Secret Backdoor in Some U.S. Phones Sent Data to China, Analysts Say
mobile.nytimes.com
You cannot have privacy and security without free/libre software. While it doesn't guarantee privacy or security, operating systems that make an effort to build the system entirely from source without any proprietary components are much less likely to have a problem like this slip through the cracks of a large, active development community.
Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.
Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:
http://blog.replicant.us/2016/08/replicant-6-early-work-upst...
We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.
Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.
Regarding more secure versions of Android, what are your (or anyone's) thoughts on the following?
* CopperheadOS
* OmniROM
* PrivatOS, on Silent Circle Blackphones AFAIK
* The version on Blackberry Priv phones
I've also come across these, but don't know much about them:
* Cryptogenmod: I'm not sure this project ever went anywhere
* Chamelephon: http://chamelephon.com/
* GuardianROM: Discontinued?
* KeyROM by Mocana: Seems aimed at businesses that need secure Android. https://www.mocana.com/iot-security/keyrom
* Privacy phone by FreedomPOP: https://www.freedompop.com/theprivacyphone
And a couple probably not available to the public:
* OK:Android by General Dynamics: http://gdmissionsystems.com/cyber/products/trusted-computing...
* The OS on Boeing Black smartphones: http://www.boeing.com/defense/boeing-black/index.page
That's the old open source argument.
And while many things could most certainly be discovered by extensive, costly audits, that someone has to pay for...
OS code bases are huge.
How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
Not very, I think.
If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.
The source code is not the only condition for security. However, it drastically decreases the threshold for audits. People can even run a crowdfunding campaign and pay professionals, as was done with TrueCrypt.
But even without such a campaign, evil developers would be in a constant danger that someone may discover a backdoor. It is a very unstable situation: just one person is enough to make a lot of noise, and everyone could be this person. And yes, people do read the sources:
https://www.fsf.org/blogs/community/who-actually-reads-the-c...
It's all about defense in depth:
https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...
> That's the old open source argument.
Indeed, so it's unfortunate that it doesn't get more discussion in situations such as these.
> How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
More difficult than it would be with proprietary software, where anyone at any time can add malicious code that may never even be discovered over the lifetime of the device.
Free software doesn't prevent malicious actors from contributing malicious code, but it certainly improves chances. It also makes such a move very risky. Just as laws are a deterrent for many crimes, so is public scrutiny.
> How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
In a fully free OS, this app would have been built from source. So the same arguments apply.
> If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Again, it improves chances. Here's a good example from Replicant:
http://redmine.replicant.us/projects/replicant/wiki/SamsungG...
> Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
Sure, but that's not an excuse to throw our hands up and not worry about the security of the software running on it. The OS might even be able to itself mitigate certain things (e.g. the Samsung backdoor mentioned above).
This issue also exists on PCs:
The promise of reproducible builds divides-and-conquers the system, allowing us to validate individual components. From there, we need to be concerned about how well the source code for each component is managed.
Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk.
Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.
I have a Chinese Android phone. Instead of connecting it to the Internet I connected it to my computer over Bluetooth and started monitoring the traffic it tried to send. There were attempts to connect to Google servers and the Chinese manufacturer's servers. The data sent to China was supposed to contain sensitive information like the phone number or SIM card identifier.
It also has an auto-update (read: backdoor) feature that cannot be disabled.
I ended up making a Linux-based whitelist firewall to access the Internet, but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
As a consumer I am very disappointed and feel deceived by Google. I know about the "you are the product" saying, but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that the smartphone is going to spy on me.
We need a law against this.
"And I can use it only at home."
In other words you can use it only on a network you control.
In other words, at home you can use your own router; you can set the gateway as a computer that you control.
Correct?
What if you had a portable gateway, one that could travel with you?
We now have Apple devices, Google/Android devices, Microsoft devices, and the majority of apps all phoning home. It is routine. No one cares. Right.
We may not be able to run the latest device purchased from major retail sources using open source, user-installed OS (UNIX).
