Initial Setup of Debian 10 on Digital Ocean (Part 1)

By Justin / Technology / Leave a Comment

Two people in front of laptops setting up a server.

This is part 1 of the Initial Setup of a Debian 10 server on Digital Ocean.

This is a complement to Initial Server Setup with Debian 10 over on the DigitalOcean tutorials page. The tutorial linked provides an excellent base setup for your to springboard off of on to your own customer setup. That being said, there are always settings, configurations, and utilities that will be helpful for almost any setup. Some of the information below comes from How To Secure A Linux Server and The Book of Secret Knowledge (this is one of favourite repos).

Note: I will do my best to introduce anything that we change so that you can understand what that change might affect. All setups are different so don’t install or configure anything that you don’t need or want. This will just lead to you forgetting about it, it becoming outdated and a security issue.
Text that is highlighted with purple text should be updated with your specific values.

Logging In

If you’re a Windows user then I recommend Solar-PuTTY as a Command Line Client. (Shout to Greg for the find). Otherwise you can use the built-in terminal on your MacOS or Linux OS. Here is how we connect to our server via command line interface (CLI).

 justin@home:/$ ssh root@111.133.134.199

Replace the IP Address with the IP of your new server.

At this point you’ll either a) be asked for the password that you set for the root account or b) the server will be expecting an SSH key if you chose to use SSH keys for logging in. If correct, you’ll be logged in.

Creating a User and Granting Administrator Privileges

You should only use the root account in special circumstances. It’s recommended that you create a standard account that has the ability to elevate to have administrative privileges, when necessary. We’re going to create a secondary account called bastion and then we’ll add it to the sudo group.

 justin@home:/$ adduser bastion
     Adding user `bastion' ...
     Adding new group `bastion' (1000) ...
     Adding new user `bastion' (1000) with group `bastion' ...
     Creating home directory `/home/bastion' ...
     Copying files from `/etc/skel' ...
       New password: <Enter Password>
       Retype new password: <Re-enter Password>
     passwd: password updated successfully
     Changing the user information for bastion
     Enter the new value, or press ENTER for the default
        Full Name []: Bastion
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
     Is the information correct? [Y/n] Y

You’ll be prompted to set and confirm a password on the new account. You can optionally add information such as a Room Number and Home Phone to the account.

 justin@home:/$ usermod -aG sudo bastion

The usermod command allows us to modify existing accounts. We use the -a switch to append to the account, and the -G switch allows us to to select the Group(s) in which to append to the account. Members of the sudo group (superuser do) are able to run commands with the security privileges of another user. By default, it’s the superuser account.

Now we can append sudo to the beginning of our commands when logged in as bastion. Commands that make system changes, including software installs and uninstalls require elevated privilege that a standard account normally wouldn’t have.

Setting Up The Uncomplicated Firewall

A basic firewall goes a long way. Uncomplicated Firewall or UFW is a simple software firewall for Linux. Let’s install it, and then add a firewall rule for SSH so that we can still access it remotely.

justin@home:/$ apt install ufw

 justin@home:/$ sudo apt install ufw

 justin@home:/$ sudo ufw app list
 
 justin@home:/$ sudo ufw allow OpenSSH

 justin@home:/$ sudo ufw enable
 Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
 Firewall is active and enabled on system startup

Once you’ve enabled UFW with that last command it will present you with a warning about losing your current SSH connection. As long as you allowed the OpenSSH app on line 3 above, you’re good. You can use the command sudo ufw status numbered to see the currently listed rules.

 justin@home:~# sudo ufw status numbered
 Status: active

      To                         Action      From
      --                         ------      ----
 [ 1] OpenSSH                    ALLOW IN    Anywhere
 [ 2] OpenSSH (v6)               ALLOW IN    Anywhere (v6)

Copying Existing SSH Keys

SSH is attacked all the time. It’s very, very common. If you’ve setup your accounts with SSH keys already, then you may wish to skip the next couple of sections. If you’re going to use the same SSH Keys that you created for your root account, read on.

SSH keys on the root account are stored at ~/.ssh/authorized_keys on your server. If you plan on using the same SSH keys on your bastion account you can simply copy this file over to your bastion account home directory and update the permissions of the .ssh folder recursively. (When copying from your root user, login as your root user)

 justin@home:/$ cp -r ~/.ssh /home/bastion
 

 justin@home:/$ chown -R bastion:bastion /home/bastion/.ssh

Creating SSH Keys (Using PuttyGen)

If you don’t have any SSH keys currently, or wish to create a new set a SSH keys for this new bastion user, we’ll use PuTTY Key Generator to do that. The image below shows the sequence of buttons you’ll press.

