Privacy from Google/analytics/tracking with Lineage OS + microG

[xJumper]

Just recently got back into the smartphone game, last time I had one was
an HTC Desire back with Android 2.0. I opted to go with a custom ROM
this time around was seeing how pervasive/intrusive all the
analytics/tracking from Google and the OEM's on Android phones has become.

So right now I have a Oneplus 5 running the latest version of Lineage OS
with the microG patch built in. It does not and neither have I installed
GAPPS or any Google services thus far.

I don't really download apps and if I do I only use F-Droid or directly
install an apk from a trusted developer (e.g. the .apk from OWS Signal,
etc) so my phone isn't filled with a bunch of tracking malware built in
system wide ads apps or anything like that.

I have disabled all extra crash/usage data sending, analytics options,
location services, wifi, etc in my phone. I am not rooted, I use the
privacy guard option and only allow the minimum and obvious permissions
that an app should need to work.

Obviously your carrier could still track you but other than that, have I
covered all my bases here? Am I completely immune from all the
analytics/tracking that Android smart phones have if I do all this while
running Lineage OS which is a custom ROM with all the Googliness
stripped out, or is there some base I am missing here?


Lastly, while the above is my method of operation 95% of the time,
sometimes I do need to use a map service/GPS. Google unfortunately is
king in this realm and this is why I installed the microG version of
Lineage OS. I'm still not 100% sure how that works/what it does but I
was able to download the official Google Maps app from Yalp (an app that
lets you download from the Playstore without a Google account) and get
the Google Maps app to work.

My question is, is having Google Maps installed and running off the
microG system compromising me and allowing Google to collect all sorts
of analytics and tracking data or does microG "spoof" that somehow while
still allowing you to use their service? Furthermore, is this potential
tracking/analytics by the Google Maps app running on microG only a
vulnerability when I use it (I set it NOT to start at boot) or is this
essentially compromising my whole setup here by having the very thing on
my system even though I only use it when I absolutely need to.

[richard lucassen]

On Sun, 19 Aug 2018 03:31:28 -0400
xJumper <suga...@mailinator.com> wrote:

[google spyware]

> My question is, is having Google Maps installed and running off the
> microG system compromising me and allowing Google to collect all sorts
> of analytics and tracking data or does microG "spoof" that somehow
> while still allowing you to use their service? Furthermore, is this
> potential tracking/analytics by the Google Maps app running on microG
> only a vulnerability when I use it (I set it NOT to start at boot) or
> is this essentially compromising my whole setup here by having the
> very thing on my system even though I only use it when I absolutely
> need to.

I'm not able to answer your question, I run LineageOS as well, but why
not use OsmAnd (Open Street Map app) instead of maps? Ok, it is far from
the quality google offers, but that's the price I'm willing to pay to
keep some privacy. OsmAnd can be found at F-Droid repository.

R.

--
richard lucassen
http://contact.xaq.nl/

[xJumper]

On 08/19/2018 03:41 AM, richard lucassen wrote:
> I'm not able to answer your question, I run LineageOS as well, but why
> not use OsmAnd (Open Street Map app) instead of maps? Ok, it is far from
> the quality google offers, but that's the price I'm willing to pay to
> keep some privacy. OsmAnd can be found at F-Droid repository.
>
> R.

Mostly because I rarely use maps/gps services unless I really really
need to and when I do there's no time to eff around, I gotta know
something or be someplace asap.

I figure if (like I said if, I could be wrong) microG and the Mozilla
UNLP it uses can "spoof" whatever it is Google requires and because of
the lack of any other Google services on the phone it can't mine
telemetry/data mine me then it's basically ALL perks and no
disadvantages of running Google Maps in that limited way I do.

[richard lucassen]

On Sun, 19 Aug 2018 04:54:28 -0400
xJumper <suga...@mailinator.com> wrote:

> On 08/19/2018 03:41 AM, richard lucassen wrote:
> > I'm not able to answer your question, I run LineageOS as well, but
> > why not use OsmAnd (Open Street Map app) instead of maps? Ok, it is
> > far from the quality google offers, but that's the price I'm
> > willing to pay to keep some privacy. OsmAnd can be found at F-Droid
> > repository.
>

> Mostly because I rarely use maps/gps services unless I really really
> need to and when I do there's no time to eff around, I gotta know
> something or be someplace asap.

I'd opt for OsmAnd, download the maps you want to use and go for it. The
only very BIG disadvantage of OsmAnd is that searching an addres is
really a big disaster (non indexed database AFAIK) but you can use
AddressToGPS app from F-Droid wich converts an addres to lat/long
coordinates and send it to OsmAnd.

