Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
Suggestion: mention XPrivacyLua #399
XPrivacyLua is an Android open source xposed module which blocks access to personal data by feeding fake data to apps instead of revoking permissons, I think it should be added to the "worth mentioning" section of "Mobile Operating Systems".
This is in line with the #338. The plugin seems great though, I can't understand how it's done, but I am a fan of security by obfuscation.
The problem here is that XLUA needs root, or in other words, the Xposed framework installed, this triggers Google Play Store and it's SafetyNET check. Currently, there is no workaround to bypass this, even if it takes only some small changes in order to re-detect this.
NetGuard should be preferred from all mentioned solutions cause it simply works with Android's native VPN API which doesn't need you to root your device and works for everyone without triggering security mechanism by Google.
@CHEF-KOCH XPrivacyLua and NetGuard are very different things, NetGuard just prevents apps from accessing the internet while XPrivacyLua can feed fake data to them, improving your privacy and letting apps use the internet.
SafetyNet gets always triggered as soon you install Xposed Framework, there is no patch or bypass for this. Because Google Play Store constantly gets updates in order to detect this. Telling people installing yet another program to bypass something which is meant to secure your device is wrong.
I'm aware that XprivacyLua is not the same as NetGuard, but the end result will be the same, you might end up cutting several connections of or you fake the data. The question is why you should install and use Xposed when there is not really any benefit? You archive already similar things with NetGuard (No need to install AdAway since NetGuard also comes with a HOSTS list). I wonder how you fake your login data in order to e.g. use facebook, right it's not possible. So this layer doesn't provide much.
I'm not sure if the advice to install xprivacy lua is a good one, especially because there more negative side-effects, as said, rather than it helps, especially because the normal user don't even know what to restrict/fake or do you like to start here a sub-project which explains on each app what is safe to restrict/fake and what not? I doubt that.
That you can't use e.g. another VPN with NetGuard running is partially wrong because you can still use a SOCKS5 proxy (most VPN providers offering support for this like PIA,etc). so you can theoretically run the rest through the SOCKS5 tunnel. Once that is running you already 'fake' several meta-data already. However, none of those solutions prevent any website to track you because some apps and website still can submit what you clicked, what you liked, comment etc and this is not 'fakable' with XPrivacy LUA and there will never be a tool for this.
AFWall+ also requires root and if you activate the advance module the Xposed framework.
Faking information doesn't prevent:
Besides Android 7/8/9 already get more and more abilities (by default) to restrict permissions. So thereotically if you're done with the app you can prevent it from running in the background (works well in Android 8.1).
I'm not sure if it overall makes the difference, there is also no research nor proof if faking application data has any benefit, due mention reason it doesn't fake all kind of things or prevent several mechanism.
Your device doesn't become unusable if it doesn't pass safetynet, only few apps use that API, like Android Pay, Pokemon Go, Google Play for the device certification and some other banking related apps.
I hope that if somebody chooses to root their device is expert enough to understand the risks.
The end result isn't the same, many apps become unusable without internet access. With XPrivacyLua you can keep (some) of your privacy even with those apps. I mentioned Adaway because it's a good companion for AFWall+
A SOCKS5 proxy isn't as secure as a real vpn.
Well at least they can't record you or read all your notifications and I hope that nobody who values his/her privacy has the Facebook or Instagram apps installed.
The Xposed module isn't necessary for using AFWall
XprivacyLua can prevent some tracking, connections can be blocked with a good hosts file loaded in adaway or NetGuard and it can even hide login details from apps.
An app can detect if you are denying it a permission using AppOps and may refuse to run and you can't block many things using the stock permissions system.
It has the benefit of not allowing the app to access the real data, for example your messages, your notifications, a specific folder, your accounts etc...
It's (as I said pointless) especially when you login into a page, because only the app gets faked data which is 'helpful' when you send through the app e.g. a bugreport away which shows then your faked data but this does not prevent the site from reading information such as what you liked, when you went online, what you clicked etc.
There is no proof that XPrivacyLua 'secures' anything and I have many doubts because it doesn't prevent any website to obtain several information, this only can be done to block connections to the specific domain/API and not while you manipulate the application data, which only makes sense when an app by itself sends data away as I explained for eg bug reports, crashes etc.