First, click the generate button. The Key window asks you to move your mouse around the blank Key area, randomly. This provides a pseudo-random input, kind of like an initial password to create the SSH key with. Once that’s done it will generate a key!

The Key fingerprint and Key comment are already filled in. A Key passphrase adds an additional layer of security to your SSH Key by requiring a passphrase every time that it’s used. The passphrase is optional, but may secure your SSH keys from being used, if they are ever stolen.

Copy the text in the ‘Public key for pasting into OpenSSH authorized_keys file’ field to a Notepad. Click Save public key and Save private key to save the respective key(s) to your computer. The file extensions don’t matter in this instance, however, you may wish to use the following extensions on your key files:

id_rsa.pub (Public Key)
id_rsa.key or id_rsa.ppk (Private Key)

Keep these safe and secure. Make sure that you keep backups.

Create a third-file called authorized_keys and paste the text that you saved in Notepad, previously.

Uploading SSH Keys

The easiest way to copy SSH keys to your server is by using the ssh-copy-id command, however, ssh-copy-id isn’t available on Windows. I’ll show you the ssh-copy-id way of uploading your SSH public key to your new server, as well as the scp command (Secure Copy).

SSH-copy-id

The ssh-copy-id command is by far the easiest method of moving your SSH public key from your local machine, to your new server. It handles all of the dirty work for us. Dirty work that you’ll see in the scp command below it.

 justin@home:/$ ssh-copy-id -i ~/.ssh/authorized_keys root@111.133.134.199



 justin@home:/$ ssh-copy-id -i ~/.ssh/authorized_keys bastion@111.133.134.199

 # We can also not utilize the -i switch and ssh-copy-id will attempt to find your keys for you, automatically.

 justin@home:/$ ssh-copy-id bastion@111.133.134.199

The ssh-copy-id command requires very little input. I’ve given it a path to my SSH public key, and then I finish the command with my root login @ my new server. You’ll be prompted for your password after pressing enter. Once it completes your public key will be dropped in the ~/.ssh/authorized_keys file for the user that you logged in with. This example is uploading a public key for the root user.

SCP (Secure CoPy)

Unlike ssh-copy-id, the secure copy (scp) command is available on both the Windows Command Prompt, and PowerShell. Also, unlike ssh-copy-id, the scp command will completely overwrite your authorized_keys file with the contents of your public key.

 justin@home:/$ scp C:\Users\Justin\.ssh\authorized_keys root@111.133.134.199:~/.ssh/

SSH Copy

Here is a third example of copying SSH keys to your server using the SSH command. This is the most explicit way of copying your SSH keys as you are going to be piping several simpler commands together.

 justin@home:/$ cat C:\Users\Justin\.ssh\id_rsa.pub | ssh root@111.133.134.199 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"

Secure Remote SSH

By default, the SSH service allows everyone to attempt to connect to it, and to attempt to login with a username and password. Since we’re now using SSH Keys for all of the potential remote users on our server there are several configurations that we now must do in order to secure SSH.

Disable Root Logins Using Passwords
Disable Password Authentication
Change the default SSH port

All of our the configuration for the SSH service is contained within /etc/ssh/sshd_config. Open that file with nano or your favourite editor and change the following settings. I’ve placed a comment character (#) next to the old setting.

# Port 22
Port 2222

# PermitRootLogin yes
PermitRootLogin without-password

# PasswordAuthentication may not be listed in your sshd_config file. If it’s missing, simply add the configuration line to the end of the file.
# PasswordAuthentication yes
PasswordAuthentication no

After you save ssd_config, you’ll want to allow traffic to the new port before restarting the SSH service.

 justin@home:/$ ufw allow 2222/tcp
 
 justin@home:/$ service ssh restart

You might be wondering why we’re changing the default SSH port? SSH is a commonly attacked service with the default port being 22. Servers and computers connected to the Internet are constantly being scanned to find out if this port is open. Changing the port doesn’t prevent attacks, but it adds an extra layer of difficulty as an attacker would need to identify the correct port and adjust their attacks appropriately. It’s not worth the effort to focus on one such server.

