privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

Suggestion: mention XPrivacyLua #399

Closed ghost closed 6 years ago

ghost commented 6 years ago

XPrivacyLua is an open source Android Xposed module which blocks access to personal data by feeding fake data to apps instead of revoking permissions. I think it should be added to the "worth mentioning" section of "Mobile Operating Systems".

GitHub: https://github.com/M66B/XPrivacyLua
Website: https://lua.xprivacy.eu/
Support: https://forum.xda-developers.com/xposed/modules/xprivacylua6-0-android-privacy-manager-t3730663

It requires the Xposed Framework, which is open source too.

hugoncosta commented 6 years ago

This is in line with the #338. The plugin seems great though, I can't understand how it's done, but I am a fan of security by obfuscation.

@kewde, @Shifterovich, what do you think if we create a subsection under Mobile OS with useful plugins/add-ons, just like with Firefox (https://www.privacytools.io/#addons)?

ghost commented 6 years ago

Sounds great, but someone has to do the work. I'm very busy lately.

hugoncosta commented 6 years ago

Awesome, I'll start hacking at it, I'll see which other add-ons there are that we've been speaking about in the other issues.

hugoncosta commented 6 years ago

@pietropacchio I'm currently a user of AFWall, would you say that the big difference is that Netguard requires no root?

I think I'll do two trees - one with and one without root access.

Namnodorel commented 6 years ago

First things first, a correction I'd like to see on privacytools.io: XPrivacyLua DOES NOT require Root to work, or Magisk for that matter. That is just the most common way of getting it. But XPL itself only requires the Xposed framework, which can be installed standalone from the recovery without root.

Before you say anything: This still voids your warranty, because it is not Root access that makes it void but unlocking the Bootloader, which you need to do in order to install Xposed. And yes, it still breaks SafetyNet (which is by the way NOT meant to secure your device, it is meant to secure the data/integrity of companies like Netflix). But that can be fixed in a lot of cases by using microG - with its implementation of SafetyNet, phones with Xposed up and running have passed the test, and with a little luck, yours will too.

About Root being a security issue: Not really, just like Xposed. But like anything powerful, it is a two-edged blade, and if you're dumb enough to cut yourself with it, then that's on you. If you really want to make it "safe for average users", I'm sure it wouldn't be a big problem to create a version of the Xposed Manager App that only lets you enable XPrivacyLua and nothing else - problem solved.

You seriously want people using the module because (2000 ... let's say 10k people have same ID) vs how many million others? Since MAC can't be spoofed you still are not less unique anyway even if you fake things like Browser referer etc. I already gave an example that in real-world it's not helpful, you refuse to accept the valid tracking point.

You are confused about how this works. It's either I share a unique ID with 2000 people that use XPL, or I share it...wait for it...not with millions, not with thousands...not even with hundreds...with nobody! And, as addressed many times before in the XPL thread, the MAC address can't be accessed by apps in recent versions of Android. Yes, there are more identifiers that XPL doesn't cover. But it does cover the most important ones. Most apps that use tracking only use those, since they're usually all that is required to identify a user. Besides, the majority of all apps doesn't even use any tracking itself, but instead relies on libraries that do it for them, of which - surprise, surprise! XPrivacyLua can disable the most used ones.

Recommend XPrivacyLua even if there are alternatives available which don't need root, also ignoring the fact that the XPrivacyLua developer warns us that there is no support for rooted apps.

There are no alternatives available that can do the same thing, much less without root. The default Android permissions don't nearly cover everything, and all apps expect them and are able to react to being denied those permissions.

Apps also can detect with the same method if you're behind Xposed, Xposed Lua or other apps.

That everyone gets same data which uses XPrivacyLua is also a con not a pro, since this can be used to flag all users so an attacker can build a strategy in order to bypass its 'functions'.

No, definitely not with the same method. Apps can technically detect whether they are being restricted by XPrivacyLua - but none I know of do, because the portion of users using XPrivacyLua is insignificant to them. And if some app really starts to block features because of this: Too bad, soon there'll be additional hooks bypassing that. App developers can't fight Xposed because Xposed has full control over the app. To use a metaphor, they can try to hide in a castle, but Xposed can simply make that castle disappear. They can only try to make it a little harder.

