Suggestion: mention XPrivacyLua #399

Closed
jj-pietro opened this issue Feb 8, 2018 · 26 comments

@jj-pietro
commented Feb 8, 2018

XPrivacyLua is an Android open source Xposed module which blocks access to personal data by feeding fake data to apps instead of revoking permissions. I think it should be added to the "worth mentioning" section of "Mobile Operating Systems".
Github: https://github.com/M66B/XPrivacyLua
Website: https://lua.xprivacy.eu/
Support: https://forum.xda-developers.com/xposed/modules/xprivacylua6-0-android-privacy-manager-t3730663
It requires the Xposed Framework which is open source too.

@hugoncosta

Contributor

commented Feb 16, 2018

This is in line with the #338. The plugin seems great though, I can't understand how it's done, but I am a fan of security by obfuscation.

@kewde, @Shifterovich, what do you think if we create a subsection under Mobile OS with useful plugins/add-ons, just like with Firefox (https://www.privacytools.io/#addons)?

@Shifterovich

Member

commented Feb 16, 2018

Sounds great, but someone has to do the work. I'm very busy lately.

@hugoncosta

Contributor

commented Feb 16, 2018

Awesome, I'll start hacking at it, I'll see which other add-ons there are that we've been speaking about in the other issues.

@jj-pietro

Author

commented Feb 16, 2018

@hugoncosta while you are at it you may want to add AFWall+ and/or Netguard as a no-root alternative.
There's also a hosts file created specifically to block some mobile tracking libraries.

@hugoncosta

Contributor

commented Feb 16, 2018

@pietropacchio I'm currently a user of AFWall, would you say that the big difference is that Netguard requires no root?

I think I'll do two trees - one with and one without root access.

@jj-pietro

Author

commented Feb 16, 2018

@hugoncosta well with NetGuard you can load a custom hosts file instead of blocking apps, a thing which you can't do using AFWall+ but for doing its things it needs to use the VPN service, so due to Android limitations you can't use another one.

@CHEF-KOCH


commented Apr 3, 2018

The problem here is that XLUA needs root, or in other words, the Xposed framework installed, this triggers Google Play Store and its SafetyNet check. Currently, there is no workaround to bypass this, even if it takes only some small changes in order to re-detect this.

NetGuard should be preferred from all mentioned solutions cause it simply works with Android's native VPN API which doesn't need you to root your device and works for everyone without triggering security mechanism by Google.

@jj-pietro

Author

commented Apr 3, 2018

@CHEF-KOCH XPrivacyLua and NetGuard are very different things, NetGuard just prevents apps from accessing the internet while XPrivacyLua can feed fake data to them, improving your privacy and letting apps use the internet.
Furthermore if you use NetGuard you can't use another VPN, this isn't the case with AFWall+ and Adaway, which don't even trigger safetynet if you use Magisk.

@CHEF-KOCH


commented Apr 3, 2018

SafetyNet gets always triggered as soon as you install Xposed Framework, there is no patch or bypass for this. Because Google Play Store constantly gets updates in order to detect this. Telling people installing yet another program to bypass something which is meant to secure your device is wrong.

I'm aware that XprivacyLua is not the same as NetGuard, but the end result will be the same, you might end up cutting several connections off or you fake the data. The question is why you should install and use Xposed when there is not really any benefit? You achieve already similar things with NetGuard (No need to install AdAway since NetGuard also comes with a HOSTS list). I wonder how you fake your login data in order to e.g. use facebook, right it's not possible. So this layer doesn't provide much.

I'm not sure if the advice to install xprivacy lua is a good one, especially because there are more negative side-effects, as said, rather than it helps, especially because the normal user doesn't even know what to restrict/fake or do you like to start here a sub-project which explains on each app what is safe to restrict/fake and what not? I doubt that.

That you can't use e.g. another VPN with NetGuard running is partially wrong because you can still use a SOCKS5 proxy (most VPN providers offering support for this like PIA, etc.), so you can theoretically run the rest through the SOCKS5 tunnel. Once that is running you already 'fake' several meta-data already. However, none of those solutions prevent any website to track you because some apps and website still can submit what you clicked, what you liked, comment etc and this is not 'fakable' with XPrivacy LUA and there will never be a tool for this.

AFWall+ also requires root and if you activate the advance module the Xposed framework.

Faking information doesn't prevent:

  • Tracking
  • A connection
  • Attacks in order to gain your data such as login etc.
  • ...

Besides Android 7/8/9 already get more and more abilities (by default) to restrict permissions. So theoretically if you're done with the app you can prevent it from running in the background (works well in Android 8.1).

I'm not sure if it overall makes the difference, there is also no research nor proof if faking application data has any benefit, due mention reason it doesn't fake all kind of things or prevent several mechanism.

@jj-pietro

Author

commented Apr 3, 2018

@CHEF-KOCH

SafetyNet gets always triggered as soon as you install Xposed Framework, there is no patch or bypass for this. Because Google Play Store constantly gets updates in order to detect this.

Your device doesn't become unusable if it doesn't pass safetynet, only few apps use that API, like Android Pay, Pokemon Go, Google Play for the device certification and some other banking related apps.

Telling people installing yet another program to bypass something which is meant to secure your device is wrong.

I hope that if somebody chooses to root their device is expert enough to understand the risks.

I'm aware that XprivacyLua is not the same as NetGuard, but the end result will be the same, you might end up cutting several connections off or you fake the data. The question is why you should install and use Xposed when there is not really any benefit? You achieve already similar things with NetGuard (No need to install AdAway since NetGuard also comes with a HOSTS list). I wonder how you fake your login data in order to e.g. use facebook, right it's not possible. So this layer doesn't provide much.

The end result isn't the same, many apps become unusable without internet access. With XPrivacyLua you can keep (some) of your privacy even with those apps. I mentioned Adaway because it's a good companion for AFWall+

That you can't use e.g. another VPN with NetGuard running is partially wrong because you can still use a SOCKS5 proxy (most VPN providers offering support for this like PIA, etc.), so you can theoretically run the rest through the SOCKS5 tunnel.

A SOCKS5 proxy isn't as secure as a real vpn.

However, none of those solutions prevent any website to track you because some apps and website still can submit what you clicked, what you liked, comment etc and this is not 'fakable' with XPrivacy LUA and there will never be a tool for this.

Well at least they can't record you or read all your notifications and I hope that nobody who values his/her privacy has the Facebook or Instagram apps installed.

AFWall+ also requires root and if you activate the advance module the Xposed framework.

The Xposed module isn't necessary for using AFWall

Faking information doesn't prevent:
Tracking
A connection
Attacks in order to gain your data such as login etc.
...

XprivacyLua can prevent some tracking, connections can be blocked with a good hosts file loaded in adaway or NetGuard and it can even hide login details from apps.

Besides Android 7/8/9 already get more and more abilities (by default) to restrict permissions. So theoretically if you're done with the app you can prevent it from running in the background

An app can detect if you are denying it a permission using AppOps and may refuse to run and you can't block many things using the stock permissions system.

I'm not sure if it overall makes the difference, there is also no research nor proof if faking application data has any benefit, due mention reason it doesn't fake all kind of things or prevent several mechanism.

It has the benefit of not allowing the app to access the real data, for example your messages, your notifications, a specific folder, your accounts etc...
No solution is perfect, but XPrivacyLua increases your privacy on Android by much.

@CHEF-KOCH


commented Apr 3, 2018

  • Installing Xposed or Magisk by itself can be a security risk, this was already million times explained on XDA and other forums since this allows 'bad' modules. We're not talking about the people which are 'expert' enough to identify such apps. We are talking about those who are 'new' to the whole topic, btw I never said anything will become unusable.
  • AdAway is not a 'companion' to AFWall+ nor is it regularly updated, the last two or three updates are provided by the community. The better solution is still NetGuard since it provides everything under one interface -> fewer apps == less battery drain.
  • SOCKS5 is as secure as a real VPN, it's depending on how your provider configured its backend configuration.
  • That a website can't record you is wrong, they do and they can. most sites I'm aware of such as Facebook, Reddit & Co. tracking you real-time by parsing a .json file which forwards the metadata information to a specific domain, XPrivacyLua does not inject this it only inject the things coming from the app itself which is pointless especially when you're logged in into a website with (of course) your account which is again not fakable.
  • The Xposed AFWall+ is necessary in order to provide all functions and in order to close some holes which are caused by several ROM's, maybe do some research why the xposed module was created in the first place.
  • XPrivacyLua can't prevent any tracking, it's there to fake data, it doesn't block any connections, maybe read how it works?!
  • AppOps is not needed in Android 7 or higher versions since this function is natively integrated into Android's API. Since then a lot of things have improved, I suggest again to do some research. You can restrict (as I said) background running behavior, this is not blockable by external apps without root since Android's daemon runs on a higher level in order to prevent to bypass this.

It has the benefit of not allowing the app to access the real data, for example, your messages, your notifications, a specific folder, your accounts etc...
No solution is perfect, but XPrivacyLua increases your privacy on Android by much.

It's (as I said pointless) especially when you login into a page, because only the app gets faked data which is 'helpful' when you send through the app e.g. a bugreport away which shows then your faked data but this does not prevent the site from reading information such as what you liked, when you went online, what you clicked etc.

There is no proof that XPrivacyLua 'secures' anything and I have many doubts because it doesn't prevent any website to obtain several information, this only can be done to block connections to the specific domain/API and not while you manipulate the application data, which only makes sense when an app by itself sends data away as I explained for eg bug reports, crashes etc.

Faking data makes you more unique and you get more attention to you, the better strategy is to get one 'known' ID for everyone. This is the idea behind the tor project - so you say they're wrong or what? Maybe read that making your data more unique ends with the opposite, being less secure and more a target. The goal should be to remove or prevent the data, not to fake them. The logic to fake data to be more secure is wrong, it exposes you more quickly.

All Tor browsers have standardized user agent which helps to make Tor users to be less distinguishable from each other. By changing your user agent periodically, you are making yourself more unique from other Tor users with the standardized user agent.

Don't answer on this unless you have research papers, showing the Tor network and its idea behind to combine one ID for everyone is wrong - whoops, right there is no such research otherwise the entire network would fake infos rather than hiding/deleting it.

@jj-pietro

Author

commented Apr 3, 2018

@CHEF-KOCH

Installing Xposed or Magisk by itself can be a security risk, this was already million times explained on XDA and other forums since this allows 'bad' modules. We're not talking about the people which are 'expert' enough to identify such apps.

You can just refrain from installing any other module and don't allow any su request

AdAway is not a 'companion' to AFWall+ nor is it regularly updated, the last two or three updates are provided by the community. The better solution is still NetGuard since it provides everything under one interface -> fewer apps == less battery drain.

You're right, AFWall and adaway are just an alternative if you want to use a vpn. I never said that NetGuard is inferior.

SOCKS5 is as secure as a real VPN, it's depending on how your provider configured its backend configuration.

Not really. A SOCKS5 proxy provides support for authentications but your data doesn't get encrypted as you can see from this PIA support page: https://www.privateinternetaccess.com/pages/client-support/ "The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.
If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service."

That a website can't record you is wrong, they do and they can. most sites I'm aware of such as Facebook, Reddit & Co. tracking you real-time by parsing a .json file which forwards the metadata information to a specific domain, XPrivacyLua does not inject this it only inject the things coming from the app itself which is pointless especially when you're logged in into a website with (of course) your account which is again not fakable.

XPrivacyLua isn't meant to prevent tracking on the web, for that you should use browser extensions. If you are worried about your data on Facebook and Reddit you should not login and use a script blocking extension.

XPrivacyLua can't prevent any tracking, it's there to fake data, it doesn't block any connections, maybe read how it works?!

If you want to block connections you should use the hosts file, XPrivacyLua can fake the values used to connect your activity to your device and can block some analytics providers. It isn't a substitute to the hosts file or NetGuard though and it isn't meant to be.

AppOps is not needed in Android 7 or higher versions since this function is natively integrated into Android's API. Since then a lot of things have improved, I suggest again to do some research.

I just used the wrong term, my point is still valid; apps can detect if you revoke them a permission and refuse to run. See here: https://developer.android.com/training/permissions/requesting.html "If the user denies a permission request, your app should take appropriate action. For example, your app might show a dialog explaining why it could not perform the user's requested action that needs that permission."
And XPrivacyLua can restrict many more things than the default permissions system.

You can restrict (as I said) background running behavior, this is not blockable by external apps without root since Android's daemon runs on a higher level in order to prevent to bypass this.

Even if you block background activity they can still steal your data while opened.

It's (as I said pointless) especially when you login into a page, because only the app gets faked data which is 'helpful' when you send through the app e.g. a bugreport away which shows then your faked data but this does not prevent the site from reading information such as what you liked, when you went online, what you clicked etc.

This is a whole other issue and nothing can prevent data you voluntarily give to sites from being collected and used.

There is no proof that XPrivacyLua 'secures' anything and I have many doubts because it doesn't prevent any website to obtain several information, this only can be done to block connections to the specific domain/API and not while you manipulate the application data, which only makes sense when an app by itself sends data away as I explained for eg bug reports, crashes etc.

XPrivacyLua wasn't designed to prevent websites from obtaining data, there are other ways to do that. The purpose is avoiding to involuntarily share data like your contacts, messages, photos etc with apps without giving consent.

Faking data makes you more unique and you get more attention to you, the better strategy is to get one 'known' ID for everyone. This is the idea behind the tor project - so you say they're wrong or what? Maybe read that making your data more unique ends with the opposite, being less secure and more a target. The goal should be to remove or prevent the data, not to fake them. The logic to fake data to be more secure is wrong, it exposes you more quickly.

XPrivacyLua uses the same data for all its ~2000 users, this way you are more unidentifiable than by giving away unique identifiers like your IMEI. You can verify this by checking the github repo. If you want you can change that behaviour but you don't have to.
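
On the SOCKS5 point argued in the comments above: the following is an added example, not part of the thread or of any project mentioned in it. It parses a constructed client-to-proxy byte stream following RFC 1928 (SOCKS5) and RFC 1929 (username/password auth) to show which fields the protocol itself sends unencrypted; the sample credentials, host and payload are made up.

```python
import ipaddress
import struct


def build_client_stream(user, password, host, port, payload):
    """Bytes a SOCKS5 client sends to the proxy, in order (constructed sample)."""
    u, p, h = user.encode(), password.encode(), host.encode()
    greeting = bytes([0x05, 0x01, 0x02])                    # VER=5, 1 method: user/pass
    auth = bytes([0x01, len(u)]) + u + bytes([len(p)]) + p  # RFC 1929 sub-negotiation
    request = (bytes([0x05, 0x01, 0x00, 0x03, len(h)]) + h  # CONNECT, ATYP=3 (domain)
               + struct.pack("!H", port))
    return greeting + auth + request + payload


def observe(stream):
    """Fields a passive observer between client and proxy can read from the stream."""
    if len(stream) < 3 or stream[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = stream[1]
    seen = {"methods": list(stream[2:2 + nmethods]),
            "username": None, "password": None}
    pos = 2 + nmethods

    # An RFC 1929 auth message starts with version 0x01; a request starts with 0x05.
    if stream[pos] == 0x01:
        ulen = stream[pos + 1]
        seen["username"] = stream[pos + 2:pos + 2 + ulen].decode()
        pos += 2 + ulen
        plen = stream[pos]
        seen["password"] = stream[pos + 1:pos + 1 + plen].decode()
        pos += 1 + plen

    ver, cmd, _rsv, atyp = stream[pos:pos + 4]
    if ver != 0x05:
        raise ValueError("expected SOCKS5 request")
    pos += 4
    if atyp == 0x03:                                        # domain name, length-prefixed
        alen = stream[pos]
        host = stream[pos + 1:pos + 1 + alen].decode()
        pos += 1 + alen
    elif atyp in (0x01, 0x04):                              # IPv4 / IPv6 literal
        alen = 4 if atyp == 0x01 else 16
        host = str(ipaddress.ip_address(stream[pos:pos + alen]))
        pos += alen
    else:
        raise ValueError("unknown address type")
    (port,) = struct.unpack("!H", stream[pos:pos + 2])
    pos += 2

    seen["command"] = cmd
    seen["destination"] = (host, port)
    # Everything after the request is relayed as-is. It is only protected if the
    # application adds its own encryption (for example TLS); SOCKS5 adds none.
    seen["payload"] = stream[pos:]
    return seen


# Constructed sample: made-up credentials, destination and plaintext HTTP payload.
SAMPLE = build_client_stream(
    "alice", "s3cret", "example.org", 80,
    b"GET /profile HTTP/1.1\r\nHost: example.org\r\n\r\n",
)

if __name__ == "__main__":
    for field, value in observe(SAMPLE).items():
        print(f"{field:12} {value!r}")
```
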

@CHEF-KOCH


commented Apr 4, 2018

You still don't give any proof that faking information prevents any tracking/data 'giveaway' since there is no proof on this 'theory', which means that's already the end of the discussion. Yet you refuse to accept it cause you're a fanboy?! It's like talking against a wall which tries to protect a product behind it - with arguments which clearly shows you didn't understand anything and pick up things from the internet without doing own research or tests or studies based on current findings.

I answer once more your BS in order to debunk some lies.

You can just refrain from installing any other module and don't allow any su request

Xposed triggers several things like SePolicy etc. some module can change this and might add the ability to close holes which are in the first place created by Magisk/Xposed/root. Saying this is secure is wrong cause Sepolicy and other mechanism are not designed to be ever disabled no matter which app. You can't deny su requests for apps which running already on su rights (a real-world example is to restrict via magisk su but allowing adb or insecure bootloader which bypasses this) and a normal user might never know what application is legitimate or not. That's one of the reasons Google Play Store also integrates a scanning app feature cause it's difficult.

Not really. A SOCKS5 proxy provides support for authentications but your data doesn't get encrypted as you can see from this PIA support page: https://www.privateinternetaccess.com/pages/client-support/ "The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.
If you need encryption, please use the Private Internet Application or OpenVPN protocol with our service."

It's depending on the configuration, Socks5 can also leak information same as VPN did, the encryption point is however only valid when you use servers which aren't supporting HTTPS over their tunnel (which is dying soon or later anyway). The only point I see here is that it doesn't protect you against MITM, the rest doesn't matter much for the normal user. Here is an example configuration which shows how to mask your IP behind socks5. The point, however, wasn't about what 'should' be preferred, it was about the thing that NetGuard still allows you to use Socks5 which is not incorrect. I might not even add that a VPN also doesn't protect you from everything as also mentioned in the official NetGuard FAQ page: 'it's doesn't protect you from everything'. Which I totally agree with. Some VPN's btw also offering ad-blocking support native e.g. PIA MACE.

XPrivacyLua isn't meant to prevent tracking on the web, for that you should use browser extensions. If you are worried about your data on Facebook and Reddit you should not login and use a script blocking extension.

Indeed but that destroys your entire argumentation that faking data have a 'privacy' benefit, it's like saying I recommend you to use repair 3 out of 4 wheels when it's obvious that a car needs 4 in order to drive. Pointless right?

If you want to block connections you should use the hosts file, XPrivacyLua can fake the values used to connect your activity to your device and can block some analytics providers. It isn't a substitute to the hosts file or NetGuard though and it isn't meant to be.

Incorrect if you like to block ads on Android do it via DNS over VPN API, no root needed. To workaround that you might still want to connect to a VPN, which is easy, simply configure your router in order to use VPN, so all devices are protected without any tools at all. That not all router supporting it is another thing but it's possible, at least every router allows you to create a VPN tunnel in case you're on the run so you can use your home routers internet in order to been monitored while sitting in McDonalds. Hosts was never really designed to block ads, nor is it efficient because it doesn't work with regular expressions etc. so it ends up with more RAM usage, slower device and thousands of entries instead of one which does the same .*ads.

I just used the wrong term, my point is still valid; apps can detect if you revoke them a permission and refuse to run. See here: https://developer.android.com/training/permissions/requesting.html "If the user denies a permission request, your app should take appropriate action. For example, your app might show a dialog explaining why it could not perform the user's requested action that needs that permission."
And XPrivacyLua can restrict many more things than the default permissions system.

Apps also can detect with the same method if you're behind Xposed, Xposed Lua or other apps. You rekt yourself with your own statement. However, this doesn't work in Android 8 the same way since an app can't invoke SYSTEM anymore because that's blocked and only bypassable with root ... whoops, here we go again.

This is a whole other issue and nothing can prevent data you voluntarily give to sites from being collected and used.

And since you can't prevent it you think XprivacyLua helps, nope it doesn't.

Even if you block background activity they can still steal your data while opened.

How they steal data if the app isn't running. 🤔 If you don't trust the app block it or the better advice, simply don't install it. What does this have to do that XPrivacyLua offers a benefit here, right nothing? If they steal original or faked data you still lose data, as explained you even expose more since you are more unique which makes you a bigger target, not lesser a target. The goal is to avoid or delete this not to agree and give 'fake' data away. It's like running on the battlefield with a Red X on your chest while others are all having same grey uniforms.

XPrivacyLua wasn't designed to prevent websites from obtaining data, there are other ways to do that. The purpose is avoiding to involuntarily share data like your contacts, messages, photos etc with apps without giving consent.

It does not prevent websites from obtaining data. As you said yourself: "This is a whole other issue and nothing can prevent data you voluntarily give to sites from being collected and used.".

XPrivacyLua uses the same data for all its ~2000 users, this way you are more unidentifiable than by giving away unique identifiers like your IMEI. You can verify this by checking the github repo. If you want you can change that behaviour but you don't have to.

"For now I have decided to not implement restrictions that are useful to prevent tracking only. There are simply too many data items that can be used for tracking and it would take too much time to develop restrictions for all these data items.

The basic idea is to restrict only things that 'define' you, so which contacts you have, where you are, which apps you use, etc."

Too many data to monitored by one single developer, right, So it won't cover everything same story with XPrivacy. The program is limited by itself via the Android API which means it doesn't cover any data which are outside this official api, especially malware programs not often use 'their standards' in order to bypass certain things. XprivacyLua also doesn't cover this fact.

The developer itself mention limitations in his FAQ

Revoking internet permission will result in apps crashing and faking offline state doesn't prevent apps from accessing the internet. Therefore internet restriction cannot properly be implemented. You are advised to use a firewall app to control internet access, for example NetGuard.

If you still want to fake offline state, you can download the hook definition NetworkInfo.createFromParcel from the hook definition repository using the pro companion app.

MAC addresses are not available anymore on supported Android versions. Some manufacturers made an exception for this and to fix this you can download the hook definitions BluetoothAdapter.getAddress, WifiInfo.getMacAddress and NetworkInterface.getHardwareAddress from the hook definition repository using the pro companion app.

Overall spoken a lot of things are missing, none functional or restricted by Android's API limitation. He also mentions it with a warning.

"Apps with root permissions can do whatever they like, so they can circumvent any restriction. So, be careful which apps you grant root permissions. There is no support on restricting apps with root access."

That everyone gets same data which uses XPrivacyLUA is also a con not a pro, since this can be used to flag all users so an attacker can build a strategy in order to bypass its 'functions'.

I summarize:

  • You want to use people rooting their device (warranty lost) in order to install a Framework which allows holes into your OS cause it triggers SEPolicy etc in order to install an Module which doesn't detect all app things or fake really everything.
  • Recommend XprivacyLua even if there alternatives are available which don't need root, also ignoring the fact that the XprivacyLua developer warns us that there is no support for rooted apps.
  • You seriously want people using the module because (2000 ... let's say 10k people have same ID) vs how many million others? Since MAC can't be spoofed you still are not less unique anyway even if you fake things like Browser referer etc. I already gave an example that in real-world it's not helpful, you refuse to accept the valid tracking point. While writing this on GitHub I expose myself to them, how does XPrivacyLUA help here? Right, it can't, ah right I can just stop using any service - GENIUS advice.
  • You want to combine this with AFWall+, AdAway possible other apps in order to workaround giving away data. How many people you think are going to do that? 10k vs 100 mio. you won nothing with this strat cause it's not a reliable strategy and not even works for everyone, every device etc.
  • XPrivacyLUA doesn't offer any layer of security, this is also mentioned in the FAQ, see the section what it can and can't restrict or change.
  • XPrivacyLUA requires an unstable framework which is not even in a final version (yet) for Android 8.x users. In the past, even stable versions had their problems, cause it's a critical system change you allow on your OS. I see this as critical and more for a small group of users.
  • Android's own permission system also already has the ability to stop background apps or disallow internet per-app basis for Wifi/mobile but you recommend instead of stopping it - to fake it. And you ignore the fact that background running apps are still draining more battery, the better strat here is again to prevent and stop it rather than allow and fake it.
  • There is no evidence or proof from the developer that this helps against tracking or against someone which want to expose you or get your data, cause if the data are faked or real doesn't matter at the end due the fact that you're more unique faking this. I explained it well with the soldier's argument which even ends up flagging a specific group (similar to VPN <-> Netflix).
  • The original developer already warns that this solution, is same like NetGuard etc, not an 'ultimate' tool but you ignore that by arguing that this offers something.

Bring proof that faking information stop tracking or that it doesn't expose you, you simply can't. I pay 1000$ if you can because you would be first ever, Tor would also like to know otherwise everyone on earth was wrong and instead of using a firewall we simply could fake everything ... you're delusional my friend.

@jj-pietro

Author

commented Apr 4, 2018

@CHEF-KOCH I don't really have time to reply to all this. If you think we're putting users at risk just open another issue asking for the removal of XPrivacyLua from the suggested tools.

@jj-pietro jj-pietro closed this Apr 8, 2018

@Namnodorel


commented Apr 8, 2018

First things first, a correction I'd like to see on privacytools.io: XPrivacyLua DOES NOT require Root to work, or Magisk for that matter. That is just the most common way of getting it. But XPL itself only requires the Xposed framework, which can be installed standalone from the recovery without root.

Before you say anything: This still voids your warranty, because it is not Root access that makes it void but unlocking the Bootloader, which you need to do in order to install Xposed. And yes, it still breaks SafetyNet (which is by the way NOT meant to secure your device, it is meant to secure the data/integrity of companies like Netflix). But that can be fixed on a lot of cases by using microG - with its implementation of SafetyNet, phones with Xposed up and running have passed the test, and with a little luck, yours will too.

About Root being a security issue: Not really, just like Xposed. But like anything powerful, it is a two-edged blade, and if you're dumb enough to cut yourself with it, then that's on you. If you really want to make it "safe for average users", I'm sure it wouldn't be a big problem to create a version of the Xposed Manager App that only lets you enable XPrivacyLua and nothing else - problem solved.

> You seriously want people using the module because (2000 ... let's say 10k people have same ID) vs how many million others? Since MAC can't be spoofed you still are not less unique anyway even if you fake things like Browser referer etc. I already gave an example that in real-world it's not helpful, you refuse to accept the valid tracking point.

You are confused about how this works. It's either I share a unique ID with 2000 people that use XPL, or I share it...wait for it...not with millions, not with thousands...not even with hundreds...with nobody! And, as addressed many times before in the XPL thread, the MAC address can't be accessed by apps in recent versions of Android. Yes, there are more identifiers that XPL doesn't cover. But it does cover the most important ones. Most apps that use tracking only use those, since they're usually all that is required to identify a user. Besides, the majority of all apps doesn't even use any tracking itself, but instead relies on libraries that do it for them, of which - surprise, surprise! - XPrivacyLua can disable the most used ones.

> Recommend XprivacyLua even if there alternatives are available which don't need root, also ignoring the fact that the XprivacyLua developer warns us that there is no support for rooted apps.

There are no alternatives available that can do the same thing, much less without root. The default Android permissions don't nearly cover everything, and all apps expect them and are able to react to being denied those permissions.

> Apps also can detect with the same method if you're behind Xposed, Xposed Lua or other apps.
>
> That everyone gets same data which uses XPrivacyLUA is also a con not a pro, since this can be used to flag all users so an attacker can build a strategy in order to bypass its 'functions'.

No, definitely not with the same method. Apps can technically detect whether they are being restricted by XPrivacyLua - but none I know of do, because the portion of users using XPrivacyLua is insignificant to them. And if some app really starts to block features because of this: Too bad, soon there'll be additional hooks bypassing that. App developers can't fight Xposed because Xposed has full control over the app. To use a metaphor, they can try to hide in a castle, but Xposed can simply make that castle disappear. They can only try to make it a little harder.

> it's like saying I recommend you to use repair 3 out of 4 wheels when it's obvious that a car needs 4 in order to drive. Pointless right?

Nope, not at all. Because I got other tools that are able to cover the 4th wheel. If you want a solution that protects 100% of your privacy, the only possible way to do that is to destroy your phone and every digital device you own. You always have to use multiple tools that each cover their own part. And if you really want XPrivacyLua to be the lord and savior of your privacy, go ahead and write some custom hooks! That way you can actually cover everything...

> The program is limited by itself via the Android API which means it doesn't cover any data which are outside this official api, especially malware programs not often use 'their standards' in order to bypass certain things.

True, but again, XPrivacyLua doesn't have to cover everything in order to be useful. And what is also noteworthy: Google will remove these alternative pathways in future Android versions. So it's just a matter of time until this argument becomes irrelevant.

> You still don't give any proof that faking information prevents any tracking/data 'giveaway' since there is no proof on this 'theory', which means that's already the end of the discussion.

Let me think about this... You're saying there is no proof that when I restrict the contacts an app has access to my privacy is valued more than when I just let it access everything? I don't see what you don't understand about this - information we don't give an app can't be abused by it, and that XPrivacyLua does feed fake values instead of the real ones is 100% proven.

You also talk about some things about battery usage, background processes and network access that have nothing to do at all with what XPrivacyLua does so I'm not going to write anything about that.

@CHEF-KOCH

commented Apr 8, 2018

  • You need to root your device in order to obtain the ability to inject or hook something into the system in order to fake/manipulate something. It doesn't matter if the module doesn't need it itself, because the upper layer is Xposed, which requires a rooted device. Your argumentation that the module doesn't need root by itself is correct; on the matter, however, it's wrong since, as I said, the upper layer definitely needs root.
  • It doesn't matter if you need to unlock the bootloader first or if you found another trick to obtain it, the warranty will be void. If you found a solution for this, let me/us know. That would be real news and a breakthrough on this matter here.
  • MicroG is another topic, you btw can't fix spying with it, I say this because it doesn't solve all problems and it creates new ones which are not fixable due to design reasons or because it requires Google APIs. Most people give a shit about microg, let me say this clearly. Google will block it, sooner or later, once they see it as a 'threat'.
  • Rooting the device is a security problem, changing sepolicy is also problematic, it's like saying I disable UAC on Windows because I know everything at all times. That's not realistic for 99% of all people. The reason why root is disabled is exactly due to security reasons. If you think that's incorrect then you definitely know more than Google, chainfire and other people.
  • If it shares the ID with one, 2000 or 1 million people, attackers still identify these data because they're the same across multiple devices. We do not need to talk about it because that's not fixable.
  • XprivacyLUA also doesn't cover everything, so to recommend a 'solution' which tries to fix Android's problem is incredibly stupid. You try to fix a weak system with another weak module, that will never work, and proven with the entire AV industry argumentation.
  • Spreading misinformation that XPL can't be compromised is wrong, there is no research on this. Since the module is pretty young, there is no code audit nor evidence that this module can't be compromised. An attacker will watch and use the source code against you. Period.
  • No one said 100% privacy is the goal, the point is that XPL does not and never will fix all the critical holes. Faking data is only one argument, there are more aspects. Installing 100 apps, modules etc is not recommended or smart.
  • I never said something that XPL is not useful, I said I see it as pointless, due the fact that it doesn't cover all aspects or my argumentations. This is tbh not incorrect.
  • There is no evidence that faking data doesn't prevent e.g. the application to transmit it directly, since XPL isn't a firewall or adblocking mechanism it's worthless if the data have a faked header or faked IMEI, the data by itself are still being transmitted.
  • Battery usage has something to do with privacy etc. There are some APIs which get access to certain functions in order to reveal additional information which might expose you. This is also not covered by XPL; a real-world example is to open your browser, which allows the Battery or geolocation API (mostly via JavaScript), which exposes how many battery % you have left or what your true location is. Injecting the data in order to fake this is, based on XPL's source code, at this point not possible. And I did a test on ipleak which still showed or exposed the things even behind a VPN. That, however, could theoretically be improved, but I have several doubts that this will work on all browsers without downsides; some things are isolated, the infection might trigger security mechanisms or crash the browsers. The battery example is important because an attacker could e.g. use your wifi/battery indicators against you, which means it only activates the malware when you're on wifi or xyz % battery usage.

It seems you defend a product while ignoring the simple fact that the XPL integrated mechanisms are too weak to get my recommendation, and because it can't protect you against simple leakages I see no point to bring this to our attention.

That there is also no additional protection is semi-true since there is no evidence given that XPL holds its promises. If you have research or an audit or POC let me know. My real world example with Reddit stands: log into Reddit, get tracked like your mouse position, what you liked etc.; this can't be faked with any module and this is not incorrect. So you can fake the application by itself (pointless) but not the services which are being used to expose you, and there will probably be no real solution for this except to block the stuff via an adblocker which tries to monitor you (which also is not perfect).

> Let me think about this... You're saying there is no proof that when I restrict the contacts an app has access to my privacy is valued more than when I just let it access everything? I don't see what you don't understand about this - information we don't give an app can't be abused by it, and that XPrivacyLua does feed fake values instead of the real ones is 100% proven.

I never said at any point that giving up on this is 'better', I said that XPL is not a security manager or an app which helps on the matter. You can fake application data all day long; when you log into a website you're lost, this is a fact. It doesn't matter if the application itself sends data or not, you can block it with the firewall and that's it, no need for any application for this, this is provided by Android's own mechanism. The issue you do not understand is that once I started the app and I log into its service you can't fake its tracking which is designed to expose you. There is some little benefit on your app/argumentation, e.g. when apps are in the background, sending statistics etc away without your knowledge, I do agree; however the time you log in or re-log into the website you expose yourself again and then it doesn't matter if you faked all other data before because the service then knows you might fake data or build strategies in order to defeat this.

Nothing on your comments here is proven, please give me research paper, it's my word (tor/chrome) research against yours.

Snake oil is strong these days.. I know. 👎

@Namnodorel

commented Apr 8, 2018

> XPL is not a security manager or an app which helps on the matter.

I agree 100%. Because it isn't intended to. You're talking again and again about an attacker exploiting stuff, but that is simply not what XPL tries to protect you against. Assuming that XPL will do anything for your or your device's security is wrong, because it doesn't even try to.

> the upper layer definitely needs root.

Please read my text again. I didn't say the app itself doesn't need root therefore nothing needed root (although it is also true that XPL itself doesn't need root). XPL only requires Xposed. And Xposed does ALSO not. require. root. (mind = blown... right? Nah, not really). What Xposed requires is the ability to flash ZIPs aka modify the /system partition. That is NOT root, that is an unlocked bootloader. Root means that there are binaries placed in /system that allow apps to access the su-command during runtime. Xposed does not need that. Xposed only needs to replace binaries once, and that's it. It doesn't access su to work. You can have an unrooted phone with Xposed. It will still usually break SafetyNet, but it won't be rooted. Do you have a modded Android? If not, I suggest you to try it or at least read some articles/tutorials on the internet about it. That'll give you a better idea what a locked/unlocked Bootloader, Root, and Xposed is and what relation they have to each other.

> MicroG is another topic, you btw can't fix spying with it

I never said you could fix spying with it. Just that it allows you to bypass SafetyNet even with Xposed.

> The reason why root is disabled is exactly due to security reasons.

Yes and no. It is due to security reasons, but much more because the average user can't be trusted with that much power over their own system. I mean, you can literally delete your phone's system files with root while it's running. You don't want a user thinking "Oh, what are all these weird files on my phone? I didn't put them there, so I don't need them! Let's just delete it all!"

> XprivacyLUA also doesn't cover everything, so to recommend a 'solution' which tries to fix Android's problem is incredibly stupid. You try to fix a weak system with another weak module, that will never work, and proven with the entire AV industry argumentation.

IMO, Android is stronger in this regard than many other systems simply by having a permissions manager in place. On Windows, Linux or really any Desktop OS, when you run an application, you give it access to all your user data without any further restrictions. You have to trust the binary, which in many cases you can't. Buut that's a discussion for another day.

> Spreading misinformation that XPL can't be compromised is wrong

I never said it can't be compromised. But again, you appear to have a different attack model.

> never said something that XPL is not useful, I said I see it as pointless, due the fact that it doesn't cover all aspects or my argumentations.

So for you it's all or nothing? You do you, but I'd rather have most of the data and sensors on my phone private than none of them.

> There is no evidence that faking data doesn't prevent e.g. the application to transmit it directly

How would an application transmit information directly that it doesn't have? This may be true for network-related information, but if I deny an application access to my contacts, no amount of network requests will change that.

Your example for Reddit although true does not make sense because, yet again, that is not what XPL is for. Especially with info like upvotes, which is completely ridiculous because you are giving that information to them on purpose.

> you can't fake its tracking which is designed to expose you. There is some little benefit on your app/argumentation, e.g. when apps are in the background, sending statistics etc away without your knowledge

Yes I can. Do you know what Fabric is? In case you don't, it's a very popular library you can include in any app for free that is meant solely for tracking. It starts with crash reports, but goes on to notify the developer of the app about your system specifics, exactly what things you did in the app (even if the app's purpose itself is completely offline) down to every click, scroll or swipe you do to build heatmaps. And XPL can completely disable all of its functionalities. There are also numerous apps/games that look harmless at first, but then while you're playing start recording with your mic without you noticing and sending that data to their servers. XPL can protect against that. So what it protects against is certainly not a niche. And that is the kind of attacker XPL wants to help against. Not people who want your IP address, not people who want to exploit your phone and gain unwanted root access.

> It seems you defend a product while ignoring the simple fact that the XPL integrated mechanisms are too weak to get my recommendation, and because it can't protect you against simple leakages I see no point to bring this to our attention.

Well, it seems to me that you are, after numerous explanations, still refusing to accept what the scope and intention of XPrivacyLua is and judge it for not doing things you want it to do. I personally don't need a research paper for seeing that it works, it's not some blind faith I have. But if you really need one to trust that your privacy is being protected better than before, nobody will stop you to fund someone to do the research.

@CHEF-KOCH

commented Apr 8, 2018

I think you defend something which is not worth getting any more attention, you now decide to go the same bitch way like M66B, which doesn't even have the guts to answer on his own topics/app, hell not even allowed issue tickets, instead we need to talk about this in the wrong place.

It's pointless to me to discuss something which doesn't offer any benefit overall and that's the reason why this issue ticket is already closed.

I think the rest of your text is just to defend pointless argumentations, without proper context or whitepapers. There is also no scope of using a Module which needs root (no matter how you like to call it) nor you are able to understand that it doesn't cover important things like MAC address. It's pointless to fake your IP or other things when your MAC address gets exposed (while e.g. using IPv6) which also can't be faked (as for now).

XprivacyLua is a worthless try to 'secure' Android claiming that one developer can do it better than hundreds of Android developers. I not even mention that Marcel needs other people to defend his product. So I have serious doubts about 'research' background when it comes to security (which this is all about 'security manager').

You know what AV industry did over last 20 years, same as you right now. Claiming it 'secures' something but it simply is not true. It offers only some kind of attack surface reduction but it also allows other problems/holes. Root itself is one of its problems, another app can manipulate or change its behavior. This is definitely not covered in his current code and never will be because it's not possible.

If you're arrogant enough to say you need no research/audit in order to prove your words then I highly recommend to not work on any 'security' products, that's not how things work, the fact you and Marcel and the community can't handle criticism on a professional level shows that people should stay away from this developer, all his products, and such a toxic community.

Refusing valid argument by finding excuses or pretend it's not true without anything is seriously the wrong way. This entire thread + XDA shows only that you can't fight the FUD and it only results in a waste of (my) lifetime which is not worth.

Bring proper code audits, research whitepapers or anything which is not from you or someone which is not involved in this matter, otherwise, you get no credibility here. The VeraCrypt/TrueCrypt developer did prove that their software is worth my recommendation, because there is a code audit and research + an independent point of view, XPL current (?) can't provide this, instead people starting to bitch fight about a FUD argument that it provides a 'protection' which is not true unless you show me, which you still haven't you write useless so-called arguments to look better now, ignoring all the facts I said before.

I think everyone else is just FUD from you or the developer, it was the right decision to close this issue ticket.

Some actual research (for no ignorant people):

M66B lost all credibility by lying straight into my face. The proof is here.
His argumentation that he doesn't need any research or research papers is also suspicious, I haven't heard from any 'expert' that they don't do research otherwise how else you know what is possible and what not?

At some point I'm glad I destroyed his FUD & BS, he and XDA is spreading that this app is a 'privacy manager' (which is to fool people, maybe even steal money from them). I hope other people are not stupid to support him or to install the app cause there is no reason anymore after such strange lies and nonsense talk that this offers some kind of 'protection'. It only reduces attack surface, not more and not less. Point is exactly here -> .

Thanks for the drama.

PS:
@privacytoolsIO Please lock this useless 'I defend x product' discussion. Thanks.

@Namnodorel

commented Apr 8, 2018

> doesn't even have the guts to answer on his own topics/app

he did, you stopped responding

> not even allowed issue tickets

for unrelated reasons you never asked about

> XprivacyLua is a worthless try to 'secure' Android

It doesn't try or want to. Why do you not understand this?

> If you're arrogant enough to say you need no research/audit in order to prove your words

The little word "personally" is very crucial here.

> toxic community

you are the only one who's been insulting and, as you call it "bitching". Marcel was cooperative and friendly the whole time and I tried my best to do so as well.

> M66B lost all credibility by lying straight into my face.

So your first thing to assume is that somebody is lying to you? Odds are it was either some kind of bug, or that he misunderstood something about the UI. But sure, it is definitely a lie against you, because it is absolutely in his interest to lie to you about something completely insignificant like that (that was sarcasm btw).

You don't wanna trust something that isn't backed up by whitepapers? Fine. But your whole text has proven to me that you have not understood anything about what XPrivacyLua is, what it is intended for and literally everything I've been trying to explain to you this whole time. I conclude that you are unwilling to listen or even think about anything that I said or will say and any further discussion is thus pointless. If you don't mind, I'm going down a waterslide now.

@jj-pietro

Author

commented Apr 9, 2018

> It's pointless to me to discuss something which doesn't offer any benefit overall and that's the reason why this issue ticket is already closed.

There seems to be some misunderstanding here, I closed the issue only because XPrivacyLua has already been added to the site.

@Primokorn

commented Apr 9, 2018

Seriously, why don't you want to understand that it does NOT require root...

capture

EDIT:

> Requirements: Magisk

False!

@CHEF-KOCH

commented Apr 9, 2018

What do you not understand that the xposed framework can't hook something without root access? Stupidness in this thread is damn high. Xposed does need a rooted device after all. You can also use magisk if you want (it's possible to go the magisk way) (just saying). But via Xposed (installation process) is the one which is preferred by (I assume) most people. You also can flash it via TWRP, sadly it doesn't change something at the unlocked bootloader/root argumentation anyway.

> There seems to be some misunderstanding here, I closed the issue only because XPrivacyLua has already been added to the site.

Okay, I simply didn't see (cause 'is:pr is:closed xprivacy' returns 0 entries + the merge title wasn't probably labeled) that this was already merged with a pull request. However we should consider to remove it or give clear warnings about xposed and its downsides. I think it simply should be stated that you lose warranty, need root in order to get the framework and all its functions working etc. Which is currently not stated (in the original pull request). There are also justified suspicion and doubts about efficiency of such 'apps', and the developer doesn't prove anything or give a guide how to use it which is pointless especially for beginners, besides you need a pro version to 'unlock' its full potential.

I think the section and entire category needs to be re-written in order to correct several things.

@Namnodorel

commented Apr 9, 2018

I'm not going to comment on your Root bs anymore. But I do agree that the current entry should be changed. The dependency on Magisk note should be removed, as well as the note on Root. What does make sense would be something like "The following add-ons require not completely stable software which has a chance of breaking your device. Proceed with caution and make use of backups!"

In fact I believe that the description undersells XPL by a bit, since yes, it does solve the mentioned problem of malfunctions, but it actually provides more restrictions than Android has to offer by default (some of which can be crucial for privacy-aware users). But I guess the current description is fine as well, if it catches the reader's attention they will look into the details and learn more about the project themselves.

@Primokorn

commented Apr 10, 2018

@CHEF-KOCH Neither Xposed nor XPrivacyLua has root access on my device and yet, XPrivacyLua works flawlessly. How do you explain that?

> I think it simply should be stated that you lose warranty, need root in order to get the framework and all its functions working etc.

Unlocking the bootloader doesn't always void the warranty. It depends on your local laws and the manufacturers.

@CHEF-KOCH

commented May 12, 2018

1.) It's not BS that the boot loader needs to be unlocked, or how else you flash the Xposed framework without access to it? So you can call it what you want you need low-level access which voids your warranty. Security wise also a nightmare since your phone is widely open then, especially if you can flash unsigned files. Recommending this for one module is more than questionable. The upper layer xposed module would require root to hook into system apps, otherwise it would have no access. This is currently 'due stability' reasons not implemented.
2.) Safetynet / Google Play Store already detects Xposed Framework.
3.) The entire module should be removed it's marketing Gag and nothing but this.
4.) XPrivacyLUA doesn't solve the problem that Google Play Store, some AV companies etc detect Xposed or the module itself. It's also questionable if a simple Package.name check to detect the module not bypasses the function. LuckyPatcher gets same way detected, they tried to hide it by rotating the name, which is pointless since the new name gets submitted into the cloud each device scan, you only can disable a security mechanism in order to prevent this (also questionable). It was never tested, there is also no serious test from the developer. Faking GPS on encrypted network is also not possible (tested by myself). Another thing is that other modules can disable other apps/modules, a PoC is here.

In general spoofing data is not a good idea, as shown on my research project, maybe the developer should read some of the documents. But I forgot he said in his own XDA Thread that 'he does not need any research'. I never heard someone in security topics been that arrogant to say he not needs research. It's again marketing here and this is like AV products - snake oil and nothing but this.

I could make a video demonstration that GPS/MAC spoofing doesn't prevent shit especially not behind encrypted connections (which can't be intercept/MITM to fake something) but it's my time I waste with this and why should I do the work while he gets the money for his false marketing claims.

@liudongmiao

commented May 13, 2018

@CHEF-KOCH You mention it as

> Another thing is that other modules can disable other apps/modules, a PoC is here.

Actually, it's not other modules. It's apps.

It's simple like this, xposed-art, xposedbridge, xposed modules, and the app-to-hook are in the same process, that's dalvikvm.

XposedBridge inject it into dalvikvm (art) by some hooks, and app-to-hook can also replace the hooks. And it's the base of XposedBridge native part, the only if xposed-art put the hooks to otp or so, otherwise, it can anti-hook. I won't show the source code, and, actually it's very easy for native hook developers.
