[Q] [Android system] Google Chrome / DNS resolver UID - Android Q&A, Help & Troubleshooting

To any Android system expert:
I just experienced the following:
I'm using an iptables firewall on all my Android devices (Avast and since a few days AFWall+ (Play Store version)).
I started blocking many apps to limit data usage.
Now I wanted to open up a webpage with Google Chrome, but it always failed with DNS_PROBE_FINISHED_NXDOMAIN.
The iptables log was showing blocked packages of UID 0, so the root UID, listed as "Root execution" in the firewall apps.
Unblocking this UID resulted in web pages loading fine in Chrome.
I just want to know: Has Android some built-in DNS resolver that Chrome uses and that is running as root out-of-the-box, so that it could get blocked by that?
It is some really interesting behavior in my opinion, so I just would like to understand the system.
I would also like to block root execution from internet access (even while apps could remove the block, I know, but most of them wouldn't, as I think), mostly because of said data usage, especially on roaming, but I want to continue using Chrome.
If that is not possible due to this and my question above has an understandable answer, it would also be ok.
I did not try with other browsers for now, so I don't know whether this is a Chrome-specific thing or not.
Also, all my devices (as seen in my signature) are running some sort of AOSP, so I also don't know whether some carriers/manufacturers changed something with that.
Thank you in advance!
EDIT: Partially answered at http://forum.xda-developers.com/showthread.php?t=2386584
Seems to be an "issue" of the Android system.
If anyone knows more, or a way to circumvent this (on Lollipop) to block everything except the DNS requests, please tell me.
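The rule ordering asked for above (root may resolve names, nothing else), as an added example that is not part of the original post or of any firewall app. The chain name `root-dns-only` is hypothetical, and the rules assume what the post's log showed: lookups leave the device owned by UID 0, over plain DNS on port 53.

```shell
#!/bin/sh
# Added example: let UID 0 send DNS only, reject its other outbound traffic.
# CHAIN is a hypothetical name. Assumes plain DNS on port 53 (UDP and TCP);
# DNS-over-TLS on 853 would need its own ACCEPT rule.
CHAIN="root-dns-only"

# Print the rule set, one iptables invocation per line, in evaluation order.
# $1 selects the binary, so the same rules can be emitted for ip6tables.
root_dns_only_rules() {
    ipt="${1:-iptables}"
    echo "$ipt -N $CHAIN"
    # Lookups made on behalf of apps appear under UID 0 (as seen in the post),
    # so these two rules must come before the final REJECT.
    for proto in udp tcp; do
        echo "$ipt -A $CHAIN -p $proto --dport 53 -j ACCEPT"
    done
    # Everything else owned by root is logged with its UID, then rejected.
    echo "$ipt -A $CHAIN -j LOG --log-prefix root-blocked: --log-uid"
    echo "$ipt -A $CHAIN -j REJECT"
    # Hook at the top of OUTPUT: only sockets owned by UID 0 enter the chain,
    # so per-app rules for every other UID are evaluated as before.
    echo "$ipt -I OUTPUT -m owner --uid-owner 0 -j $CHAIN"
}

# Dry run by default (prints the commands); APPLY=1 executes them as root.
apply_rules() {
    root_dns_only_rules "$@" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            $rule || exit 1
        else
            echo "$rule"
        fi
    done
}

apply_rules "$@"
```

A firewall app that rebuilds the OUTPUT chain when it reapplies its rules will drop the hook, so the script has to run again after each reapply.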

Related

[Q] IOS like restrictions for android (restricted profiles suck)

Is there an app available which provides similar features to iOS restrictions, such as being able to prevent changes to accounts and contacts, meaning for apps such as Hangouts or Messenger I can prevent my brother from only contacting existing contacts and prevent him from adding random people (he's autistic...)? I'm currently using Norton parental controls and this allows me to block certain websites and send me usage reports. However, I would like for him to be able to actually contact his family on the tablet; being able to add people is a big no-no as he can become abusive to people. I managed this perfectly fine on his iPod, as within iOS restrictions you can simply turn on the option to prevent changes to accounts...
I am quite an advanced Android user and I can't seem to find a way to do this... I also can't believe people are praising the restricted profiles in Android 4.4.2... I think it is awful only allowing you to block apps... there are numerous apps available to do this anyway.
Another issue I have is with the Play Store not asking for a password for apps even though this option is selected in 4.4.2. I know this is a reported issue as I have found a forum on the issue; however, no one had a solution.
Any help would be appreciated

Most secure ZU config: firmware, phone settings, application settings, user behavior

Say I wanted to have the most secure Sony Xperia Z Ultra possible (without "too much" sacrifice of useability).
In the context of this thread I define security as broadly anything barring network anonymity ie. hiding your device public IP address.
So I want security from network attackers (eg. drive-by download, WiFi attacks), physical device attackers (eg. customs searching devices for IP violations ... no really, that's about to become a thing apparently, GF and/or mistresses).
How would you do it?
Could you please use sections of
Code:
firmware
phone settings
app settings
behavior
because I want to curate the best answers from users in this post for the good of the forum.
My thoughts so far are:
Firmware:
Root is disabled
Bootloader should be locked.
^^ These I'm not sure about - see if we don't have root then we don't have iptable firewall and hosts level server blocking.
One recovery should be used
Honestly I'm not sure which ROM is more secure than another but I'm assuming the latest and greatest is more secure so that would be MM atm. No idea if Sony is more secure than another flavour of ZU Android.
Phone settings:
Developer options off
Sideload apps off
Do not connect to unknown WiFi
NFC Off by default
Bluetooth Off by default
PIN unlock required
Auto-lock ON
App settings: (this includes apps you should have/not have and their settings)
I figure every additional app that I don't use is a needless attack surface so start with no apps at all - uninstall everything. Only install what you use ... for which you need root unless the ROM is premade like this.
Firewall app (Netguard no-root Firewall, DroidWall if we have root)
Adblock (if we have root)
AV - honestly most mobile AV seems pathetic at being secure and not acting like malware (notifications, popup windows etc) but Avast at least seems to not hog resources.
-Auto update every app
User behaviour:
NEVER:
-install apps from anywhere other than Google Play. Or possibly FDroid
-let another person use your device
I'd like to hear your suggestions, critique and everything else, cheers!
So you're not gonna install from other than google play, then what ad blocker are you going to use? Where is adblocker connecting to?
You're talking about still having a lot of apps connecting through servers that you don't control.
morestupidemailnames said:
You're talking about still having a lot of apps connecting through servers that you don't control.
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
panyan said:
Well if you are worried about connecting to servers that you dont control - isnt that all servers?
At which point you may as well remove all WIFI and Mobile Data capabilities and just stick to 2G
Exactly my point.
The op is a long winded question that leaves you with more questions.
Probably why there's been such a landslide of security tips here

[APP] please recommend substitution of app: network log

Hey guys, I've been seeking an alternative to Network Log (you can find it on Google Play Store) for quite a while but with no luck, so I came out to ask if anyone knows one suitable for me.
I have to say Network Log is almost worthy of purchasing (although it is not a paid app), considering the job it's done in categorizing by protocols, by apps, displaying packets by size and time, graphing as a timeline, and that made it an excellent choice for analyzing apps consuming data and draining battery, but unfortunately the app owner doesn't respond to bug summit or emails.
The thing is, Network Log no longer works after Android 6.0, while others in the market rely on the system built-in VPN function to capture data, which is not suitable for people like me in China using proxies to reach out to the world.
So if anyone knows apps that can capture packets (not necessarily able to decrypt contents) and display by apps, just to make it easy to let me see the amounts and frequency Android apps use the Internet, I'll be thankful that you recommend them to me (again it cannot be using the Android VPN function since Shadowsocks is already using VPN, so I think the app may require root permission but I'm OK).
check...
will somebody know that???

General about GrapheneOS

Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardenized aosp
- closed bootloader after flashing
Now I would like to discuss this ROM
I too would be interested to hear about anyone's experience regarding this OS
johndoe118 said:
Hey guys,
what do you think about GrapheneOS? (https://grapheneos.org)
I think there are some disadvantages:
- only Pixel devices (because only these have some security "flags")
- no root access
- hardcoded Google domains
and some advantages:
- good hardware support
- hardenized aosp
- closed bootloader after flashing
Now I would like to discuss this ROM
I'm interested in this ROM too. I have a Pixel 3a. I haven't flashed it yet because I'm trying to find out what people's experiences are first. There doesn't seem to be a lot of posts about it. Did you ever flash it? Also, what do you mean by "hardcoded Google domains"?
Well, the captiveportal contacts the Google servers regularly when you connect to a WiFi. That was one reason why I lost interest in the ROM. The other was the limited device support and missing root access. I absolutely need access to the iptables. As a one-man show, the ROM can be adjusted at any time.
johndoe118 said:
Well, the captiveportal contacts the Google servers regularly when you connect to a WiFi.
Do you have some kind of reference for that? I'm using it now and would really like some proof to bring up in their subreddit as a WTF.
graphene seems great, no root does not
I don't want the bootloader locked.
I want Magisk extensions
I need root for LP _only_ to remove ads. Is there something like LP that allows (interactively) disabling app activities?
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
GrapheneOS leaves these set to the standard four URLs to blend into the crowd of billions of other Android devices with and without Google Mobile Services performing the same empty GET requests. For privacy reasons, it isn't desirable to stand out from the crowd and changing these URLs or even disabling the feature will likely reduce your privacy by giving your device a more unique fingerprint. GrapheneOS aims to appear like any other common mobile device on the network.
HTTPS: https://www.google.com/generate_204
HTTP: http://connectivitycheck.gstatic.com/generate_204
HTTP fallback: http://www.google.com/gen_204
HTTP other fallback: http://play.googleapis.com/generate_204
nay_ said:
hardcoded google domains info from faq
https://grapheneos.org/faq#device-support
Thanks, right from there
I have Graphene OS taimen-factory-2020.07.06.20.zip on my Pixel 2 XL. Under "System update settings" is "Check for updates" but nothing happens if I tap. Only the field becomes darker. Has someone experience with this?
Update with adb sideloading to 2020.08.03.22 works.
OTA update from 2020.08.03.22 to 2020.08.07.01 likewise.
I'm personally not a fan of these kinds of projects, they aren't really all that 'secure', you're still using proprietary vendor blobs and such
help please
Hello! In the description
I pointed out that you can change servers just not through the GUI.
Has anyone tried this?
```
Providing a toggle in the Settings app for using connectivitycheck.grapheneos.org as an alternative is planned. The option to blend into the crowd with the standard URLs is important and must remain supported for people who need to be able to blend in rather than getting the nice feeling that comes from using GrapheneOS servers. It's possible to use connectivitycheck.grapheneos.org already, but not via the GUI.
```
captive portal leak + location services data leak
Few points:
1. General idea is that privacy/security oriented OS (as graphene is advertised) should limit network activity as much as possible, and not ping google using captive portal service every few seconds providing perfect IP-based location to google
It is possible to switch it off, but should be off by default
2. Connections of Android location services to get GPS constellations were shown before to send SIM card IMSI and connected cellular tower ID to provider (Qualcomm/Google):
"blog.wirelessmoves.com/2014/08/supl-reveals-my-identity-and-location-to-google.html"
Graphene still allows those connections (check their FAQ on website)
W/O root no way to switch this off. Even some devices ignore config files and still leak data (on the level of cellular modem most probably)
3. Android services make other weird connections. Example: AOSP dialler app is querying phone numbers against online database leaking all contacts to google. How was this taken care of in graphene? Are all AOSP services/apps security-verified to not leak any data?
w/o root no way to install afwall to block everything
Is graphene built-in firewall capable of blocking system services from network access?

Question Ad blockers

first time posting on the P6 forum (last had a P3).
previously, I used dns.adguard.com for the Private DNS setting. however, that was not blocking all of the ads from within some apps. it worked pretty well until then. Now, I downloaded blokada 5, and that successfully blocks almost all ads. the lone problem is that when connecting to a website, it often slows it down.
curious to see if anyone has a similar experience or recommend an alternative to dns.adguard.com.
thanks!
jco23 said:
first time posting on the P6 forum (last had a P3).
previously, I used dns.adguard.com for the Private DNS setting. however, that was not blocking all of the ads from within some apps. it worked pretty well until then. Now, I downloaded blokada 5, and that successfully blocks almost all ads. the lone problem is that when connecting to a website, it often slows it down.
curious to see if anyone has a similar experience or recommend an alternative to dns.adguard.com.
thanks!
I personally use both NordVPN as well as AdAway with root; AdAway has a VPN function of its own, and you can use your own host lists, but the VPN solution is more resource intensive than the root solution.
V0latyle said:
I personally use both NordVPN as well as AdAway with root; AdAway has a VPN function of its own, and you can use your own host lists, but the VPN solution is more resource intensive than the root solution.
interesting - thanks for the quick reply.
i do have windscribe, but rarely use it. i have not rooted this device yet, as my understanding rooting will disable Google Wallet/GPay - and I use those more often than I would need to hide ads.
+1 to AdAway, plus if your preferred browser supports it, install an adblocker in it as well - I use uBlock for Firefox.
There's also MinMinGuard which has recently gotten an update to make it work on current systems, but that requires Lsposed if you don't already use it, as well as individually enabling it for every new app you install. Honestly, though, with AdAway plus a browser adblocker, I almost never see any ads in any app, so I don't find MinMinGuard necessary anymore.
Ad blocking apps like Blokada and DNS-based ad blockers like AdGuard can be effective at blocking ads, but they can also slow down your browsing experience. This is because ad blockers need to process and filter out ads, which can take up resources and cause delays.
One alternative to dns.adguard.com that you could try is Cloudflare's 1.1.1.1. This is a free, fast, and secure DNS resolver that also includes ad-blocking capabilities. Cloudflare's 1.1.1.1 uses their own ad-blocking technology which is based on the same technology used by their enterprise-grade Web Application Firewall (WAF). This can block ads at the DNS level, which can be less resource-intensive than using an app like Blokada.
jco23 said:
interesting - thanks for the quick reply.
i do have windscribe, but rarely use it. i have not rooted this device yet, as my understanding rooting will disable Google Wallet/GPay - and I use those more often than I would need to hide ads.
No root will not disable Google Wallet/GPay, you just have to install Safety net fix module and all works great, for banking apps just hide root into settings. I use all my banking apps, card tokens and gpay/wallet everyday. Rooking root + adaway.
anawilliam850 said:
Ad blocking apps like Blokada and DNS-based ad blockers like AdGuard can be effective at blocking ads, but they can also slow down your browsing experience. This is because ad blockers need to process and filter out ads, which can take up resources and cause delays.
One alternative to dns.adguard.com that you could try is Cloudflare's 1.1.1.1. This is a free, fast, and secure DNS resolver that also includes ad-blocking capabilities. Cloudflare's 1.1.1.1 uses their own ad-blocking technology which is based on the same technology used by their enterprise-grade Web Application Firewall (WAF). This can block ads at the DNS level, which can be less resource-intensive than using an app like Blokada.
i tried installing the 1.1.1.1 app from cloudflare, and it did NOT block the ads on my scrabble app. thx for the suggestion though.
Have you tried using a browser like Brave, which would help with your browsing experience? I use a combination of Blokada for system-wide blocking, Pi-hole for in-home network-based blocking and browsers like Brave/DDG for blocking and so on. I have a Tasker-based activity for turning Blokada on/off when in home/out of home. It's my non-root solution.
Additionally you can also look up -
ahadns.com - you get a customised secure DNS URL, you can set up filter lists and the URL is configured based on the selections.
nextdns.io - something similar to the above. 300,000 free ad-blocking queries per month and past that, the non-blocking DNS service will work till the next month.
cbarai said:
Have you tried using a browser like Brave, which would help with your browsing experience? I use a combination of Blokada for system-wide blocking, Pi-hole for in-home network-based blocking and browsers like Brave/DDG for blocking and so on. I have a Tasker-based activity for turning Blokada on/off when in home/out of home. It's my non-root solution.
Additionally you can also look up -
ahadns.com - you get a customised secure DNS URL, you can set up filter lists and the URL is configured based on the selections.
nextdns.io - something similar to the above. 300,000 free ad-blocking queries per month and past that, the non-blocking DNS service will work till the next month.
Hey, just stumbled across your post and thought that if you use Pi-hole at home, you should be able to just use a VPN to your Pi-hole when on the road so you don't have to rely on third-party apps. Don't know about performance though, but you might give it a try.
Cheers
Been taking NextDNS for a test ride. Easy set up with a lot of features, up to 300,000 queries per month for free. What's not to like?
Fast and running pretty smooth so far, day 7.