We’ll be digging into some more in depth system settings in part 2.

I highly recommend DigitalOcean if you’re looking for discount VPS.

Signal – Getting Started with Secure SMS

By Justin / Cybersecurity, Technology / Leave a Comment

You’ve probably heard of Signal lately; on the news, on Facebook, or somewhere else on the Internet. My sister “tried” to use it, but only ended up missing a bunch of text messages from me. So this post is for my sister and anyone else interested in securing their text messages.

Why Would I Want Secure Text Messages? Are People Really Reading My Texts?

These are two of the most common questions that I get about this. A lot of you Apple users just love your iMessage. Guess what?!? Signal is, for all intents and purposes, the same thing as iMessage except for the following very big differences:

It’s available on both iOS and Android, as well as your Desktop (Windows, Linux and MacOS).
The messages, photos, videos, and even the calls sent between users are only viewable by those users.
It’s Open Source. This means that the software code that was used to create it is freely viewable on the Internet, and anyone can contribute to the development of the program.

Getting Started with Signal

Getting started with Signal is easy. The application is available on both the Play! Store on Android and the App Store on iOS. Once you’ve set it up on your mobile device you can install it on your desktop computer to send messages to other Signal users.
When you first open Signal you’ll need to go through a basic registration where it will validate your phone number.

That’s it! You’re done.

You’ll want to send future texts using the Signal app so don’t forget to update the shortcuts on your phone screen. You may also need to make Signal your default SMS app, which it will prompt you to do when you launch the app.

What If My Friends Don’t Have Signal?

The Signal app allows you to send messages to everyone, even if they don’t have the Signal app. The only issue is that the messages between you and those people will not be secure, and functionality like video calling won’t work.

Easily Generate Security Keys With WordPress Salt Generator

By Justin / Cybersecurity, Technology, WordPress / Leave a Comment

I was migrating some WordPress websites this weekend on to our new Website Hosting platform at Rogue Security. Normally I wouldn’t do a lot of it manually, but was having an issue with one of the websites and realized it would be easier to install a fresh copy of WordPress. Well, while configuring the wp-config.php I was at the Authentication Keys block, and hidden in the comments of that block is a link to the WordPress Salt Generator.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org sec$
 * You can change these at any point in time to invalidate all existing cookies. This will force all users $
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '<random-characters>' );
define( 'SECURE_AUTH_KEY',  '<random-characters>' );
define( 'LOGGED_IN_KEY',    '<random-characters>' );
define( 'NONCE_KEY',        '<random-characters>' );
define( 'AUTH_SALT',        '<random-characters>' );
define( 'SECURE_AUTH_SALT', '<random-characters>' );
define( 'LOGGED_IN_SALT',   '<random-characters>' );
define( 'NONCE_SALT',       '<random-characters>' );

What is a Salt?

Great question! a salt is random data/characters that is used as additional input for one-way hashing algorithms. Yeah, that was a lot so here is an example. When you create a new account on Facebook you must enter a username and password. After submitting that information, Facebook store the username in the database as it’s written in plain-text that is human-readable. However, Facebook takes the password that you entered and adds a salt to it, encrypts it using a hashing algorithm such as MD5 of SHA256 and then they store it in the database. It doesn’t matter how or where the salt is placed in the password.

A hashing algorithm will produce the same output given the same input. In other words, every time I use the SHA256 algorithm with my name as the input, it’s going to produce the exact same output. My Python script below shows that.

46df21c3bf897655ba14e556391adf6a78fc3c5cc681d883be97de47456488ed

No matter how many times I run this script with my name as the test_string it will never generate a different string, unless I change the hashing algorithm, of course.

The salt doesn’t change your password, it changes how your password is stored. Remember how my name will generate the same hash every time I check it? Well so will your password. If a malicious actor knows the hash of your password, it can still be just as useful as the actual password, more so if it hasn’t been salted prior to encryption.

WordPress Salt Generator

The WordPress Salt Generator is a simple page for generating a complete set of secret keys for your WordPress installation. If you’re using it for WordPress security purposes then you simply load up the page linked to above, and copy the generated keys into your wp-config.php file. These keys are also automatically generated during a standard installation so you only really need to do this if you are doing a manual install. If you don’t fill them out, they will be automatically generated for you during the first run.

Other Uses

So, how else might they be useful?