> I figure if (like I said if, I could be wrong) microG and the Mozilla
> UNLP it uses can "spoof" whatever it is Google requires and because of
> the lack of any other Google services on the phone it can't mine
> telemetry/data mine me then it's basically ALL perks and no
> disadvantages of running Google Maps in that limited way I do.

As I said, I'm not able to answer that question. Once you have Maps
installed, you don't know what it's doing under water. Maybe I'm too
paranoia, I have no idea. Anyway, the words "privacy" and "google"
in one sentence sound like a contradictio in terminis to me.

[Arlen Holder]

On 19 Aug 2018 06:33:15 GMT, richard lucassen wrote:

> you can use
> AddressToGPS app from F-Droid wich converts an addres to lat/long
> coordinates and send it to OsmAnd.

Thanks for that suggestion, as one of the biggest flaws in most offline map
apps is the lack of a good address lookup (which Google Maps does best).
<https://f-droid.org/en/packages/me.danielbarnett.addresstogps/>

When I ran it, it says "powered by Google" though. :(
<http://www.bild.me/bild.php?file=5287625lookup.jpg>

But it's still a very nice application indeed, particularly for the stated
purpose of doing an address lookup that is accurate and outside of Google
Maps!

So thank you for this wonderful suggestion!

Apparently the MIT server it connects to makes a connection to Google's
API, where the server sends you the coordinates based on whatever Google
tells them.

Hopefully there is "privacy" in the MIT server being the "middleman".

The interface is nice where you press "Navigate" and it asks which map
program you want to use, where I hit "OsmAnd~" and then in OSMAnd~ I could
use the navigation buttons.

So it's a nice feature ... where ... let's hope ... the MIT middleman
doesn't tell Google who we are. :)

[Arlen Holder]

On 19 Aug 2018 00:41:41 GMT, richard lucassen wrote:

> I'm not able to answer your question, I run LineageOS as well, but why
> not use OsmAnd (Open Street Map app) instead of maps? Ok, it is far from
> the quality google offers, but that's the price I'm willing to pay to
> keep some privacy. OsmAnd can be found at F-Droid repository.

As noted, nothing is as good as Google Maps for quality, and for traffic,
but for routing, you can "make do" with OSMAnd~ as noted above, or
MapFactor Navigator.

Here are the various map apps I use, which are in preferred order:
<http://www.bild.me/bild.php?file=5191009maps.jpg>

Top five offline road map apps for me are...
- MapFactor Navigator
- OSMAnd~
- CoPilot GPS
- Sygic
- Navmii USA

[Arlen Holder]

On 19 Aug 2018 00:31:28 GMT, xJumper wrote:

> So right now I have a Oneplus 5 running the latest version of Lineage OS
> with the microG patch built in. It does not and neither have I installed
> GAPPS or any Google services thus far.

You're way ahead of most of us, where we can learn from you!

> I don't really download apps and if I do I only use F-Droid or directly
> install an apk from a trusted developer (e.g. the .apk from OWS Signal,
> etc) so my phone isn't filled with a bunch of tracking malware built in
> system wide ads apps or anything like that.

I don't even have a Google Play account - although sometimes I create a
throwaway Google account to download apps I don't have APKs for.

I also use F-Droid & sometimes Aurora Store; but most of the time I just
re-use an APK from one phone to the next.

> I have disabled all extra crash/usage data sending, analytics options,
> location services, wifi, etc in my phone. I am not rooted, I use the
> privacy guard option and only allow the minimum and obvious permissions
> that an app should need to work.

It would be nice if we can come up with a step-by-step checklist for a
current Android OS for disabling all the privacy-leaking features - all the
while enabling the power and flexibility of Android (e.g., developer
options like unknown sources).

> Obviously your carrier could still track you but other than that, have I
> covered all my bases here? Am I completely immune from all the
> analytics/tracking that Android smart phones have if I do all this while
> running Lineage OS which is a custom ROM with all the Googliness
> stripped out, or is there some base I am missing here?

Good question. I can't answer - so I will watch for what others suggest.
Getting rid of Google Framework is a good start for sure.

> Lastly, while the above is my method of operation 95% of the time,
> sometimes I do need to use a map service/GPS. Google unfortunately is
> king in this realm and this is why I installed the microG version of
> Lineage OS. I'm still not 100% sure how that works/what it does but I
> was able to download the official Google Maps app from Yalp (an app that
> lets you download from the Playstore without a Google account) and get
> the Google Maps app to work.