Faking data makes you more unique and you get more attention to you, the better strategy is to get one 'known' ID for everyone. This is the idea behind the tor project - so you say they're wrong or what? Maybe read that making your data more unique ends with the opposite, been less secure and more a target. The goal should be to remove or prevent the data, not to fake them. The logic to fake data to be more secure is wrong, it exposes you more quickly.
Don't answer on this unless you have research papers, showing the Tor network and it's idea behind to combine one ID for everyone is wrong - whops, right there is no such research otherwise the entire network would fake infos rather than hiding/deleting it.
You can just refrain from installing any other module and don't allow any su request
You're right, AFWall and adaway are just an alternative if you want to use a vpn. I never said that NetGuard is inferior.
Not really. A SOCKS5 proxy provides support for authentications but your data doesn't get encrypted as you can see from this PIA support page: https://www.privateinternetaccess.com/pages/client-support/ "The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one's IP address, censorship circumvention, and geolocation.
XPrivacyLua isn't meant to prevent tracking on the web, for that you should use browser extensions. If you are worried about your data on Facebook and Reddit you should not login and use a script blocking extension.
If you want to block connections you should use the hosts file, XPrivacyLua can fake the values used to connect your activity to your device and can block some analytics providers. It isn't a substitute to the hosts file or NetGuard thought and it isn't meant to be.
I just used the wrong term, my point is still valid; apps can detect if you revoke them a permission and refuse to run. See here: https://developer.android.com/training/permissions/requesting.html "If the user denies a permission request, your app should take appropriate action. For example, your app might show a dialog explaining why it could not perform the user's requested action that needs that permission."
Even if you block background activity they can still steal your data while opened.
This is a whole other issue and nothing can prevent data you voluntary give to sites from being collected and used.
XPrivacyLua wasn't designed to prevent websites from obtaining data, there are other ways to do that. The purpose is avoiding to involuntary share data like your contacts, messages, photos etc with apps without giving consent.
XPrivacyLua uses the same data for all its ~2000 users, this way you are more unidentifiable than by giving away unique identifiers like your IMEI. You can verify this by checking the github repo. If you want you can change that behaviour but you don't have to.
You still don't give any proof that faking information prevents any tracking/data 'giveaway' since there is no proof on this 'theory', which means that's already the end of the discussion. Yet you refuse to accept it cause you're a fanboy?! It's like talking against a wall which tries to protect a product behind it - with arguments which clearly shows you didn't understand anything and pick up things from the internet without doing own research or tests or studies based on current findings.
I answer once more your BS in order to debunk some lies.
Xposed triggers several things like SePolicy etc. some module can change this and might add the ability to close holes which are in the first place created by Magisk/Xposed/root. Saying this is secure is wrong cause Sepolicy and other mechanism are not designed to be ever disabled no matter which app. You can't deny su requests for apps which running already on su rights (a real-world example is to restrict via magisk su but allowing adb or insecure bootloader which bypasses this) and a normal user might never know what application is legitimate or not. That's one of the reasons Google Play Store also integrates a scanning app feature cause it's difficult.
It's depending on the configuration, Socks5 can also leak information same as VPN did, the encryption point is however only valid when you use servers which aren't supporting HTTPS over their tunnel (which is dying soon or later anyway). The only point I see here is that it doesn't protect you against MITM, the rest doesn't matter much for the normal user. Here is an example configuration which shows how to mask your IP behind socks5. The point, however, wasn't about what 'should' be preferred, it was about the thing that NetGuard still allows you to use Socks5 which is not incorrect. I might not even add that a VPN also doesn't protect you from everything as also mentioned in the official NetGuard FAQ page: 'it's doesn't protect you from everything'. Which I totally agree with. Some VPN's btw also offering ad-blocking support native e.g. PIA MACE.
Indeed but that destroys your entire argumentation that faking data have a 'privacy' benefit, it's like saying I recommend you to use repair 3 out of 4 wheels when it's obvious that a car needs 4 in order to drive. Pointless right?