The page generates 8, 64-bit strings that are pseudo-random. You could easily connect to this page with a little Python, parse the data and have a quick subset of secret keys that can be used for just about anything. Need some quick licenses created? Pull up the page, copy a key. You have yourself randomly generated license keys (just make sure you check for duplicates).

Do you like complex passwords? I do. Some of my passwords are actually 64 random characters so this is perfect for that.

Setting Timezone In Ubuntu Command Line

By Justin / Cybersecurity, How-to, Technology / Leave a Comment

You may have just setup your new Ubuntu Server setup, or perhaps you have a Virtual Private Server on Digital Ocean that sets up with the default UTC time zone. Regardless of your reasoning you should always have your server(s) and user(s) system time set with the appropriate time zone, and preferably synced entirely for devices that exist on the same network, check out the Cybersecurity Breakout below for more info on that, or skip it for find out how to set the time zone in Ubuntu.

Please note, these instructions should apply to most, if not all, Debian-based operating systems.

Cybersecurity Breakout

Cyber attackers have found every way feasible to successfully infiltrate their targets. This has included the use of date/time based attacks that attackers can use to create behaviour, often undesirable, in software, such as the creation of a race condition. Your Windows and MacOS computer has settings that you can configure to either manually or automatically set your time zone. Depending on your network, you may even have a device (like a router) that actually has a built-in time server known as a Network Time Protocol (NTP) server

The timedatectl Command

The timedatectl software controls your system’s date and time. It has a variety of commands, but we’ll only be touching the few that are relevant to our query. Check out the man pages for more. Without further ado, let’s get started.

How-To Set Time Zone in Ubuntu via Command Line

The following instructions assume that you already have command line access to your Ubuntu device.

Total Time Needed :

Minutes

Steps to Setting The Time Zone In Ubuntu Via Command Line

Step 1 – Check Current Time Zone

You probably already know that the time zone is incorrect, but you need proof. Using the status command, you can find out how your current time is configured. (Running the timedatectl software without any commands will produce the same output.

bastion@server:~# timedatectl status

Step 2 – Set A New Time Zone

The timedatectl software has a command called set-timezone that can be used to modify the time zone of your Ubuntu server without having to modify any files. You’ll need the appropriate time zone format for the time zone that your device exists in. Make sure that if you’re device is in Toronto, then is gets the America/Toronto time zone even if you live in Phoenix, Arizona. You’re setting the time zone for the device, not yourself. You can find a list of time zones on the Ubuntu man pages.

bastion@server:~# timedatectl set-timezone America/Toronto

The set-timezone command will update the time zone as found in /etc/timezone. After running the set-timezone command you can review that file to ensure the proper changes were made.

bastion@server:~# cat /etc/timezone
America/Toronto

Step 3 – Turn On Time Sync

Setting your time zone is now done, but you may also wish to have your time synced with an external service like we mentioned previously. Not a problem, timedatectl, can help us with that too.
the show-timesync, and set-ntp commands will help us here.

bastion@server:~# timedatectl show-timesync

show-timesync provides you with details in regards to your current time sync configuration. You’ll want to confirm that you have servers listed under SystemNTPServers.

bastion@server:~# timedatectl set-ntp true

The set-ntp command turns time syncing with your NTP server, on.

Congratulations, you’re done! You don’t need to reboot for these changes to take effect, however, I always recommend you do so when making system changes.

WordPress Stuck in Maintenance Mode

By Justin / How-to, Technology / Leave a Comment

This one caught me a little off guard. I was working on updating a client WordPress site this morning; it had 2 themes that we hadn’t removed that needed an update. Instead of deleting them, I chose to update them. Without thinking I clicked away to another part of of the WordPress administrator area and ended up getting stuck with the following on every load and reload of the page. I even restarted NGINX in a desire to find a quick fix.

I’ve now learned that WordPress has a built-in maintenance mode that it kicks itself into during updating of plugins and themes. We would rarely ever see a reference to it as updates typically go very quickly, and without a problem. Except when they don’t. Luckily, the WordPress developers built a very simple mechanism for driving this maintenance mode that anyone with access to the WordPress website files can access.

How To fix wordpress stuck in built-in maintenance mode

In order to fix this error you must have access to the underlying WordPress website files. You may have access to these files via File Transfer Protocol (FTP) or through your Web Hosts Control Panel.
The solution to this problem is to delete the .maintenance file from the root folder of your WordPress install, in other words, the top most directory on your web host with WordPress files.

