Slashdot Mirror


Amazon Suspends Sales of Blu Android Phones Due To Privacy Concerns (cnet.com)

CNET reports: Amazon just put budget phone maker Blu in the penalty box. The online retailing giant told CNET that it was suspending sales of phones from Blu, known for making ultra-cheap Android handsets, due to a "potential security issue." The move comes after security firm Kryptowire demonstrated last week how software in Blu's phones collected data and sent it to servers in China without alerting people. Blu defended the software, created by a Chinese company called Shanghai Adups Technology, and denied any wrongdoing. A company spokeswoman said at the time it "has several policies in place which take customer privacy and security seriously." She added there had been no breaches. Blu said it was in a process of review to reinstate the phones at Amazon.


  1. I use LineageOS by bluefoxlucid · · Score: 3, Interesting

    First thing I do with a new phone, I wipe it and install LineageOS. Somebody else builds the ROM and I don't have the time or resources to personally-inspect the source code, so it's mostly a more-trusted quantity; and everybody sees it and sees the build process, so there are at least a dozen primary developers, a couple hundred bored hobbyists, and the occasional security researcher looking at the built ROM and the source code. Between the diff against Android and the massive number of eyes on Android's source trees, a lot of people have to be involved in a conspiracy to mess with my phone for there to be anything intentionally-malicious in there.

    I like OnePlus, but I'm not going to run their OS just so it can repeatedly try to sell themes to me. If there was a Lineage ChromiumOS, I'd put that on my Chromebook.

    1. Re:I use LineageOS by rickb928 · · Score: 1

      "I don't have the time or resources to personally-inspect the source code"

      "everybody sees it and sees the build process,"

      So you don't trust or inspect the code, you rely on others to do that. In other words, choose one community over the other.

      Ok, in other words, you trust that community more than you trust the manufacturer and Amazon.

      Which I understand, but I'm curious - You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?

      Not that they can be presumed to be nefarious, but when I write that I 'understand', I do not necessarily agree or approve.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    2. Re:I use LineageOS by bluefoxlucid · · Score: 2

      > You have some rational basis for that trust, beyond the size and presumed motivations/ethics/history of that COMMUNITY?

      One community is a corporate culture that builds an OS image in-house, publishes it for their particular phone, and gets scrutiny when someone decides to try to dismantle the binary image on their particular phone or snoop what's going out the cellular radio. Their OS can hide what's going out the radio, so they need a logic analyzer or specialized radio equipment (lots of effort, not necessarily lots of cost, enormous technical expertise). They can start with an open-source asset and modify it to their taste, and mostly restrict inspection--especially of their own source repositories--to a small number of eyes. You can even have most developers not know about some parts of the code, because they simply have no reason to inspect the entire code base.

      The other is working out in the open. They publish binary images for hundreds of different phones, built from the same source. They're liable to inject the same Trojan horse into several, if not all, models if they're being nefarious. Their repositories are open, and so we can do a spot-check of differences between their code repositories and the official repositories. The official repositories are high-profile; the derived, open-source repositories are also high-profile, but less-so; even security researchers are significantly interested in what's going on with this stuff, and have the ready opportunity to examine it. Hiding things is more-difficult.

      The likelihood of getting caught is higher for one of these than the other.

    3. Re:I use LineageOS by JohnFen · · Score: 1

      This.

      Any smartphone that I haven't placed my own OS on is a smartphone that cannot be trusted to even a minimal extent.

    4. Re:I use LineageOS by JohnFen · · Score: 1

      > Ok, in other words, you trust that community more than you trust the manufacturer and Amazon.

      I do, too. It's a matter of a combination of incentives and track records.

      Commercial corporations have no incentive to make my personal well-being and privacy a priority. They prioritize profit. And the track record of commercial entities makes it very clear that they adhere to those priorities.

      Hobbyist communities have very different incentives and priorities. I don't think that they can be trusted completely, either, but the track record for them is vastly better than for companies.

  2. BLU, Adups, and MediaTek by Zombie+Ryushu · · Score: 1

    I have a BLU Studio 5.0C, and it's rooted, and I removed ADUPS. However the version of Adups it used was not the version that was stealing people's info. I really like the quality of the Phone I have. I don't like that it has a MediaTek Chipset for which there is no Lineage OS Build.

