Let's get something straight before the rest of this blog post is read: if you want true privacy, you are best off not having a smart phone of any sort at all... Even with the tools and steps outlined in this post, you still have a device capable of recording, locating and even taking pictures of you without your knowledge. If you think of how much you have your phone on or around you this can be quite a sobering thought - it's as simple as that. If, however, you are interested in trying to minimise the possibility of this information leaking in to the greater domain of the outside world then read on.
My OS of choice on a mobile device is Android, part of the reason for that is for it's extreme customisation, something you're not trusted with in the realms of the Apple iOS ecosystem. And as a part of the customisation afforded to you through Android, is the ability to run exactly the software you want. This means you don't even need to run any software that is created or linked to a google account. It is also somewhat open source. That is to say, whilst some of the underlying, basic parts of the OS are open source, a lot of apps require to have proprietary bits of Google code on your phone - bits that only Google will know what they're doing.
So what's the problem with a default Android OS install? Google Play Services Framework, these services may sound fairly harmless, maybe even helpful, like they're supposed to serve you somehow. Well they're not, they are accountable for allowing apps you install on your phone to access the proprietary Google APIs, and as said before we don't know what is really happening in these bits of code. We just have to trust Google not to do anything 'bad' within this code. And given recent stories about Facebook, you may not want to risk that.
Let's just put a custom ROM like LineageOS (formally known as CyanogenMod) on my phone and be done with it! Easy tiger, unfortunately it isn't that simple. Whilst a new install of LineageOS does not install the google play services or any Google related apps by default, many apps rely upon Google Play Services to run properly. And you obviously won't have the Google Play Store anymore either. Until recently I didn't know there was a way around these problems, that was before I started looking around the privacy and privacytools.io subreddits. It was there that I first learnt about a solution to this problem.
What is this solution - you may ask? Fortunately there are some very clever people out there who have created an Open Source alternative to these services called the microG Project. To get apps without having to use the Google Play Store look at f-droid. In their repositories they have an app called "Yalp Store" which allows you to download apks (the plain application file) of apps from the Google Play Store without having to sign in to a Google account. Don't worry, I will go through a summarised overview of what I did to get this all working on my phone, as always though your mileage may vary on your device and I bear no responsibility if your device doesn't work anymore.
Before getting on and maximising privacy, it should be noted that as with anything in life, there are positives and negatives in utilising these alternatives on a factory default phone. One of the major drawbacks for a lot of people will be the fact that microG does not offer an alternative to the Google Cast API, this means that you will not be able to cast to Google Chromecast devices. Another problem is that microG does not offer an alternative for Google pay either, so if you use your phone to pay for things, you won't want to go forward with this.
On the bright side, location information can be keep to your device only as there are alternatives to the Google Maps and Location APIs, this was a major bonus to me. It goes without saying that if you do this, you will not have access to Google assistant etc. Though you could perhaps install it after the fact, though that would kind of defeat the point of going through all this trouble. If you have bought a lot of apps on the play store, you may not want to do this either as you may not be able to access those apps.
At the end of the day you have to decide whether you think the positives outweigh the negatives.
Some helpful guidance
Disclaimer: I am not responsible for any damage to any of your devices if you decide to try this and it doesn't work out. If you do not know what you are doing, or are not confident enough to do it after doing some research - DON'T DO IT.
There are some pre-requisites in order to be able to install microG on a phone, these include:
- - An Android phone - for obvious reasons.
- - An unlocked bootloader - how to do this will vary from device to device.
- - Custom recovery software for you phone, like TWRP.
- - A custom Android ROM that supports signature spoofing - a list of which can be found here. Workarounds can be afforded to ROMs which don't support this (more on that later).
- - For bonus points, whilst you're doing all this you could also root your phone - I currently use Magisk.
First you'll need to unlock the bootloader and install your ROM of choice on your phone. If you're stuck and need help a good place to look for all things android customisation wise is the xda forums. If you already have a custom ROM installed and have some sort of root access, but it doesn't support signature spoofing, don't worry you can install the xposed framework and the FakeGApps module. Handily enough, if you use Magisk, there is even a module for the xposed framework that will automagically install xposed for you.
If you've never installed a custom rom before and are worried when your phone restarts and you don't see the play store or any other Google apps, don't worry. Download f-droid, and then you can install microG through their f-droid repositories as well as any other FLOSS goodness. If you want access to a an alternative to the Google Play Store you can install the Blank Store, however, I did not bother with this and just installed the default FakeStore.apk from microG and then installed the Yalp Store through f-droid. The Yalp Store allows you to download and install apks available from the play store without having to sign in to your Google account.
After you've installed these parts of the microG platform you should have a microG settings app on your launcher, open it and Enable the Google device registration and Google Cloud Messaging (push notifications) as you see fit. I have disabled Google device registration but enabled Google Cloud Messaging. You'll also need to Configure the UnifiedNlp Settings. Once that is done, you can reboot your device and finally ensure that Battery optimisation is disabled for microG Services core in android System Settings > Battery > Burger Menu > Battery Optimisation. In doing so you would have completed a setup of the microG platform on your device.
To ensure it is all working properly you can perform a Self-Check from within the microG settings app, there should be tick marks by every criteria.
A Small Bonus
If you have installed the xposed framework on your phone during this endeavour I would like to point out a great module which will help obfuscate private data usage in apps, XPrivacyLua. When you don't grant permissions to some apps in android it can cause them to crash, what this module cleverly does is allow you to grant the permissions, but instead of giving the app your real world data, it will feed it fake data. Be it fake GPS co-ordinates, fake IMEI numbers, blocking camera usage. Whilst not related to microG, it is just another part of a greater, privacy toolkit.
I thought it would be worth ending this post with a remark about compromises - they're an important part of living as a human being. I have just gone over a fairly esoteric way to claim back some privacy from big corporations. With all this being said, I still have a tablet which has all the Google apps installed and their relative frameworks which leak private data everywhere. However, this tablet is not always on me and almost always stays in one room within my house. This allows me to use a Google home mini on some recent home automation projects I have been working on which I wouldn't be able to access from my phone, because as mentioned before when you use microG you loose the ability to communicate with the Google Cast API which the google home app relies upon.
This was a compromise I decided was worth it. My phone is almost always on me, and I thought it would be a good compromise to shut down as much data leaked from it as I could by using the above tools. Just think about it for a minute, a modern smartphone has a microphone which can record conversations, a GPS system which can record where you are, cameras which can record what you see. Data which has the potential to be uniquely tied to you and used by however a company who has it sees fit, never mind any other agencies. I do however know that my tablet and Google Home mini are not always with me, and I am comfortable with them sending data they have from the little amount I use them compared to my phone.
Find a compromise that works for you, if you don't care about data privacy then don't spend the time to worry about it (also sorry for wasting 10 minutes of your life, but why are you reading this anyway?). If you want to obscure data from a device that you may carry around with you, then look at options out there, you don't have to live in a lead lined shed wearing a tin-foil hat...
One final comment in case people are wondering out there about privacy on Android compared to Apple devices. iOS devices probably do offer better privacy out of the box than their Android counterparts. If the Android device is running a custom rom and no Google Play Services, then it would win out over an iOS device.