When I try to get Yalp from F-Droid for my LG Stylo 3 Plus (Nougat, Android
7.0), it is grayed out so I can't get it. Bummer.

> My question is, is having Google Maps installed and running off the
> microG system compromising me and allowing Google to collect all sorts
> of analytics and tracking data or does microG "spoof" that somehow while
> still allowing you to use their service?

Good question. The "installed" part is different from the "running" part,
where, you must know, that you "can" download Google Map data for offline
use - but - unfortunately - that requires a login to save the data.

So it's a catch-22 in that respect.

> Furthermore, is this potential
> tracking/analytics by the Google Maps app running on microG only a
> vulnerability when I use it (I set it NOT to start at boot) or is this
> essentially compromising my whole setup here by having the very thing on
> my system even though I only use it when I absolutely need to.

Good question.
I commend you for the questions.
I will be watching for answers from others to learn from your question.

[xJumper]

On 08/19/2018 11:40 PM, Arlen Holder wrote:
> You're way ahead of most of us, where we can learn from you!

>

> Good question.
> I commend you for the questions.
> I will be watching for answers from others to learn from your question.

If you're running the stock version of Lineage OS right now, every phone
that has a current update to date build has an equivalent build in the
MicroG fork. It's probably something worth checking out.

https://lineage.microg.org/

The best way would be to download the full ROM and just do a clean
install instead of trying to patch your "pure" Lineage OS only ROM with
the microG patch.

[Arlen Holder]

On 20 Aug 2018 03:40:40 GMT, Arlen Holder wrote:

> When I ran it, it says "powered by Google" though. :(
> <http://www.bild.me/bild.php?file=5287625lookup.jpg>

Once you have the L/L for any address in the world, any good offline map
app should be able to route to that L/L address (although the
aforementioned F-Droid addresstogps tool makes that integration seamless.

While the aforementioned tool seamlessly integrates the address lookup to
any installed offline map app, another way to find the latitude/longitude
(aka L/L) for any address in the world is to use any of these online
address-to-coordinate web-based lookup engines.
https://getlatlong.net/
https://www.latlong.net/
https://www.gps-coordinates.net/
https://mynasadata.larc.nasa.gov/latitudelongitude-finder/
https://developer.mapquest.com/documentation/tools/latitude-longitude-finder/
etc.

Then you manually feed those coordinates into any offline map routing app.

[Theo]

xJumper <suga...@mailinator.com> wrote:
> If you're running the stock version of Lineage OS right now, every phone
> that has a current update to date build has an equivalent build in the
> MicroG fork. It's probably something worth checking out.

That's useful. Though it doesn't cover phones that are unofficially
supported on LineageOS by folks on XDA (usually because a few features don't
work, often those you might not care about like heart rate monitors or NFC
or whatever)

Anyway, one answer to your question would be to firewall the Maps app. By
default, firewall it so it can't talk to the internet. When you actually
want to use it, unfirewall it. Then kill it and re-enable the firewall when
you're done. On a regular phone with Gapps, either Maps or GMS could be
chatting to Google. Since you're running MicroG you don't have GMS, so
firewalling Maps should be sufficient.

When running Maps may be sending location data to Google. When firewalled
it will operate in offline mode - that may be sufficient, but I think recent
versions need a Google account to download maps.

There's a variety of firewall apps which operate in different ways, you
might have to try a few.

Theo

[xJumper]

On 08/21/2018 06:03 AM, Theo wrote:
> That's useful. Though it doesn't cover phones that are unofficially
> supported on LineageOS by folks on XDA (usually because a few features don't
> work, often those you might not care about like heart rate monitors or NFC
> or whatever)
>
> Anyway, one answer to your question would be to firewall the Maps app. By
> default, firewall it so it can't talk to the internet. When you actually
> want to use it, unfirewall it. Then kill it and re-enable the firewall when
> you're done. On a regular phone with Gapps, either Maps or GMS could be
> chatting to Google. Since you're running MicroG you don't have GMS, so
> firewalling Maps should be sufficient.
>
> When running Maps may be sending location data to Google. When firewalled
> it will operate in offline mode - that may be sufficient, but I think recent
> versions need a Google account to download maps.
>
> There's a variety of firewall apps which operate in different ways, you
> might have to try a few.
>
> Theo

Not sure I can "firewall" Google Maps or anything for that matter
without root. Yea I'm actually not rooted... I figure for the most part
it's liability, I don't want to do 99% of stuff rooted users use it for
so I figure why get it, as Linux user as well you learn to shy away from
root unless absolutely necessary.