    BLU Needs to cough up Specs and Drivers to the Lineage OS Community, and start selling LineageOS on their phones, and don't put ADUPS on their Phones. They need to make amends with the Android Community. Because what they have been doing is selling people's personal info to the Chinese by using ADUPS.

    1. Re:BLU, Adups, and MediaTek by JohnFen · · Score: 2

      > However the version of Adups it used was not the version that was stealing people's info.

      It's not the version that made the news, perhaps, but do you have any reason to think it's any different in terms of spying?

  3. What they mean by Zontar_Thing_From_Ve · · Score: 3, Insightful

    "All user data is obtained without their permission, sure, but it's sent securely via encrypted transmission methods. Further, I assure all of our customers that the Chinese Communist Party servers that keep and analyze this data are under the highest security standards and the CCP does not share its data or findings with outside parties. So there is nothing to worry about. Our phones are doing exactly what our masters in the CCP are requiring them to do and doing so in a very secure manner."

    1. Re:What they mean by thegarbz · · Score: 1

      I actually feel a bit better about this than say a Samsung TV sending your data unencrypted to anyone willing to cough up a dollar.

  4. Re:Nanny-State Amazon by Oswald+McWeany · · Score: 4, Insightful

    > News at 11. Amazon is going to suspend sales of Amazon Echo; followed by suspending their entire online shopping site due to "potential" security issues. Almost everything has potential security issues (other than a block of concrete 10 feet under), but as a customer, it's my right to make that trade-off.

    As a customer it is your right to make that trade-off. You don't have the right to demand that Amazon be the one to sell it to you though.

    It's your right to buy clam chowder but McDonald's doesn't have to sell it. It's your right to drive a Toyota Corolla, but your Honda dealership doesn't have to stock them. You're perfectly in your right to buy and wear a Rolex, but Walmart doesn't have to have one waiting for you to buy.

    Amazon has the right to choose not to sell BLU phones just as McDonald's has the right to not sell Clam Chowder.

    I'm sure they don't want to be associated with spyware, or have negative customer satisfaction from people that buy those phones and incorrectly blame Amazon for selling them a spyware ridden phone. You may not blame Amazon but plenty of less tech savvy people would.

    --
    "That's the way to do it" - Punch
  5. Obviously: what about the rest? by houghi · · Score: 2

    ALL the phones phone home. So are they going to block them as well, or is that OK, because it is not China, but companies?

    TBH, I am not sure if it is better to give my data to China or to Google/Apple/Windows/Amazon/....

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Obviously: what about the rest? by JohnFen · · Score: 1

      You're engaging in a false equivalency. All spying is bad, but some is worse than others. In this case, what Adups does is far worse than what any other company, even Google, does (that I'm aware of). It has nothing to do with being Chinese.

      In fact, it wasn't all that long ago that a firestorm erupted when it was discovered that several US carriers had installed very similar software in US phones.

    2. Re:Obviously: what about the rest? by antdude · · Score: 1

      I wish we had installable and controllable firewalls. I use firewalls on my home computers that let me customize rules for the networks. I hate software that phones home for no reason.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:Obviously: what about the rest? by thegarbz · · Score: 1

      > or is that OK, because it is not China

      Well ... yeah. Security and privacy are not binary. There are many things I couldn't care less about one nondescript entity knowing that nonetheless I would not want sent to another.

      Some spying is worse than others.
      Some actors doing the spying are worse than others.

    4. Re:Obviously: what about the rest? by postbigbang · · Score: 1

      It's Google's handy design flaw of Android. Oops, little leak there.

      Indeed, should you check with Appthority and others, you'll find that the misbehavior is mind-boggling.

      But here's the part that makes me crazy: no one gives a shit. They believe it's the price they pay. The technologists have been shown time and time again that people are sheep. They follow the herd. The herd hasn't the capacity to fathom what data mining in China means, and so because it goes over their heads, it's a whoooosh situation. So the fuckers keep doing it, and each day, a few heads rise up and yell, WTF? Those heads make easy targets.

