In the cited paper (https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pd...), the device used to test LineageOS was a Google Pixel 2 running LineageOS 17.1 which also included an installation of OpenGapps 10.0 nano.
It's not the OS that is transmitting the data over to Google, but rather OpenGapps (i.e. Google Play). OpenGapps is software that can be optionally installed after the initial installation of LineageOS (but before first boot). A user can still use LineageOS without OpenGapps, though they just won't have the benefits (and drawbacks) that come with it (such as being able to use apps that require GSF). The user can instead opt for an app manager like F-Droid or possibly Aurora Store.
In addition, there exists an alternative to OpenGapps called MicroG. This is like Google Play but allows users the option to anonymize themselves. One can find custom LineageOS builds that include MicroG from the MicroG website (as the members of the LineageOS project do not advocate for its use, instead giving preference to OpenGapps). Keep in mind, however, that there are fewer devices supported by those builds.
I can recommend LineageOS; however, be aware that lots of malware-infected builds have made it to xda dev in the past, so you should build it yourself if possible (or use the official downloads).
Regarding the Connectivity Check: You can add all google related domains to /system/etc/hosts if you have root/sudo access.
Additionally I'd recommend everyone to use RethinkDNS as a DNS adblocker and app firewall - and AppWarden to patch out the Analytics parts of proprietary Apps.
Has anyone succeeded in running multiboot on "smartphone" hardware, i.e., where the user can boot into a choice of kernel/userland? One choice might be Android, another might be GrapheneOS/LineageOS, another might be an OS that does not rely on any third parties whatsoever (no conveniences, "app stores", "connectivity checks", etc.) and is fully controlled by the user. In other words, the third choice lets the pocket-sized computer be used more like a pre-smartphone era desktop/laptop OS. Basic functionality.
Right, that's what I do. In fact this post comes from a smartphone sans SIM with airplane mode on, with a firewall against apps phoning home, no Google or Gmail account, all Google Gapps nuked including playstore - in fact all Gapps have been completely removed - not to mention that most replacement apps come via F-Droid.
Yes, technically it's not fully airgapped but it is against Google and that's my main aim.
Of course there's a penalty: I also carry around both a pocket router with WiFi and SIM to which the smartphone connects as well as the dumbest of dumb phones just for phone calls.
Yes, it's a little inconvenient in that the combined paraphernalia is about equivalent to two normal smartphones (both the router and dumb phone being somewhat smaller). Next step is to upgrade to a Fairphone or equivalent. (I've often wondered where I'd fit on a percentage scale of users who'd go to such lengths - somewhere between 0.1 and 0.001% I suspect.)
You may well ask why I've gone to such lengths. It's more principle than privacy really. It's because governments around the world completely abrogated their responsibility when they deregulated the once-private telephone networks in the 1980s; when they did they let the Wild West take over. This 'vacuum' then led to a depreciation in the value of privacy on telephone networks. The ultimate insult came when the vacuum was filled by the likes of Google and others who usurped the last vestiges of our telephone privacy for good - and these damn governments just stood by and let it happen without so much as a whimper. Remember, we telephone users were never first consulted about our privacy - governments just let Google and Apple et al take over the whole damn caboodle without question. (In the future after all the world has finally woken up to the disaster then we'll have dozens of historians trying to figure out what the hell happened and why. When realization finally dawns everyone will be flabbergasted.)
Now, long after the horses have bolted and without so much as an apology, governments are trying to rein in the likes of Google and Facebook. Right, our governance is a fucking farce - it has to be when governments simply allow Big Tech to not only effectively overrule longstanding law but also to go on and do whatever they damned well feel like with impunity.
The R216 lasts for at least 6 hours on battery, often much longer (and the battery is removable, so you can have spares to extend its operational life). Whilst this modem is principally an ISP one (Vodafone) it comes unlocked. I note that that link says it's locked but it's likely not - as most assume ISP-supplied stuff is but to be sure you'd better check that's so where you are. Also, if you aren't using a Vodafone SIM then first just check that it works even if it's guaranteed unlocked (some other SIMs may need setting up).
If the R216 isn't available or it's locked in your country - or you have that common aversion to using Huawei equipment - then there are several other brands that are essentially equivalent. If you want the details I'll provide them.
Note this is a real router/modem and it'll run up to five smartphones/PCs at a time (which can be very handy). Some others that are a little more expensive can connect 10 devices to each other by their WiFi LAN and/or to the SIM's mobile network. Also the R216 will take a micro SD card (one's mobile NAS so to speak :-)). Given its small size and usefulness I'd never be without one (I've three of this model and several earlier types).
It's about double the price, based on OpenWrt (but not fully open source).
Here, it seems to me the key issue of whether to buy that one in preference to, say, a somewhat lesser model with fewer features will depend on how you use it. Right, that's stating the damn obvious but from experience I've found it's very important when it comes to mobile stuff, all too often I (and others) have glanced over this important portability factor.
If your intended use is to, say, carry it in your luggage and only use it after you arrive in your hotel or conference room then I'd reckon there'd be nothing better than to buy the Mudi GL.iNet device. On the other hand, if you intend to use it like I use my Huawei R216 router/modem, that being as part of my kit to replace a normal default-type Android phone (as per my previous posts to 1tSlEv and 1vuio0pswjnm7), then a physically smaller device would seem preferable.
As mentioned, carrying around three devices instead of a single smartphone is rather inconvenient in that there's more bulk to carry around, also there's more chance of losing one of the devices. I'm pretty adept at doing so now but when I first started some years back I'd sometimes only take the smart and dumb phones and forget the router/modem—thus I'd have phone access but no internet (right, being Don Quixote and always tilting at windmills isn't necessarily the easiest way to run one's life) :-)
My 'combo phone' isn't the only stuff that I carry around, it has to share my pockets with other junk like screwdrivers, pliers, thumbdrives, multimeters, etc. so physical size is a major consideration. From the specs, I've noticed the size of the Mudi GL.iNet router/modem is 145 x 77.5 x 23.5mm and weighs 285 grams; by contrast, my R216 is 95 x 58 x 11mm and weighs only 77 grams. Thus my R216 is only about 22.9% the volume of the Mudi unit and weighs just a nudge over a quarter of its weight. This difference is very significant if one is trying to carry it in, say, one's jeans' pocket along with both a dumb and smart phone.
This brings me to one of my pet peeves; that being the ongoing and progressive decrease in the depth of men's trouser pockets over recent decades. This is no joke or trivial matter; I lost an almost brand new HTC smartphone after going to a concert and sitting in laidback seating, it just slid out of my pocket without me noticing its loss, by the time I had then it was too late. If I were a conspiracy theorist rather than someone who understands that such negative occurrences are 95% the consequence of fuckups then I'd believe there was a conspiracy between phone and clothes manufacturers to sell more phones! I cannot understand why the average guy isn't up in arms over the continual withering of his pockets; after all, surely the cost of extra cloth necessary to correct the problem would hardly be measurable in the overall schema of things (BTW, this pocket problem even extends to coveralls/overalls). Anyway, as someone who's been sartorially challenged from birth, I've largely overcome the problem by ignoring fashion altogether and taken to wearing ex-military BDs or equivalent cargo pants. Penny-pinching accountants haven't yet sufficiently infiltrated their manufacturing to have made much difference.
The upshot of this is that I keep the smartphone in one of my trousers side pockets and the dumb phone in the other whilst the R216 router/modem I put into one of my shirt pockets. The caveat here is that it's important to have shirts whose front pockets can be buttoned or zipped up to stop the device falling out whenever one leans over. Given the average size of shirt pockets—and they too have been shrinking in recent years—then there's no way the Mudi GL.iNet router/modem would fit in them.
Which goal gets served by the separate router? I've been thinking here for a while, but the only thing that comes to mind is a very restrictive "allow-list only" firewall.
Which dumbphone are you using? The majority thereof seem to be KaiOS based, which frankly is not sufficiently dumb for me to warrant the switch.
The router was designed to serve three purposes and I use all three of them: (a) to simultaneously connect up to five devices (smartphones/PCs etc.) to the internet via normal WiFi connection which it then routes to the internet via a mobile SIM card; (b) it's also a WiFi LAN switch in that it will allow local interconnection between the five connected devices; and (c), it has provision for an onboard SD card to which the five devices have access (i.e.: it acts as one's local mobile mini NAS). You'll see reference to detailed specs of the Huawei R216 that I use in my previous post in reply to 1vuio0pswjnm7.
In my case, I use a fully-fledged reasonably current Android smartphone operated without SIM card and set to airplane mode for normal app usage, location and maps when needed, as well as internet browsing and non-Google email (POP/IMAP)—thus, the phone's only internet access is by either WiFi (to the router—my usual way) or Bluetooth—to another phone's internet connection (normally off).
Note: the phone is never used for telephone calls and it cannot be used as such as the router's SIM is a data-only type (that's to say one has a mobile phone number that cannot be used to make normal phone calls). Moreover my ISP, as many do, differentiates a data-only SIM/service from a normal one that does both. (In data-only services, one trades normal voice phone for extra data/cheaper data rates—you know, the usual ISP con job of artificially inflating a mobile phone's data charges. Nuking phone/voice access in data SIMs somehow—as if by magic—justifies ISPs to sell you data at a much cheaper rate. Furthermore, normal SIMs often won't work in routers for similar nefarious reasons).
As mentioned, I deliberately avoid Google services but using a phone in this manner doesn't preclude one from doing so. I've found that if you use Google services, etc. then there's an added privacy advantage of disconnecting the phone from the actual telephone number as that now belongs to the router, moreover any app that reads the phone's IMSI number will not be able to find a corresponding telephone number. I've several phones that I connect to the internet in this manner and every one of them has never had a SIM in it so Google is unable to link the phone's current IMSI-only configuration to any former IMSI/telephone number combination as there's never been one. Furthermore, in one instance when rooting one of my phones I accidentally formatted the partition containing the IMSI information, etc. and whilst I had the means of putting the info back I decided not to—thus apps no longer have even an IMSI number as an ID reference. Incidentally, this is still legal as far as regulations are concerned as the router and router SIM now provide the IMSI/phone number combination.
My phones also gain extra privacy from the fact that they're rooted, one can use the many Xposed Framework tools and such to improve privacy, nuke ads etc.
On the matter of firewalls, I normally use one on the smartphone itself rather than say installed in the router for purely practical reasons in that it's easy. The drawback of course is that if the firewall stops for any reason, which on occasions does happen (especially so after a full restart), then any apps that have a collection of data will use the opportunity to send it (my default is that no apps have internet access unless it's specifically needed as part of the app's function and the firewall is set accordingly—this also acts as an extra method of nuking ads although I mostly use F-Droid's ad-free apps). This risk can be essentially eliminated with a rooted phone but I've not time to go into that here. BTW, I use several Android firewall apps (not on the same phone of course) but I've found the easiest to use is Karma Firewall.
Re my dumb phone, I've been using an Aspera F28: https://asperamobile.com/phones/easy-phones/aspera-f28/ and its later incarnation the R30 but I'd not recommend them and they're unlikely to be available in many places. Their batteries are too small and of inferior quality and have to be replaced often (at least they're removable). Nor would I recommend other Aspera phones for similar reasons. I doubt that they use KaiOS, if they do then I've seen no sign of it. I reckon you're right to be worried about KaiOS especially so since Google has invested millions into the project.
Incidentally, I've other better flip phones such as Motorola ones that I can no longer use as they're only 2G (which is ideal for dumb phones) but unfortunately where I live they've now killed 2G. Doro dumb/feature phones may be worth considering as they've always had a reasonable reputation (in the past I've thought about getting one but I've no practical experience of them). I know that Doro used to use their own OS but I cannot tell you much more than that except to say they do use KaiOS on at least some of their phones, the 7050/7060 for instance.
Of course, much depends on what you actually want to do. As I've mentioned in my previous post to 1vuio0pswjnm7, carrying three devices instead of one can be rather inconvenient as there's more bulk to carry around and also the chances of losing one of the devices is potentially higher—one needs sufficiently large pockets to carry them thus size and bulk matters. As a person who's always carrying around lots of technical junk this is a hobbyhorse of mine and I'll address it in more detail when I reply to Iolaum.
The time service is enabled by default but can be disabled.
"An HTTPS connection is made to https://time.grapheneos.org/ to update the time from the date header field."
"Network time can be disabled with the toggle at Settings > System > Date & time > Use network-provided time."
Connectivity checks are enabled by default but can be disabled.
"Connectivity checks designed to mimic a web browser user agent are performed by using HTTP and HTTPS to fetch standard URLs generating an HTTP 204 status code."
"You can change the connectivity check URLs via the Settings > Network & internet > Advanced > Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled."
Why these are enabled by default, i.e., opt-out instead of opt-in, is strange considering this OS is aimed at technical, security and privacy-conscious users. Users who would surely know what services they want and be capable of enabling them.
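The two mechanisms quoted above (a probe that expects HTTP 204, and a clock set from the `Date` header) can be sketched as follows. This is an added example, not code from the thread or from GrapheneOS; the classification rules are a simplified assumption of how such a client behaves, and the sample responses and `portal.example` are constructed.

```python
"""Added illustration: what a client learns from the two probes quoted above."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])  # "HTTP/1.1 204 No Content" -> 204
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_connectivity(raw: bytes) -> str:
    """Interpret a connectivity probe (simplified, assumed rules).

    204 with an empty body -> the request reached the real check server.
    A redirect, or a 200 page -> something on the path rewrote the answer,
                                 which is how a captive portal shows up.
    Anything else           -> no usable internet access.
    """
    status, _, body = parse_response(raw)
    if status == 204 and not body:
        return "validated"
    if 300 <= status < 400 or (status == 200 and body):
        return "captive-portal"
    return "failed"


def clock_offset_seconds(raw: bytes, local_now: datetime) -> float:
    """Seconds the local clock must be moved to match the Date header."""
    _, headers, _ = parse_response(raw)
    if "date" not in headers:
        raise ValueError("response carries no Date header")
    server_time = parsedate_to_datetime(headers["date"])
    return (server_time - local_now).total_seconds()


# Constructed sample responses (not captured traffic).
OPEN_NETWORK = (b"HTTP/1.1 204 No Content\r\n"
                b"Date: Mon, 11 Oct 2021 12:00:05 GMT\r\n"
                b"Content-Length: 0\r\n\r\n")
HOTEL_WIFI = (b"HTTP/1.1 302 Found\r\n"
              b"Location: http://portal.example/login\r\n"
              b"Content-Length: 0\r\n\r\n")
REWRITTEN_PAGE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html>Please sign in</html>")
NO_UPLINK = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("open", OPEN_NETWORK), ("hotel", HOTEL_WIFI),
                      ("rewritten", REWRITTEN_PAGE), ("down", NO_UPLINK)]:
        print(name, classify_connectivity(raw))
    phone_clock = datetime(2021, 10, 11, 12, 0, 0, tzinfo=timezone.utc)
    print("offset:", clock_offset_seconds(OPEN_NETWORK, phone_clock))
```

Either probe is an ordinary HTTP(S) request, so the server on the other end sees the device's IP address and request timing whichever provider is selected.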
* Usability: An OS without network connectivity checks and time sync might not be usable by non-geeks
* Obscurity: The threat from these pings is low. The threat of having a phone that behaves differently than "billions of other Android devices", indicating that it's GrapheneOS or some other security-oriented OS, is arguably higher.
GrapheneOS doesn't rely on any third-parties I'm aware of. The only service provided is over-the-air security updates. It doesn't even come with an app store (although you can install F-Droid).
For that reason, GrapheneOS alone fits all three categories you mentioned: It is Android, it is GrapheneOS, and it is fully controllable / doesn't ship bloatware.
Connectivity check / time servers
I'm not sure what you mean by this. All apps run in a sandbox and you can deny permissions if you like.
>Root is not offered
Root access on Android is a security hole.
But as for the microG/GApps question, GrapheneOS provides a sandbox for the actual GApps, so that almost everything can run properly, with very strong control over what is seen by Google.
I check in every now and then, but I need it to be where current Lineage/Graphene are. I don't need trivial software (games et al), but I need it to be automatic enough* that I don't have to spend an evening or weekend unbreaking things – and reliable all the same.
* barring basic things like package manager updates
"Unlike AOSP or the stock OS on the supported devices, GrapheneOS stops making network time connections when using network time is disabled rather than just not setting the clock based on it."
"... rather than just not setting the clock based on it."
Wow, that is really sneaky and deceptive. The user thinks she has disabled the constant connections to the tech company time servers but in truth the connections persist.
The time checks are equally as annoying as the connectivity checks.
Can you point me to some? How were they caught? I knew this was a possibility, but I hadn't seen it actually happen before.
I only found out by coincidence of another dev asking me to verify the build. The nature of how Android is built (with all its hundreds of repositories) isn't made for verifiable builds, so it's really hard to prove or audit.
From what I've found usually the builds with custom UIs or skins on top are infected with stuff either the person packaging it doesn't know about (benefit of the doubt) or do, but it comes out a year later when someone skeptical checks for it.
Verification is especially hard because everybody on xda dev is using some paid adfly links or some google storage or dropbox links that will change in intervals (depending on how much traffic they produce they'll get blocked quickly).
So yeah, I think the need for a hash based end to end verification tool is kind of there.
But honestly I have no idea how to build it because even the partition setup of old flash storage using devices is so messed up that there can be side effects when an apk is put in /emulated storage folders.
I think the only future proof way to do this is going mainline like the postmarketOS devs try to do. But until we're there I'm probably dead of old age already. I don't believe in the Android ecosystem anymore, because this is a governance coordination problem that's not easily fixable. Hosting all outdated kernels alone with all the custom drivers is way too much traffic for any open source project to pay for.
It's a shame that Google's servers are the default, and I wish it were at least called out by Lineage. That said, I doubt they want to cover hosting costs of such a service (although I'd think they'd be fairly minimal).
> You can add all google related domains to /system/etc/hosts if you have root/sudo access.
Root access is harder to get with each new Android release - Google don't like adblockers.
the last (stock) android phone i touched had an option to change the url used for the check. i was pleasantly surprised - comments here suggest this is not "normal"?
> or use the official downloads
ime the meaning of the word "official" has been severely diluted esp. in the android community
(check Netguard thread on xda)
I assume that my carrier sees location data on my device, but as I have learned to live within F-Droid on my daily driver, I assume that I am immune from this Google intrusion.
I do have an older stock phone that keeps my Google login for when I need access to Google services. If it is powered down for a month, I am assuming that I am free of Google for that month.
Google is a destructive force upon their customer base. Abandoning Google is always the correct action.
Did you transition or quit cold turkey? I switched to Lineage OS with microG. Actually, now that I look through what I installed via Aurora, I'm surprised how few apps there are. 3 required for work. I guess I could reduce that to one with some effort. A few financial / shopping apps that are nice to have vs using their website. Google maps (not sure what the replacement to that is).
I've found it to be more than good enough. There's also various OSM based apps:
Try HERE WeGo: https://play.google.com/store/apps/details?id=com.here.app.m...
It’s not quite as polished as Google Maps, but I use it as my primary maps app and have mostly not been disappointed.
I keep an iPhone 7 for corporate apps, but I'm on a Pixel 3a XL that hasn't talked to Google since I bought it.
OsmAnd~ is great :-)
I use a separate app called GPS Coordinates. I give it an address and it gives me lat/long which I paste into OSM. I'm sure there's gotta be a better way.
Why bother? Just use Calyx.
- Osmand(FOSS) for maps (supports being fully offline!)
- Signal and Discord for messaging (Discord is sandboxed)
- Newpipe(FOSS) for Youtube
- F-droid(FOSS) for my FOSS appstore
- APKmirror for the few non-free apps I need
- Libretorrent(FOSS) and VLC(FOSS) for watching movies
- Firefox(FOSS) and Vanadium(FOSS) for browser
- K9 Mail(FOSS) for email
- Infinity(FOSS) for Reddit
- Secur(FOSS) for 2FA
- Taskkeeper(FOSS) for reminders
Almost everything you need is in the F-droid FOSS app repository. It all works, and it works well. You can buy a used Pixel 3a for around $80 on Ebay and have a better experience in every category than iOS, hardware and software.
The only limitation is push notifications, which isn't a problem because FOSS apps like Signal bundle their own notification system that does not use Google Play Services. Discord however, does not get push notifications (which I wouldn't want anyway)
Really? I tried GrapheneOS on a Pixel 4A, and without exaggerating or trying to come off sensationalist the experience was really tepid compared to iOS, and even "normal" Android. Stuttering and jerky UI (which often also wanted to take a brief nap), very poor GPU hardware acceleration support, notably worse battery life, loads of things that just didn't work well (or at all) without Gapps, and trying to get Play Services shoe-horned into GrapheneOS was still quite the bug-ridden hassle. Additionally, the Open Camera app produced rubbish results compared to Google's native Android camera app, which matters a lot to me.
I agree the default camera app of Graphene isn't great, but its picture quality is better than the iPhone I came from (iPhone SE gen1)
You should be able to get GCam via Aurora Store by setting the spoofing to a Pixel device, but newer versions of GCam check for something that cannot be spoofed with an app (issue #22 in above github) so you have to get a modded GCam app if you want to use newer versions and use an android rom that does not spoof this.
Also, if you are using a Pixel phone with a non-default flavor of Android, the Google Camera app still works if you download it manually. APKMirror is a trustworthy app source run by Android Police:
(For Pixel phones using an older Android version, you may have to use an older version of Google Camera if the current version does not work.)
Going back to iPhone as soon as I've got some free time to get everything set up again.
Unrelated, but I'm still very surprised there's no standard way of doing live photos on Android. They really do add a lot to the experience of reviewing old memories and Google has had at least 5 years to catch up.
Pretty sure GrapheneOS doesn't do anything to change GPU h/w acceleration.
The tethering seems to be pretty flakey as well with me often having to reboot the phone.
Maybe it's something to do with OpenGapps? I never installed it or microG, I'm perfectly happy with just Fdroid.
It seems like what you're looking for is CalyxOS + microG.
Both are rather strict on having a clean, non rooted, non modified phone. Currently, they both work without any caveats, but I had to install magisk, add them to magisk hide, and use the magisk renaming feature to have them work.
Personally I wouldn't suggest having banking apps on a phone.
You can always use the web browser if you absolutely must access those accounts.
Visa and Mastercard also introduced the 3DSecure system, which piggybacks on the same system of confirmations. Vendors are incentivised to adopt it by lower rates.
In essence when paying with card or making a wire transfer (or using some instant transfer method, for example Blik in Poland), you get a notification on your phone asking you to confirm the operation, even if you initiate it from your account in the browser.
In essence Bank apps became 2FA devices.
The only way to avoid it is to opt-out of the App 2FA and use paper one-time code pad.
You regularly then get sent a list of codes by snail mail, which you have to type to confirm operations.
They can and do. There are a number of banks where you have absolutely no choice.
Basically, there's a common (government-backed) user identification system which hooks up to interfaces that banks provide. When you're logging in to an online service that requires strict identification of the user (such as ones that would require an official id document if done in person), you first pick the bank you're using, and the service forwards you to the bank's website. Once you log in with your bank credentials, the original requesting website gets informed that you've provided valid login information, and the identity that the login matches with.
I don't know the exact technical details of how that works, but essentially the bank also acts as a user identification service for various official and governmental online services. It's treated as similar to proving your identity with a document, or to signing a document with your signature.
I don't know if this is a common thing in other European countries, but if it is, that might be a reason why the EU has an interest in enforcing 2FA.
You're not strictly required to use a smartphone, as at least my bank has other means of 2FA that satisfy the regulatory requirements, but they are more cumbersome.
Do you live in Denmark perchance?
> I don't know if this is a common thing in other European countries
There is a similar system implemented in Poland and works very well.
There are some rules here that are nonsense, such as know-your-customer laws that force me to enter my home address even when the product or service (say, a concert or train ticket) is delivered to me entirely electronically.
Most of the move to purely electronic payment is driven by the market and the large banks; e.g. in the Netherlands we actually never had laws that force shops to accept cash as payment.
So it's possible to do that with some of the banking apps.
FYI in New Zealand a few banks can provide a device (e.g. RSA SecurID) for proper non-bank 2 factor auth with consumer accounts. However some major banks only use phones for 2FA (app or SMS).
The norms seem to vary considerably depending on country.
Yes, I'm bitter. If there's ever a bank that puts end-user automation first, I'll switch in a second.
However, when I really wanted a solution I built a small service that receives the confirmation SMS most banks offer and pushes my balance in a small API.
Vanguard works on my completely google-free phone, although I had to change the OS language to English because w/ Android set to French their app would force the use of commas as the cents separator, then complain that commas are not a valid character. Another fun thing was it uses its own internal camera app, which would focus the preview, then completely ignore the focus setting and take a blurry photo of the check. Eventually I figured out the camera's default focus length and take the photo from that distance.
In addition, you don't need to copy a sim. You can copy a cell tower, which the authorities do all the time, without any warrants, and capture data en masse. The fake cell tower fits in a backpack.
But it's not just the cops capturing your cell data. It's anyone, they've been doing it for over a decade, and it's cheap and easily accessible.
It's basically 2FA for online transactions, which seems very sensible to me.
Edit: to clarify, my comment is about the UK, and it does not happen with most card transactions; "usually" here refers instead to card transactions being the usual trigger (in my experience) for this app-based authentication flow.
Huh? This is not a real thing.
> You can buy a used Pixel 3a for around $80 on Ebay
It's worth noting that GrapheneOS recommend Pixel 4a or newer for best support: https://grapheneos.org/faq#recommended-devices
I also recommend CutTheCord as a Discord client. It's not FOSS because it's based on the official client but it's privacy oriented.
Both Shelter and Insular are effective for isolating your files, contacts, and phone logs in each profile. If you are using a VPN, it is limited to the profile that the VPN app is installed on, and you need to install and run it again on the other profile to cover the apps in that profile.
- Organic Maps which is cleaner than Osmand
- KeepassDX for password management
- AntennaPod for podcasts
- I have a Tutanota email address. Their app is fully open source, downloadable on FDroid's main repos.
I can also recommend BRouter (with OSMand) for bike navigation. It's ugly and hacky, but once it works, bike navigation is much, much better than Gmaps'. E.g. it's not sending you down cobblestone roads all the time.
It's happened to me a lot of times with Google's Maps (with regard to how frequently I use Google's Maps) that I'm looking for something, I KNOW it's there, I'm searching for it (like "groceries" for a grocery store), and the only way Google's Maps would ever show it to me is by zooming in until the ONLY thing on screen is the building, and then it does display it.
(Perhaps WhatsApp might work as well, since, IME, it can be sideloaded and will work without a functional Google Play Services.)
I'm confident Whatsapp will work, but I have not tried. Push notifications will not work without Google Play Services.
Discord works perfectly with microG, and has a 3/4 rating without it since notifications will only work if you have microG.
Push notifications are bad and it drains significantly more battery.
- LeafPic Revived: https://f-droid.org/en/packages/com.alienpants.leafpicrevive...
- Simple Gallery Pro: https://f-droid.org/en/packages/com.simplemobiletools.galler...
If you are looking for a hosted service to back up your photos, Stingle is an end-to-end encrypted photo hosting service. Alternatively, you can use Nextcloud to self-host. Both are FOSS on the client side, and Nextcloud is also FOSS on the server side.
- Stingle: https://stingle.org
- Les Pas gallery app for Nextcloud: https://github.com/scubajeff/lespas
Newpipe loads videos much slower than the official app and occasionally fails completely (likely because YouTube changed something).
F-droid (regular, non-root install) shows me notifications to update apps, then when I tap them, I get a "there was a problem parsing the package" - this is a bug that has remained unfixed for over 5 years (https://gitlab.com/fdroid/fdroidclient/-/issues/669).
It's not impossible to use a FOSS phone, but it's truly painful.
Osmand really isn't bad, sure it's a little bit slower to render but we're talking maybe 500-1000ms on a Pixel 3a.
Regarding F-Droid you're right it is quite buggy, but thankfully once you've got the apps you want you don't really need to use it except to update.
In my personal case though, I would still not use MicroG, and would just leave the app open until I am done using it. This is easier on Android because apps are not suspended in the same manner iOS apps are.
It's important to remember this is only a concern on non-free apps. The FOSS apps have very low power background services that check for notifications without the app running.
But that the Xiaomi/MIUI Android sends those screenshots back to the company is new information.
I’m now on iOS 15 on an iPhone 12 Pro Max. I think I’ve seen movement on the tiles in its task switcher, so I’m not clear if it takes screenshots. But the fact that the task switcher opens with no delay suggests that screenshots might be used?
I’m only defending taking screenshots. Transmitting them to other parties is problematic.
In my experience, it seems like only the app you were in when you brought up the task switcher continues to update the screen. If you go somewhere else, like just back to the home screen, it goes static like all the rest.
Messages does this, as you will notice that an active conversation tends to be up-to-date in the app switcher.
I hope someone can do the work of pasting the original Aqua framework overview that’s probably still hiding somewhere on the Apple website. The manner in which the combination of OpenGL (Metal?) and PDF work to render UI and elements on OS X and iOS is really quite remarkable. I think even now, 20 years later, there isn’t anything comparable being done by Android/Linux or Windows. I would love to be proven wrong, however (I haven’t followed this closely for the past few years).
Context: I made that right after I got an iPhone 12 Pro Max. It was running iOS 14. iOS 15 may bias the score towards Apple even more with the current phone, and iPhone 13 biases it a bit more.
I still like Android better.
Reducing from a few steps plus a major context switch to just one step is valuable.
For the interested, here's info on where those are stored: https://android.stackexchange.com/questions/172913/where-doe...
I looked in the paper but could not corroborate this.
I am too far away from Android development to make any claim about what "app screens" are. Is that android-lingo? Could someone please clarify?
Android apps have zero or more activities, each of which may be thought of as a single screen and a single Intent, which is a bit like a URL (and sometimes very much like a URL). A messenger or email app will typically have a main activity, an activity to view a single message, an activity to view a conversation with someone, perhaps an activity to view a single attached image, probably an activity to view and edit the application's settings, and so on.
What is sent is perhaps the app's name and a class name within the app for each activity that's started.
It allows you to know which screens a user views, but not the data on the screen. A pseudo-example would be like "User opened LoginScreen/LoginActivity at yyyy-mm-dd and stayed on that screen for X seconds"
Not an actual screenshot of said screen.
OpenBoard is a 100% FOSS keyboard based on AOSP, with no dependency on Google binaries, that respects your privacy.
"OpenBoard may be able to collect all the text you type, including personal data such as passwords and credit card numbers"
This appears to be from Samsung, trying to deter users from using keyboards other than their own.
To be frank, Android should not allow input methods access to internet/filesystem in the first place. But that would have hindered Google's own keylogger, so...
The general shape of input methods that let you produce 汉字 is that you provide some type of input that hints at the character(s) you want, the input method displays a menu of options that match your input, and you select the correct option from the menu. For example, if I'm using pinyin entry and I type `shi`, I can choose from 是, 时, 事, 使, 试, 世, 市, 十, 式, 师, 石, 室, ......, which are all pronounced shi. (And heck, those are just the top 12 suggestions. They mean things like "ten", "be", or "stone". The `shi`s go on for several pages.)
You can enter more than one character at once. If I type `bhys`, I'll see the suggestion 不好意思 ("sorry").
The presented options are chosen based on what the input method predicts I'm most likely to want. They are context-sensitive -- the order of suggestions will change depending on what I typed just beforehand -- and the likelihoods and the phrases are collected from what people elsewhere in the world type. Suggestions can be quite current! Without an internet connection, this would be a much worse experience; the predictions would be wrong or useless much, much more often.
So you'd type shi and click the first choice for 是, second choice for 时, etc without even needing to read the options since they'll always be in that slot. If there's a word you use frequently but is listed late in the list you can change that in the settings file. Same for shortcuts like bhys and you can always add your own shortcut.
The Chinese keyboard I use does not have internet access and only does prediction based on set phrases - eg if you type 时 it'd offer 間, 代, 事, 空 etc; if you type tmd it'd give you you-know-what, and I prefer it over the Google keyboard since my muscle memory can do most of the work instead of my eyes.
I've been using Swiftkey since before Microsoft bought it, and really enjoying it.
I know I shouldn't be surprised but I feel really betrayed that they use it to track app usage and link it to IMEI and the Google advertising id.
The wall of legal text there eventually links to their privacy policy, which opens in the browser. They collect and store things like "your choice of words, speech and writing patterns, how you use your keyboard, custom words you add, the number of characters you type, your typing speed, etc." and they share (read: sell) that data with affiliates, subsidiaries, vendors, subcontractors, etc. (pretty much anyone they feel like). They specifically state they use this data to draw inferences reflecting your characteristics, behavior, abilities, preferences and aptitudes, all of which they can sell to anyone at any time without even telling you about it, because what they learn about you by going over all your data is their data and they don't have to tell you anything at all about what they do with their data.
Samsung could really make some advances on Apple by just being more clear on these aspects of their data collection. Even if they just said "We want to collect your data, but it's YOUR data, so we will always ask for your permission, and in case you are wondering what we collect, you can find it all here..."
And I don't think giffy or others are receiving your emails. This is probably just usage stats, but someone needs to check that.
Windows 10 start menu on the other hand sends every keystroke to Bing. You cannot turn it off either.
How did you check? Do you have a source/link?
Strong regulation could easily worsen the problem, as it can lead to a ratcheting up of the regulatory burden until only mega corps like Apple and Google could afford to make phones, and upstarts like Purism and Pinephone get squeezed out.
How about before getting so gung ho with pointing the government gun at everyone’s head, we consider the option of rolling back the unjust regulations that already exist which give the mega corps undue government privilege (patents are a good place to start), and encouraging (by voting with our wallets) organic alternatives to emerge, like they already are doing.
Which organization do you think that is? You think they all came from the same place? Every one of these agencies came into existence under very different circumstances at different times and they fall under different branches and operate in different areas. Do you mean "government" in general?
Yes, it's a horrible thing that these agencies are being used to spy on all American citizens in violation of our freedoms, but that fact doesn't mean that we shouldn't allow any government agency anywhere to enforce regulations. How does that make any sense at all? You could say the same for literally anything. "Who should regulate the amount of lead in our drinking water? The organization that brought us the CIA, NSA, FBI, and the rest of the alphabet soup of “security” bureaucracies that spy on us arbitrarily?"
> Strong regulation could easily worsen the problem, as it can lead to a ratcheting up of the regulatory burden until only mega corps like Apple and Google could afford to make phones, and upstarts like Purism and Pinephone get squeezed out.
It literally couldn't worsen the problem of our privacy being violated and used against us by cell phone companies. If it's illegal for Google to do it, and we had regular independent verification that they were not violating those laws, then it wouldn't matter if the only cell phones that existed on the whole of Earth were made by Google. Google still wouldn't be doing the bad thing we're trying to stop.
Yes, I'd prefer to have more choices but there's zero requirement that regulations make it prohibitively expensive for any company, even an upstart. In fact, because this would be regulation against collecting, securing, maintaining, analyzing, marketing, and selling our personal data it'd actually save companies tons of money since they'd no longer be doing any of those things. Established companies who are currently exploiting consumers won't get to profit off of them as they are currently, but they will still save a lot of time and money not exploiting the public.
> How about before getting so gung ho with pointing the government gun at everyone’s head, we consider the option of rolling back the unjust regulations that already exist which give the mega corps undue government privilege (patents are a good place to start)
This isn't an either/or type of thing. There's a lot of great and important things we should be doing. This is one of them. Let's do them all.
> and encouraging (by voting with our wallets) organic alternatives to emerge, like they already are doing.
If "the market" were going to solve this problem, if it were capable of solving this problem, it would have been solved already. It's not. Until strong regulations are in place there will continue to be a very very strong perverse incentive to not solve this problem. We're coming up on 50 years of mobile phone technology and at present there are no comparable options for cell phones and mobile networks that preserve privacy. None. It's not regulations forcing Google and Apple to collect our personal data. They are choosing to do it. They could stop tomorrow if they wanted to. They don't want to. They won't stop until they are forced to stop.
Fennec also lets you install any add-on from addons.mozilla.org through a tedious process,* which is still an improvement over Firefox release/beta on Android. The only channel of Firefox that supports this process on Android is the nightly channel.
I tried to switch myself from iPhone and almost everything was OK but these were the worst to get right... I ended up using suite from Tibor Kaputa (Simple Dialer etc) but I ran into some rather annoying issues.
Also, do you use phone recording? This was actually my breaking point, because I have an iPhone w/ jailbreak that enables me to record phone conversations (for my use only, not trying to get into the legal discussion). I did not find anything for GrapheneOS (or Android in general) - just some info that I need to root my phone to get this working and with that I just reverted to my jailbroken iPhone.
- Call Recorder: https://f-droid.org/en/packages/com.github.axet.callrecorder...
To use this app, you'll need to root your phone using Magisk and then install the Magisk module for Axet's Call Recorder. Then, upgrade the Call Recorder app to the latest version in F-Droid. Note: do not enable "System Mixer Incall Recording" in Call Recorder, since it is not needed and may cause issues with recording.
The default dialer and contact apps are both FOSS and functional, so I never felt the need to replace them. Signal can take over as the default SMS/MMS app, and there are alternatives with more features such as QKSMS:
- QKSMS: https://f-droid.org/en/packages/com.moez.QKSMS/
Graphene or Lineage without any of those is also an option but you'll be missing a lot of the normal everyday apps you use. IMO if you're going that far though you might as well just go back to a flip phone.
The only thing that doesn't work is push notifications, which isn't a problem because FOSS apps like Signal bundle their own notification system that does not use Google Play Services. Discord, however, does not get push notifications (which I wouldn't want anyway).
I don't care how locked down and FOSS you make your smart phone it's not going to be as secure as a dumb phone. There's a reason criminals don't use smart phones.
Obviously and that's my point. You are not going to avoid Google if you use the web. The best you can do is limit exposure.
> Google is adversarial then don't use Gmail
This is ignorant and unhelpful. Do you think I just decided not to consider that option? I don't have an option. I have to use it for work. This is the problem with the "don't use it" crowd. Most people are not going to get away from the major email provider options. The best I can do is sign in via browser or a 3rd party app.
That couldn't have been your point. It's very easy to avoid having a gmail account.
> This is ignorant and unhelpful.
People here don't know you personally, or your needs. Most people don't need gmail for work. If your job requires you to use google products, it's going to be difficult for you to avoid google. But, again, your situation is not representative of the vast majority of people.
Did you miss the part where I told you we have Google Workspace (GSuite) and I have to use it for work? What part of getting rid of that is easy? I cannot stop using it end of story.
> People here don't know you personally, or your needs. Most people don't need gmail for work.
I feel like you're not aware of the fact that Gmail is used in corporate environments through Google Workspace. You need to research before spouting off stuff that's obviously misinformed. It's a direct competitor to Office 365 and MS Outlook servers.
A lot of admins won't enable IMAP for security purposes though.
If you say that the best you can do is limit exposure, then do that!
Also, I agree with your argument about phones being tracking devices. Anything with a radio that connects to cell towers is going to be logged and tracked in perfect detail.
Yeah, developers do need to eat, but this (IMO) snarky comment is hardly relevant to the OP.
1. Google is tracking you. They track you because they need this data to target better ads, this is how they make money.
2. The OP for this comment, says they use FOSS apps to get around Google’s tracking.
My comment is about - if you are against the idea of being tracked for profit, it would be a good idea to vote with your wallet to help open source developers get paid and to show that there is a viable business model for other individual developers.
It's all-or-nothing, and not being part of the Google ecosystem is extremely inconvenient as more and more services depend on it.
Only legislation can give power back to the users. It shouldn't be necessary to put up with this level of surveillance by big corps in order to function in society.
Don't worry, after about 7 years there will be a low key class action suit and we'll miss the $7 payout and lawyers will collect the leftover millions for the sake of symbolic justice. Then perhaps big industry won't ever learn its lesson again.
Congress has already proven that they're the Rip Van Winkle of IT awareness unless it pertains to boosting their personal investments.
You're saying some legislation made SafetyNet a legal requirement?!
You should try and elaborate on that.
I would leave "high-end" specs and price constraints out of scope to make this a reality sooner than later.
There are several contenders and combos /e/, LineageOS, Pinephone, Fairphone etc and I wish them all godspeed (also other small efforts out there I am not aware of), but it's not clear which one is ready for just the simple, honest, society and environment friendly mobile computing that we should have had all along and it is really a crime that we don't.
I use GrapheneOS. It's rough but at least it gives me peace of mind.
In any case if there is really no viable business model for private mainstream mobile computing we have been duped big time: This is not a consumer device, it is track-and-trace machinery.
It indeed is a jolly good idea if somebody really checked for a living all those open source apps, however the math works out only if you allocate the salary of those people over a million phones, not if you have only 10000 customers.
Perhaps you would actually be willing to pay a large premium for that, but the vast majority of people are not. Perhaps a meaningful number of people would be willing to pay a small premium like 10-20%? But that's not what's reasonably achievable, the differences are much larger as soon as you go off mass market production or start needing software modifications which are a large fixed cost that is cost-effective only if you're distributing it over very many phones.
There have been many companies in the past which have found out the hard way that few people really care about privacy that much (or they care but can't really afford much, which has the same effect), but for a recent example, you can look at the troubles of Librem 5; IMHO it's trying to do similar things, but its price/performance is suffering because of that and you be the judge whether their business model looks viable. And if you want a trustworthy supply chain, then your (already high) costs literally double, again, Librem 5 "USA" model is an example of that - a $2k phone where the core functionality (excluding the privacy) is essentially the same or worse as a $200 phone from a Chinese brand.
but somehow the numbers could/should add up at some point. If you think (ballpark) a billion devices in circulation and assume that 1-in-1000 people has a combination of awareness and ability to afford a private / open source device, that is your 1M right there.
This should be a very conservative estimate. It assumes that people (more precisely those who claim to represent their best interests) will continue with the inexcusable practice of governments "not interfering" with the "market" (in quotes because it is not a real market when you have two options). While some governments slowly take legislative steps in the data privacy space, I have never seen any actual warning from official lips about privacy (the way they warn about assuming financial risk, being overweight, drunk driving, not getting vaccinated etc).
maybe the current business model only stands due to the "subsidy through silence"?
Not enough people care to use cut rate hardware that actually conforms to the 'wholly open' philosophy. Even Stallman couldn't maintain using fully open hardware. He had to switch to a Thinkpad with Coreboot.
People have expectations when using devices as complex as a phone or laptop to where, compared to even a desktop with Linux, having a smartphone that is fully open comes with serious drawbacks.
You could always get a LibrePhone or a Pinephone but you probably won't enjoy the experience.
it doesn't have to be "cut rate". I left the specs/price point open for that reason. But indeed thinking of it as a tool, not as a trend-following gadget with 12 cameras and the screen size of a laptop.
Just interested to see whether this approach is viable.
Spoiler alert: It's not. The better SOCs end up becoming more proprietary because it's the companies' own implementations that make them perform better. That leads to proprietary drivers/software.
Because we don't really know how much hardware costs anymore. Most hardware you buy is subsidized in one way or another through data collection, from phones to TVs. Building stuff is very capital intensive, and the world changes very rapidly. And most people don't really care about data collection because they don't understand the consequences, or they don't care at all (which I find baffling). This means you'll be always facing cheaper competition. It's very hard to keep a company like that afloat.
Incidentally, I don't buy the "people don't care" argument. First of all, people do care. There is massive legislation in the EU (which represents half a billion people) towards data privacy. They are not freaks - well informed people obviously care about privacy. This touches also companies / commercial privacy and states (data sovereignty etc). But it is true that large numbers around the world are dazed and confused ("don't care") as nobody credible (and holding a large mouthpiece) is actually warning them.
But if you are right and it's not viable (e.g. why did BlackBerry not survive given companies at least should appreciate privacy) it is a baffling state to have degenerated into.
A lot of very informed people do really sincerely not care. A coworker of mine (IT professional) literally told me that the fact that his phone is constantly tracking him and that he could show me his whereabouts during the last week/month on google maps was a feature.
A lot of people really, truly don’t care. It is as baffling to me as it is to you.
It's true that you can't easily buy stuff online while on the move, but _life_ is happening outside and without a phone.