Suggestion: mention XPrivacyLua #399
This is in line with the #338. The plugin seems great though, I can't understand how it's done, but I am a fan of security by obfuscation. @kewde, @Shifterovich, what do you think if we create a subsection under Mobile OS with useful plugins/add-ons, just like with Firefox (https://www.privacytools.io/#addons)? |
Sounds great, but someone has to do the work. I'm very busy lately. |
Awesome, I'll start hacking at it, I'll see which other add-ons there are that we've been speaking about in the other issues. |
@pietropacchio I'm currently a user of AFWall, would you say that the big difference is that Netguard requires no root? I think I'll do two trees - one with and one without root access. |
First things first, a correction I'd like to see on privacytools.io: XPrivacyLua DOES NOT require Root to work, or Magisk for that matter. That is just the most common way of getting it. But XPL itself only requires the Xposed framework, which can be installed standalone from the recovery without root. Before you say anything: This still voids your warranty, because it is not Root access that makes it void but unlocking the Bootloader, which you need to do in order to install Xposed. And yes, it still breaks SafetyNet (which is by the way NOT meant to secure your device, it is meant to secure the data/integrity of companies like Netflix). But that can be fixed in a lot of cases by using microG - with its implementation of SafetyNet, phones with Xposed up and running have passed the test, and with a little luck, yours will too. About Root being a security issue: Not really, just like Xposed. But like anything powerful, it is a two-edged blade, and if you're dumb enough to cut yourself with it, then that's on you. If you really want to make it "safe for average users", I'm sure it wouldn't be a big problem to create a version of the Xposed Manager App that only lets you enable XPrivacyLua and nothing else - problem solved.
You are confused about how this works. It's either I share a unique ID with 2000 people that use XPL, or I share it...wait for it...not with millions, not with thousands...not even with hundreds...with nobody! And, as addressed many times before in the XPL thread, the MAC address can't be accessed by apps in recent versions of Android. Yes, there are more identifiers that XPL doesn't cover. But it does cover the most important ones. Most apps that use tracking only use those, since they're usually all that is required to identify a user. Besides, the majority of all apps doesn't even use any tracking itself, but instead relies on libraries that do it for them, of which - surprise, surprise! XPrivacyLua can disable the most used ones.
There are no alternatives available that can do the same thing, much less without root. The default Android permissions don't nearly cover everything, and all apps expect them and are able to react to being denied those permissions.
No, definitely not with the same method. Apps can technically detect whether they are being restricted by XPrivacyLua - but none I know of do, because the portion of users using XPrivacyLua is insignificant to them. And if some app really starts to block features because of this: Too bad, soon there'll be additional hooks bypassing that. App developers can't fight Xposed because Xposed has full control over the app. To use a metaphor, they can try to hide in a castle, but Xposed can simply make that castle disappear. They can only try to make it a little harder.
Nope, not at all. Because I got other tools that are able to cover the 4th wheel. If you want a solution that protects 100% of your privacy, the only possible way to do that is to destroy your phone and every digital device you own. You always have to use multiple tools that each cover their own part. And if you really want XPrivacyLua to be the lord and savior of your privacy, go ahead and write some custom hooks! That way you can actually cover everything...
True, but again, XPrivacyLua doesn't have to cover everything in order to be useful. And what is also noteworthy: Google will remove these alternative pathways in future Android versions. So it's just a matter of time until this argument becomes irrelevant.
Let me think about this... You're saying there is no proof that when I restrict the contacts an app has access to my privacy is valued more than when I just let it access everything? I don't see what you don't understand about this - information we don't give an app can't be abused by it, and that XPrivacyLua does feed fake values instead of the real ones is 100% proven. You also talk about some things about battery usage, background processes and network access that have nothing to do at all with what XPrivacyLua does so I'm not going to write anything about that. |
I agree 100%. Because it isn't intended to. You're talking again and again about an attacker exploiting stuff, but that is simply not what XPL tries to protect you against. Assuming that XPL will do anything for your or your device's security is wrong, because it doesn't even try to.
Please read my text again. I didn't say the app itself doesn't need root therefore nothing needed root (although it is also true that XPL itself doesn't need root). XPL only requires Xposed. And Xposed does ALSO not. require. root. (mind = blown... right? Nah, not really). What Xposed requires is the ability to flash ZIPs aka modify the /system partition. That is NOT root, that is an unlocked bootloader. Root means that there are binaries placed in /system that allow apps to access the
I never said you could fix spying with it. Just that it allows you to bypass SafetyNet even with Xposed.
