June 5, 2013 By: Pulser_G2
Welcome to Part 2 of our Say Sayonara to Google series, raising awareness of the options for using Android without Google services. Today, we look at alternative “cloud” services that are Open Source and can be installed on your own server. While there are no doubt many of these available, one that has gained significant attention recently is OwnCloud. OwnCloud is developed totally in the open (you can even clone and run directly from their GitHub repositories if you so desire, though this is obviously not recommended for running on a production system), in contrast to the “pseudo-open” development carried out on AOSP by Google.
What is OwnCloud About?
OwnCloud aims to offer an extendable online storage system including synchronization, to allow for contacts, calendars, files and bookmarks to be synchronized across multiple devices while retaining control of your data in the process. When using OwnCloud, all of your data is stored on a system within your control, with an Open Source backend (as opposed to a closed system such as Google).
How can I get Started?
You can set up and run your own OwnCloud instance for free on your own existing server by following the instructions from the OwnCloud website. It is strongly advisable to use an SSL certificate with this though, which may come at a small cost. Additionally, if you trust the third parties, there are a handful of providers offering free OwnCloud installations. Obviously, if you’re doing this, you likely don’t “trust” Google with your data, so I’d suggest you consider these services merely for testing.
OK, so Contact Sync?
Yep. Unfortunately though, CardDav isn’t natively supported in Android. It might be supported in your third party variant of Android. (I’m sure I remember seeing this in an older version of TouchWiz.) It’s most likely that you’ll need to use a third party alternative client to sync your contacts. To get this application (which is free), you’ll need to use the Play Store unfortunately, as the developer has only published the free version there. The free Beta version is available here, although the developer has stated he will Open Source the application when he has the application ready for 1.0 release and the code has been tidied up.
Presuming you have set up OwnCloud (which is fairly straightforward if you have your own server etc, and which I believe to be outwith the scope of this article, unless enough readers want a guide), you can configure the CardDav sync client fairly simply by installing the above linked application, and entering the URL of your OwnCloud server (hopefully you are using SSL!), followed by “remote.php/carddav/” (see the developer’s wiki for more details of syncing with OwnCloud).
Once this is done, you can configure syncing. I suggest you disable the “one-way only” sync option, although be aware of the risks of doing this (i.e. if something goes wrong on your phone, it could overwrite server contacts). Presuming you have a backup strategy in place (which you should already have), you should be fine. By enabling two-way contact sync, you should have full contact syncing, like with Google’s own contacts sync service.
Unfortunately, it appears HTC are being deliberately obstructive on using third party contact syncing, so you may have issues on the HTC One using Sense UI. Let us know if you do manage to get it working though. Apparently the bug is a “feature…” Good one, HTC. One more reason to avoid the One (pun intended).
Your phone should upload all your existing contacts to your CardDav server at this point. Alternatively, if you are setting up your phone from scratch (recommended) to purge Google from it, you could export your Google contacts as a VCF file and import them into OwnCloud’s web interface.
At this point, it’s worth ensuring that you are no longer syncing contacts with Google by going to the Accounts and Sync menu and disabling contact sync for your Google accounts. If you wish to erase your contacts from Google, head over to Gmail in your browser and delete the contacts from the web interface.
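Before deleting contacts from Google, it helps to confirm that everything in the Google VCF export actually reached OwnCloud. The Python below is an added example, not from the original article or the sync app: it compares two VCF exports by the FN (display name) field, and the sample exports and the parse_vcf/compare names are constructed for illustration.

```python
import re
# Fields the server may add or rewrite on import; ignored when comparing.
IGNORED = {"VERSION", "PRODID", "REV", "UID"}

def parse_vcf(text):
    """Return {display name: {property: set of values}} for every card."""
    text = re.sub(r"\r?\n[ \t]", "", text)  # undo vCard line folding
    cards, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.upper() == "BEGIN:VCARD":
            current = {}
        elif line.upper() == "END:VCARD" and current is not None:
            name = min(current.get("FN", {"(no name)"}))
            merged = cards.setdefault(name, {})  # same-name cards are merged
            for prop, values in current.items():
                merged.setdefault(prop, set()).update(values)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            # Drop parameters (TEL;TYPE=CELL) and group prefixes (item1.TEL).
            prop = key.split(";", 1)[0].split(".")[-1].upper()
            if prop not in IGNORED:
                current.setdefault(prop, set()).add(value.strip())
    return cards

def compare(before, after):
    """Return (contacts missing from after, {name: fields lost in after})."""
    old, new = parse_vcf(before), parse_vcf(after)
    missing = sorted(set(old) - set(new))
    changed = {}
    for name in sorted(set(old) & set(new)):
        for prop, values in old[name].items():
            gone = values - new[name].get(prop, set())
            if gone:
                changed.setdefault(name, {})[prop] = sorted(gone)
    return missing, changed

# Constructed sample exports (not real data).
GOOGLE_EXPORT = (
    "BEGIN:VCARD\nFN:Alice Example\nTEL;TYPE=CELL:+1-555-0100\n"
    "EMAIL:alice@example.org\nNOTE:Met at the conference,\n  follow up in June\n"
    "END:VCARD\nBEGIN:VCARD\nFN:Bob Example\nTEL:+1-555-0101\nEND:VCARD\n")
OWNCLOUD_EXPORT = (
    "BEGIN:VCARD\nUID:constructed-1\nFN:Alice Example\nitem1.TEL;TYPE=CELL:+1-555-0100\n"
    "NOTE:Met at the conference, follow up in June\nEND:VCARD\n")

if __name__ == "__main__":
    print(compare(GOOGLE_EXPORT, OWNCLOUD_EXPORT))
```

Re-running the same comparison against a backup export after enabling two-way sync shows whether the phone has overwritten anything on the server.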
Congratulations, you are now syncing your contacts between devices, only using your own server. We unfortunately have to use one non-Open Source application at present. However, hopefully once Marten Gajda completes his application, it will be open-sourced, offering Android users a way to sync their contacts using entirely open software and server systems.
As promised, the first in our series of “Say Sayonara to Google” articles is about the Play Store. Love it or loathe it, the Play Store is popular. It is so popular, in fact, that it is often berated for the poor quality of apps contained within. While Google is making strides to improve this via their Bouncer malware screening platform, at the end of the day, the Play Store is built on fairly shaky security grounds.
The first security issue with the Play Store is that of remote control. Imagine someone told you the following:
I am able to remotely install arbitrary software to your phone or tablet, which can make use of any permissions available to an app, without prompting you on your device. So I can get access to your GPS location, or access files on your SD card, or access your contacts, and upload all this through the internet
If that were said, I’d hope you would be rather concerned. It’s also true; anyone with access to your Play Store account (i.e. your Google Account) can remotely install software onto your phone from the web interface. And while the Android platform itself has some precautions recently put in place (e.g. since ICS, apps cannot trigger themselves to run until you (the user) have run them once), this is hardly foolproof. Simply install a rogue app with the same icon and title as an app the user already uses, and you have a 50% chance they will open it. Most users would not panic at seeing a second copy of the icon, with power users presuming it a launcher bug.
The attacker who has access to your Play Store web account also knows what apps you have installed (making identification of a suitable app to spoof trivial). While this remote install feature can also be handy if you lose your pre-ICS phone, the ability to remote install software onto your Android device should probably raise a few concerns in the security-conscious mind.
F-Droid is a catalogue of alternative applications, all FOSS (Free, Open Source Software). By default, F-Droid doesn’t contain any applications with ads or attempt to make use of user tracking via analytics engines and the like. It also hides applications that encourage non-free add-ons, and even those which promote or make use of non-free network services or require such other applications in order to function.
Applications you download from F-Droid are (for the most-part) compiled from sources by the F-Droid servers, directly from the source code repository provided by the project. While this does entail a level of trust (though again it is worth noting all the F-Droid server software is fully open source too!), it’s also easy to download the application directly from the developer, or to compile it yourself from source (a link is given to the source).
You can see what is available in the F-Droid catalogue using their web interface. While the variety of apps available is nowhere near that available on Google Play, the quality of Open Source equivalent apps is often well in excess of their commercial rivals. Some apps worth a look include K9 Mail Beta (which has been recently updated to Holo UI) and Agit (an Android git browser).
Either way, the choice of free, Open Source applications is not to be sniffed at, with F-Droid offering an ever-expanding variety to choose from, all delivered using the open source client and built on the Open Source server. If you are a developer who makes Open Source applications, perhaps consider adding your app to the F-Droid repository.
What is freedom? This is a big question being asked by people around the world over the past few years. Many of us believe (and often rightly so) that we are fairly free. Arguably, this is correct in many countries throughout the world. You have political freedoms and many many more. But do you have electronic freedom?
For almost everyone reading this article, it is likely you have a Google Account. This means you have a Gmail account. It’s tied deeply into Android via the Google Apps package of proprietary applications (they are not open sourced, unlike the core Android operating system), and relies on closed back-end systems. The problem with such closed systems is:
This last part is significant. Even if you decide that you can trust Google (and I remind everyone of the flaws of the concept of trust—it is much wiser to trust no-one), they can change their legal policies such that they are no longer effectively trustworthy. Google’s own terms of service are a long read, and definitely worth taking a look at. Try and decipher them for yourself, and figure out what applies to which services.
At this point it’s worth being clear. This is not meant to be a “Google is evil” article. Google does make efforts to care about user privacy; take a look at your Google Dashboard. The company is quite transparent about the information retained. The trouble is that there’s no easy way for you to say, “No. I don’t want you to store this.” Google is a company that makes money from knowing everything it can; it’s not in the company’s interest to encourage you to make this more difficult for them! And while it is commendable Google wants to let you see what they know about you, the company doesn’t really help you adjust information such as how to remove Android devices you no longer want listed as being associated with you, including IMEIs and so on.
Over the course of this series of articles, we’ll look at ways you can move away from being so heavily reliant upon Google services. At all times, we’ll try to use Open Source solutions, which are free to use and modify. As a bonus for security, open source code is able to be scrutinized by anyone who wants to take a look at it. Per the popular Open Source advocate’s expression, “Many eyes make all bugs shallow,” which tends to improve security.
In the upcoming first article of the series, we’ll take a look at how to reduce our reliance on the Google Play Store and why we’d want to do that.