The Magic Mask for Android. Contribute to topjohnwu/Magisk development by creating an account on GitHub.
I have OnePlus 7 Pro that I successfully flashed with LineageOS 21 with MicroG.
Do you have some interesting apps or ideas to take advantage of it? I thought of some Magisk modules. Maybe someone is more experience than me! This is the spare smartphone, the main one is GrapheneOS, so I don't mind breaking stuff.
AFWall+ firewall to allow list apps to internet using your preferred method (e.g. VPN, wifi, data, etc)
PcapDroid to help monitor and analyze packets, or to just confirm things aren't communicating unexpectedly
AdAway if you're not using your own dedicated dns over a permanent VPN connection
If not all 3 of these, AFWall is probably the best to go with. Having a way to not only block Apps, but also define your own custom firewall rules is very powerful. For example, I redirect all DNS requests to my own DNS with a custom rule (for apps, like Termux, using hardcoded DNS lookups instead of what the phone is set to)
I'll have to check out TrackerControl, that's a new one to me!
I have seen app manager but currently use AppOps. I didn't recommend AppOps above because I'm not sure it's still supported or not, and it's also not really Foss. It's treated me well over the years, but I'm definitely interested in finding a better alternative. The last time I checked app manager, it wasn't as good... But maybe that's changed as it's been several years now so I think I might be due for looking at it again!
My wireguard connection on my phone connects to my home network to an pi hosting my internal VPN... But the network is completely covered by a mullvad VPN through opnsense. I've got pihole setup using the mullvad anti-trackkng private DNS. With this setup, the only real need I have for root on my phone is because I do some pretty low level automation on it through crond and some backups of core app data that I'd really hate to lose... And the complex firewall rules lol.
This is where rooting the phone is required. I use wireguard without root and have AFWall granted with root at bootup so it doesn't require acting as a VPN