Yes and no. It is due to security reasons, but much more because the average user can't be trusted with that much power over their own system. I mean, you can literally delete your phone's system files with root while it's running. You don't want a user thinking "Oh, what are all these weird files on my phone? I didn't put them there, so I don't need them! Let's just delete it all!"
IMO, Android is stronger in this regard than many other systems simply by having a permissions manager in place. On Windows, Linux or really any Desktop OS, when you run an application, you give it access to all your user data without any further restrictions. You have to trust the binary, which in many cases you can't. Buut that's a discussion for another day.
I never said it can't be compromised. But again, you appear to have a different attack model.
So for you it's all or nothing? You do you, but I'd rather have most of the data and sensors on my phone private than none of them.
Your example for Reddit although true does not make sense because, yet again, that is not what XPL is for. Especially with info like upvotes, which is completely ridiculous because you are giving that information to them on purpose.
Yes I can. Do you know what Fabric is? In case you don't it's a very popular library you can include in any app for free that is meant solely for tracking. It starts with crash reports, but goes on to notify the developer of the app about your system specifics, exactly what things you did in the app (even if the app's purpose itself is completely offline) down to every click, scroll or swipe you do to build heatmaps. And XPL can snap completely disable all of its functionalities. There are also numerous apps/games that look harmless at first, but then while you're playing start recording with your mic without you noticing and sending that data to their servers. XPL can protect against that. So what it protects against is certainly not a niche. And that is the kind of attacker XPL wants to help against. Not people who want your IP address, not people who want to exploit your phone and gain unwanted root access.
Well, it seems to me that you are, after numerous explanations, still refusing to accept what the scope and intention of XPrivacyLua is and judge it for not doing things you want it to do. I personally don't need a research paper for seeing that it works, it's not some blind faith I have. But if you really need one to trust that your privacy is being protected better than before, nobody will stop you from funding someone to do the research. |
he did, you stopped responding
for unrelated reasons you never asked about
It doesn't try or want to. Why do you not understand this?
The little word "personally" is very crucial here.
you are the only one who's been insulting and, as you call it "bitching". Marcel was cooperative and friendly the whole time and I tried my best to do so as well.
So your first thing to assume is that somebody is lying to you? Odds are it was either some kind of bug, or that he misunderstood something about the UI. But sure, it is definitely a lie against you, because it is absolutely in his interest to lie to you about something completely insignificant like that (that was sarcasm btw). You don't wanna trust something that isn't backed up by whitepapers? Fine. But your whole text has proven to me that you have not understood anything about what XPrivacyLua is, what it is intended for and literally everything I've been trying to explain to you this whole time. I conclude that you are unwilling to listen or even think about anything that I said or will say and any further discussion is thus pointless. If you don't mind, I'm going down a waterslide now. |
I'm not going to comment on your Root bs anymore. But I do agree that the current entry should be changed. The dependency on Magisk note should be removed, as well as the note on Root. What does make sense would be something like "The following add-ons require not completely stable software which has a chance of breaking your device. Proceed with caution and make use of backups!" In fact I believe that the description undersells XPL by a bit, since yes, it does solve the mentioned problem of malfunctions, but it actually provides more restrictions than Android has to offer by default (some of which can be crucial for privacy-aware users). But I guess the current description is fine as well, if it catches the reader's attention they will look into the details and learn more about the project themselves. |
@CHEF-KOCH Neither Xposed nor XPrivacyLua has root access on my device and yet, XPrivacyLua works flawlessly. How do you explain that?
Unlocking the bootloader doesn't always void the warranty. It depends on your local laws and the manufacturers. |
@CHEF-KOCH You mention it as
Actually, it's not other modules. It's apps. It's simple like this, xposed-art, xposedbridge, xposed modules, and the app-to-hook are in the same process, that's dalvikvm. XposedBridge inject it into dalvikvm (art) by some hooks, and app-to-hook can also replace the hooks. And it's the base of XposedBridge native part, the only if xposed-art put the hooks to otp or so, otherwise, it can anti-hook. I won't show the source code, and, actually it's very easy for native hook developers. |
XPrivacyLua is an Android open source xposed module which blocks access to personal data by feeding fake data to apps instead of revoking permissions, I think it should be added to the "worth mentioning" section of "Mobile Operating Systems".
Github: https://github.com/M66B/XPrivacyLua
Website: https://lua.xprivacy.eu/
Support: https://forum.xda-developers.com/xposed/modules/xprivacylua6-0-android-privacy-manager-t3730663
It requires the Xposed Framework which is open source too.