Slashdot Mirror

← Back to Stories (view on slashdot.org)

Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com)

Posted by msmash on from the privacy-woes dept.

Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.

55 of 89 comments (clear)

  1. Wow, color me 'surprised'! by Anonymous Coward · · Score: 1
    ..and I'm supposed to have a smartphone, why, again?

    Implying that ANY smartphone is going to be ANY better in this regard

  2. Ha! by Anonymous Coward · · Score: 1

    we have privacy? what a joke, I haven't laughed this hard since the dotcom boom.

    1. Re:Ha! by Anonymous Coward · · Score: 2, Insightful

      If you want privacy, you have to be willing to pay for it. Most people want free. Free Facebook, Free Google, Free videos, Free Free Free.
      You are the product if you think you are getting something for free.
      Yet if I were to say 'my iPhone doesn't do this because I pay a boatload of money for it' people get all bent because Apple.
      Yet Apple doesn't have this kind of problem and Android phones do.
      Free: you just got what you paid for.

    2. Re:Ha! by chipschap · · Score: 4, Insightful

      Free: you just got what you paid for.

      Unfortunately you can't necessarily trust non-free products either. Not even expensive ones.

    3. Re:Ha! by green1 · · Score: 1

      Actually Apple has been documented doing this too in the past, despite overcharging for their phones.
      As for the pay vs free thing... which one is known to invade your privacy more, Windows 10 (which, contrary to popular belief is in fact paid software) or OpenBSD (free software)

      There are literally thousands of examples of paid for products that invade your privacy, the whole IOT craze is pretty much there. There are also tons and tons of free things that don't (most of the open source movement)

      If you think overpaying for things will keep your privacy safe, you're delusional. Cost of an item has no correlation with the morality of it's creator.

    4. Re: Ha! by sound+vision · · Score: 2

      "Android phones" don't have this problem, certain phones from shady manufacturers do. And if you think iOS (and OS X for that matter) are free and clear of phone-home, the reality distortion field has really got you. Personally, I don't find mobile banking or money-spending functions on my phone to be worth $500, or even $100. I can wait until I get to a real computer when I need to do something securely.

    5. Re:Ha! by JohnFen · · Score: 1

      People aren't paying for their Android phones?

  3. Loss leader? by Tough+Love · · Score: 1

    Loss leader? I'm wondering if these low priced phones are actually subsidized by the Chinese government. How nice it would be if a similar priced phone could be offered with verifiable open source firmware. (Ok, from here in just call me Captain Obvious.)

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Loss leader? by Anonymous Coward · · Score: 1

      It doesn't need to be sponsored by the Chinese government ... skimming your private data, and potentially any banking information, is likely pretty lucrative on its own.

      Asshole sales people are the same everywhere -- they don't give a fuck about you, and will do anything they can do further their own ends.

      Chinese companies are pretty blatantly "whatever the hell we want to do". You know, like putting melamine in baby formula.

      Do the world a favor, stab a salesman or a CEO today!!

    2. Re:Loss leader? by Tough+Love · · Score: 1

      It doesn't need to be sponsored by the Chinese government...

      But it probably is, notwithstanding your other valid points.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  4. Not surprising... by ctilsie242 · · Score: 3, Interesting

    There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)

    [1]: It is interesting to see what both Apple and Android device makers stick in the root CA store. It is wise to reduce that number.

    1. Re:Not surprising... by 93+Escort+Wagon · · Score: 4, Funny

      There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)

      It's so easy, anyone can do it!

      --
      #DeleteChrome
    2. Re:Not surprising... by JohnFen · · Score: 1

      Yes to all of this.

      I will not use a phone I can't replace the OS on, mostly for these reasons.

    3. Re:Not surprising... by Anonymous Coward · · Score: 2, Funny

      You could always use an iOS device, which has never had a single incident of malware in the wild, and it is impossible for rogue software to track users. More expensive, but security is worth the price.

    4. Re:Not surprising... by PolygamousRanchKid+ · · Score: 2

      [1]: It is interesting to see what both Apple and Android device makers stick in the root CA store.

