[Guide] Setup a private android with banking apps functioning and no red flags

Privacy and Security Guides
1

If you have a pixel, kindly use grapheneOS (sandboxed google play services) , otherwise this guide is pretty useful.

  1. Unlock bootloader. (If your ROM is too privacy invading / bloated)
  2. Install any custom OS that gives pixel experience, I use PixelOS.
  3. Switch off permissions (unlocked) of google apps in settings . (Show system → search google )
  4. Switch off their background network connectivity in settings.
  5. Revoke Special Permissions via Settings → Apps & Notifications → Advanced → Special App Access.
  6. Use adb to uninstall bloatware.
  7. Use adb to switch off locked permissions.

Pro Tip: You can just disable google apps, then enable them when you need to get those banking apps see google in your phone.

switch on android debugging

get into android shell via:

adb shell

you can list all google apps by:

pm list packages | grep google

you can list dangerous permissions by

dumpsys package com.google.android.gms | grep permission | grep true 

pm list permissions -g -d | awk -F: '/permission:/ {print $2}'

list google privileged permissions by:

pm list permissions -g -d | awk -F: '/permission:/ {print $2}' | grep google

then revoke by

for i in "READ_CONTACTS" "READ_SMS" "WAKE_LOCK" "PROCESS_OUTGOING_CALLS" "BLUETOOTH_SCAN" "USE_BIOMETRIC" "READ_MEDIA_AUDIO" "READ_MEDIA_VIDEO" "READ_MEDIA_IMAGES" "BLUETOOTH_CONNECT" "BLUETOOTH_ADVERTISE" "NEARBY_WIFI_DEVICES" "ACCESS_RESTRICTED_SETTINGS"; do appops set com.google.android.gms $i ignore  ; done

for i in "READ_CONTACTS" "READ_SMS" "WAKE_LOCK" "PROCESS_OUTGOING_CALLS" "BLUETOOTH_SCAN" "USE_BIOMETRIC" "READ_MEDIA_AUDIO" "READ_MEDIA_VIDEO" "READ_MEDIA_IMAGES" "BLUETOOTH_CONNECT" "BLUETOOTH_ADVERTISE" "NEARBY_WIFI_DEVICES" "ACCESS_RESTRICTED_SETTINGS"; do appops set com.android.vending $i ignore  ; done

for i in "READ_CONTACTS" "READ_SMS" "WAKE_LOCK" "PROCESS_OUTGOING_CALLS" "BLUETOOTH_SCAN" "USE_BIOMETRIC" "READ_MEDIA_AUDIO" "READ_MEDIA_VIDEO" "READ_MEDIA_IMAGES" "BLUETOOTH_CONNECT" "BLUETOOTH_ADVERTISE" "NEARBY_WIFI_DEVICES" "ACCESS_RESTRICTED_SETTINGS"; do appops set com.google.android.googlequicksearchbox $i ignore  ; done

for i in "READ_CALENDAR" "WRITE_CALENDAR" "CAMERA" "READ_CONTACTS" "WRITE_CONTACTS" "GET_ACCOUNTS" "ACCESS_FINE_LOCATION" "ACCESS_COARSE_LOCATION" "RECORD_AUDIO" "READ_PHONE_STATE" "READ_PHONE_NUMBERS" "CALL_PHONE" "ANSWER_PHONE_CALLS" "READ_CALL_LOG" "WRITE_CALL_LOG" "ADD_VOICEMAIL" "USE_SIP" "PROCESS_OUTGOING_CALLS" "BODY_SENSORS" "SEND_SMS" "RECEIVE_SMS" "READ_SMS" "RECEIVE_WAP_PUSH" "RECEIVE_MMS" "READ_EXTERNAL_STORAGE" "WRITE_EXTERNAL_STORAGE" "ACCESS_MEDIA_LOCATION" "ACCEPT_HANDOVER" "ACCESS_BACKGROUND_LOCATION" "ACTIVITY_RECOGNITION"; do pm revoke com.google.android.gms $i; done

for i in "READ_CALENDAR" "WRITE_CALENDAR" "CAMERA" "READ_CONTACTS" "WRITE_CONTACTS" "GET_ACCOUNTS" "ACCESS_FINE_LOCATION" "ACCESS_COARSE_LOCATION" "RECORD_AUDIO" "READ_PHONE_STATE" "READ_PHONE_NUMBERS" "CALL_PHONE" "ANSWER_PHONE_CALLS" "READ_CALL_LOG" "WRITE_CALL_LOG" "ADD_VOICEMAIL" "USE_SIP" "PROCESS_OUTGOING_CALLS" "BODY_SENSORS" "SEND_SMS" "RECEIVE_SMS" "READ_SMS" "RECEIVE_WAP_PUSH" "RECEIVE_MMS" "READ_EXTERNAL_STORAGE" "WRITE_EXTERNAL_STORAGE" "ACCESS_MEDIA_LOCATION" "ACCEPT_HANDOVER" "ACCESS_BACKGROUND_LOCATION" "ACTIVITY_RECOGNITION"; do pm revoke com.android.vending $i ; done

