What Are the Best Ideas for Using LineageOS with Root and microG? ( github.com )

Mikelius , 4 days ago

1. AFWall+ firewall to allow list apps to internet using your preferred method (e.g. VPN, wifi, data, etc)
2. PcapDroid to help monitor and analyze packets, or to just confirm things aren't communicating unexpectedly
3. AdAway if you're not using your own dedicated dns over a permanent VPN connection

If not all 3 of these, AFWall is probably the best to go with. Having a way to not only block Apps, but also define your own custom firewall rules is very powerful. For example, I redirect all DNS requests to my own DNS with a custom rule (for apps, like Termux, using hardcoded DNS lookups instead of what the phone is set to)

Psyhackological OP , 4 days ago

So you're suggesting more "network" control. I like it.

AFWall+

I use NetGuard, but I don't see any benefits from having root in it.

PcapDroid

Hmm, interesting, I think the closest thing that I use now is TrackerControl.

AdAway

I'm using my VPN "socket" with TrackerControl.

define your own custom firewall rules is very powerful

Yeah, and also easy to mess up connections so they no longer work properly. 😆

I redirect all DNS requests to my own DNS with a custom rule (for apps, like Termux, using hardcoded DNS lookups instead of what the phone is set to)

That seems cool. For now, I'm using Mullvad's public DNS service. See their dns-blocklists.

I also know App Manager, and I'm using it and with root it with ease blocks any necessary trackers and other things. Have you tried it?

Mikelius , 3 days ago

I'll have to check out TrackerControl, that's a new one to me!

I have seen app manager but currently use AppOps. I didn't recommend AppOps above because I'm not sure it's still supported or not, and it's also not really Foss. It's treated me well over the years, but I'm definitely interested in finding a better alternative. The last time I checked app manager, it wasn't as good... But maybe that's changed as it's been several years now so I think I might be due for looking at it again!

My wireguard connection on my phone connects to my home network to an pi hosting my internal VPN... But the network is completely covered by a mullvad VPN through opnsense. I've got pihole setup using the mullvad anti-trackkng private DNS. With this setup, the only real need I have for root on my phone is because I do some pretty low level automation on it through crond and some backups of core app data that I'd really hate to lose... And the complex firewall rules lol.

sunzu , 3 days ago

How do you make AFwall and vpn working together, when i tried it said one or the other.

Mikelius , 3 days ago

This is where rooting the phone is required. I use wireguard without root and have AFWall granted with root at bootup so it doesn't require acting as a VPN

BlastboomStrice , 5 days ago

Have you tried apatch as an alternative to magisk?

It ~combines rhe advantages of magisk and kernelsu

GolfNovemberUniform , 5 days ago

KernelSU is unsafe. Is apatch the same?

BlastboomStrice , 4 days ago

I think it may be based on ksu, but also uses superkeys with passwords or something. I don't know much about its security, you may want to check the issues tab on github or generally the project itself.

Psyhackological OP , 4 days ago

From the security standpoint, I think rooting is always against the security. That's why DivestOS and GrapheneOS are against it, and it shouldn't be tried. However, I was interested in Shizuku that also is some another hole to patch up when exploited.

Psyhackological OP , 4 days ago

KernelSU is unsafe

Is any root safe though?

GolfNovemberUniform , 4 days ago

Not really but KSU is less safe than Magisk

Psyhackological OP , 4 days ago

In what way?

GolfNovemberUniform , 4 days ago

Read their own official documentation. They officially said they didn't have anyone responsible for security and it's not what they cared about. This combined with basically giving the whole system root permission is very bad for security

Psyhackological OP , 4 days ago

No, I have never heard of it. Thanks!

I don't even know what Kernelsu is. Magisk is already applied to the phone, never thought there are alternatives.

BlastboomStrice , 4 days ago

Oh oke oke. I had issues with magisk a few months before I switch. I think there were incompatibility issues between magisk and lsposed manager, so I did a full reset, I upgraded the rom (from a beta version from November 2021 of the rom xiaomi.eu miui 12.6/android 11, I went to xiaomi.eu hyperOS/android13) and installed apatch so that I dont have incompatibikity issues (plus, it hides root much better).

