The self-bettering de-google experience (GrapheneOS)

Ever wanted to degoogle and not have it be too much of a pain in the behind? Ever wonder what you're losing by spending too much time on social media? Digital health is important. I think one of the partial solutions to digital health is to degoogle.

Let's examine this, but first a link to the rest of the community posts on it :slight_smile:

GEK (no longer with us)

Old Snake (historical post)

Long off topic discussion of it

Wendell

Heimdallr

I'm sure there are more. So, without further ado: my mobile device is a Google Pixel 3 XL. I would say that to degoogle you have a ton more choice than you used to. You have OnePlus (a great choice for flagships), the PinePhone (search the forum for content), the Nexus (older devices but solid; ask @Adubs about his Nexus 6P), and of course the Pixel line-up. The best Pixel phones for this operation are the Pixel 3 XL and the Pixel 3a XL.

I plan on keeping the 3 XL until 5G is mainstream and they are getting ready to beta test 6G. The way I have done this is I have gotten an armor case, a 5-pack of oleophobic thick tempered glass screen protectors and a camera lens protector. I purchased a wireless charger and wireless IEMs so as to minimize the use of my phone's port. This phone will remain pristine as long as I have it. (Before the "stop being poor" comments come: it's not because I can't afford it, it's because I have no need for more.) Until I can no longer access 4G speeds (which suffice) or can no longer update and exploit-mitigate Android, there is no need for excess. It's a gorgeous phone with a beautiful camera. It has excellent specs and it's the 128 GB version. I will never use that much storage, ever.

So what's it like to use the botnet (Google)? I loved it. I have zero shame admitting the convenience of those features; however, I have realized their impracticality and I don't really want them spying on me, for security and privacy reasons. I want people to know what I tell them and not much more. This isn't to avoid cell-tower-based tracking, as one can never avoid cell location and GPS. These services always know where you are, but at least this can turn off any capability of turning on the device remotely etc., mainly due to the ROM used.

De-Google Step 1: Identify a ROM.

The objective is clear: either find a hardened ROM or find an AOSP ROM that is easy to use as a base. This gave me two options: Lineage OS or https://grapheneos.org/. I have built Lineage from source before, but Graphene allowed me an interesting path to take my phone. A non-SU-enabled ROM is better from a security standpoint, and this one used and leveraged the Titan M chip to verify the boot process. So Graphene it was.

De-Google Step 2: BUILD IT FROM SOURCE! woot!

So nobody ever accused me of being a sane individual. Let's build this security-focused ROM for my phone. You can't build this for other devices easily, for a few reasons. Not to completely rip off the author, but devices need to meet the standards of the project in order to be considered as potential targets. The developer himself has made this a strict set of characteristics, which surprisingly Google held themselves to in the Pixel line and NOT the Nexus line. In addition to support for installing other operating systems, standard hardware-based security features like hardware-backed keystores, verified boot, attestation and various hardware-based exploit mitigations need to be available. This is actually what the Titan M chipset is for, and Google is offering a bounty to whoever can hack it: https://www.wired.com/story/google-titan-m-security-chip-pixel-3/

The devices also need to have decent integration of IOMMUs for isolating components such as the GPU, radios, media decode/encode, image processor, etc., as if the hardware/firmware support is missing or broken, there's not much that the OS can do to provide an alternative. The Pixel 3 XL is built to this rather crazy standard. You can utterly isolate any part of the board if you want to. This is what made the Pixel 3 XL my choice of phone. It's one of the more secure phones out there, and few people realize this on a hardware level. As we should all know, hardware, firmware and device-specific software like drivers play a huge role in the overall security of a device. The goal of the project is not to slightly improve some aspects of insecure devices, and supporting a broad set of devices would be directly counter to the values of the project. A lot of the low-level work also ends up being fairly tied to the hardware. So let's build this software, shall we :wine_glass:

I am building for aosp_crosshatch, aka the Pixel 3 XL. (I love its nickname, crosshatch; someone was a car nut.) This will take a lot of bandwidth and space. Few people realize what it takes to compile a ROM. Have at least 16 GB of RAM and 75+ GB of space just to be safe.

The author gives instructions; just find the latest version and compile.

If you've run Arch Linux you can SO build Android for your device. It's a very enlightening experience. Then go OTA from there.

De-Google Step 2 (LOL): Acquiring and installing the ROM

So you're likely already downloading your ROM. Flash it using TWRP and whatever else you need to. My guide here applies only to the Pixels.

Enable OEM unlocking in device developer settings and reboot to fastboot from the advanced menu.

Then, when in fastboot mode, unlock the bootloader by running fastboot flashing unlock

unzip crosshatch-factory-*.zip
cd crosshatch-pq3a.190605.003
sudo ./flash-all.sh

You must use sudo to flash it. In my case I had built it and not zipped it, so I already had everything I needed to flash it unzipped.

Make sure to LOCK the bootloader if you don't plan to root. I don't plan to root because I'm security and privacy focused. It's why I use Secure Boot in the UEFI and sign my kernels :wink:

fastboot flashing lock

Then disable OEM unlocking and you're back to a very secure environment, and the Titan M is preventing exploitation. If your bootloader is unlocked you lose ALL the security of this device.

Want more info on Graphene's security? See here: https://grapheneos.org/usage, which talks about a part I especially like, exec spawning and hardened malloc:

You may notice that cold start app spawning time takes a bit longer (i.e. in the ballpark of 100ms) than stock Android, along with higher app memory usage. This is due to security centric exec spawning model used by GrapheneOS to provide each application with a unique address space layout, random hardened_malloc heap layout and unique keys / seeds for other probabilistic exploit mitigations like stack canaries, setjmp protection and future features like randomized memory tags. Exec spawning doesn't cause a performance cost after launching an app, and similarly doesn't cause any extra latency for app spawning if the app was already running / cached in the background. It isn't very noticeable on flagship devices with a high end CPU like a Pixel 3, and is a lot more noticeable on a lower end device like a Pixel 3a.

Alright, now that I am on a firmly degoogled ROM, let's acquire F-Droid, our open source store, and also a means of acquiring open source Play Store apps that don't have an F-Droid repo yet. Yes they exist, and no, they don't use GoPlServ.

https://f-droid.org/

I needed a banking app, which functions fine. I don't mind my bank intruding on my privacy. They already do it in so many other ways.

I need maps and a way to navigate, so I grabbed OsmAnd~, which is an amazing offline and online maps and navigation app. You can do most of what Google does, save for some updated addresses you'll have to grab from DuckDuckGo.

https://osmand.net/

This leads me to search. DuckDuckGo is what I prefer. It's really just Google, but it does protect us more.

For cloud: host Nextcloud 17. It's an amazing piece of software. See Wendell's video on it :wink: . The Swiss army knife of having your calendar, contacts, etc. all synced to it. I use DAV with it. I also have the server E2E encrypted, which is a solid benefit for cloud security.

I also use a few more apps. I still use Spotify, which is a little broken but still works for content discovery. I love the platform but hate how much it knows about my music. I am in the process of migrating to this alongside my Nextcloud.

I needed a replacement for LastPass. I really searched hard and found Bitwarden. It's awesome. Your data is sealed with end-to-end AES-256 bit encryption, salted hashing, and PBKDF2 SHA-256. For me, I love that they are open about their security like this instead of claiming little to no breaches like leakypass LOL.

https://bitwarden.com/

https://help.bitwarden.com/security/

What does my android setup look like? As black as possible without being too ugly. It really does help AMOLED conserve energy.

The project comes with Vanadium, which is more secure than Bromite if you need something based on Chromium. Personally I like Firefox better. Here are my plugins to keep it from being too broken on mobile.

You can use the advanced permissions of any good ROM to act like a firewall and forgo root for AFWall+. This ROM allows you to deny connectivity access for any app, so it's similar to a built-in firewall. It also prevents apps from accessing location in the background.

For email I use FairEmail. I like this app because I can integrate GPG with OpenKeychain more easily. See, you can still use Google privately. Just send GPG messages. Google can't read those.

Frost: as you saw in the picture, it is used for Facebook; however, I'm considering decentralized social media if anybody is down to share.

Camera

BTW I never lost the Pixel Visual Core camera’s awesome image processing. Open Camera can use it :slight_smile:

What to do if locked into other platforms

  1. Evaluate why you use them and whether you get the benefits suggested.
  2. Evaluate exit routes. Get out of using it. Migrate what you need and move away.
  3. Find a way to use it without Google.
  4. Don't switch now; wait until you have something that suits your lifestyle.

Journey in progress

At the end of the day it's a journey of self and tech discovery. Evaluate your digital health. Should you be stuck to social media, or should you read and strive to learn more and better yourself? This was my reasoning for going this route. My principles say tech shouldn't be this invasive. It should be a tool. To each their own on what that means.

Will update as I continue to use and discover new things. Thanks for stopping by and seeing what I do.

French Proverb:

“Praise the God of all, drink the wine, and let the world be the world.”

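The exec spawning passage quoted in the post above is about how an app process gets its address space: stock Android forks every app from a pre-initialised zygote process, so each app inherits the zygote's layout, while GrapheneOS exec()s each app so it gets a fresh ASLR layout, heap layout and seeds. Here is an added example, not from the original post or from GrapheneOS, that reproduces that difference with plain POSIX fork/exec in Python. The functions (probe_layout, fork_children_layouts, exec_children_layouts, distinct_layouts, aslr_enabled) are my own names, and id() of a module object stands in for the pointers a real process would see.

```python
"""Added example (not from the original post or from GrapheneOS): contrast the
zygote-style fork() spawning used by stock Android with the exec() spawning
described in the quoted GrapheneOS text, using plain POSIX fork/exec."""
import json
import os
import subprocess
import sys


def probe_layout():
    """Two addresses observed by the running process (hypothetical probe).

    In CPython, id() of a long-lived object is its virtual address, so the
    addresses of the sys and os module objects stand in for the heap/data
    pointers that ASLR and hardened_malloc randomise in a real process.
    """
    return (id(sys), id(os))


def fork_children_layouts(n=4):
    """Spawn n children with fork() and collect what each one observes.

    A forked child is a copy of its parent, so every child reports the parent's
    own layout: this is why a zygote-forked app shares the zygote's layout.
    """
    layouts = []
    for _ in range(n):
        read_end, write_end = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: report and exit without running parent cleanup
            os.close(read_end)
            os.write(write_end, json.dumps(probe_layout()).encode())
            os._exit(0)
        os.close(write_end)
        data = b""
        while True:
            chunk = os.read(read_end, 4096)
            if not chunk:
                break
            data += chunk
        os.close(read_end)
        os.waitpid(pid, 0)
        layouts.append(tuple(json.loads(data)))
    return layouts


def exec_children_layouts(n=4):
    """Spawn n children by exec()ing a fresh interpreter, as exec spawning does.

    Each child goes through a new execve(), so the kernel picks a new ASLR
    layout for it; with ASLR on, the children report different addresses.
    """
    code = "import json, os, sys; print(json.dumps([id(sys), id(os)]))"
    layouts = []
    for _ in range(n):
        proc = subprocess.run([sys.executable, "-c", code],
                              capture_output=True, text=True, check=True)
        layouts.append(tuple(json.loads(proc.stdout)))
    return layouts


def distinct_layouts(layouts):
    """Number of different layouts in a list of probe results."""
    return len(set(layouts))


def aslr_enabled():
    """Linux sysctl check for ASLR; assume enabled where /proc is unavailable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return f.read().strip() != "0"
    except OSError:
        return True


if __name__ == "__main__":
    print("parent layout         :", probe_layout())
    print("distinct fork layouts :", distinct_layouts(fork_children_layouts()))
    print("distinct exec layouts :", distinct_layouts(exec_children_layouts()),
          "(ASLR enabled:", aslr_enabled(), ")")
```

Run it and the forked children all report exactly the parent's addresses, while each exec'd child reports its own; the cold-start cost the quote mentions is the price of that second behaviour, since every exec'd process has to initialise from scratch instead of inheriting a warmed-up image.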

no pls


Regarding custom ROMs, make sure that you check the actual build number of the cellphone you are buying vs the build supported by the ROM (or even TWRP) itself. I just bought an Asus Zenfone Max Pro M2 a few days ago and it turns out fastboot won't flash TWRP into the recovery partition (bootloader was unlocked).

I tried rolling back the firmware through the service center (which I paid for because unlocking the bootloader voids the warranty). It still won't flash. I am down to installing Win 10 on a laptop as the Lineage OS build dev suggested. F me if this will not work. I would have wasted money on a cellphone. Previously I had no problems with OnePlus.


Did you seek help on XDA?

Also, anybody serious about ROMs buys the phones mentioned in my post.

Update: 1

Firefox likes to perform telemetry for good reasons. It helps them fix a ton of stuff and perform experiments which they view as beneficial for the open source user. Open source != private. So let's tweak Firefox a bit in order to disable telemetry and experiments completely. This works on both mobile and desktop.

Find these keys and set them to false:

browser.newtabpage.activity-stream.feeds.telemetry

browser.newtabpage.activity-stream.telemetry

browser.ping-centre.telemetry

toolkit.telemetry.archive.enabled

toolkit.telemetry.bhrPing.enabled

toolkit.telemetry.enabled

experiments.activeExperiment

experiments.enabled

experiments.supported

network.allow-experiments

toolkit.telemetry.firstShutdownPing.enabled

toolkit.telemetry.hybridContent.enabled (you may not see this one)

toolkit.telemetry.newProfilePing.enabled

toolkit.telemetry.reportingpolicy.firstRun

toolkit.telemetry.shutdownPingSender.enabled

toolkit.telemetry.unified

toolkit.telemetry.updatePing.enabled

Simple easy beautiful open source configurable software. No frills, no worries.

I have these plugins going BTW. Open to more good suggestions:

Ghostery spies on what you disable. Do not use Ghostery for anti-tracking. Don't enable DNS over HTTPS or TLS in the browser. Do it via Android's Private DNS feature.

Don't forget MAC randomization is good for anybody serious about avoiding tracking. It's in the Wi-Fi settings.

The randomized MAC address option is configured for each wireless connection, so there is no way to configure this globally unless you build it into the ROM which I added to this lovely graphene ROM. Once you connect to a wireless network, here’s how to make sure the device is using a random MAC address (instead of the device MAC address).

Open the Settings app.
Tap Network & Internet.
Tap Wi-Fi.
Tap the gear icon associated with the wireless connection to be configured.
Tap Advanced.
Tap Privacy.
Tap Use Randomized MAC.

In my case it's always enabled :slight_smile:

My Wi-Fi also has probe sequence number randomization, per-network-association MAC randomization and hostname randomization. You have to manually build this into Lineage OS if you're on Lineage. Plenty of guides out there on it.

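The telemetry keys listed in the update above have to be checked one by one in about:config. As an added example that is not part of the post, here is a small Python audit that parses a Firefox prefs.js or user.js, sorts those keys into disabled, still enabled, and not set at all (left at the browser default), and emits user.js override lines for the last two groups. The prefs excerpt in SAMPLE_PREFS_JS is constructed for the demo, not taken from a real profile, and the function names are my own.

```python
"""Added example (not from the post): audit a Firefox prefs.js / user.js for the
telemetry and experiment keys listed above and emit user.js lines for any that
are still enabled or left at the browser default."""
import re

# The keys from the list above, in the same order.
TELEMETRY_PREFS = [
    "browser.newtabpage.activity-stream.feeds.telemetry",
    "browser.newtabpage.activity-stream.telemetry",
    "browser.ping-centre.telemetry",
    "toolkit.telemetry.archive.enabled",
    "toolkit.telemetry.bhrPing.enabled",
    "toolkit.telemetry.enabled",
    "experiments.activeExperiment",
    "experiments.enabled",
    "experiments.supported",
    "network.allow-experiments",
    "toolkit.telemetry.firstShutdownPing.enabled",
    "toolkit.telemetry.hybridContent.enabled",
    "toolkit.telemetry.newProfilePing.enabled",
    "toolkit.telemetry.reportingpolicy.firstRun",
    "toolkit.telemetry.shutdownPingSender.enabled",
    "toolkit.telemetry.unified",
    "toolkit.telemetry.updatePing.enabled",
]

# One user_pref("name", value); line: value is a bool, an integer or a JS string.
_PREF_LINE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_telemetry(prefs, wanted=TELEMETRY_PREFS):
    """Sort the wanted keys into disabled (false), enabled (anything else set)
    and unset (absent from the file, so still at the browser's default)."""
    report = {"disabled": [], "enabled": [], "unset": []}
    for name in wanted:
        if name not in prefs:
            report["unset"].append(name)
        elif prefs[name] is False:
            report["disabled"].append(name)
        else:
            report["enabled"].append(name)
    return report


def user_js_overrides(report):
    """user.js lines that pin every enabled or unset key to false."""
    return "\n".join(f'user_pref("{name}", false);'
                     for name in report["enabled"] + report["unset"])


# Constructed sample of a prefs.js excerpt, not taken from a real profile.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("toolkit.telemetry.enabled", true);
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.archive.enabled", false);
user_pref("experiments.enabled", false);
user_pref("browser.ping-centre.telemetry", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1573000000);
"""

if __name__ == "__main__":
    result = audit_telemetry(parse_prefs(SAMPLE_PREFS_JS))
    for status, names in result.items():
        print(f"{status}: {len(names)}")
    print(user_js_overrides(result))
```

Only keys that have been changed from their default appear in prefs.js, so an "unset" key is one still at the browser's default and worth checking in about:config; the generated user.js lines pin those and any still-true keys to false on the next start.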

Upon further consideration I made an adjunct post on making Firefox a bit better

Firefox Hardening Tips 2019


I wish GrapheneOS had more devs! The single dev seems stressed out and he isn’t really social enough to ask for help… It would have to be a special person to work with him.

Aye, Crocker’s Rules compliance would be a must I think.

I do, however, suspect he may be correct not to explicitly ask for help; I imagine someone with the appropriate passion and skills for a project like GrapheneOS will be drawn in by looking at the code themselves far more than by explicit request. A “devs needed” post would probably draw in more “noise” than “signal”, and the original developer could end up fruitlessly trying to bring prospective devs up to speed, only for those devs to realise this is not their cup of tea, and leave. Better for the project to grow organically I think.

There's a reason why "introverted" programmers' social lives don't "grow organically" as well as socially normal people's… Perhaps there are many engineers who like the project and would be willing to help, but all experienced bystander's apathy. You can clearly tell by his posts that he's sick of it and at his limits. Pretty easy for me to make arguments that it is good to ask for help on his behalf, if we want to see it around in years.

I chose a similar path but there are still a few things I can't figure out: How to get decent adblocking on GrapheneOS? Using DNS-based (AdGuard & NextDNS) ad blocking doesn't work in so many cases (i.e. YouTube). Vanadium doesn't support extensions. And the GOS developer & security expert (Daniel) says that regular browser-based adblocking is terrible for security and dissuades us from using it… So what should we do? We can just ignore him and use Fennec + the uBlock extension, I suppose.

Another issue is that I've not gotten automatic updates in F-Droid or Aurora Store to work. I have to do them manually each time.

I’m curious - have you tried using the GOS backup feature and then restoring to another phone and seeing how much stuff you lose? It seems every program needs care as to what it might need to backup.

Use your own recursive DNS server with DNS over TLS + Pi-hole hosting and point Android Private DNS to the Pi-hole … SEE
Infrastructure Series -- Recursive DNS and Adblocking DoT w/NGINX

I left GrapheneOS due to a lack of core development. I am on Lineage OS currently, so unfortunately no.

I value my social life. Not an unsocial nerd. So I kept a lot of stuff like WhatsApp and Signal and stuff. I still have Instagram. Data mine what I give you; that's fine. I just won't give you what I don't want to. I have sufficient knowledge on how to do that.

I’m having no issues with Instagram, WhatsApp, and Signal on Graphene… But what I was saying about the DNS-based adblocking is that it doesn’t work. You’re saying a custom DNS server can do what NextDNS & AdGuard DNS can’t?

Absolutely, and you can extend it further. The underlying tech doesn't change. The part that does is you control it :wink:

Also, it does work. Study how DNS and ad serving work. If it doesn't work it means the end user set it up wrong. (period said done)

OK I will try again… Just found this thread:


Commendable effort by the dude. One flaw: YouTube just needs to change the IP :joy:, of which it has 1000s.

Don't give up on adblocking simply because you couldn't get one site to work. YouTube is very tough and they are about to start serving ads through the TLD, forcing ads no matter what if you access the page and videos. There won't be a way to block that, save never using YouTube lol

Not sure might just be the adblocker?


Super… I basically just wanted to reach uBlock Origin + Chromium on desktop level of adblocking… If DNS-based can do that, plus the improvements from encrypting DNS, then that is two birds with one stone - great!

I extended it further. See the bottom of my signature thread in my profile.

Content Blocking

My thoughts

My impression that Daniel Micay is actually very much in favour of browser-based blocking, but he sees issues with the methods that several browser extensions use, especially when they modify the page itself rather than the browser’s behaviour. A VPN-service-based app has similar issues, but a DNS-based blocking method can more cleanly and efficiently remove ads, albeit not all ads in all cases.

The extension-based method that Daniel Micay is decrying seems to be when an extension changes the webpage after the browser downloads it, but before the browser renders it. This is akin to a MITM (man-in-the-middle) attack taking place inside the browser. The VPN-service method in comparison is basically also a MITM attack, albeit one that is taking place outside the browser.

     Normal: browser[page load → rendering]
  Extension: browser[page load → manipulation → rendering]
VPN-service: manipulation → browser[page load → rendering]

These manipulations are kind of like someone adding a new <script> or <style> at the very top of the page, that runs before anything else on the page. This gives an extension total control over all the pages you look at, and a malicious extension like this would be in a position to do a lot of damage.

While the description on its wiki about types of blocking suggests uBlock Origin is using something more robust than this for its Network and Hosts filters, I do not know enough about the inner workings of browsers to know if that is actually a safe mechanism. Regardless, Android Chromium does not seem to support extensions anyway.

It looks like the eventual plan might be to add a filter list interface like iOS’s Safari to Vanadium. You can see some discussion about this in the Vanadium Github issue for content filtering using the built-in filtering engine.

In the meantime, Fennec with uBlock Origin seems like a good idea; I also saw mentions of Bromite as an ad-blocking alternative to Vanadium, but I have read very little about it so I would consider doing some research before using it.

If you want to stay with Vanadium, then at the moment all you can use are DNS blocking methods, which are the equivalent of only being able to use Host filters in uBlock Origin, so as an example:

https://example.com/goodpage for this good page
https://evil.ad/spooky.js we can block a bad domain
https://example.com/spooky.js but we cannot block only a particular path

GrapheneOS Dev Context

If you could provide a link next time, that would save me some time searching; anyway, I assumed you were referencing Daniel Micay’s Reddit comments here:

… People should not be trying to implement privacy and security by injecting code into the adversary’s code and hooking various APIs in a way that can be bypassed or detected. In general, browser extensions are not a good place to attempt implementing privacy and security features. APIs for browser extensions are not designed to provide robust or secure ways of doing these things, so extensions implement half-baked solutions or complete hacks involving injecting code and pretend they have working / robust approaches when they do not. Privacy and security features need to be built into browsers to work properly.

In Firefox, extensions are unintentionally constrained by the page’s Content-Security-Policy and sandbox attributes. This is an implementation bug with no solution in sight. …

While looking around, I noticed he also made some related comments in this GitHub issue,

The current API used by extensions is very broken. It's not fail-safe but rather if it times out or the extension has an error it falls back to permitting the request. …

If you set up a strict Content-Security-Policy with report-uri / report-to, you'll see that a substantial portion of users have malware / spyware extensions that are messing with your page content and injecting tracking, advertisements, themes creating vulnerabilities in the site, etc. They can and do remove the Content-Security-Policy header or make modifications to it, …

Also the GrapheneOS site itself warns about the flaws of app VPN-service-based blocking,

The approach of intercepting traffic is inherently incompatible with encryption from the client to the server. The AdGuard app works around encryption by supporting optional HTTPS interception by having the user trust a local certificate authority, which is a security risk and weakens HTTPS security …

Using the VPN service to provide something other than a VPN also means that these apps need to provide an actual VPN implementation or a way to forward to apps providing one, and very few have bothered to implement this.

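The three-URL comparison in the reply above is the whole difference between the two blocking methods, so here it is as runnable Python, added as an example and not part of that reply: a hosts/DNS-style blocklist, which can only return a verdict per hostname, beside a simplified matcher for uBlock Origin's ||host/path^ network rules, which can also match a path. The rule parser handles only that subset of uBlock's syntax (no wildcards, options or exceptions), the filter lists and URLs are constructed from the reply's examples, and the function names are my own.

```python
"""Added example (not part of this reply): the three URLs above run through a
hosts/DNS-style blocklist, which can only decide per hostname, and through a
simplified uBlock-style network rule matcher, which can also match a path."""
from urllib.parse import urlsplit


def host_matches(rule_host, host):
    """Match a hostname or any of its subdomains, as hosts lists and ||-anchored rules do."""
    return host == rule_host or host.endswith("." + rule_host)


def dns_blocked(url, blocklist):
    """What Pi-hole, NextDNS or uBlock's Hosts filters can express: a hostname verdict.

    A resolver never sees the path, so a host is either blocked whole or not at all.
    """
    host = urlsplit(url).hostname or ""
    return any(host_matches(rule_host, host) for rule_host in blocklist)


def parse_network_rule(rule):
    """Parse the ||host/path^ subset of uBlock Origin's network filter syntax.

    Only this subset is handled here (no wildcards, options or exceptions);
    it is enough to show the host-plus-path granularity a browser filter has.
    """
    body = rule[2:] if rule.startswith("||") else rule
    body = body.rstrip("^")
    host, sep, path = body.partition("/")
    return host, sep + path  # path is "" when the rule names only a host


def network_filter_blocked(url, rules):
    """Block when a rule's host matches and the URL path starts with the rule's path."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for rule in rules:
        rule_host, rule_path = parse_network_rule(rule)
        if host_matches(rule_host, host) and parts.path.startswith(rule_path):
            return True
    return False


# Constructed filter lists for the URLs in the reply above (not real lists).
DNS_BLOCKLIST = {"evil.ad"}
NETWORK_RULES = ["||evil.ad^", "||example.com/spooky.js"]
URLS = [
    "https://example.com/goodpage",
    "https://evil.ad/spooky.js",
    "https://example.com/spooky.js",
]


def compare(urls=URLS, blocklist=DNS_BLOCKLIST, rules=NETWORK_RULES):
    """Verdict of both methods for each URL: {url: (dns_blocked, filter_blocked)}."""
    return {url: (dns_blocked(url, blocklist), network_filter_blocked(url, rules))
            for url in urls}


if __name__ == "__main__":
    for url, (dns, net) in compare().items():
        dns_word = "blocked" if dns else "allowed"
        net_word = "blocked" if net else "allowed"
        print(f"{url:32} DNS: {dns_word:8} filter: {net_word}")
    # The only way DNS can stop example.com/spooky.js is to block the whole
    # host, which takes the good page down with it:
    print("block example.com at DNS ->", dns_blocked(URLS[0], {"example.com"}))
```

The good page and the evil.ad script come out the same under both methods; example.com/spooky.js is where they part, since the only DNS answer that stops it also stops example.com/goodpage. That collateral damage is the practical limit of the Pi-hole/Private DNS approach suggested earlier in the thread, and the reason a path-aware filter inside the browser can block more precisely.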

Wow, this is amazing. Mind making your own thread in connection with it?

You can link to my Pi-hole DNS infrastructure wiki as well.