for i in "READ_CALENDAR" "WRITE_CALENDAR" "CAMERA" "READ_CONTACTS" "WRITE_CONTACTS" "GET_ACCOUNTS" "ACCESS_FINE_LOCATION" "ACCESS_COARSE_LOCATION" "RECORD_AUDIO" "READ_PHONE_STATE" "READ_PHONE_NUMBERS" "CALL_PHONE" "ANSWER_PHONE_CALLS" "READ_CALL_LOG" "WRITE_CALL_LOG" "ADD_VOICEMAIL" "USE_SIP" "PROCESS_OUTGOING_CALLS" "BODY_SENSORS" "SEND_SMS" "RECEIVE_SMS" "READ_SMS" "RECEIVE_WAP_PUSH" "RECEIVE_MMS" "READ_EXTERNAL_STORAGE" "WRITE_EXTERNAL_STORAGE" "ACCESS_MEDIA_LOCATION" "ACCEPT_HANDOVER" "ACCESS_BACKGROUND_LOCATION" "ACTIVITY_RECOGNITION"; do pm revoke om.google.android.googlequicksearchbox $i ; done

note I have only listed app ops / permissions that I was able to change to ignore via adb.

Revoke android debug permissions, switch off android debugging. switch off developer options. Now all your banking apps should be working with least amount of privacy invasion, cheers :beers:

I have set this up in my test device, I will let you know if there are some problems in the coming week. Google apps switch on permissions automatically sometimes as they are privileged + these settings may be reversed by rebooting.

you can get all dangerous app ops in PC via:

wget -qO- https://raw.githubusercontent.com/aosp-mirror/platform_frameworks_base/android-9.0.0_r52/core/res/AndroidManifest.xml | grep -E 'protectionLevel=|<permission android:name=' | grep -B1 'protectionLevel=.*appop' | awk -F'"' '/permission/ {print $2}'

References:

https://android.stackexchange.com/questions/220292/list-of-adb-settable-permissions

5 Likes
2

You can build your own custom ROM with the sandboxed google play services via:

https://forum.xda-developers.com/t/guide-grapheneoss-sandboxed-play-services-in-your-rom.4340557

3 Likes
3

Sideload cromite with changed package name as com.android.browser and disable google chrome too.

Use apkmirror in browser not google play store wherever you can.

You can disable google app and google play store.

You can disable google play services as well after onboarding of banking apps if they don’t check on-start.

1 Like
4

Switch off permissions and data on google dialer, messages and files too.

1 Like
5

Hello thanks for your amazing guide i have already been using graphene os alongside zorin os

6

Lol this will kill windows.

Can you compare zorin with fedora?

1 Like
7

Yes zorin os is easier to use than fedora as well being actively updating to the newest security updates and has better wine support out of the box you should try it out its community based

8

Why use APKMirror when you can use the Aurora Store?

9

Atleast for me it has been unreliable, need to sign in with google account. Anonymous accounts seldom worked.

2 Likes
10

Had that issue some time ago, now they seem to have fixed it

11

I tested zenus bank app with the device.

You have to give network permission to google play services and play store.

Download the zenus app from google play store (signing verification?)

Zenus didn’t work so I made a new profile, and gave google account location and sim access in that profile and the app worked.

Probably zenus gets the location and sim details from the google plays services.

12

I respect whats said. I also observe the benefit of graphene. Frankly, in context of one’s opsec preferences, and threat model, i find that strategic compartmentalization can provide even better security and privacy relative to whatever one’s utility or convience preferences. Even with banking. Of course, i realize in the zeitgeist , a person choosing highly privatized behavior is incurring risks of being considered suspicious… and if a bank app or teller, or even google’s AI, or other AI interprets such human behavior, as a predictive threat… (in most cases it does)… then the chances of not only being placed under the new AI’s automated social/behavorial monitoring and deprivation scales is an obvious risk… the chances of legalized extrajudicial euthanasia is quite likely too… the usa’s rule 41, patriot act ,fisa, state secrecy expansion - analagous to nuremburg laws of 1933 Germany-… etc.

I digress. Appreciate your respects.

I say that as I recognize the potential aim of such tech is not just the provocation/creation of one crisis to foment another more sinister one… that’s a no brainer… the new cyber concentration/death camp is already here… the subjugation of human personality to a state or tech-state matrix is the end game… imho…

Even those supposes “private experts” run the risk of not just dehumanizing themselves by virtue of all thier girations to foment privacy (which inadvertantly places their selves in service to “working around threats” so much so, as to be enslaving thier personality to the tech state, etc).

As I digress I’ll leave this point off with the question has anybody watched the interview of Mark Zuckerberg and Lex Fridmsn a couple months ago? Where Mark talks about how God is something important to him (?) and Mark , imho, insinuated- though not explicitly said- that he feels like he’s doing the world and God a great service with his artificial intelligence and combating the war on terrorism…

So who do you think you really work for in the end?

I’ll leave you to investigate the beliefs of the owners of Google (Brin/page) and Mark Zuckerberg on your own…

As for the importance of spreading privacy to the masses, I think it transcends much more than just Tech…

As I insinuated in one of my other posts about what is the real underlying issue about security… or privacy for that matter…