It's like saying I recommend you to repair 3 out of 4 wheels when it's obvious that a car needs 4 in order to drive. Pointless right?

Nope, not at all. Because I got other tools that are able to cover the 4th wheel. If you want a solution that protects 100% of your privacy, the only possible way to do that is to destroy your phone and every digital device you own. You always have to use multiple tools that each cover their own part. And if you really want XPrivacyLua to be the lord and savior of your privacy, go ahead and write some custom hooks! That way you can actually cover everything...

The program is limited by itself via the Android API which means it doesn't cover any data which are outside this official api, especially malware programs not often use 'their standards' in order to bypass certain things.

True, but again, XPrivacyLua doesn't have to cover everything in order to be useful. And what is also noteworthy: Google will remove these alternative pathways in future Android versions. So it's just a matter of time until this argument becomes irrelevant.

You still don't give any proof that faking information prevents any tracking/data 'giveaway' since there is no proof on this 'theory', which means that's already the end of the discussion.

Let me think about this... You're saying there is no proof that when I restrict the contacts an app has access to, my privacy is valued more than when I just let it access everything? I don't see what you don't understand about this - information we don't give an app can't be abused by it, and that XPrivacyLua does feed fake values instead of the real ones is 100% proven.

You also talk about some things about battery usage, background processes and network access that have nothing to do at all with what XPrivacyLua does so I'm not going to write anything about that.

Namnodorel commented 6 years ago

XPL is not a security manager or an app which helps on the matter.

I agree 100%. Because it isn't intended to. You're talking again and again about an attacker exploiting stuff, but that is simply not what XPL tries to protect you against. Assuming that XPL will do anything for your or your devices security is wrong, because it doesn't even try to.

the upper layer definitely needs root.

Please read my text again. I didn't say the app itself doesn't need root therefore nothing needed root (although it is also true that XPL itself doesn't need root). XPL only requires Xposed. And Xposed does ALSO not. require. root. (mind = blown... right? Nah, not really). What Xposed requires is the ability to flash ZIPs aka modify the /system partition. That is NOT root, that is an unlocked bootloader. Root means that there are binaries placed in /system that allow apps to access the su-command during runtime. Xposed does not need that. Xposed only needs to replace binaries once, and that's it. It doesn't access su to work. You can have an unrooted phone with Xposed. It will still usually break SafetyNet, but it won't be rooted. Do you have a modded Android? If not, I suggest you to try it or at least read some articles/tutorials on the internet about it. That'll give you a better idea what a locked/unlocked Bootloader, Root, and Xposed is and what relation they have to each other.

MicroG is another topic, you btw can't fix spying with it

I never said you could fix spying with it. Just that it allows you to bypass SafetyNet even with Xposed.

The reason why root is disabled is exactly due security reasons.

Yes and no. It is due to security reasons, but much more because the average user can't be trusted with that much power over their own system. I mean, you can literally delete your phone's system files with root while it's running. You don't want a user thinking "Oh, what are all these weird files on my phone? I didn't put them there, so I don't need them! Let's just delete it all!"

XPrivacyLua also doesn't cover everything, so to recommend a 'solution' which tries to fix Android's problem is incredibly stupid. You try to fix a weak system with another weak module, that will never work, and proven with the entire AV industry argumentation.

IMO, Android is stronger in this regard than many other systems simply by having a permissions manager in place. On Windows, Linux or really any Desktop OS, when you run an application, you give it access to all your user data without any further restrictions. You have to trust the binary, which in many cases you can't. Buut that's a discussion for another day.

Spreading misinformation that XPL can't be compromised is wrong

I never said it can't be compromised. But again, you appear to have a different attack model.

never said something that XPL is not useful, I said I see it as pointless, due to the fact that it doesn't cover all aspects or my argumentations.

So for you it's all or nothing? You do you, but I'd rather have most of the data and sensors on my phone private than none of them.

There is no evidence that faking data doesn't prevent e.g. the application to transmit it directly

How would an application transmit information directly that it doesn't have? This may be true for network-related information, but if I deny an application access to my contacts, no amount of network requests will change that.