      . . . it would be interesting to see what both Apple and Android device makers stick in the hidden root CA store.

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    5. Re:Not surprising... by Anonymous Coward · · Score: 1

      It doesn't matter if you can replace the OS if $ADVCO pwns your firmware and the closed source binary blobs.

      You are permitted the illusion for the masses. No more.

    6. Re:Not surprising... by green1 · · Score: 1

      I would hope so, but it's so hard to tell because that ridiculous nonsense is spouted so often as truth among the Apple fan base that it's hard to believe they don't actually believe it despite all evidence to the contrary.

    7. Re:Not surprising... by Anonymous Coward · · Score: 1

      Have lineageOS, and am happy with it. Note it still includes all the WoSign/Honkong Post certs (which I turned off straight away).

      Now if all the bloody app makers would just start adding lineageOS to the compatible devices lists.. I have hit about 3 of 4 apps that used to install from the Play Store for CyanogenMod on this same phone, now won't...

    8. Re:Not surprising... by JohnFen · · Score: 1

      Even if iPhones are spying-free, you'd still have the problem of being forced to use an iPhone.

      Personally, that's a nonstarter. iPhones are too locked down to be terribly useful to me.

    9. Re:Not surprising... by JohnFen · · Score: 1

      This is technically untrue. I can replace the broadband system with any of several options. What is true, though, is that all of the options are still proprietary binary blobs so from a security point of view it's a difference without a distinction.

      But perfect security is impossible with anything, so we all make tradeoffs. My tradeoff is that I accept that I need to run that binary blob and can therefore not completely trust the device.

      But I can, at least, minimize the issue by ensuring that the blob is the only attack vector.

    10. Re:Not surprising... by JohnFen · · Score: 1

      It still matters, because it reduces the number of entities that can spy. Your stance is the same as saying that if security can't be perfect then it isn't worth doing. That's an unsupportable position.

  5. They act like the 800 dollar phones... by Anonymous Coward · · Score: 3, Insightful

    Don't come with spyware.

    The real purchasing decision should be which phones allow rooting without blowing an efuse or disabled marketed functionality.

    If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.

    1. Re:They act like the 800 dollar phones... by Tough+Love · · Score: 1

      Don't come with spyware. The real purchasing decision should be which phones allow rooting without blowing an efuse or disabled marketed functionality. If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.

      Right. It just goes to prove, the only viable path forward is verifiable, user modifiable open source.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:They act like the 800 dollar phones... by Anonymous Coward · · Score: 1

      iPhones don't.

      The FBI had a hard time getting into one and apple did not cooperate. That was on a much older device and new ones are far more secure than back then.

      Apple is in the business of selling your hardware, not selling your personal privacy out for profit.
       

    3. Re:They act like the 800 dollar phones... by green1 · · Score: 1

      Honestly, I don't care if it blows an efuse, I only care whether I can root it without losing functionality. They can have their efuse, doesn't make any difference to me.

    4. Re:They act like the 800 dollar phones... by Khyber · · Score: 2

      "new ones are far more secure than back then."

      No they are not. They're susceptible to the exact same physical attack that got past the i5.

      It's like you know nothing about hardware engineering. If it can be made, it can be broken.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:They act like the 800 dollar phones... by c-A-d · · Score: 2

      If I can't install slimroms or lineageos, it's not on my purchase list.

      --
      some karma... and kinda lukewarm about it.
    6. Re:They act like the 800 dollar phones... by hairyfeet · · Score: 3, Informative

      Then buy an Alcatel phone as they have built in rooting capability with no external software required. For those that want to know how this is how you do it and I've tested in on my own phone (Alcatel Flint) and it works and takes less than 2 minutes...

      Alcatel has its own "system updates" app. If you tap the three dots in the right hand corner and then hit "Help", then hit the "Auto -Check Intervals" button a bunch, it will unlock "Advanced Mode." Go back and tap the three dots again and it will be under "help." When you go into this advanced mode, it will ask you for a "tester password". The pass is fotaapp*#1221#.

