Android app trackers

Hello all, I tried posting in r/privacy but a mod suggested I try here instead, since mentioning a VPN goes against their policy.

I run GrapheneOS (a hardened, privacy-centric version of Android), and therefore cannot and will not root my phone. I also run a very good VPN.

I’d like to stop app trackers. If you go to https://reports.exodus-privacy.eu.org/en/ and search for an app, it will list the app’s trackers and permissions. The trackers bit is what I’d like to stop, I don’t want them phoning home or analyzing my usage.

I ideally would like a FOSS solution, so I’ve tried a few from F-Droid: TrackerControl (didn’t work, since the app uses a pseudo-VPN and Android allows for only 1 VPN… meaning I’d have to compromise my very good VPN in lieu of their fake one) and AdAway (freezes at the Welcome screen, every time).

I guess I could consider a Pi-Hole, but it seems from what I gather, it works at the LAN-level and not on the mobile data band.

I still contend r/privacy might be a better community for my situation, but I’m following their mod’s suggestion to post here.

So, what do you all think?

The problem lies with the trackers and how much these apps depend on them. Bugsnag or Sentry are fairly easy to block without issue, but some apps will lose key functionality or simply crash if you block trackers like Google Firebase Analytics.

Then there’s the matter of certain trackers phoning home to a perpetually expanding pool of IP addresses. WhatsApp and AliBaba are notorious in this regard.

If you frequent r/privacy then is it safe to assume your “very good VPN” is one of the three* listed on the PG site?

As the other comment stated, Pi-Hole (or AdGuard Home, or a DNSCrypt proxy) on a VPS would work. The other option would be something like NextDNS. You’ll need to check the logs (make sure you’ve set up your NextDNS account so that logs are stored in Switzerland) to see what’s being let through and what’s not, and what app functionality is breaking in the process.

Any specific domain name or IP address that you’ve determined a particular app phones home to but isn’t blocked, you can add to your Denylist (do note that changes to Allow/Deny lists take around 10 minutes to take effect).

All in all, a lot of trial & error is required, and this is before you realize that the level of filtering you’ve settled on for neutering the app spying also prevents most websites from functioning in your web browser, so you’ll then need to have said web browser employ a less aggressive DNS filtering profile (Bromite can do it with its Secure DNS feature, so I assume Graphene’s Vanadium can too) and augment that with stronger browser-based blocking (Bromite can, not sure about Vanadium) to fill in the gaps.

You mentioned you run GrapheneOS. Are you at least running these apps within the provided Google Play Sandbox? I’m not sure what kind of rules you can assign to that sandbox, since I don’t own a Pixel (not available where I live, importing brings no warranty coverage). Have you checked if it’s possible to have a different DNS option running for just the sandbox? That way you can be as aggressive as possible within the sandbox and be a bit more lenient for the apps outside of it.

*Of those three VPNs, I’ve only used two. One of them (the one based in Gibraltar) allows you to input DoH strings in its app’s Custom DNS setting so you can easily fill in your NextDNS profile string and have your DNS queries with their associated filtering happen within the secure tunnel. The other one (based in Sweden) only allows for IP addresses, so it’s trickier. You’ll have to use the official WireGuard app and input the DoH address in a custom config. I’ve got no experience with the third provider (the Swiss one), so I don’t know how you’d go about it with that one.
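One way to do the "check the logs" step offline, as an added example that is not from this thread, from NextDNS or from any of the apps named: it suffix-matches the queried domains in a constructed DNS query log against a constructed tracker-domain list and reports, per app, which tracker lookups were blocked and which got through (the ones worth adding to a denylist). The log line format, the app package names and the tracker domains are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed tracker domains (assumption; real lists come from Exodus or a blocklist).
TRACKER_DOMAINS = {
    "firebase-analytics.example": "Google Firebase Analytics",
    "sentry.example": "Sentry",
    "bugsnag.example": "Bugsnag",
}

# Constructed log lines in an assumed "<app> <queried domain> <BLOCKED|ALLOWED>" format.
SAMPLE_LOG = """\
com.example.weather app-measurement.firebase-analytics.example BLOCKED
com.example.weather api.weather.example ALLOWED
com.example.notes o123.ingest.sentry.example ALLOWED
com.example.notes sessions.bugsnag.example BLOCKED
com.example.chat cdn.chat.example ALLOWED
"""

def match_tracker(domain):
    """Return the tracker name whose domain is a suffix of `domain`, else None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TRACKER_DOMAINS:
            return TRACKER_DOMAINS[candidate]
    return None

def audit_log(log_text):
    """Group tracker hits by app: {app: {"blocked": [...], "allowed": [...]}}."""
    report = defaultdict(lambda: {"blocked": [], "allowed": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        app, domain, status = parts
        tracker = match_tracker(domain)
        if tracker is None:
            continue  # not a known tracker: first-party or API traffic
        bucket = "blocked" if status == "BLOCKED" else "allowed"
        report[app][bucket].append((domain, tracker))
    return dict(report)

if __name__ == "__main__":
    for app, hits in audit_log(SAMPLE_LOG).items():
        for domain, tracker in hits["allowed"]:
            print(f"{app}: {tracker} via {domain} is getting through; candidate for the denylist")
        for domain, tracker in hits["blocked"]:
            print(f"{app}: {tracker} via {domain} blocked")
```

Apps with no tracker hits at all (like the constructed chat app) are simply absent from the report, so a missing app means nothing on the tracker list was queried, not that everything was blocked.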

I truly thank you for your time and insight. You’ve given me a lot of food for thought, I haven’t really paid any mind to the default sandbox, so that is something else I should educate myself on. It appears there’s not currently a FOSS app that answers to what I’m looking for, and it appears I may have to use an alternative approach like you’ve demonstrated. Thanks again for the insight, looks like I have more research ahead of me.

Thank you for your time and insight. I wonder if my old 2012 Raspberry Pi Model B (512 MB of RAM, 700MHz CPU, and 100 Mbps eth) is usable in this regard…

One FOSS app comes to mind - Shelter - but I’m not quite sure how you’d adapt it to your specific needs and threat model. You’ll have to check yourself.