Amazon Suspends Sales of Blu Android Phones Due To Privacy Concerns

CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a "potential security issue." The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon.

pot calling kettle black

So when Amazon, Google, Apple, and Microsoft send your data without people knowing because it's in the fine print of a 30 page clickthrough agreement it's all OK? hah.... Or when they constantly hammer you to turn on features and put at the bottom in fine print you're automatically agreeing to that 30 pages of legal mumbo jumbo so that one day you accidentally hit it... i guess that's ok too..

Re:pot calling kettle black

the fact that you are commenting on means that it does not happen without our knowledge. BLU has been doing this all along and now, continues to do so.
Who owns BLU and what is the data used for?

I use LineageOS

[bluefoxlucid]

First thing I do with a new phone, I wipe it and install LineageOS. Somebody else builds the ROM and I don't have the time or resources to personally-inspect the source code, so it's mostly a more-trusted quantity; and everybody sees it and sees the build process, so there are at least a dozen primary developers, a couple hundred bored hobbyists, and the occasional security researcher looking at the built ROM and the source code. Between the diff against Android and the massive number of eyes on Android's source trees, a lot of people have to be involved in a conspiracy to mess with my phone for there to be anything intentionally-malicious in there.

I like OnePlus, but I'm not going to run their OS just so it can repeatedly try to sell themes to me. If there was a Lineage ChromiumOS, I'd put that on my Chromebook.

Re:I use LineageOS

[rickb928]

"I don't have the time or resources to personally-inspect the source code"

"everybody sees it and sees the build process,"

So you don't trust or inspect the code, you rely on others to do that. In other words, choose one community over the other.

Ok, in other words, you trust that community more than you trust the manufacturer and Amazon.

Which I understand, but I'm curious - You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?

Not that they can be presumed to be nefarious, but when I write that I 'understand', I do not necessarily agree or approve.

Re:I use LineageOS

[bluefoxlucid]

You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?

One community is a corporate culture that builds an OS image in-house, publishes it for their particular phone, and gets scrutiny when someone decides to try to dismantle the binary image on their particular phone or snoop what's going out the cellular radio. Their OS can hide what's going out the radio, so they need a logic analyzer or specialized radio equipment (lots of effort, not necessarily lots of cost, enormous technical expertise). They can start with an open-source asset and modify it to their taste, and mostly restrict inspection--especially of their own source repositories--to a small number of eyes. You can even have most developers not know about some parts of the code, because they simply have no reason to inspect the entire code base.

The other is working out in the open. They publish binary images for hundreds of different phones, built from the same source. They're liable to inject the same Trojan horse into several, if not all, models if they're being nefarious. Their repositories are open, and so we can do a spot-check of differences between their code repositories and the official repositories. The official repositories are high-profile; the derived, open-source repositories are also high-profile, but less-so; even security researchers are significantly interested in what's going on with this stuff, and have the ready opportunity to examine it. Hiding things is more-difficult.

The likelihood of getting caught is higher for one of these than the other.

Re:I use LineageOS

[JohnFen]

This.

Any smartphone that I haven't placed my own OS on is a smartphone that cannot be trusted to even a minimal extent.

Re:I use LineageOS

[JohnFen]

Ok, in other words, you trust that community more than you trust the manufacturer and Amazon.

I do, too. It's a matter of a combination of incentives and track records.

Commercial corporations have no incentive to make my personal well-being and privacy a priority. They prioritize profit. And the track record of commercial entities makes it very clear that they adhere to those priorities.

Hobbyist communities have very different incentives and priorities. I don't think that they can be trusted completely, either, but the track record for them is vastly better than for companies.

Re:I use LineageOS

That is all good but let me ask you this: why the phones lack a hardware switches to disconnect the mic, speakers, GPS, WiFi and Bluetooth? And I mean real hw switches without any means to bypass them with software.

You would not need to personally inspect much if the phone had its tracking and listening devices physically disconnected.