      And that is it, in under 2 minutes you will have a rooted phone you can do with what you will.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:They act like the 800 dollar phones... by Khyber · · Score: 1

      Go into any iPhone repair shop, moron. You can get the repair schematics for cheap and you can see very clearly its all the same shit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    8. Re: They act like the 800 dollar phones... by Brockmire · · Score: 1

      You don't know what you're talking about. Having schematics means fuck all. Sure, it's the start to reverse engineering, but if you think the schematics are enough, you're an idiot.

  6. crack that chip! by nimbius · · Score: 2

    When the spyware comes along...
    You must root it!
    plug a cable in the phone
    you can root it!
    https://theunlockr.com/2013/11...

    --
    Good people go to bed earlier.
  7. Cheap chinese phones may be compromised? by Gojira+Shipi-Taro · · Score: 1

    I've just shat myself with surprise!

    Who didn't automatically assume this was the case?

    Seriously.

    --
    "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
    1. Re:Cheap chinese phones may be compromised? by green1 · · Score: 2

      and people think the expensive ones are somehow any different?

  8. Re: Cheap phones as bait. That doesn't make sense by Anonymous Coward · · Score: 2, Informative

    My lab manager is pretty wealthy, between him and his wife (she is a surgeon) they are worth 7-digits. He broke his phone and ordered the absolute cheapest android phone he could find. I think it needed up being a Blu.

    I tried to talk him out of it, but he simply doesn't care. On the flip side, he spent $15k on a carbon-fiber mountain bike a couple weeks ago.

  9. Re:Expensive Android phones are much better! by green1 · · Score: 1

    going for a +1 funny?

  10. Re:how old is the article? by green1 · · Score: 2

    Apparently you didn't read the summary where it says exactly this, that it was reported long ago, and the manufacturer claimed they'd changed, and have now been proven to still be up to the same old tricks.

    As for "most android devices harvest data", why limit it to Android? it's well known that iPhones do it too, and if anyone had ever used a Windows phone, I'm sure it was set up the same.

    The only real difference is in who the recipient of the data is.

  11. Only some? by Altrag · · Score: 2

    I'm pretty sure all high-cost phones, including not-Android, send data to Google/Apple/MS. If only "some" of these low-cost ones are doing the same, that almost sounds like a worthy gamble.

    (And yes, I realize that they mean "in addition to already sending your data to the OS makers" rather than "instead of." I'm just calling out the headline's phrasing..)

  12. Re:Proof... by Anonymous Coward · · Score: 1

    Hillary sent emails containing Top Secret info to her aid Huma's home computer to print because they couldn't figure out how to get the secure fax machine to work

    Uh, no she did not. You are just mindlessly repeating half-baked conspiracy theories. And when I say half-baked I mean literally half - a bunch of highly motivated partisans latched on to a couple of vague facts and then made up a bunch of non-facts to produce a story that, surprise, surprise, was an exact fit for their preconceptions.

    If she had actually done what you claim it would have been the smoking gun of intent that Comey needed to prosecute her.

    Now you may proceed with more conspiracy theory logic to rationalize away your disappointment with the facts.

  13. Re:how old is the article? by Anonymous Coward · · Score: 1

    it's well known that iPhones do it too

    Care to link a citation for that?

  14. Re:how old is the article? by green1 · · Score: 2, Informative

    one example: https://www.wired.com/2011/04/...
    another: http://www.businessinsider.com...

    Apple has also stated publicly "We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."

  15. Re:FTFY by Dutch+Gun · · Score: 2

    There are lots of valid reasons for an iPhone to communicate with Apple servers, you know. There are a bunch of integrated services, as well as security updates, etc. It would be a bit strange, IMO, if an iPhone actually never talked to Apple. The trick is whether or not you trust a company to slurp up and use your private data in ways you don't approve of.

    So, Apple vs Random Chinese Company privacy showdown. In the end, you have to look at things like this pragmatically. Apple is making billions and billions off of iPhone and store sales, and their reputation for protecting privacy is likely worth much more to them than any sort of ad revenue they might get from trying to actively exploit their users' data. Random Chinese Company? Probably operating on very slim margins, and reputation isn't much to them - just price.