      --
      ---- Teach Peace. It's Cheaper Than War.
  6. Re:Breaking News! by __aaclcg7560 · · Score: 1

    Not sure. But the Amazon Dot were selling like hotcakes on Prime Day.

  7. Re:I may be wrong about this... by Zombie+Ryushu · · Score: 4, Informative

    BLU Phones are Easily Rootable, and until the R1 HD, did NOT have locked bootloaders that prevented the installation of TWRP Recovery. However, Because they used MediaTek Chipsets instead of Qualcomm, they were GSM Exclusive. (Meaning: No CDMA because Qualcomm has a Patent on it in the US.)

    That means AT&T and T-Mobile only (and their Associated MVNO carriers.) No Verizon, and no Sprint. CDMA is very pervasive in the US.
    Most LineageOS (formerly Cyanogen Mod) Programmers are from the US, so because of that MediaTek based Phones are a Tiny, Tiny, Tiny Minority. Wal-Mart Stopped carrying BLU Phones in the US because People would buy them, find out they were on a CDMA Carrier, (Sprint, Verizon) and then Wal-Mart would be swamped with Returns.

    BLU started locking the Bootloaders with the R1 HD due to the Lock Screen ads. People removed the ads, and denying them ad revenue seemed like theft to BLU.

  8. BLU is a POS by Khyber · · Score: 1

    The ONLY thing good about most BLU phones is that the touchscreen still functions after the screen cracks.

    Oh, and the FM radio is at least guaranteed to work.

    BT support sucks, hardware is RAM-starved, they rarely not do system updates, the list goes on and on...

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:BLU is a POS by AvitarX · · Score: 1

      The "high end" BLU phones are pretty decent and a great price.

      I got a Studio Energy 2 for $120 or so new, and it worked fine with its 1.5GB

      I currently have a Life one X 2, and it has 4GB, and fast charge, was $180

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  9. Amazon doesn't know what it's talking about. by freeze128 · · Score: 1

    Amazon stopped selling the phone because of "a potential security issue" because an app on the phone collects data and sends it to China without the user's consent. Well, obviously, that's a *PRIVACY* issue, not a *SECURITY* issue.

    1. Re:Amazon doesn't know what it's talking about. by Teckla · · Score: 2

      Seems to me that privacy issues are a subset of security issues.

    2. Re:Amazon doesn't know what it's talking about. by JohnFen · · Score: 1

      > that's a *PRIVACY* issue, not a *SECURITY* issue.

      Privacy issues are security issues.

  10. Re:Nanny-State Amazon by fph+il+quozientatore · · Score: 2

    > I'm sure they don't want to be associated with spyware

    You mean the Amazon that is marketing a device with a permanently-on microphone that listens to what you are saying and sends it to their servers? Yeah, I am sure they don't want to be associated with spyware.

    --
    My first program:

    Hell Segmentation fault

  11. There are gradations by XXongo · · Score: 5, Insightful

    There are gradations in privacy. The fact that I'm ok with having some small portion of my data used by corporations whose services I utilize does not mean that I'm ok with massive violation of privacy without any notice at all by some other corporation.

    What the Blu phone does is way over the line. They are not only secretly sending data to China, they have "a command-and-control channel that can execute code on a user’s phone as a system user."

    This is not merely "spyware"-- this is actual spying, by a foreign power.

    http://www.cbsnews.com/news/researchers-find-phones-secretly-sending-data-china/

    1. Re:There are gradations by JohnFen · · Score: 1

      > This is not merely "spyware"-- this is actual spying, by a foreign power.

      Agreed, although I'm not sure that "by a foreign power" is actually meaningful. Spying is spying, and it doesn't matter much whether the entities doing it are part of the same nation as you.

      It does matter a little, though. If I have to be spied on, I'd rather it be by China (who has no real power or authority over me) than the US (who does).

    2. Re:There are gradations by Kernel+Kurtz · · Score: 2

      > If I have to be spied on, I'd rather it be by China (who has no real power or authority over me) than the US (who does).