Incorrect if you like to block ads on Android do it via DNS over VPN API, no root needed. To workaround that you might still want to connect to a VPN, which is easy, simply configure your router in order to use VPN, so all devices are protected without any tools at all. That not all router supporting it is another thing but it's possible, at least every router allows you to create a VPN tunnel in case you're on the run so you can use your home routers internet in order to been monitored while sitting in McDonalds. Hosts was never really designed to block ads, nor is it efficient because it doesn't work with regular expressions etc. so it ends up with more RAM usage, slower device and thousands of entries instead of one which does the same .*ads.
Apps also can detect with the same method if you're behind Xposed, Xposed Lua or other apps. You rekt yourself with your own statement. However, this doesn't work in Android 8 the same way since an app can't invoke SYSTEM anymore because that's blocked and only bypassable with root ... whoops, here we go again.
And since you can't prevent it you think XprivacyLua helps, nope it doesn't.
How they steal data if the app isn't running.
It does not prevent websites from obtaining data. As you said yourself: "This is a whole other issue and nothing can prevent data you voluntary give to sites from being collected and used.".
"For now I have decided to not implement restrictions that are useful to prevent tracking only. There are simply too many data items that can be used for tracking and it would take too much time to develop restrictions for all these data items.
The basic idea is to restrict only things that 'define' you, so which contacts you have, where you are, which apps you use, etc."
Too many data to monitored by one single developer, right, So it won't cover everything same story with XPrivacy. The program is limited by itself via the Android API which means it doesn't cover any data which are outside this official api, especially malware programs not often use 'their standards' in order to bypass certain things. XprivacyLua also doesn't cover this fact.
The developer itself mention limitations in his FAQ
Overall spoken a lot of things are missing, none functional or restricted by Android's API limitation. He also mentions it with a warning.
"Apps with root permissions can do whatever they like, so they can circumvent any restriction. So, be careful which apps you grant root permissions. There is no support on restricting apps with root access."
That everyone gets same data which uses XPrivacyLUA is also a con not a pro, since this can be used to flag all users so an attacker can build a strategy in order to bypass it's 'functions'.
Bring proof that faking information stop tracking or that it doesn't expose you, you simply can't. I pay 1000$ if you can because you would be first ever, Tor would also like to know otherwise everyone on earth was wrong and instead of using a firewall we simply could fake everything ... you're delusional my friend.
First things first, a correction I'd like to see on privacytools.io: XPrivacyLua DOES NOT require Root to work, or Magisk for that matter. That is just the most common way of getting it. But XPL itself only requires the Xposed framework, which can be installed standalone from the recovery without root.
Before you say anything: This still voids your warranty, because it is not Root access that makes it void but unlocking the Bootloader, which you need to do in order to install Xposed. And yes, it still breaks SafetyNet (which is by the way NOT meant to secure your device, it is meant to secure the data/integrity of companies like Netflix). But that can be fixed on a lot of cases by using microG - with its implementation of SafetyNet, phones with Xposed up and running have passed the test, and with a little luck, yours will too.
About Root being a security issue: Not really, just like Xposed. But like anything powerful, it is a two-edged blade, and if you're dumb enough to cut yourself with it, then that's on you. If you really want to make it "safe for average users", I'm sure it wouldn't be a big problem to create a version of the Xposed Manager App that only lets you enable XPrivacyLua and nothing else - problem solved.
You are confused about how this works. It's either I share a unique ID with 2000 people that use XPL, or I share it...wait for it...not with millions, not with thousands...not even with hundreds...with nobody! And, as adressed many times before in the XPL thread, the MAC adress can't be accessed by apps in recent versions of Android. Yes, there are more identifiers that XPL doesn't cover. But it does cover the most important ones. Most apps that use tracking only use those, since they're usually all that is required to identify a user. Besides, the majority of all apps doesn't even use any tracking itself, but instead relies on libraries that do it for them, of which - surprise, surprise! XPrivacyLua can disable the most used ones.
There are no alternatives available that can do the same thing, much less without root. The default Android permissions don't nearly cover everything, and all apps expect them and are able to react to being denied those permissions.