Breaking News!

Aren't these things pushed heavily on Prime Day? When was that, and what is the return policy?

Re:Breaking News!

[__aaclcg7560]

Not sure. But the Amazon Dot were selling like hotcakes on Prime Day.

Re:Breaking News!

And your cock eggs will be sold on Amazon Creime Day.

Re:Breaking News!

let's go Russian dick fishing

I may be wrong about this...

But isn't BLU one of the companies that is good about allowing the user to root their phone without needing to call the company?

Re:I may be wrong about this...

[Zombie+Ryushu]

BLU Phones are Easily Rootable, and until the R1 HD, did NOT have locked bootloaders that prevented the installation of TWRP Recovery. However, Because they used MediaTek Chipsets instead of QualComm, they were GSM Exclusive. (Meaning: No CDMA because QualComm has a Patent on it in the US.)

That means ATT and T-Mobile only (and their Associated MVNO carriers.) No Verizon, and no Sprint. CDMA is very pervasive in the US.
Most LineageOS (formerly Cyanogen Mod) Programmers are from the US, so because of that MediaTek based Phones are a Tiny, Tiny, Tiny Minority. Wal-Mart Stopped carrying BLU Phones in the US because People would buy them, find out they were on a CDMA Carrier, (Sprint, Verizon) and then Wal-Mart would be swamped with Returns.)

BLU started locking the Bootloaders with the R1 HD due to the Lock Screen ads. People removed the ads, and denying them ad revenue seemed like theft to BLU.

Re:I may be wrong about this...

BLU Phones are Easily Rootable, and until the R1 HD, did NOT have locked bootloaders that prevented the installation of TWRP Recovery. However, Because they used MediaTek Chipsets instead of QualComm, they were GSM Exclusive. (Meaning: No CDMA because QualComm has a Patent on it in the US.)

That means ATT and T-Mobile only (and their Associated MVNO carriers.) No Verizon, and no Sprint. CDMA is very pervasive in the US. Most LineageOS (formerly Cyanogen Mod) Programmers are from the US, so because of that MediaTek based Phones are a Tiny, Tiny, Tiny Minority. Wal-Mart Stopped carrying BLU Phones in the US because People would buy them, find out they were on a CDMA Carrier, (Sprint, Verizon) and then Wal-Mart would be swamped with Returns.)

BLU started locking the Bootloaders with the R1 HD due to the Lock Screen ads. People removed the ads, and denying them ad revenue seemed like theft to BLU.

I think the word "they" which is emphasized is ambiguous in your post. I just want to clarify, so that others who have the similar problem as I did would understand. The word "they" should be replaced with "their phone plans" instead (because the word could be confused and referred to "BLU phones").

Re:I may be wrong about this...

There are unlocked 3g and 4g LTE "GSM" phones in BLU's current lineup... so you can avoid their CDMA ones. Target probably still sells a $55 one.
Then just compile current Android and install it on the phone.
Problem solved.

Re:I may be wrong about this...

My local Walmart sells unlocked BLU phones priced between $70 and $90 dollars. They are out in the open hanging on the rack.

Re:I may be wrong about this...

Then just compile current Android and install it on the phone.
Problem solved.

These are almost all Mediatek devices, so that is not so easily done. You're lucky if you can even find a bootloader for a Mediatek phone, to say nothing of the sources you'd need to actually build Android (current or not).

The first thing you should do when you think about buying a phone is to check out XDA developers for a page on said device. Look at some of those BLU phones and you'll surprised how months after launch it's still just people on there begging for someone to build a copy of TWRP or any ROM.

BLU, Adups, and MediaTek

[Zombie+Ryushu]

I have a BLU Studio 5.0C, an, its rooted, and I removed ADUPS. However the version of Adups it used was not the version that was stealing people's info. I really like the quality of the Phone I have. I don't like that it has a MediaTek Chipset for which there is no Lineage OS Build.