Total Time Needed :

Minutes

Steps to remove .maintenance file from wordpress

Step 1 – Navigate to your WordPress Directory

Login to your Web Hosting Control Panel, FTP Client, or SSH Client and navigate to the top-most WordPress directory that is hosting your website. On my web host, my files are located at /<server_directories>/roguesecurity.ca/public_html/.

Step 2 – Delete .maintenance file

Look for a file called .maintenance (The period before the word is required). Once found, simply delete this file from the directory.
Once you delete this file, return to your web browser and clear your browser cache, and reload your website.

Congratulations. That’s it! If your website is still displaying a maintenance mode message after deleting this file, double check that you’ve cleared your browsers cache. You can also try a different browser. If it works in a different browser then we know the fix worked, and the not working browser will correct itself over time.

mapping a network drive in Windows command line

By Justin / How-to, Technology / Leave a Comment

My friend Randy was always on me about using the command line more, and I’m glad that I listened to him. A command line interface (CLI) are often times so much more powerful then its graphical user interface (GUI) cousin, with less errors. I’ve leaned more towards using the command line for technical work as oppose to the GUI and that includes administration within Windows. Sometimes I’ll use the built-in CMD, and other times I’ll use PowerShell.

Mapping a network drive in Windows through the command line interface is not hard and anyone willing to take one step at a time. Without further ado, let’s dig into it.

How to Map a Network drive in windows from the command line

You may wish to map a network drive in Windows via the command line if you are having issues mapping it via the GUI, or if you prefer to take control of your setup and learn a few things while you are at it. Perhaps you’re adding a new network storage device and testing out different configurations. You’ll very likely want to single-pane view of the command line interface.

Total Time Needed :

Minutes

Steps to Map a network drive in windows from the command line

Step 1

In Windows search, located in the Windows Taskbar, type ‘cmd’ (without the quotes). The Command Prompt app should pop-up in the start menu. You will want to then click, Run as administrator, in order to launch the command prompt window with the appropriate privileges.

Step 2

At the command prompt, which will display a flashing white cursor when the command prompt window is selected, type in the following command to view current mapped drives.

C:\Users\User> net use

Make a note of any drive letters that are already in use. This information will be located in the Local column. You can’t map a new drive to a drive letter that is already in use. If you’d like to delete a mapping to re-use the drive letter, you can use the following command:

C:\Users\User> net use <driveLetter>: /delete

for example, the following command would delete the mapping to drive letter S.

C:\Users\Justin> net use s: /delete

Step 3(a) – Drive Mapping (no credentials)

Now we can map our network drive. You only need to select one way of mapping your drives from the 4 that I’ve outlines here, (a) through (d) below.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share>

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L.

C:\Users\Justin> net use L: \\Storage\Media\Movies

Step 3(b) – drive mapping with credentials

If you configured your shared drives to required a username and password, we can modify our command by adding the /user: switch.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /user:<username> <password>

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L, using justin as the username, and supersecurepassword1 as the password.

C:\Users\Justin> net use L: \\Storage\Media\Movies /user:justin supersecurepassword1

Step 3(c) – drive mapping with persistence

You probably don’t want to have to keep mapping or logging in to your new drive every time that you boot up your computer. That’s where the /persistence flag comes in.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /persistence: {yes|no}

Here is how the Microsoft Documentation describes the /persistence flag: (It) Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. Yes saves all connections as they are made, and restores them at next logon. No does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections.

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L, and maintain persistency across each reboot.

C:\Users\Justin> net use L: \\Storage\Media\Movies /persistent: yes

Step 3(d) – Complete drive mapping

In a perfect world you will want to have properly credentialed shares and any user that connects will do so with their own username and password, with persistency. Here is how we bring it all together.

C:\Users\User> net use <driveLetter>: \\<path>\<to>\<network>\<share> /user:<username> <password> /persistence: {yes|no}

The below command will map a network share that is located at \\Storage\Media\Movies to a new drive with the drive letter L. The connection will use justin as the username, and supersecurepassword1 as the password. Finally, the connection will be persistent so that user, justin, won’t have to login to the drive every time they log in and out of their Windows account.