    But I do agree with the general sentiment. Apple is probably a rarity in the tech world simply due to their current insane profit margins. Hell, even manufacturers of robotic vacuum cleaner are discussing how to monetize the fucking floor plan of your own home. It's beyond absurd at this point.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  16. Re:FTFY by green1 · · Score: 1

    So basically, you trust Apple, but think all Android phones can't be trusted.

    I've got news for you, I don't trust Apple any further than I can throw their headquarters. Apple has admitted to collecting personal data for the express purpose of advertising (something you claim they would never do), and is well known to collect FAR more data than they need to provide the services they do.

    As for "random chinese company", they aren't random, they're the manufacturer. Most manufacturers put all sorts of stuff on their phones (Apple included) that phone home, just because you personally trust apple doesn't mean they don't do exactly this, and doesn't make them saints.

  17. FTFY by dbialac · · Score: 1

    All Android Phones Come at a Price -- Your Privacy

    Android is just a giant spyware ecosystem for Google.

  18. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  19. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  20. Re:FTFY by Dutch+Gun · · Score: 2

    So basically, you trust Apple, but think all Android phones can't be trusted.

    Nope, didn't say that at all. I trust Apple MORE than I trust the Chinese manufacturer. But I actually have an Android phone, because I like the extra control it gives me. My next phone will probably be a Pixel.

    From Apple's site on privacy:

    We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.

    Is that the "admission"? Apple is up-front about what they do with your data. When I talk about "trust", I mean that I trust them not to abuse that data in a way I wouldn't be comfortable with, such as selling it to a third party. As far as ads, we're probably talking about ads you might see on the App store, which knows which apps you have installed, and so can perhaps show you more relevant ones. I'm actually okay with that. I have no such confidence in any Chinese company, manufacturer or no, to show such restraint.

    --
    Irony: Agile development has too much intertia to be abandoned now.
  21. Re:FTFY by green1 · · Score: 1

    It's ok if Apple does it because they're the good guys, but I don't know the other company so they must be evil!

    ummmm... yeah... the mental gymnastics here are quite entertaining.

  22. Re:So I have a Blu R1 HD... by Nyder · · Score: 1

    I have a Blu R1 HD. I got it for the kids to play games with, but it has no SIM card. Any advice on how to check that it's secure (without burning/crushing/etc.)?

    If you bought the Amazon version, then it's supposed to be safe.

    But either way, check out: https://forum.xda-developers.c...

    You'll find what you need to know about rooting it and installed a different rom and getting rid of bloat and the spyware.

    --
    Be seeing you...
  23. I own the BLU R1 HD and it rocks! by Nyder · · Score: 1

    So apparently the Amazon version didn't have the spyware, only the ones you got from elsewhere. Those phones have been easy to root, there are custom firmware for it and it is a great phone for the $60.

    These days, if you can't root your phone and get full control, then you are just asking to be spied on.

    --
    Be seeing you...
  24. Bomb, Live Unit by OneAhead · · Score: 1

    I'm still waiting for them to name one of their phones BLU-82. And for the batteries to turn out to be faulty.

    ...

    I'll get my coat.

  25. What is this about? by houghi · · Score: 1

    This Privacy thing, what is this? Sounds like a good idea. Where can I get one?

    --
    Don't fight for your country, if your country does not fight for you.
  26. First it was the Russians... by mark_reh · · Score: 1

    and now the Chinese want a direct tap into Trump voters...

  27. Re: Cheap phones as bait. That doesn't make sense by JohnFen · · Score: 1

    Nothing wrong with that. Regardless of how wealthy you are, it's smart to recognize what is really important to you and to cheap out on everything else.

  28. Re:FTFY by JohnFen · · Score: 1

    Not Android-specific.

    Pretty much every product or service that has access to data about you does this. There are no angels.

  29. Re: FTFY by Brockmire · · Score: 1

    No, Windows 10 does not have that nickname. You're thinking "IoT" , mostly Linux boxes.