Recently at work I received a task from my manager: make sure that an Android phone does not leak data to Google. You can imagine my delight (and anticipation), because after 2 weeks of tests I already felt like someone who flashes phones at the radio market (nothing personal, it's just not my profile). I read an excellent article and, having gained some experience, decided to add a little to it. By the way, the article is excellent; I recommend reading it.
Let's look at several alternative operating systems supposedly without Google services, and find out if they really don't communicate with Google. I prepared for the work thoroughly: I even bought a Pixel 3 for the tests, since GrapheneOS only works with devices from Google.
I also wanted to test:
- /e/
- PostmarketOS
- PinePhone . youtube, , , .
GrapheneOS
- root
- Google:
- HTTPS: https://www.google.com/generate_204
- HTTP: http://connectivitycheck.gstatic.com/generate_204
- HTTP fallback: http://www.google.com/gen_204
- HTTP other fallback: http://play.googleapis.com/generate_204
, Captive portal 4 . root . google. , , , ( )
LineageOS
LineageOS . . . , . 3 , , .
google:
- firewall. afwall+, f-droid aurora store,
- , . . google.
root . , , . magisk
firewall
, , . , ( AFwall+ root ). android 10 Network Stack Permission Config module. .
. Pixel 3, google hardware . . .
- DNS
- Captive Portals
- WebView
- Hostfile
DNS
LineageOS dns 8.8.8.8, cloudflare 1.1.1.1. vpn , wifi dns. magisk "CloudflareDNS4Magisk", - , . dns, .
Captive Portals
Captive portal — , . , . - google.
, root magisk
USB, (linux;macos) shell, ./adb shell
, su
. : permission denied, magisk shell .
. google f-droid
settings put global captive_portal_mode 0
settings put global captive_portal_detection_enabled 0
settings put global wifi_watchdog_on 0
settings put global wifi_watchdog_background_check_enabled 0
settings put global captive_portal_server f-droid.org
settings put global captive_portal_https_url "https://f-droid.org"
settings put global captive_portal_http_url "http://f-droid.org"
settings put global captive_portal_fallback_url "http://f-droid.org"
settings put global captive_portal_other_fallback_urls "http://f-droid.org"
http://captiveportal.kuketz.de
http://elementary.io/generate_204
http://httpstat.us/204
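To confirm that the settings above actually took effect, the output of `settings list global` can be audited for captive-portal keys that still point at Google hosts. The script below is an added example, not part of the original article; the sample settings dump and the function names `audit_captive_portal` and `detection_disabled` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit captive-portal keys in `settings list global` output.

# Constructed sample of `adb shell settings list global` (key=value lines).
SAMPLE_SETTINGS='airplane_mode_on=0
captive_portal_mode=1
captive_portal_http_url=http://connectivitycheck.gstatic.com/generate_204
captive_portal_https_url=https://f-droid.org
captive_portal_fallback_url=http://www.google.com/gen_204
wifi_watchdog_on=0'

# Reads key=value lines on stdin and prints "key host" for every
# captive-portal URL or server setting whose host is a Google domain.
audit_captive_portal() {
    while IFS='=' read -r key value; do
        case "$key" in
            captive_portal_*url*|captive_portal_*server*) ;;
            *) continue ;;
        esac
        # other_fallback_urls may hold several comma-separated URLs
        for url in $(printf '%s' "$value" | tr ',' ' '); do
            host=${url#*://}   # strip scheme
            host=${host%%/*}   # strip path
            host=${host%%:*}   # strip port
            case "$host" in
                google.com|*.google.com|gstatic.com|*.gstatic.com|googleapis.com|*.googleapis.com)
                    printf '%s %s\n' "$key" "$host" ;;
            esac
        done
    done
}

# Reads the same dump on stdin; succeeds only when captive_portal_mode=0,
# the value the commands above set to switch detection off.
detection_disabled() {
    mode=$(sed -n 's/^captive_portal_mode=//p')
    [ "$mode" = "0" ]
}

# Demo on the constructed sample: lists the two keys still using Google hosts.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_captive_portal
```

On a real device the same functions can be fed with `adb shell settings list global | audit_captive_portal`.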
WebView
"duck go browser" aurora store
Hosts
A huge amount of information is leaked even with custom firmwares that position themselves as free from Google. But in fact, when you take a traffic dump, you are surprised, to put it mildly.
PS
If you choose the second method, still do not neglect the use of a firewall. I checked the data from the router for a week and tried different options (what will happen if you block this service, and what if this one). It turned out that this is the most reliable way. As with any firewall setup, we block everything and unblock as needed.
PPS
I studied the issue of privacy and decided to share with Habr, since Habr often shares with me. Maybe it will be useful to someone. Thanks for reading to the end.