Your example for Reddit although true does not make sense because, yet again, that is not what XPL is for. Especially with info like upvotes, which is completely ridiculous because you are giving that information to them on purpose.

you can't fake its tracking which is designed to expose you. There is some little benefit on your app/argumentation, e.g. when apps are in the background, sending statistics etc away without your knowledge

Yes I can. Do you know what Fabric is? In case you don't, it's a very popular library you can include in any app for free that is meant solely for tracking. It starts with crash reports, but goes on to notify the developer of the app about your system specifics, exactly what things you did in the app (even if the apps purpose itself is completely offline) down to every click, scroll or swipe you do to build heatmaps. And XPL can snap completely disable all of its functionalities. There are also numerous apps/games that look harmless at first, but then while you're playing start recording with your mic without you noticing and sending that data to their servers. XPL can protect against that. So what it protects against is certainly not a niche. And that is the kind of attacker XPL wants to help against. Not people who want your IP address, not people who want to exploit your phone and gain unwanted root access.

It seems you defend a product with ignoring the simple fact that the XPL integrated mechanism are too weak to get my recommendation and because it can't protect you against simply leakages I see no point to bring this to our attention.

Well, it seems to me that you are, after numerous explanations, still refusing to accept what the scope and intention of XPrivacyLua is and judge it for not doing things you want it to do. I personally don't need a research paper for seeing that it works, it's not some blind faith I have. But if you really need one to trust that your privacy is being protected better than before, nobody will stop you from funding someone to do the research.

Namnodorel commented 6 years ago

doesn't even have the guts to answer on his own topics/app

he did, you stopped responding

not even allowed issue tickets

for unrelated reasons you never asked about

XPrivacyLua is a worthless try to 'secure' Android

It doesn't try or want to. Why do you not understand this?

If you're arrogant enough to say you need no research/audit in order to prove your words

The little word "personally" is very crucial here.

toxic community

you are the only one who's been insulting and, as you call it "bitching". Marcel was cooperative and friendly the whole time and I tried my best to do so as well.

M66B lost all credibility by lying straight into my face.

So your first thing to assume is that somebody is lying to you? Odds are it was either some kind of bug, or that he misunderstood something about the UI. But sure, it is definitely a lie against you, because it is absolutely in his interest to lie to you about something completely insignificant like that (that was sarcasm btw).

You don't wanna trust something that isn't backed up by whitepapers? Fine. But your whole text has proven to me that you have not understood anything about what XPrivacyLua is, what it is intended for and literally everything I've been trying to explain to you this whole time. I conclude that you are unwilling to listen or even think about anything that I said or will say and any further discussion is thus pointless. If you don't mind, I'm going down a waterslide now.

walrus543 commented 6 years ago

Seriously, why don't you want to understand that it does NOT require root...

EDIT:

Requirements: Magisk

False!

Namnodorel commented 6 years ago

I'm not going to comment on your Root bs anymore. But I do agree that the current entry should be changed. The dependency on Magisk note should be removed, as well as the note on Root. What does make sense would be something like "The following add-ons require not completely stable software which has a chance of breaking your device. Proceed with caution and make use of backups!"

In fact I believe that the description undersells XPL by a bit, since yes, it does solve the mentioned problem of malfunctions, but it actually provides more restrictions than Android has to offer by default (some of which can be crucial for privacy-aware users). But I guess the current description is fine as well, if it catches the reader's attention they will look into the details and learn more about the project themselves.

walrus543 commented 6 years ago

@CHEF-KOCH Neither Xposed nor XPrivacyLua has root access on my device and yet, XPrivacyLua works flawlessly. How do you explain that?

I think it simply should be stated that you lose warranty, need root in order to get the framework and all its functions working etc.

Unlocking the bootloader doesn't always void the warranty. It depends on your local laws and the manufacturers.

liudongmiao commented 6 years ago

@CHEF-KOCH You mention it as

Another thing is that other modules can disable other apps/modules, a PoC is here.

Actually, it's not other modules. It's apps.

It's simple like this, xposed-art, xposedbridge, xposed modules, and the app-to-hook are in the same process, that's dalvikvm.

XposedBridge inject it into dalvikvm (art) by some hooks, and app-to-hook can also replace the hooks. And it's the base of XposedBridge native part, the only if xposed-art put the hooks to otp or so, otherwise, it can anti-hook. I won't show the source code, and, actually it's very easy for native hook developers.