BLU Needs to cough up Specs and Drivers to the Lineage OS Community, and start selling LineageOS on their phones, and don't put ADUPS on their Phones. They need to make amends with the Android Community. Because what they have been doing is selling people's personal info to the Chinese by using ADUPS.

Re:BLU, Adups, and MediaTek

[JohnFen]

However the version of Adups it used was not the version that was stealing people's info.

It's not the version that made the news, perhaps, but do you have any reason to think it's any different in terms of spying?

Re:BLU, Adups, and MediaTek

BLU Needs to cough up Specs and Drivers to the Lineage OS Community, and start selling LineageOS on their phones, and don't put ADUPS on their Phones. They need to make amends with the Android Community. Because what they have been doing is selling people's personal info to the Chinese by using ADUPS.

You're giving BLU way too much credit. They are really just a marketing company that sells rebranded Chinese phones in the US. They probably don't even have a team that could do any of the things you mentioned.

Nanny-State Amazon

News at 11. Amazon is going to suspend sales of Amazon Echo; followed by suspending their entire online shopping site due to "potential" security issues. Almost everything has potential security issues (other than a block of concrete 10 feet under), but as a customer, it's my right to make that trade-off.

Re:Nanny-State Amazon

[Oswald+McWeany]

News at 11. Amazon is going to suspend sales of Amazon Echo; followed by suspending their entire online shopping site due to "potential" security issues. Almost everything has potential security issues (other than a block of concrete 10 feet under), but as a customer, it's my right to make that trade-off.

As a customer it is your right to make that trade-off. You don't have the right to demand that Amazon be the one to sell it to you though.

It's your right to buy clam chowder but McDonalds doesn't have to sell it. It's your right to drive a Toyota Corolla, but your Honda dealership doesn't have to stock them. You're perfectly in your right to buy and wear a Rolex, but walmart doesn't have to have one waiting for you to buy.

Amazon has the right to choose not to sell BLU phones just as McDonalds has the right to not sell Clam Chowder.

I'm sure they don't want to be associated with spyware, or have negative customer satisfaction from people that buy those phones and incorrectly blame Amazon for selling them a spyware ridden phone. You may not blame Amazon but plenty of less tech savvy people would.

Re:Nanny-State Amazon

You're completely right that Amazon has the right to not sell me those products. But I also have the right to exercise my freedom of speech by calling them out as huge hypocrites when they sell plenty of other privacy invasive products. Likewise, spyware, that's pretty much Google's (and Facebook etc) entire business model -- I don't see Amazon is going to stop selling Android devices...do you?

Basically, McDonalds has a right not to sell Burger Kings. But if their proffered reason is that Burger King is unhealthy, then despite being true, it's still a bullshit reason.

Re:Nanny-State Amazon

[fph+il+quozientatore]

I'm sure they don't want to be associated with spyware

You mean the Amazon that is marketing a device with a permanently-on microphone that listens to what you are saying and sends it to their servers? Yeah, I am sure they don't want to be associated with spyware.

Re:Nanny-State Amazon

[cfalcon]

> calling them out as huge hypocrites when they sell plenty of other privacy invasive products

I don't think it is hypocrisy. The really invasive companies such as Google and Amazon have written in a lot of stuff, and spent a lot of money on lawyers, to handle data in aggregate, in ways that aren't supposed to invade our privacy, but still let them do targeted ads. This nuance is lost on you and I, sure (I, and probably you, want nothing to do with their endless parade of data hoarding), but it's still a real cost that they pay and it represents real restrictions on what they do with their data. Without even this basic assurance, it's a non-hypocritical position for a data conglomerate like Amazon to have issues with a company that does any of this secretly, and with open ended data usage (again, from a perspective like Google's, their data usage is not open ended, it is very constrained).

What they mean

[Zontar_Thing_From_Ve]

"All user data is obtained without their permission, sure, but it's sent securely via encrypted transmission methods. Further, I assure all of our customers that the Chinese Communist Party servers that keep and analyze this data are under the highest security standards and the CCP does not share its data or findings with outside parties. So there is nothing to worry about. Our phones are doing exactly what our masters in the CCP are requiring them to do and doing so in a very secure manner."