No, definetely not with the same method. Apps can technically detect whether they are being restricted by XPrivacyLua - but none I know of do, because the portion of users using XPrivacyLua is insignificant to them. And if some app really starts to block features because of this: Too bad, soon there'll be additional hooks bypassing that. App developers can't fight Xposed because Xposed has full control over the app. To use a metaphor, they can try to hide in a castle, but Xposed can simply make that castle disappear. They can only try to make it a little harder.
Nope, not at all. Because I got other tools that are able to cover the 4th wheel. If you want a solution that protects 100% of your privacy, the only possible way to do that is to destroy your phone and every digital device you own. You always have to use multiple tools that each cover their own part. And if you really want XPrivacyLua to be the lord and savior of your privacy, go ahead and write some custom hooks! That way you can actually cover everything...
True, but again, XPrivacyLua doesn't have to cover everything in order to be useful. And what is also noteworthy: Google will remove these alternative pathways in future Android versions. So it's just a matter of time until this argument becomes irrelevant.
Let me think about this... You're saying there is no proof that when I restrict the contacts an app has access to my privacy is valued more than when I just let it access everything? I don't yee what you don't understand about this - information we don't give an app can't be abused by it, and that XPrivacyLua does feed fake values instead of the real ones is 100% proven.
You also talk about some things about battery usage, background processes and network access that have nothing to do at all with what XPrivacyLua does so I'm not going to write anything about that.
It seems you defend a product with ignoring the simple fact that the XPL integrated mechanism are too weak to get my recommendation and because it can't protect you against simply leakages I see no point to bring this to our attention.
That there is also no additional protection is semi-true since there is no evidence given that XPL holds it promises. If you have research or an audit or POC let me know. My real world example with Reddit stands, login into reddit, get tracked like your mouse position, what you liked etc this can't be faked with any module and this is not incorrect. So you can fake the application by itself (pointless) but not the services which are been used to expose you and there will probably no real solution for this except to block the stuff via an adblocker which tries to monitor you (which also is not perfect).
I never said at any point that giving up on this is 'better' I said that XPL is not a security manager or an app which helps on the matter. You can fake application data all day long when you're login into a website you're lost this is a fact, it doesn't matter if the application itself sends data or not, you can block it with the firewall and that's it, no need any application for this, this is provided by Android's own mechanism, the issue you not understand is that once I started the app and I login into it's service you can't fake it's tracking which is designed to expose you. There some little benefit on your app/argumentation, e.g. when apps are in the background, sending statistics etc away without your knowledge, I do agree however the time you login or re-login into the website you expose you again and then it doesn't matter if you're faked all other data before because the service then knows you might fake data or build strategies in order to defeat this.
Nothing on your comments here is proven, please give me research paper, it's my word (tor/chrome) research against yours.
Snaik oil is strong these days.. I know.
I agree 100%. Because it isn't intended to. You're talking again and again about an attacker exploiting stuff, but that is simply not what XPL tries to protect you against. Assuming that XPL will do anything for your or your devices security is wrong, because it doesn't even try to.
Please read my text again. I didn't say the app itself doesn't need root therefore nothing needed root (although it is also true that XPL itself doesn't need root). XPL only requires Xposed. And Xposed does ALSO not. require. root. (mind = blown... right? Nah, not really). What Xposed requires is the ability to flash ZIPs aka modify the /system partition. That is NOT root, that is an unlocked bootloader. Root means that there are binaries placed in /system that allow apps to acces the
I never said you could fix spying with it. Just that it allows you to bypass SafetyNet even with Xposed.
Yes and no. It is due to security reasons, but much more because the average user can't be trusted with that much power over their own system. I mean, you can literally delete your phones system files with root while it's running. You don't want a user thinking "Oh, what are all these weird files on my phone? I didn't put them there, so I don't need them! Let's just delete it all!"
IMO, Android is stronger in this regard than many other systems simply by having a permissions manager in place. On Windows, Linux or really any Desktop OS, when you run an application, you give it access to all your user data without any further restrictions. You have to trust the binary, which in many cases you can't. Buut that's a discussion for another day.
