I'd like to throw NetGuard (Pro version) into the round. The app uses the VPN interface and works like a kind of firewall. You can then fine-grain block or allow all connections that the app sets up. The best way to do this is to use the whitelist principle. First block all the app's connections and then only allow the connections that are really necessary for the app to work. That way, you can block trackers.
Note, however, that this method requires a lot of patience and effort.
Apps and web sites can detect that ad-blocking is being used and can determine what's being blocked. This can be used as part of fingerprinting users. Using a widely used service like AdGuard with a standard block list is much less of an issue than a custom set of subscriptions / rules, but it still stands out compared to the default of not doing it.
Source: https://grapheneos.org/faq#ad-blocking
I would recommend you to use AdGuard Public DNS instead of NextDNS or AdGuard Private DNS.
Currently I use Adguard VPN with an Adguard DNS that blocks some trackers.
For a period of time I used an app called Tracker Control https://trackercontrol.org/. You can find it on F-Droid.
It will identify trackers for each app on your phone that has access to the internet and then categorize them into non-essential and essential trackers. You are given the choice of which individual trackers and categories of trackers you want to block, but I found each time if I tried to block the essential trackers for that app, the app would not work.
So it seems for most closed source / tracker infested apps you won't be able to block all trackers and have the app still work. I'm guessing the DNS solutions are also not blocking "essential trackers".
Its the enumerating badness argument. The best way to not get tracked by apps is to not use apps with trackers. I'm not being an absolutist here, I use DNS/VPN blocking and apps with trackers. Merely pointing out that the only to way to keep out all bad is to ensure you only let in the good.
Max-Zorin using this from more than 1 year
I trust that the OS blocks access to hardware IDs. If you can't deny app network access, give it storage scopes and make sure you don't store sensitive info in shared folders. Apps with trackers and analytics store their analytics data in their respective Android/data/ folders. Have a look what info they collect and whether you're happy with it. If you aren't, find a more privacy friendly alternative. A lot of the times less is more (for the sake of simplicity and reducing of attack surface). I am thus far reluctant to use sandboxed Google Play. Very simply put but in my opinion there are things OS can't control and giving privacy invasive services such as Google Play, Meta, Microsoft infrastructure and so on network access is already half way to disaster.
This is incorrect information.
give it storage scopes and make sure you don't store sensitive info in shared folders
Storage Scopes is an alternative to granting storage permissions. Enabling Storage Scopes doesn't reduce access compared to not granting permissions. Contact Scopes works the same way. These are alternatives to permissions, not something that restricts apps further than not enabling either.
Apps with trackers and analytics store their analytics data in their respective Android/data/ folders. Have a look what info they collect and whether you're happy with it.
Android/data is only for data stored in the largely legacy scoped external storage directory. Internal storage directories are where most data is stored. Neither has much to do with analytics/telemetry.
Very simply put but in my opinion there are things OS can't control and giving privacy invasive services such as Google Play, Meta, Microsoft infrastructure and so on network access is already half way to disaster.
It's not clear what you mean by "things OS can't control".
Not using sandboxed Google Play doesn't mean you aren't using Google apps and services. Every app depending on sandboxed Google Play uses the Google Play SDK and libraries which run as part of the app. Sandboxed Google Play doesn't run in a special sandbox. It runs in the standard app sandbox with all the standard GrapheneOS privacy/security improvements. It doesn't have any special access or capabilities. It's a misconception that it's a special sandboxing approach. The compatibility layer teaching it how to run in the standard app sandbox is what we provide.
poubellier You're looking at inaccurate lists of permissions and trackers from Aurora Store or Exodus Privacy. Those apps do not correctly represent the standard Android permissions requested by an app, and do not account for the fact that permissions being requested does not mean they're granted. Their detection of trackers is simply hard-wired detection for certain third party libraries they deemed to be privacy invasive without clear guidelines and it's often clearly incorrect. Lack of these libraries detected by those apps does not mean apps are privacy respecting. Presence of most of those libraries doesn't mean they are privacy invasive. An app can do everything that these "trackers" can do without them. The "trackers" are simply certain third party code that the app developer has chosen to include which runs within their app within the app sandbox for it. Apps can send data to their own server from their app and can send data to services from their own server. In fact, this is considered best practice for most services because doing it client side within the app requires leaking your API keys.
@[deleted] That YouTuber posts highly inaccurate content and it shouldn't be linked here.
GrapheneOS please stop with this silly practice. You reply to a post and then go on to hide it so we lose context of what you're replying to. Thank you. "Historical inaccuracies" Just to add, I would like to know which youtuber posts in your opinion inaccurate content so I am wary of it.
Blocking trackers is badness enumerated, so basically the app developer can change where the tracking data is sent to. For example, a app dev is aware of blocking list for their app, the dev says "oh the domain I use for my main api is not blocked by the blocking tools, I will expand it in future update to add analytics to my app & API" Bypassing the badness enumeration of the block lists that are ever changing.
The best way to block is reduce the data the app has, using sandboxed google play, file and contact scopes in grapheneos and secondary profile for these apps.
GrapheneOS What YouTuber? I'm curious.
By the way, blocking trackers in apps is useless.
You shouldn't have deleted the post that you're referring to.
Why don't you tell us which YouTuber, in your opinion, posts inaccuracies?
[deleted] hmm? Why do you say this? I haven't been doing the privacy thing for very long, but part of my process for a new app is to run Exodus and block domains for trackers. I then watch NextDNS logs while using the app to see where else it may be pinging and block those domains so long as they don't break any functionality I want.
I figured if an app is using these trackers they're probably NOT also serving the same data from their own company servers to those domains.
Is this a waste of time?
treequell
Yes, that's correct, but by using NextDNS you can see how often the selectable lists are updated.
I have selected all lists with regular updates and it works fine.
You can test the success with online tools like this: https://d3ward.github.io/toolz/adblock.html
BTW: if a website/app have issues with NextDNS, you can set their domain in the Allowlist and don't worry, which block list is the case for the issue. Allowlist has higher priority as all other rules.