Re:What they mean

[thegarbz]

I actually feel a bit better about this than say a Samsung TV sending your data unencrypted to anyone willing to cough up a dollar.

Obviously: what about the rest?

[houghi]

ALL the phones phone home. So are they going to block them as well, or is that OK, because it is not China, but companies.

TBJ, I am not sure if it is better to give my data to China or to Google/Apple/Windows/Amazon/....

Re:Obviously: what about the rest?

Some are much better about it though. Huawei can hide it so much better for example.

Re:Obviously: what about the rest?

[JohnFen]

You're engaging in a false equivalency. All spying is bad, but some is worse than others. In this case, what Adups does is far worse than what any other company, even Google, does (that I'm aware of). It has nothing to do with being Chinese.

In fact, it wasn't all that long ago that a firestorm erupted when it was discovered that several US carriers had installed very similar software in US phones.

Re:Obviously: what about the rest?

[antdude]

I wished we had installable and controllable firewalls. I use firewalls on my home computers that let me customize rules for the networks. I hate softwares that phone home for no reasons.

Re:Obviously: what about the rest?

[thegarbz]

or is that OK, because it is not China

Well ... yeah. Security and privacy are not binary. There are many things I couldn't care less about one non-descript entity knowing that none the less I would not want sent to another.

Some spying is worse than others.
Some actors doing the spying are worse than others.

Re:Obviously: what about the rest?

[postbigbang]

It's Google's handy design flaw of Android. Oops, little leak there.

Indeed, should you check with AppThority and others, you'll find that the misbehavior is mindboggling.

But here's the part that makes me crazy: no one gives a shit. They believe it's the price they pay. The technologists have been shown time and time again that people are sheep. They follow the herd. The herd hasn't the capacity fathom what data mining in China means, and so because it goes over their heads, it's a whoooosh situation. So the fuckers keep doing it, and each day, a few heads rise up and yell, WTF? Those heads make easy targets.

BLU is a POS

[Khyber]

The ONLY thing good about most BLU phones is that the touchscreen still functions after the screen cracks.

Oh, and the FM radio is at least guaranteed to work.

BT support sucks, hardware is RAM-starved, they rarely not do system updates, the list goes on and on...

Re:BLU is a POS

[AvitarX]

The "high end" BLU phones are pretty decent and a great price.

I got a Studio Energy 2 for $120 or so new, and it worked fine with it's 1.5GB

I currently have a Life one X 2, and it has 4GB, and fast charge, was $180

Amazon doesn't know what it's talking about.

[freeze128]

Amazon stopped selling the phone because of "a potential security issue" because an app on the phone collects data and sends it to China without the user's consent. Well, obviously, that's a *PRIVACY* issue, not a *SECURITY* issue.

Re:Amazon doesn't know what it's talking about.

Amazon stopped selling the phone because of "a potential security issue" because an app on the phone collects data and sends it to China without the user's consent. Well, obviously, that's a *PRIVACY* issue, not a *SECURITY* issue.

Confidentially, Integrity and Availability

The CIA Security triad.

Cheers,

Re:Amazon doesn't know what it's talking about.

[Teckla]

Seems to me that privacy issues are a subset of security issues.

Re:Amazon doesn't know what it's talking about.

[JohnFen]

that's a *PRIVACY* issue, not a *SECURITY* issue.

Privacy issues are security issues.

Commie phones

Commie phones phone home

Re:Commie phones

Therefore, all smartphones are commie phones.

This is hilarious

because this is EXACTLY what Google, Amazon, Facebook, Microsoft etc. are doing with their customers. But when it's a Chinese company, then the propaganda mill starts churning out accusations of spying, privacy breach etc.

Pots and kettles.