I do however use the built in feature in Lineage OS called "privacy
guard" and turn everything that it needs to "ask first" and everything
else that it would not need to "ignore", I don't get prompts when the
app isn't running so I figure it's not using/"talking" to Google in ways
I wouldn't want it to.

else that it would not need to "ignore". I don't get prompts when the
app isn't running so I figure it's not using/"talking" to Google in ways
I wouldn't want it to.

As for running it firewalled (like an actual iptables allow/deny
firewall) and the app being tricked into offline mode and thus running
in offline mode, I figure that would be useless with Google Maps. The
areas you can cache offline are tiny/lack detail in comparison to say
OsmAnd so firewalling wouldn't really allow for anything OsmAnd couldn't
do or any of the advantages Google Maps has.

What I am wondering though is does MicroG somehow "spoof" or
"scramble/obfuscate" the data it sends when talking to Google services?
Or is it like a pass through that is sending all your data along just
like if you had all the GSF/Play installed on your phone to begin with
just so your apps run?

[Theo]

xJumper <suga...@mailinator.com> wrote:
> Not sure I can "firewall" Google Maps or anything for that matter
> without root. Yea I'm actually not rooted... I figure for the most part
> it's liability, I don't want to do 99% of stuff rooted users use it for
> so I figure why get it, as Linux user as well you learn to shy away from
> root unless absolutely necessary.

You don't need root for firewall - for example there's NetGuard:
https://github.com/M66B/NetGuard

> I do however use the built in feature in Lineage OS called "privacy
> guard" and turn everything that it needs to "ask first" and everything
> else that it would not need to "ignore", I don't get prompts when the
> app isn't running so I figure it's not using/"talking" to Google in ways
> I wouldn't want it to.

Privacy Guard covers apps getting data (like location or contacts), but
doesn't cover transmission. In other words you can stop Maps getting
location. But if you allow Maps to get location (such as for navigation) it
can then transmit it.

> As for running it firewalled (like an actual iptables allow/deny
> firewall) and the app being tricked into offline mode and thus running
> in offline mode, I figure that would be useless with Google Maps. The
> areas you can cache offline are tiny/lack detail in comparison to say
> OsmAnd so firewalling wouldn't really allow for anything OsmAnd couldn't
> do or any of the advantages Google Maps has.

I wasn't suggesting that, simply firewalling at the times you aren't using
Maps. Then it'll limit any transmission to when you actively opened the
Maps app. It won't completely avoid sending location, but that's necessary
for features like navigation anyway.

> What I am wondering though is does MicroG somehow "spoof" or
> "scramble/obfuscate" the data it sends when talking to Google services?

If you don't install a GMS location service to MicroG or use Google Cloud
Messaging for push notifications, I don't think it talks to Google services.

Theo

[xJumper]

On 08/21/2018 03:46 PM, Theo wrote:
> You don't need root for firewall - for example there's NetGuard:
> https://github.com/M66B/NetGuard

Good to know, I'll look into this

>
> Privacy Guard covers apps getting data (like location or contacts), but
> doesn't cover transmission. In other words you can stop Maps getting
> location. But if you allow Maps to get location (such as for navigation) it
> can then transmit it.

So unless I were to "allow" and then "deny" once I was done Google Maps
could potentially sneak data off in the background? What about if I made
it "ask every time" and then deny when I wasn't using it?

> I wasn't suggesting that, simply firewalling at the times you aren't using
> Maps. Then it'll limit any transmission to when you actively opened the
> Maps app. It won't completely avoid sending location, but that's necessary
> for features like navigation anyway.

I'll be trying this. See how feasible it is to run with a setup like that.

> If you don't install a GMS location service to MicroG or use Google Cloud
> Messaging for push notifications, I don't think it talks to Google services.
>
> Theo

I was under the impression that "microG" is ALL of those things, and it
even allows communication to Google servers if it is required.

If you look under the "options" for microG Settings it allows you to;

Enable/Disable

"Google device registration"
"Google Cloud Messaging"
&
"Google SafetyNet"

What's even more strange to me is ALL that is required for the official
Google Maps app to work is "location services" turned on. I have all
those above listed settings in microG set to OFF/Disable and maps
somehow still works.

I'm really trying to figure out what angle the whole microG thing has so
I can see what angles it opens and/or closes in regards to privacy.

[xJumper]

I ended up trying "Net Guard", meh.... Just added more bloat and didn't
really deliver as a firewall. The good stuff like logs require the paid
version.

I think running one of the various iterations of firewalls that require
root might be better.