I never said it can't be compromised. But again, you appear to have a different attack model.
So for you it's all or nothing? You do you, but I'd rather have most of the data and sensors on my phone private than none of them.
Your example for Reddit although true does not make sense because, yet again, that is not what XPL is for. Especially with info like upvotes, which is completely ridiculous because you are giving that information to them on purpose.
Yes I can. Do you know what Fabric is? In case you don't it's a very popular library you can include in any app for free that is meant solely for tracking. It starts with crash reports, but goes on to notify the developer of the app about your system specifics, exactly what things you did in the app (even if the apps purpose itself is completely offline) down to every click, scroll or swipe you do to build heatmaps. And XPL can snap completely disable all of its functionalities. There are also numerous apps/games that look harmless at first, but then while you're playing start recording with your mic without you noticing and sending that data to their servers. XPL can protect against that. So what it protects against is certainly not a niche. And that is the kind of attacker XPL wants to help against. Not people who want your IP adress, not people who want to exploit your phone and gain unwanted root access.
Well, it seems to me that you are, after numerous explanations, still refusing to accept what the scope and intention of XPrivacyLua is and judge it for not doing things you want it to do. I personally don't need a research paper for seeing that it works, it's not some blind faith I have. But if you really need one to trust that your privacy is being protected better than before, nobody will stop you to fund someone to do the research.
I think you defend something which is not worth to get any more attention, you now decide to go the same bitch way like M66B, which doesn't even has the guts to answer on his own topics/app, hell not even allowed issue tickets, instead we need to talk about this on the wrong place.
It's pointless to me to discuss something which doesn't offer any benefit overall and that's the reason why this issue ticket is already closed.
I think the rest of your text is just to defend pointless argumentations, without proper context or whitepapers. There is also no scope of using a Module which needs root (no matter how you like to call it) nor you are able to understand that it doesn't cover important things like MAC address. It's pointless to fake your IP or other things when your MAC address gets exposed (while e.g. using IPv6) which also can't be faked (as for now).
XprivacyLua is a worthless try to 'secure' Android claiming that one developer can do it better than hundreds of Android developers. I not even mention that Marcel needs other people to defend his product. So I have serious doubts about 'research' background when it comes to security (which this is all about 'security manager').
You know what AV industry did over last 20 years, same as you right now. Claiming it 'secures' something but it simply is not true. It offers only some kind of attack surface reduction but it also allows other problems/holes. Root itself is one of it's problems, another app can manipulate or change it's behavior. This is definitely not covered in his current code and never will be because it's not possible.
If you're arrogant enough to say you need no research/audit in order to prove your words than I highly recommend to not work on any 'security' products, that's not how things work, the fact you and Marcel and the community can't handle criticism on a professional level shows that people should stay away from this developer, all his products, and such a toxic community.
Refusing valid argument by finding excuses or pretend it's not true without anything is seriously the wrong way. This entire thread + XDA shows only that you can't fight the FUD and it only results in a waste of (my) lifetime which is not worth.
Bring proper code audits, research whitepapers or anything which is not from you or someone which is not involved in this matter, otherwise, you get no credibility here. The VeraCrypt/TrueCrypt developer did prove that their software is worth my recommendation, because there is a code audit and research + an independent point of view, XPL current (?) can't provide this, instead people starting to bitch fight about a FUD argument that it provides a 'protection' which is not true unless you show me, which you still haven't you write useless so-called arguments to look better now, ignoring all the facts I said before.
I think everyone else is just FUD from you or the developer, it was the right decision to close this issue ticket.
Some actual research (for no ignorant people):
M66B lost all credibility by lying straight into my face. The proof is here.
At some point I'm glad I destroyed his FUD & BS, he and XDA is spreading that this app is a 'privacy manager' (which is to fool people, maybe even steel money from them). I hope other people are not stupid to support him or to install the app cause there is no reason anymore after such strange lies and nonsense talk that this offers some kind of 'protection'. It only reduces attack surface, not more and not less . Point is exactly here -> .
Thanks for the drama.
he did, you stopped responding
for unrelated reasons you never asked about
It doesn't try or want to. Why do you not understand this?
