XPrivacy: How to Control Your Android Privacy

Android doesn’t let you choose which permissions to deny during installation, but you can restrict them after an app is installed. XPrivacy is for you if you would like to keep some privacy while still using your preferred apps.

As we all know, Android apps can declare as many permissions as the developer likes. As users, we can only view the permission details; we can’t deny them if we still want to keep the app. Furthermore, because some developers have little sense of privacy, and some apps have no alternative, abuse of permissions does happen from time to time. Big companies not only care about your privacy, but also make a fortune from it. To increase the security of your web sessions, transmitted data, financial transactions and personal information online, use a VPN service.

To deal with those disobedient developers, some tools have been developed to restrict the requested permissions. However, an app can be written, intentionally or not, so that it force-closes when a null or invalid value is returned. There was an earlier solution (PDroid), but it was strictly for geeks: you had to merge changes into your ROM, which requires an understanding of the terminal, programming and debugging. A computer is also required for the job. It had fairly limited support, and most mobile phones were (and are) not supported.

Thanks to the Xposed Framework, you can now make low-level changes with nothing more than a knowledge of common Android usage. As mentioned, the only prerequisite is that the Xposed Framework and the XPrivacy module are properly installed and enabled.

[Image: XPrivacy Main UI]

XPrivacy has two versions: general and Pro. The latter asks for a donation, another way for developers to replace the price with a good-sounding word.

The picture on the left shows the main UI of XPrivacy. The first checkbox decides whether to restrict permissions; the second checkbox is the on-demand toggle. Once you enable on-demand restriction, XPrivacy will ask you to grant or deny a permission as the app asks for it. This mode is useful if you wish to catch when a permission you care about is accessed.

[Image: XPrivacy new app notification]

I personally prefer not to enable it, but to explicitly assign which permissions an app has access to once its installation is complete. When you finish installing an app, XPrivacy will prompt you to specify restrictions, set/generate fake data, or clear restrictions.

You can optionally make the notification appear when apps update as well, but it can be a bit irritating if they are updated frequently.

[Image: XPrivacy Template]

You can edit the default template, which is applied immediately after a new app is installed. I limited access to Accounts, Calendar, Contacts and Messages. Generally, few apps should read my personal content, and, except for Accounts, these permissions make it rather easy to identify who I am, while an app doesn’t (and shouldn’t) know this much.

The reason I didn’t restrict Identification is that identification is used by many apps and is hard to treat as disposable. If you do this, many apps will consider that you have changed phones or something similar. Some may trigger a security check. Since identification is for determining the device, not personal information, I only limit it for certain unfriendly apps.

[Image: XPrivacy Settings]

There is a settings page where you can customize the data returned to the app, mostly about identification. There are two Settings pages, global and app-specific. App-specific settings take precedence over global ones.

Each field in the Fake Data section has three states:

  • Blank: XPrivacy will return the device’s real information.
  • Box checked: XPrivacy will generate fake data on each access.
  • Text: XPrivacy will return the text you entered.

XPrivacy also allows you to generate randomized data or clear filled fields with a click. You can also randomize the data on boot.
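
The three field states and the app-over-global precedence described above, together with the earlier point that an app may force-close on a null value, modelled as an added Python example (not XPrivacy's own code). The field name, the sample values, the hypothetical `naive_app`, and the fall-through of a blank app-specific field to the global setting are assumptions made for illustration.

```python
import secrets

# Constructed sample value standing in for real device information.
REAL_DEVICE = {"serial": "REAL-SERIAL-0001"}

# Field states modelled as Python values (an assumption of this sketch):
#   None -> blank, True -> box checked, str -> text entered by the user


def random_value():
    """Fresh 12-character hex string standing in for generated fake data."""
    return secrets.token_hex(6).upper()


def resolve(field, global_cfg, app_cfg, restricted=True):
    """Value an app reads for `field` under the given settings."""
    if not restricted:
        return REAL_DEVICE[field]
    # App-specific settings take precedence over global ones.
    # Assumption: a field left blank for the app falls through to global.
    setting = app_cfg.get(field)
    if setting is None:
        setting = global_cfg.get(field)
    if setting is None:      # blank: real information
        return REAL_DEVICE[field]
    if setting is True:      # box checked: new fake value on each access
        return random_value()
    return setting           # text: exactly what was entered


def naive_app(value):
    """Hypothetical app code that assumes it always gets a string."""
    return "device-" + value.lower()


def survives(value):
    """True if naive_app handles the value, False if it would crash."""
    try:
        naive_app(value)
        return True
    except (AttributeError, TypeError):
        return False


if __name__ == "__main__":
    global_cfg = {"serial": True}
    app_cfg = {"serial": "FAKE-1234"}
    print(resolve("serial", global_cfg, app_cfg))   # app-specific text wins
    print(resolve("serial", global_cfg, {}))        # random on each access
    print(survives(None), survives(resolve("serial", global_cfg, {})))
```

A tool that blocks access by handing back a null value makes `naive_app` fail, while a well-formed fake value lets the same code run without seeing the real data.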

[Image: XPrivacy usage]

You can check the usage data in two different windows, again global and app-specific. Checking the usage data gives you a clue as to how an app fetches sensitive data. You can also filter to find what matters most.

Identification info is shown in a two-level layout. Tapping a function name takes you to the respective app’s permission list. The log entries colored red are so-called “dangerous permissions”: common ones that are used by many apps and can cause instability if limited.

XPrivacy is a must-have module for Xposed Framework users because:

  1. XPrivacy is the lowest-cost app among similar apps. Integrated into the low level of the system, Xposed does the work in an almost passive way.
  2. It is the most powerful tool that can safely generate fake info. Other similar apps can’t return fake data even if root privilege is granted.
  3. Support for online template downloading/uploading.
  4. It is ad-free, and purchasing is optional.

And the cons:

  1. It can’t run on Android L+. Because Xposed temporarily lacks support for Lollipop, it can’t run there yet.
  2. The first-time setup takes some time, as the delicate template, rules and fake data need to be initialized.

In the next article, let’s see what XPrivacy can do with its fake data return function.