C:\Users\Justin> net use L: \\Storage\Media\Movies /user:justin supersecurepassword1 /persistent: yes

That’s it! Once you’ve completed the steps you should be presented with a success message, and have your new drive mapped in Windows.

I hope you found this how-to helpful. If you did I’d love to hear about it. Leave a comment below!

Our Family Minecraft Server Setup

By Justin / Technology / Leave a Comment

If you haven’t heard of Minecraft you may want to check and make sure that you are not under a rock. All three of the kids in my household enjoy playing Minecraft, but I really don’t like them joining some of these random online servers. With some research it wasn’t difficult to put together a nice, safe, alternative that we host ourselves.

Server Info

VPS Specifications

We currently have a VPS setup on Digital Ocean with the following specifications:

Ubuntu 18.04 (LTS) x64
2 GB Memory
50 GB Disk Space

CLI Arguments for Minecraft Java on Digital Ocean

java -Xms1024M -Xmx1536M -d64 -server -XX:+AggressiveOpts -XX:ParallelGCThreads=3 -XX:+UseConcMarkSweepGC -XX:NewSize=84m -XX:+UnlockExperimentalVMOptions -XX:+UseParNewGC -XX:+ExplicitGCInvokesConcurrent -XX:MaxGCPauseMillis=10 -XX:GCPauseIntervalMillis=50 -XX:+UseFastAccessorMethods -XX:+OptimizeStringConcat -XX:+UseAdaptiveGCBoundary -XX:NewRatio=3 -Dfml.readTimeout=90 -Ddeployment.trace=true -Ddeployment.log=true -Ddeployment.trace.level=all -jar /<path>/<to>/<minecraft>/papermc.jar nogui

Server Software

In order to run the Minecraft server (and keep it running) we employ some additional software that was pretty easy to install.

PaperMC

There are plenty of different servers available for Minecraft Java. We went with PaperMC due to its stability and its mods compatibility with Bukkit and Spigot.

Crafty Controller

We’re also using an open source, secure by default software called Crafty Controller for the administration of our Minecraft worlds. I love the app, although I’m having some issues with keeping my world from crashing. I suspect this is because I setup the world outside of Crafty. I’ll create a new server and move over the save, eventually.

Plugins

We’re not doing much with plugins yet as I don’t take much time to set them up properly, but here are the plugins that we currently have running on our server.

Essentials

LuckPerms

Multiverse-Core, Multiverse-Inventories, Multiverse-NetherPortals, and Multiverse-Portals

Vault

WorldEdit

Dynmap

Epic Quest

In total, it costs us about $15 a month to operate a pretty custom Minecraft server with very little maintenance.

How To Get Every Android App for Free by Using Google Opinion Rewards

By Justin / Technology / Leave a Comment

You too, will never have to spend a dime on apps with a little bit of time and a little bit of patience. By completing surveys in the Google Opinion Rewards app, you’ll be able to collect Google Play Store credit (or actual moola if you’re an iOS user) that will be completely usable for everything available in the Play Store including apps, books, movies, and in-app purchases. No more buying Robux for the kids!

So How, Exactly, Does It Work?

Google collects our data. Yeah, sorry to be a downer, but this is one occasion where we can get some value back out of that data. Our Android phones collect location data, search data, and even videos that we watch on YouTube. This data is sent to Google where they use it to provide you with better and more personalized services (except when they don’t, I recommend reviewing the privacy and security on your Google Account every year.)

You’ll be receiving surveys based on that data so an example might be that I receive a survey because my location was set close enough to a Home Depot, and Home Depot contracted with Google to obtain opinions from its customers.

Getting started

installing and setting up google opinion rewards

Step 1

From your mobile device, open the app store and search for Google Opinion Rewards. Install the app once you find it.

Step 2

After installing the app, run it and you’ll be asked to login to your Google account, as well as fill out some basic information. You’ll also want to have Location History turned on in order to take the most advantage of opportunities.

Step 3

Wait for surveys. The app will notify you when you have a survey available. Most of the surveys that I’ve done have come from locations that I’ve visited. So start living your life.

Conclusion

I’ve been using this method to not pay for Android apps for many years now. I’ve earned more than $100 in Play Store credit since I started doing these surveys back in 2016. That’s money that I didn’t have to spend, while providing a little bit of Dopamine for my beautiful brain. Isn’t it satisfying getting to itch that Dopamine scratch without wasting all of your money? It’s a literal two-for-one!