The little word "personally" is very crucial here.
you are the only one who's been insulting and, as you call it "bitching". Marcel was cooperative and friendly the whole time and I tried my best to do so as well.
So your first thing to assume is that somebody is lying to you? Odds are it was either some kind of bug, or that he misunderstood something about the UI. But sure, it is definetely a lie against you, because it is absolutely in his interest to lie to you about something completely insignificant like that (that was sarcasm btw).
You don't wanna trust something that isn't backed up by whitepapers? Fine. But your whole text has proven to me that you have not understood anything about what XPrivacyLua is, what it is intended for and literally everything I've been trying to explain to you this whole time. I conclude that you are unwilling to listen or even think about anything that I said or will say and any further discussion is thus pointless. If you don't mind, I'm going down a waterslide now.
There seems to be some misunderstanding here, I closed the issue only because XPrivacyLua has already been added to the site
What do you not understand that the xposed framework can't hook something without root access? Stupidness in this thread is damn high. Xposed does need a rooted device after all. You can also use magisk if you want (it's possible to go the magisk) way (just saying). But via Xposed (installation process) is the one which are preferred by (I assume) most people. You also can flash it via TWRP, sadly it doesn't change something at the unlocked booloader/root argumentation anyway.
Okay, I simply didn't saw (cause 'is:pr is:closed xprivacy' returns 0 entries + the merge title wasn't probably labeled) that this was already merged with a pull request. However we should consider to remove it or give clearly warnings about xposed and his downsides. I think it simply should be stated that you lose warranty, need root in order to get the framework and all it's function working etc. Which is currently not stated (in the original pull request). There also justified suspicion doubts about efficiency of such 'apps', and the developer doesn't prove anything or give a guide how to use it which is pointless especially for beginners, besides you need a pro version get 'unlock' it's full potential.
I think the section and entire category needs be be re-written in oder to correct several things.
I'm not going to comment on your Root bs anymore. But I do agree that the current entry should be changed. The dependency on Magisk note should be removed, as well as the note on Root. What does make sense would be something like "The following add-ons require not completely stable software which has a chance of breaking your device. Proceed with caution and make use of backups!"
In fact I believe that the description undersells XPl by a bit, since yes, it does solve the mentioned problem of malfunctions, but it actually provides more restrictions than Android has to offer by default (some of which can be crucial for privacy-aware users). But I guess the current description is fine as well, if it catches the readers attention they will look into the details and learn more about the project themselves.
@CHEF-KOCH Neither Xposed nor XPrivacyLua has root access on my device and yet, XPrivacyLua works flawlessly. How do you explain that?
Unlocking the bootloader doesn't always void the warranty. It depends on your local laws and the manufacturers.
1.) It's not BS that the boot loader needs to be unlocked, or how else you flash the Xposed framework without access to it? So you can call it what you want you need low-level access which voids your warrenty. Security wise also a nightmare since your phone is widely open then, especially if you can flash unsigned files. Recommed this for one module is more than questionable. The upper layer xposed module would require root to hook into system apps, otherwise it would have no access. This is currently 'due stabilty' reasons not implemented.
In general spoofing data is not a good idea, as shown on my research project, maybe the developer should read some of the documents. But I forgot he said in his own XDA Thread that 'he does not need any research'. I never heard someone in security topics been that arrogant to say he not needs research. It's again marketing here and this is like AV products - snake oil and nothing but this.
I could make a video demonstration that GPS/MAC spoofing doesn't prevent shit especially not behind encrypted connections (which can't be intercept/MITM to fake something) but it's my time I waste with this and why should I do the work while he gets the money for his false marketing claims.
@CHEF-KOCH You mention it as
Actually, it's not other modules. It's apps.
It's simple like this, xposed-art, xposedbridge, xposed modules, and the app-to-hook are in the same process, that's dalvikvm.
XposedBridge inject it into dalvikvm (art) by some hooks, and app-to-hook can also replace the hooks. And it's the base of XposedBridge native part, the only if xposed-art put the hooks to otp or so, otherwise, it can anti-hook. I won't show the source code, and, actually it's very easy for native hook developers.