Have you ever refused to install an app because it wants too many permissions? Yeah, a lot of people have, and we don't blame them. A little too much trust can lead to stolen information, mysterious charges on your cellular bill, or worse. Thanks to developer M66B, we've got a simple way to lock down potentially misbehaving software. His new mod, XPrivacy, can block several types of activities and queries, despite the permissions granted at installation. It can even substitute GPS coordinates and your MAC address, with plans to add support for more types of data in the future. This is a lot like the upcoming Incognito Mode in CyanogenMod, but it can be used with almost any rooted ROM, including those from OEMs.


XPrivacy requires a fairly simple manual process to install, and you'll need a rooted device running Android 4.1 or above (sorry, MIUI is incompatible). The app also relies on the Xposed framework, a platform similar to the recently released Cydia Substrate, which makes it possible to deeply modify how software runs on Android.

The interface is really simple to use, but you will probably stumble a bit at first because some common conventions are ignored. Tapping almost anywhere on a row toggles the restriction for only the current category/permission. To configure all of an app's individual permissions, you have to tap specifically on its icon. There are some helpful indicators: a globe for apps with Internet access, a green checkmark if the app has been granted the permission, and a warning triangle if APIs in that category have been used since XPrivacy was installed. Keep in mind that denying access to certain features may cause some apps to be unstable or hang completely. In my experience, most apps worked as expected, but a few froze or became unusable.

Here is a current list of restrictions that can be imposed:

  • Accounts (Google, Facebook, etc.)
  • Browser (bookmarks / history)
  • Calendar
  • Calling (phone, SMS, MMS)
  • Contacts
  • Identification (device)
  • Internet
  • Location (fine/coarse)
  • Media (audio, photo, video)
  • Messages (SMS, MMS)
  • Network (addresses)
  • Phone (ID, numbers, calls)
  • External storage (SD card)
  • Shell (commands, superuser)
  • System (installed apps)
  • View (browser)

It's important to remember that XPrivacy is not a substitute for common sense, so readers are advised to remain cautious with potentially malicious software. All the same, this is a great tool for trying out apps without exposing things like your contact list and browser history to prying eyes. It can also be helpful for reining in particularly data-hungry apps by shutting down their Internet access or blocking individual apps from abusing the GPS (great idea, abqnm).

Again, the software is free to install, but there is an unlock key on the Play Store that allows users to import and export configurations across devices. Please remember to make backups and read all instructions carefully. Happy modding!

Source: XPrivacy thread & Github Repository

Thanks, Joseph John!

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • Morrissex

    It isn't "free to install". Even in the XDA thread a download file is not included.

    • Donatom3

      You gotta click on the installation link in the thread and it'll take you to goo.im to download the apk.

      • Morrissex

        @Donatom3/Cody: Thanks, I'm checking on it right now. Is it necessary to use Xposed Framework?

        • Cody Toombs

          Yes, this is a mod built on top of the Xposed Framework.

    • Cody Toombs

      The thread was different when I started writing this last night, but if you look at Github, it's clearly linked in the install instructions.

  • Daniel Velazco

    Fix typo in "Location (fine/course)" -- it's COARSE.

    • Cody Toombs

      Fixed. Thanks

  • abqnm

    Finally a way to be able to have the Facebook app on my phone without it being able to access the GPS CONSTANTLY.

    • Cody Toombs

      Great idea!

  • WossMan

    No thanks, I'm staying far away from the Xposed Framework thanks to this article: http://blog.itsnotfound.com/2013/04/xposed-framework/. I'll stick to common sense and gut instinct when installing apps.

    • jcase

      This vulnerability here is not in Xposed, but in the fact that people will allow any damn app root privileges.

    • Cody Toombs

      I'm not a security expert, and I'm not about to debate the potential security implications of Xposed (or Substrate). However, that article isn't exposing any significant vulnerability. It describes a scenario where the user grants root privileges to a malicious application which then exploits the framework, but common sense would point out that any root app could just as easily duplicate the functionality of Xposed without having already installed it. Once you grant root, it is irrelevant if Xposed is installed or not. There are likely to be other vulnerabilities in Xposed (and again, Substrate), but this is not one.

    • fishbrainmemory2

      What's the difference with giving Xposed root and access to all your stuff over giving Google access to everything you have? I'm really getting confused with people now... I btch and complain about the peeping tom peeking in my window at night... yet let a massive corporation follow my every footstep to the inch....

  • GraveUypo

    I use Lucky Patcher for this.

    • Flick


  • hyperbolic

    I wonder which one is better, LBE or the one above

    • flosserelli

      XPrivacy is open source. LBE is a closed app from Chinese developers. So there's that.

      • Josh Flowers

        and LBE sends my 4.2.2 gnex into a bootloop (last I used it) as it's not configured for 4.2.2

      • fishbrainsformemory

        I trust the Chinese over the Americans any day.

  • Joris

    I'm using OpenDroid right now, seems to have the same concept but optionally spoofs data instead of denying access, so apps won't crash. Why should I switch?

    • SetiroN

      You have no reason to switch.
      This one, being an Xposed framework addon, will work on any rom, including non-AOSP based ones.

    • Cerberus_tm

      I haven't tried Open Pdroid yet, but I read that it still has bugs: it makes GPS very slow, it prevents any application from accessing cell-tower info, and one other bug that I forgot. How does it perform in your experience? What phone and what ROM are you using?

  • Christopher Robert

    Tried to install this on Note2 running JediX14 ROM and it got stuck in a boot loop after flashing the Android 4.1.x / CM10: Xposed_fix_4.1.zip. Has anyone had any luck using this on a Note2?

  • tim

    Android people ur gay as he'll how can u say we can't do app oops I mean we pay are done bill and pay 6 to 700 dollars for talks done so give us Wat we want I mean y should u care if we fuck up our fone fuck sake I will never buy a android again