Slashdot Mirror
Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com)
Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)
[1]: It is interesting to see what both Apple and Android device makers stick in the root CA store. It is wise to reduce that number.
Don't come with spyware.
The real purchasing decision should be which phones allow rooting without blowing an efuse or disabled marketed functionality.
If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.
If you want privacy, you have to be willing to pay for it. Most people want free. Free Facebook, Free Google, Free videos, Free Free Free.
You are the product if you think you are getting something for free.
Yet if I were to say 'my iPhone doesn't do this because I pay a boatload of money for it' people get all bent because Apple.
Yet Apple doesn't have this kind of problem and Android phones do.
Free: you just got what you paid for.
When the spyware comes along...
You must root it!
plug a cable in the phone
you can root it!
https://theunlockr.com/2013/11...
Good people go to bed earlier.
Free: you just got what you paid for.
Unfortunately you can't necessarily trust non-free products either. Not even expensive ones.
My lab manager is pretty wealthy, between him and his wife (she is a surgeon) they are worth 7-digits. He broke his phone and ordered the absolute cheapest android phone he could find. I think it needed up being a Blu.
I tried to talk him out of it, but he simply doesn't care. On the flip side, he spent $15k on a carbon-fiber mountain bike a couple weeks ago.
and people think the expensive ones are somehow any different?
Apparently you didn't read the summary where it says exactly this, that it was reported long ago, and the manufacturer claimed they'd changed, and have now been proven to still be up to the same old tricks.
As for "most android devices harvest data", why limit it to Android? it's well known that iPhones do it too, and if anyone had ever used a Windows phone, I'm sure it was set up the same.
The only real difference is in who the recipient of the data is.
I'm pretty sure all high-cost phones, including not-Android, send data to Google/Apple/MS. If only "some" of these low-cost ones are doing the same, that almost sounds like a worthy gamble.
(And yes, I realize that they mean "in addition to already sending your data to the OS makers" rather than "instead of." I'm just calling out the headline's phrasing..)
one example: https://www.wired.com/2011/04/...
another: http://www.businessinsider.com...
Apple has also stated publicly "We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
There are lots of valid reasons for an iPhone to communicate with Apple servers, you know. There are a bunch of integrated services, as well as security updates, etc. It would be a bit strange, IMO, if an iPhone actually never talked to Apple. The trick is whether or not you trust a company to slurp up and use your private data in ways you don't approve of.
So, Apple vs Random Chinese Company privacy showdown. In the end, you have to look at things like this pragmatically. Apple is making billions and billions off of iPhone and store sales, and their reputation for protecting privacy is likely worth much more to them than any sort of ad revenue they might get from trying to actively exploit their users' data. Random Chinese Company? Probably operating on very slim margins, and reputation isn't much to them - just price.
But I do agree with the general sentiment. Apple is probably a rarity in the tech world simply due to their current insane profit margins. Hell, even manufacturers of robotic vacuum cleaner are discussing how to monetize the fucking floor plan of your own home. It's beyond absurd at this point.
Irony: Agile development has too much intertia to be abandoned now.
So basically, you trust Apple, but think all Android phones can't be trusted.
Nope, didn't say that at all. I trust Apple MORE than I trust the Chinese manufacturer. But I actually have an Android phone, because I like the extra control it gives me. My next phone will probably be a Pixel.
From Apple's site on privacy:
We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.
Is that the "admission"? Apple is up-front about what they do with your data. When I talk about "trust", I mean that I trust them not to abuse that data in a way I wouldn't be comfortable with, such as selling it to a third party. As far as ads, we're probably talking about ads you might see on the App store, which knows which apps you have installed, and so can perhaps show you more relevant ones. I'm actually okay with that. I have no such confidence in any Chinese company, manufacturer or no, to show such restraint.
Irony: Agile development has too much intertia to be abandoned now.
"Android phones" don't have this problem, certain phones from shady manufacturers do. And if you think iOS (and OS X for that matter) are free and clear of phone-home, the reality distortion field has really got you. Personally, I don't find mobile banking or money-spending functions on my phone to be worth $500, or even $100. I can wait until I get to a real computer when I need to do something securely.