom Button Placement - lets you reassign the touch buttons and display additional ones.
  • System Profiles - lets you activate various profiles, either manually or via a programmable trigger.
  • Expanded Desktop - lets you open applications that do not support "immersive mode" in full-screen mode.
  • LiveDisplay - changes the display's color temperature depending on the time of day.
  • Trust - an interface for viewing the system's privacy and security settings and learning how to fix possible problems (from version 15.1).
  • Protected Apps - hides applications from the launcher; you can create special protected folders for quick access and put a pattern lock on them.
  • PIN scramble - shuffles the arrangement of the digits on the PIN entry screen, which makes it harder to shoulder-surf the code or to infer its digits from fingerprints on the screen.
  • Custom pattern sizes - adds the ability to use 4x4, 5x5 and 6x6 grids for the pattern lock.
  • Styles - a light and a dark theme for the system; can switch automatically depending on the wallpaper or the time of day.
  • Call recorder - records voice calls (may not be available in some countries).


The main difference between official and unofficial builds is that official ones are built from signed source code, but it is not always that simple: in the LineageOS project, for example, only ROMs assembled on a dedicated build server are signed with the private key and receive "official" status (Lineage also maintains a release calendar and fairly complete support). Some other projects are a bit simpler, and you can produce an official build on your own PC.

If the bootloader is locked
Try to get root or temporary root via ADB. You are unlikely to be able to install a custom system, but you can at least remove the junk software from /system/app and /system/priv-app (Android is a modular system, and quite a few components can be removed or replaced, but of course you can also break everything). If you use ADB, you can write a script to automate this, since Android uses the usual Unix commands.

About F-Droid


The F-Droid catalog contains only free and open source software (FLOSS); all applications are compiled and published by the F-Droid team. If the catalog does not contain your favorite open application, you can submit a request here or write the metadata yourself, but note that only open-source components and libraries are used in the build.

About dubious functionality
An antifeature is a warning that the application may perform some unwanted actions, such as displaying advertisements or collecting data (this is not prohibited by the F-Droid rules, but such modules must be open source). The most common ones are: use of non-free network services (for example, DuckDuckGo), an upstream source tree that contains closed parts (in this case the catalog offers a fork with those components cut out), dependence on proprietary software (for example, the application does not work without Google Maps) and promotion of non-free add-ons. All the rest are quite rare: known vulnerabilities, the application has gone closed source, etc.

F-Droid client


An application catalog with the ability to connect third-party repositories (or your own). There are also alternative clients, m-Droid and G-Droid, but they are still too raw for daily use.

Pros:


Minuses:


Sources: Gitlab
License: GPLv3
F-Droid app * | Privileged (zip archive)

F-Droid Security



However, the F-Droid team cannot guarantee you 100% security, so it is recommended to check permissions and keep an eye on news about compromises.

Applications


It is clear that the applications in the catalog are far from always a full-featured replacement for proprietary programs from Google Play or elsewhere, so I tried to do a small comparative analysis and find out which applications are suitable for everyday use and which should be avoided.

1. Since the F-Droid catalog contains more than 2.5 thousand applications, I will consider in detail only more or less unknown programs with interesting functionality, from the categories a user needs most of the time. All the rest (well-known ones, ones with no interesting features, or ones with flaws I consider critical) I will mention with a few comments.

2. I will rate applications from 1 to 3 stars for usability; this is my subjective opinion, so you can ignore it.

3. Some applications have no, incomplete or poor Russian localization, so to avoid visual chaos I decided to take the screenshots in English (maybe that was a bad idea, but I hope you will forgive me).

Yalp and Aurora


I understand that completely giving up non-free software is impossible for many people. But you can at least get rid of Google Play Services on your smartphone without losing access to the Google Play store. The Yalp and Aurora applications let you download .apk files directly from Google's servers; technically both applications are very similar, since Aurora is a fork of Yalp using Material Design, and there is no particular difference in stability or functionality:


There are some differences:


About microG
Some applications from Google Play require Google Play Services to work. There is a free implementation of these services called microG; to download it via the F-Droid client, you need to add a repository.
Read more about installing and configuring microG in this article.

Yalp Store
Sources: Github
License: GPLv2
Download in F-Droid. Rating:
Aurora Store
Sources: Gitlab
License: GPLv2
Download in F-Droid. Rating:

Browsers


The first thing that strikes you is the absence of familiar brands like Mozilla Firefox or Chromium, but in fact it is not all that bad: at least the Firefox browser is present in the catalog, albeit under a different name. A mobile Chromium build, on the other hand, still seems to depend on Google Play Services, so the catalog only has downloaders that fetch the .apk from a third-party resource. The same problem applies to browsers based on Chromium, so F-Droid mainly offers front-ends for AndroidSystemWebView and browsers on the Gecko engine.

Icecatmobile


GNU IceCat is a fork of the Firefox ESR (Extended Support Release) browser, originally branched off from GNU IceWeasel, but unlike the Debian project, which focused on rebranding, IceCat made actual code changes. The mobile version is maintained by a separate team that has returned to the MPL 2.0 license. Apart from the cat with a huge tail on the logo, the community's additions stand out as follows:


As for GNU LibreJS (blocks all non-open-source scripts) and Searxes Third-party Request Blocker (blocks third-party resources), I advise removing them because they are inconvenient to use: to add a site to the LibreJS whitelist you have to either copy the site address or enter it manually (and then all its scripts are allowed at once), and in the TPRB add-on it is impossible to add a whole second-level domain, for example in the form *.wikipedia.org. Instead of these add-ons you can install uBlock Origin, uMatrix or NoScript, whichever you prefer. Hidden HTML should also be disabled, since this add-on gets in the way with constant prompts. Incidentally, the add-ons page has been redone and now leads here; a link to the list of recommended extensions can already be found there, but some links (for example, NoScript) are broken, so I personally use the regular Firefox add-on site.

Pros:


Minuses:


Sources: GNU
License: MPL 2.0
Download in F-Droid. Rating:

DuckDuckGo Privacy Browser


The browser comes from the development team of the DuckDuckGo search engine, a service positioned as an alternative that respects users' privacy (note that the code of the search engine itself is not open). It uses AndroidSystemWebView to render pages.
Some of the browser's features are quite interesting:


In my opinion, the main drawback is the lack of history, or at least of switching between incognito and normal modes (after all, a main browser should have this).

Pros:


Minuses:


Sources: Github
License: Apache 2.0
Download in F-Droid *. Rating:

Privacy browser


A front-end for AndroidSystemWebView with a focus on privacy, although one feature raised questions for me: the browser sends a user agent with the PrivacyBrowser/v1.0 parameter. You can imagine how few people use a browser with such an agent, and if you consider that the OS can easily be identified from the specifics of its TCP/IP stack, this makes no sense at all (there is also JavaScript spoofing, tap detection, etc.); however, another agent can be set in the settings. Among the features:


Pros:


Minuses:


Sources: stoutner.com
License: GPLv3
Download in F-Droid. Rating:

Bromite


A browser based on Chromium, with changes aimed at improving privacy and blocking advertising. Patches from projects such as Iridium, Brave, Ungoogled Chromium and the Inox patchset have been included in Bromite.
Features:


To download Bromite you need to add its repository.

Pros:


Minuses:


Sources: Github
License: GPLv3
Repository *. Rating:

More options (no rating)


Tor Browser - a build provided by The Guardian Project (you must enable its repository in the settings). Until recently the Tor Project did not support Tor Browser on Android, and the applications that provided access to the Tor network, Orfox and Orbot, were developed by the Guardian Project team. In September 2018 the Tor Project announced the release of an alpha version for Android, although they still do not have their own F-Droid repository.

Fennec F-Droid is essentially a FOSS version of Firefox. I could not find a complete list of the proprietary components used in current versions of mobile Firefox, so it is hard to say what was cut apart from the analytics trackers (Adjust and Leanplum) and DRM. For example, the wiki says that the Health Report module (telemetry) has been removed, but in the current version it is present and runs after launch. In any case there are no non-free dependencies in Fennec (otherwise F-Droid could not have built it).

FOSS Browser is another front-end, a good application in principle, but on some firmware it transmits the smartphone model in the user agent (WebView version 66, though many front-ends have fixed this). An ad blocker is present, and the address bar has been moved to the bottom.

Firefox Klar is Firefox Focus (the difference is that Klar's telemetry is disabled by default), Mozilla's private browser; it uses GeckoView and has tracker blocking.

Interesting in the Play Store:

Brave Browser is based on Chromium; there is a built-in ad blocker with local lists, HTTPS Everywhere and fingerprinting protection.

The Brave team came up with a rather interesting way to monetize content: any Brave user can make a donation, which is then converted into cryptocurrency and distributed among the visited sites or blogs registered in the Brave Rewards program, but this feature is not yet available in the mobile version.

Waterfox is a fork of the XUL-based versions of Firefox (up to 57); telemetry and non-free components have been removed.

Messengers


Of course, in the F-Droid catalog you will not find the popular WhatsApp, Viber or Skype applications, but there is a Telegram client. Note that push notifications do not work in F-Droid messengers, since in Android they are tied to Google's proprietary Firebase Cloud Messaging service.

Pix-Art Messenger


Pix-Art is a fork of Conversations, a mobile client that uses XMPP for communication. F-Droid also has Conversations Legacy, which retains the functionality of version 1.23+ (OTR and custom names for client identification, but without the new features of version 2+). Pix-Art Messenger is based on the 2+ branch, but has integrated OTR, as well as daily backups, a list of servers for registration and a reworked menu.
Features of the application:


In all versions of Conversations it is possible to keep the service active after the client is closed, which in theory should prevent the system from closing the client's connection to the server, but many custom builds have strict power-saving policies, so Conversations must be added to the exceptions (this is how push notifications are replaced).

Pros:


Minuses:


Sources: Github
License: GPLv3
Download in F-Droid *. Rating:

Rocket.Chat


A corporate instant messenger with the ability to use your own server (the FOSS version supports up to 1000 users). If XMPP does not suit you (for example, because of the lack of a uniform client on all platforms or of 2FA), then Rocket.Chat is not such a bad choice:


The application is not very suitable for ordinary users; after all, it is aimed at teams with a professional admin.

Pros:


Minuses:


Sources: GitHub
License: MIT
Download in F-Droid. Rating:

More options (no rating)


Telegram is a very popular instant messenger; the application in F-Droid is updated with a delay because it is essentially a fork with components cut out. Telegram uses closed servers on which the history of correspondence from non-secret chats is stored, the account is tied to a mobile phone number, and in general the project has a rather strange privacy policy (and I understand that because of the lack of push, the server list cannot be updated automatically).

Riot.im is an analogue of Slack that uses the Matrix protocol; correspondence from rooms is stored on proprietary servers and the service owners reserve the right to transfer the collected data to third parties. The Riot client is written in React, so if you are allergic to JavaScript it is best to refrain from using it. There is end-to-end encryption (in beta).

Jami - formerly the Ring VoIP softphone; supports third-party SIP and IAX services and TLS and ZRTP encryption. Open under the GPLv3 license.

TRIfA - uses the Tox protocol; there are audio/video calls, although they are unusable (running your own Tox node would change that): the connection gets cut and the client periodically crashes. Messages also sometimes do not arrive.

Interesting in the Play Store:

Signal - as with Telegram, the account is tied to a phone number; the Signal Protocol is used for communication, and all correspondence is stored on the users' devices.

Interesting fact: there used to be a free implementation, LibreSignal (with the Google components removed), but moxie0 objected to its use of the Signal servers and name. I do not understand how the three and a half anonymous users of LibreSignal could have got in the way, so I will not express my opinion about this situation.

Wire is another instant messenger using the Signal Protocol; it supports registration by e-mail, as well as group calls for up to 10 people. The application is open under the GPLv3 license (it uses Google Firebase Analytics, Mixpanel and HockeyApp).

Maps


Perhaps the main drawback of open-source maps is the lack of cross-platform applications and of integration between these applications and online services. For example, there are online maps on www.openstreetmap.org, but you cannot transfer a route planned in the browser on a PC to your smartphone (at least I did not succeed: when I try to export the map to an .osm file, all routes disappear). On the other hand, if you do not care about the synchronization problem, things are not so bad.

Maps


Offline maps. A fork of the Maps.Me application, owned by a certain Russian company whose name starts with "M". According to the Exodus project, the original application contains 15 different analytics trackers and has advertising, but in Maps both have been removed. Despite its apparent simplicity, the application has quite a few useful features:


Pros:


Minuses:


Sources: Gitlab
License: Apache 2.0
Download in F-Droid. Rating:

OsmAnd~


A very detailed and well-developed application; there are both detailed offline maps based on OpenStreetMap and online maps for navigation. OsmAnd offers a large number of interesting features:


The application is open under the GPLv3 license, but not all of the offered services are free.

Pros:


Minuses:


Sources: Github
License: GPLv3
Download in F-Droid. Rating:

More options (no rating)



Open Map is an online map, though unlike the previous ones it is non-interactive, with regular images in .jpeg format instead of vector rendering.

PocketMaps is another application using OpenStreetMap, but the developers clearly overdid it with the size of the maps: the map of Japan, for example, weighs 3.1 GB. As in Open Map, the map itself is non-interactive.

Security and anonymity


There are many applications in the F-Droid catalog that help protect your data, from encryption software to anonymous-network clients, but not all of them are available by default. For example, the repository of The Guardian Project (a project aimed at creating easy-to-use secure applications and open libraries) is disabled by default in the settings.

EDS Lite


An analogue of VeraCrypt; lets you create encrypted containers with a FAT or exFAT file system. Features of the application:


The Play Store also has a paid version of this application with extended functionality similar to VeraCrypt and LUKS, but EDS Full contains proprietary components.

Pros:


Minuses:


Sources: Github
License: GPLv2
Download in F-Droid. Rating:

KeePass DX


A Java fork of KeePass. Computer security experts recommend using a different password for each service; obviously, remembering a large number of complex passwords is impossible, and it is not necessary: it is easier to use a manager with random password generation and database encryption, so you only need to remember one master password (the NIST guidelines recommend long passphrases like "SmokeontheWatertheFireintheSky" that are easy to remember and hard to guess), or alternatively a file that is used as a key.
KeePass DX features:


The KeePass DX developers do not want to complicate the application's code by adding cloud synchronization (though they are considering bundling some file manager to simplify access to remote resources); instead they recommend using the client of any cloud service (for example, NextCloud, which has a free client and server), and you can put the database in a directory with synchronization configured.

Pros:


Minuses:


Sources: Github
License: GPLv3
Download in F-Droid. Rating:

andOTP


I remember that once upon a time, back in the days of Android 4, I used the Google Authenticator application to generate the OTP codes used in two-factor authentication. One day an update to version 5 arrived on my smartphone, and guess what? Naturally, everything went down the drain... But that does not matter, because the andOTP application can make a backup (how do you like that, Elon Musk... I mean, Google?), saved as a JSON file. In addition, there are many other features:
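To show what such a backup actually protects, here is an added example (not andOTP's own code) that reads a backup in an assumed andOTP-style JSON layout, recomputes the RFC 4226/6238 codes from the stored secrets, and checks a submitted code the way a server would. The field names in the sample backup are an assumption; the secret is the RFC test key, so the codes can be compared with the published test vectors.

```python
import base64
import hashlib
import hmac
import json
import struct

# Base32 form of the RFC 4226/6238 test key "12345678901234567890".
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed sample in the style of an andOTP JSON backup. The field names
# ("secret", "label", "type", "algorithm", "digits", "period", "counter") are
# an assumption about that format, not a verified copy of it.
SAMPLE_BACKUP = json.dumps([
    {"secret": RFC_TEST_SECRET, "label": "example@site",
     "type": "TOTP", "algorithm": "SHA1", "digits": 6, "period": 30},
    {"secret": RFC_TEST_SECRET, "label": "legacy-counter",
     "type": "HOTP", "algorithm": "SHA1", "digits": 6, "counter": 0},
])


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode a secret, tolerating lower case, spaces and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad to the requested length."""
    digest = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def codes_from_backup(backup_json: str, unix_time: int) -> dict:
    """Parse a backup and return {label: code} for every entry at the given time."""
    codes = {}
    for entry in json.loads(backup_json):
        kind = entry.get("type", "TOTP").upper()
        digits = int(entry.get("digits", 6))
        algorithm = entry.get("algorithm", "SHA1")
        if kind == "TOTP":
            codes[entry["label"]] = totp(entry["secret"], unix_time,
                                         int(entry.get("period", 30)), digits, algorithm)
        elif kind == "HOTP":
            codes[entry["label"]] = hotp(entry["secret"], int(entry.get("counter", 0)),
                                         digits, algorithm)
    return codes


def verify_totp(secret_b32: str, candidate: str, unix_time: int, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check of a user-supplied code. Accepts codes from `window`
    periods before and after the current one to tolerate clock drift, and uses a
    constant-time comparison so timing does not reveal how many digits matched."""
    if not (candidate.isdigit() and len(candidate) == digits):
        return False
    step = int(unix_time) // period
    matched = False
    for offset in range(-window, window + 1):
        if step + offset < 0:
            continue
        expected = hotp(secret_b32, step + offset, digits, algorithm)
        # Check every step in the window, never break early, to keep timing uniform.
        matched |= hmac.compare_digest(expected, candidate)
    return matched
```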


Pros:


Minuses:


Sources: Github
License: MIT
Download in F-Droid. Rating:

Wireguard


Of course, OpenVPN and IPsec still meet security standards, but it must be understood that they were designed for corporate use rather than for anonymizing activity on the Internet. Therefore, if a client or server is configured incorrectly, various leaks (DNS, local IP, IPv6 addresses, etc.) and other privacy issues are possible. WireGuard, on the other hand, was designed as a VPN that is easy to configure and use, with a primary focus on performance and security. Features:


Researchers from the University of London carried out a security audit of the WireGuard protocol.

Pros:


Minuses:


Sources: zx2c4.com
License: GPLv2
Download in F-Droid *. Rating:

More options (no rating):


Orbot is an application that uses the system proxy to redirect traffic over the Tor network.

PixelKnot - lets you hide an encrypted message in a picture using the F5 steganography algorithm.

OpenVPN for Android is a client implementation of the most popular VPN protocol.

I2P is a client for the I2P anonymous distributed network, open under the Apache 2.0 license.

OpenKeychain - an implementation of the OpenPGP encryption standard for Android, open under the GPLv3 license. Integrated into many of the applications mentioned in this article (andOTP, Conversations, K-9 Mail, etc.).

Ripple - a panic trigger button that can be used with some of the applications mentioned above.

Interesting in the Play Store:

KeePass2Android is another implementation of KeePass for Android, there is synchronization with cloud services.

Useful apps from F-Droid


Scarlet Notes FD is a good note editor: you can create lists, insert photos, set reminders, choose a note color, tags, etc. Cloud sync can be enabled.
Perhaps the only negative is that you cannot share a note to Google Keep.
Sources: Github
License: GPLv3
Download in F-Droid

NextCloud is a free and open (GPLv2) cloud client; you can use your own server or connect to a third-party provider (there are free plans that offer from 2 to 10 GB).
Features:


Sources: Github
License: GPLv2
Download in F-Droid

DAVx5 - synchronization of contacts and calendar (can be configured to work with NextCloud).
Also supports synchronization for the Tasks app.
Sources: Gitlab
License: GPLv3
Download in F-Droid

K-9 Mail is an e-mail client with a simple interface that supports POP3, IMAP, Push IMAP and OpenPGP encryption (OpenKeychain is required).
Sources: Github
License: Apache 2.0
Download in F-Droid

NewPipe is an unofficial YouTube client with support for background playback. There is no regional top chart yet (but perhaps it is better not to go there).
Sources: Github
License: GPLv3
Download in F-Droid

oandbackup is a backup utility; you can make a full system backup or a backup of an individual application (data, .apk, or both). Root is required.
Sources: Github
License: MIT
Download in F-Droid

Forecastie is a weather application using the OpenWeatherMap API. There are 5-day forecasts, graphs of temperature, rain, pressure and wind speed, as well as a global map of winds, precipitation and temperature.
Sources: Github
License: GPLv3
Download in F-Droid *

AntennaPod is a podcast manager with the ability to listen to online streams and download episodes (there are scheduled download settings: at intervals, by time, network selection, etc.).
You can add your own podcast directory.
Sources: Github
License: MIT
Download in F-Droid

Let's sum up


For obvious reasons I am not able to cover everything, or even any significant part, of what can be called "mobile open source". But I can still say that over the past 2-3 years the situation with open source software for Android has improved a lot: many new things have appeared, and some old projects have grown significantly in quality and functionality. In my opinion, these folks have simply done a great job, without demanding anything in return. Yes, there are problems and a lot has to be set up manually, but isn't privacy worth a little inconvenience?

* - localization is incomplete or absent

Source: https://habr.com/ru/post/440280/