Re:This is hilarious

[JohnFen]

But it's not exactly the same. None Amazon, Facebook, Microsoft, Google, etc., all tell you they're doing it (so you're making an informed choice if you use their services), and amount of data they collect isn't as comprehensive.

Re: This is hilarious

Odds are good that you use a Windows or osx pc. You might even use an android phone, iPhone or rarely a win phone. You probably use explorer edge, chrome or safari as your browser.

If so, Apple/Goole/MS already have the technical ability to illegally steal your data, ToS or no. There is no need to ADD another group to the list that can rip you off. That's the point. Just because your settled on boyfriend drills you up the ass doesn't mean you accept a Chinese drilling.

Re:This is hilarious

I don't think it is different. They tell you that they are doing something, but they most decidedly don't tell you what they are doing. Microsoft and Google have both been caught collecting when the setting was "disabled", or collecting more information than they claimed. There are less obvious violations of privacy as well; does Facebook inform and get consent from all web users regarding how the social buttons work, and how even if you aren't a facebook user you are being tracked across sites with them?

These companies mishandling your information, and lying about their privacy policies are the equivalent of you letting a friend grab a drink from your fridge, but then you notice that the whole fridge is gone.

Destroy this company.

They have no business in our country.

http://www.linuxjournal.com/content/adups-android-malware-infects-barnes-noble

There are gradiations

[XXongo]

There are gradations in privacy. The fact that I'm ok with having some small portion of my data used by corporations whose services I utilize does not mean that I'm ok with massive violation of privacy without any notice at all by some other corporation.

What the Blu phone does is way over the line. They are not only secretly sending data to China, they have "a command-and-control channel that can execute code on a user’s phone as a system user."

This is not merely "spyware"-- this is actual spying, by a foreign power.

http://www.cbsnews.com/news/researchers-find-phones-secretly-sending-data-china/

Re:There are gradiations

Foreign to which country? You must be a Murican - for me my iphone has spyware on it that is spying on me from a FOREIGN POWER no less.

Re:There are gradiations

[JohnFen]

This is not merely "spyware"-- this is actual spying, by a foreign power.

Agreed, although I'm not sure that "by a foreign power" is actually meaningful. Spying is spying, and it doesn't matter much whether the entities doing it are part of the same nation as you.

It does matter a little, though. If I have to be spied on, I'd rather it be by China (who has no real power or authority over me) than the US (who does).

Re:There are gradiations

" If I have to be spied on" There is a 99.999% chance that you never do anything that would warrant anyone spying on you except for an ex-spouse looking for a bigger alimony payoff. Way to many drama queens thinking their little lives are worth spying on. However, if you need to play the martyr there are people who pull out all the stops to spy on you every time you go online. Google represents the number one threat to everyone's privacy. After them come the 10000's of commercial companies who either collect your data themselves or just buy your life story from some other commercial enterprise that has better capture technology. We are talking some serious dollars wrapped around these activities and companies such as Google are at the forefront when it comes to developing the cutting edge technologies so they don't lose track of anyone. Googles is an advertising company that happens to use cutting edge technologies to increase their ad revenue.

MS transmits a small amount of anonymized system configuration data so they can determine the landscape their products are deployed in and people call this "spying" which is par for the course in the generation of idiots of think using Twitter qualifies as a technical skill. If you want to see real time spying in action just make sure your location is enable on your cell phone. I would rather have MS knowing the BIOS version and CPU I am running their software on than have someone following my every move and knowing exactly where I am within a 5 meter radius.

The NSA and CIA have their hands full trying to spy on the entire ME, China, NK, Russia, Europe, and just about any other country of note and hardly have the time to spy on a bunch of twits who also claim using Facebook qualifies as a technical job skill. If the government wanted to spy or invade someone's privacy they can just go to the person FB page that contains everything you may wan to know. And to top it off the government isn't very good at this whole clandestine and secret spying shit since classified data seems to be walking out the front door on a weekly basis. the NSA and CIA are not a for profit enterprise such as Google and making money is a bigger motivator than trying to track down some long beard on the other side of the world who may be strapping a custom suicide vest in preparation to storm a kindergarten to make the front page of the ISIS monthly magazine.