Psyhackological OP , 4 days ago

lsposed manager

I don't know what that is.

it hides root much better

To me, that's the funniest thing. I come from Linux and I want to have - let's say administrator (root) of my Android, which is also Linux as far I know. I know the Android is praised for its security, but come on, I wish to have control over my system as a working System Admin. That's the main purpose of my set-up. How come, any app can just check whether I have root or not? That's some bullshit.

1. Custom ROM - LineageOS
2. microG so I don't use proprietary Google Play Services
3. and root so I can have full control over my smartphone

BlastboomStrice , 4 days ago

Those "root checks" are a joke. ~Nobody raises a brow if you are an admin user with root privilages on windows, (desktop) linux or macos. But it's such a huuuge deal when you manage to actually own and use your own mobile device the way you want by breaking free from what they impose on you, ugh...

Any app that doesnt work when you have root access ~shouldn't be used at first place..

Lsposed is a magisk/ksu module that has its own modules too. Like a manager insude a manager giving you even more options.

I would like to help you with various stuff and customizations but I just don't have enough time to explain them all.😅

I'm just gonna list stuff you may find useful:

Apatch (root and magisk/kernel modules manager)

Mrepo (magisk modules manager)

Shizuku

Color blender (to tweak metarial you colors)

Droidify (fdroid alternative)

Aurora store (play store alterantive)

Total commander (closed source root file manager)

Canta (used to uninstall system apps, I just use it to see the descriptions of various apps and disable them)

Florisboard beta (I have made a very good copy of gboard with that, I can send you the files if you want)

Smartpack manager (info about the phone and more)

Appmanager (various detailed info about apps)

Hidden settings (settings your rom may not show, closed source)

Island (for dual apps)

Neobackup (root backups, has issues with work profile)

Databackup (root backups, I use it to backup work profile apps)

Sai (installer)

Roundsync (uses rsync or rclone I think)

PrimitiveFTP (to send/recieve files with ftp connections)

DroidFS (to encrypt files)

DiskUsage (to visalise storage usage)

Db viewer (to view databases of apps, closed source)

Termux (temrinal for android, too advanced for me)

UsageDirect (logs app usage)

Motionamate (logs steps)

Neutrinote ce (notes)

Fossify apps (gallery, sms, calendar etc.)

Librera (pdf, epub etc viewer)

Moneywallet (expense/income tracker)

Magisk modules:

• Adb and fastboot for android ndk

• Advanced charging controller

• Busybox for android ndk

• Lsposed-mod (maintained version of lsposed manager, after the original went archived)

• Zygisk mod

Lsposed modules/apps:

• Lucky patcher (hacking apps if you want to)

• Free notificiations to manage notifications

• Matrix rain (fancy effect with matrix background in notification shade)

• messengerEX (to disable adds in messenger app, in case you use it)

And many many more stuff

I was setting up my phone for about two weeks some months ago (the was a bug with xiaomi and work profile)😅

dwindling7373 , 2 days ago

I'm pretty sure Shelter is better than Island, but I forgot the reason xD

GPS Logger is neat if you want to keep track of your movements now that Google won't track you anymore.

BlastboomStrice , 2 days ago

Insular (the degoogled open source version of Island) has a page comparing Island, Shelter and Insular

https://secure-system.gitlab.io/Insular/faq.html

I don't know if its updated, but you can pick the ones that fits your needs.

I picked Island because I thought I may have issues with my notifications if I had chosen Insular. (Plus, there was this bug I was talking about and thought that it would fix it. Installing Island wasnt the solution, but I had already spent a lot of time/days setting up my phone multiple times and didnt want to try it again, with the possibility of problematic notifications.)

ElectroLisa , 5 days ago

Try passing the SafetyNet check

vikingtons , 4 days ago

Someone suggested to me the other day that safetynet was now (or will soon be) deprecated. I'm not sure what the situation is with regards to attestation, though I sort of dread to think about what will replace it.

BlastboomStrice , 4 days ago

I think the new "safetynet" is "Play integrity". I think you need playstore installed and activated to pass the test though.

At least, it seems like many apps are ok with passing only safetynet though, so probably not a big issue yet.

Psyhackological OP , 4 days ago

Google Play and their services are so tightly integrated with Android, no wonder GrapheneOS did their sandbox...
However, I thought of doing the same with microG.

Psyhackological OP , 4 days ago

Let's see how apps will adapt it.

Psyhackological OP , 4 days ago

Any guidance on this?