      Exactly! If you are the government, or a corporation then foreign spies are indeed the biggest concern, but if you are an individual, your own government has far greater potential to mess with your life than most any foreign country. The Russians and the Chinese don't care if you order bongs online or donate money to radical groups or gamble on illegal sports or whatever.

      Only your own government is uniquely positioned to use their spying against you.

    3. Re:There are gradations by Kernel+Kurtz · · Score: 1

      > The NSA and CIA have their hands full trying to spy on the entire ME, China, NK, Russia, Europe, and just about any other country of note and hardly have the time to spy on a bunch of twits who also claim using Facebook qualifies as a technical job skill.

      Actually we all know the NSA and CIA happily share information they obtain by mass spying with local law enforcement agencies for offences that have nothing at all to do with national security.

      The police call them "anonymous tips".

    4. Re:There are gradations by JohnFen · · Score: 2

      > There is a 99.999% chance that you never do anything that would warrant anyone spying on you

      True, but that doesn't stop them. The US, for example, isn't at all shy about the fact that they spy on all of us.

      > Google represents the number one threat to everyone's privacy. After them come the 10000's of commercial companies who either collect your data themselves or just buy your life story from some other commercial enterprise that has better capture technology.

      Exactly correct! Although I'm at a loss as to why you're so eager to give Microsoft a pass on their spying. There's no such thing as "anonymized", and the amount they try to collect is the exact opposite of "small" -- although they, like Google, etc., graciously allow you to reduce -- but not eliminate -- the scope of their spying.

      Also, just because some entities spy more than others doesn't mean that it's OK for anybody to do it. I reject your implication otherwise.

  12. Re:Nanny-State Amazon by cfalcon · · Score: 2

    > calling them out as huge hypocrites when they sell plenty of other privacy invasive products

    I don't think it is hypocrisy. The really invasive companies such as Google and Amazon have written in a lot of stuff, and spent a lot of money on lawyers, to handle data in aggregate, in ways that aren't supposed to invade our privacy, but still let them do targeted ads. This nuance is lost on you and me, sure (I, and probably you, want nothing to do with their endless parade of data hoarding), but it's still a real cost that they pay and it represents real restrictions on what they do with their data. Without even this basic assurance, it's a non-hypocritical position for a data conglomerate like Amazon to have issues with a company that does any of this secretly, and with open ended data usage (again, from a perspective like Google's, their data usage is not open ended, it is very constrained).

  13. Bold Like Us by spinitch · · Score: 1

    Part of the Bold experience, how to boldly offer a less expensive device. Facebook and many of Google's offerings are also free - gee, how generous - except the free is really a mutual exchange: your info for their experience. Just be upfront about it.

  14. Android is the worst thing ever. by Anonymous Coward · · Score: 1

    Truly horrible garbage. Any idiot who walks around with a brick of spyware in their pocket is no geek, but a buffoon.

    1. Re:Android is the worst thing ever. by OneHundredAndTen · · Score: 2

      Such an informed, well-measured, deep and balanced comment has all but convinced me, and probably millions of others.

  15. Re:This is hilarious by JohnFen · · Score: 1

    But it's not exactly the same. Amazon, Facebook, Microsoft, Google, etc., all tell you they're doing it (so you're making an informed choice if you use their services), and the amount of data they collect isn't as comprehensive.

  16. Shanghai Adups by slapout · · Score: 1

    Shanghai Adups = "Shanghai American Dups"?

    --
    Coder's Stone: The programming language quick ref for iPad
  17. Punctuation is critical. by 517714 · · Score: 2

    Fixed that for you: A company spokeswoman said at the time it "has several policies in place which take customer privacy and security, seriously."

    --
    The US government have made it clear that we have no inalienable rights; any we do not defend vigorously will be taken.
  18. Go ahead by MoarSauce123 · · Score: 1

    As if the Chinese have other means of stealing our data. I was well aware of that security issue and still bought an unlocked $50 Blü phone, which is kick ass awesome. Others make flagship phones for 10 times the price and still collect all data. Would I rather not have a gazillion companies and services spy on me? Sure, but US companies are not any better. Even the electric and gas companies insist on installing the meters outside of the house. They used to be inside and they had no problem driving by in their van to read them out. Now the world knows how much power and gas I use. How is that for privacy?