Re:There are gradiations

[Kernel+Kurtz]

If I have to be spied on, I'd rather it be by China (who has no real power or authority over me) than the US (who does).

Exactly! If you are the government, or a corporation then foreign spies are indeed the biggest concern, but if you are an individual, your own government has far greater potential to mess with your life than most any foreign country. The Russians and the Chinese don't care if you order bongs online or donate money to radical groups or gamble on illegal sports or whatever.

Only your own government is uniquely positioned to use their spying against you.

Re:There are gradiations

[Kernel+Kurtz]

The NSA and CIA have their hands full trying to spy on the entire ME, China, NK, Russia, Europe, and just about any other country of note and hardly have the time to spy on a bunch of twits who also claim using Facebook qualifies as a technical job skill.

Actually we all know the NSA and CIA happily share information they obtain by mass spying with local law enforcement agencies for offences that have nothing at all to do with national security.

The police call them "anonymous tips".

Re:There are gradiations

[JohnFen]

There is a 99.999% chance that you never do anything that would warrant anyone spying on you

True, but that doesn't stop them. The US, for example, isn't at all shy about the fact that they spy on all of us.

Google represents the number one threat to everyone's privacy. After them come the 10000's of commercial companies who either collect your data themselves or just buy your life story from some other commercial enterprise that has better capture technology.

Exactly correct! Although I'm at a loss as to why you're so eager to give Microsoft a pass on their spying. There's no such thing as "anonymized", and the amount they try to collect is the exact opposite of "small" -- although they, like Google, etc., graciously allow you to reduce -- but not eliminate -- the scope of their spying.

Also, just because some entities spy more than others doesn't mean that it's OK for anybody to do it. I reject your implication otherwise.

Bold Like Us

[spinitch]

Part of the Bold experience, how to boldly offer a less expensive device. FaceBook and many of Google offerings also free- gee how generous, except the free is really a mutual exchange your info for their experience. Just be upfront about it.

Android is the worst thing ever.

Truly horrible garbage. Any idiot who walks around with a brick of spyware in their pocket is no geek, but a buffoon.

Re:Android is the worst thing ever.

[OneHundredAndTen]

Such an informed, well-measured, deep and balanced comment has all but convinced me, and probably millions of others.

Re:Android is the worst thing ever.

A drawback to open source Android. It comes in many flavors and so many craft it to what they want. Does Google even give a shit? Probably not.

Data mine

[DarkRookie]

Cant have a third party do it. Only Amazon is allowed to collect info for themselves. If they were making some amount of money on this, they wouldn't have stop selling it.

Shanghai Adups

[slapout]

Shanghai Adups = "Shanghai American Dups"?

That's how they make up loss

There is always a catch to something being cheaper then everyone else. Your data is valuable and worthy of collecting and selling. Kuddos to Amazon for stopping sales.

Punctuation is critical.

[517714]

Fixed that for you: A company spokeswoman said at the time it "has several policies in place which take customer privacy and security, seriously."

Before I knew their privacy issues

There was the simple fact that my Blu Life One X shit its pants after five months.

Go ahead

[MoarSauce123]

As if the Chinese have other means of stealing our data. I was well aware of that security issue and still bought an unlocked 50$ Blü phone, which is kick ass awesome. Others make flagship phones for 10 times the price and still collect all data. Would I rather not have gazillion companies and services spy on me? Sure, but US companies are not any better. Even the electric and gas companies insist on installing the meters outside of the house. They used to be inside and they had no problem driving by in their van to read them out. Now the world knows how much power and gas I use. How is that for privacy?

Go windows?

How hard is it to install windows mobile on the BLU hardware?
Many of their products already run it, such as Studio 5 as BLU Win HD.