But what we can do with UNIX is build our own routers from inexpensive hardware, including older hardware, and use these as our gateways.
To do this, no one needs Apple, Google or Microsoft's assistance. We have what we need.
It is easy to do at home, but what I would like to see is more travel-sized routers which can be driven by user chosen and user installed bootloader and user chosen UNIX-like kernel.
The aim with these efforts is control, not impressive hardware specs.
Proprietary hardware and locked bootloaders will always have the most impressive hardware specs on their side.
But to get those things, the user has to sacrifice some control.
> In other words, at home you can use your own router; you can set the gateway as a computer that you control.
Yes.
> What if you had a portable gateway, one that could travel with you?
I can rent a VPS and connect through it using "Always-on VPN" option (I did it once and it worked). But then I have to pay for a server monthly in addition to the mobile plan. It is not that expensive but I would prefer just having access to iptables and being able to install my firewall on a phone.
I might be wrong but on Windows you can at least install a firewall. At least you could on earlier versions.
> I can rent a VPS and connect through it using "Always-on VPN" option...
Still though, you have to worry that the hosting provider is taking adequate measures to protect your data, as well as also not secretly spying on you. I've worked with enough hosting sysops making trivial errors with their OVZ/KVM setups to realize that some VPS providers are about as secure and resilient as a power grid made from discarded toasters with forks shoved in them.
The OP, instead of doing all this, could get another phone supported by AOSP or Cyanogenmod ROMs.
> As a consumer I am very disappointed and feel deceived by Google.
Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?
And Google advertises Android as a free, open source, Linux-based OS. "Open" is supposed to mean I can do whatever I want with it, but in fact I cannot even access iptables.
Jailbreak a phone and you can surely do whatever you want on it. Other than that it's not Google's fault how a manufacturer customizes the software.
If it is an Android phone with Google Play store then it is definitely Google's fault. Maybe Google should stop manufacturers from installing Android on their phones when they are doing things like this.
You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible and in return they get more advertising dollars.
The phone has Google Services including the Play Store (which I never used because it needs a Google Account, so I download software either from F-Droid or from apkpure). But I don't know if it is licensed. It is a no-name Chinese manufacturer that probably doesn't care much about American copyright (and the GPL too, because I could not find any links to Linux kernel source code on their website).
> You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible
Google could allow controlling the firewall on Android (and getting root access). The only reason they don't do it is because then users would be able to block tracking and advertisement.
> If it is an Android phone with Google Play store then it is definitely Google's fault. Maybe Google should stop manufacturers from installing Android on their phones when they are doing things like this.
If it's GMS Certified, sure.
It's possible (common even) for some shady OEMs to install Google Play Store, despite not being GMS certified. Asking them to prevent that is a lot like demanding a stop to all software piracy.
> because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible and in return they get more advertising dollars.
And why exactly is that bad?
Because Google has no incentive to fix the issue.
It's not their issue to fix.
Do you demand Microsoft take action because say Lenovo installs superfish?
You make Lenovo fix it instead of a tangentially related company like Microsoft.
Same thing here. It's not a Google issue.
Microsoft has to address the amount of crapware vendors ship and the permissions they have, and definitely plays some games of chicken with them to try to keep Windows market share.
While it makes sense to hit the vendors directly to the extent possible, it also costs these platforms trust when most of the ways users end up with them have them compromised from day one. I.e. do I give relatives a list of vendors I think might be safe to use without a complete wipe and fresh install? For windows that is impossible.
Unlike Google (that "is not evil"), Microsoft allows the user to gain administrator access and install a firewall on Windows.
"Open" means the re-distributor can do whatever they want with it, as long as they pass along the source under the same license. Software licenses with strings attached like "you must let end-users access the iptables" are emphatically nonfree.
Actually, licenses like the GPLv3 have been actively trying to prevent this in certain cases [1]
Upvoting because you are absolutely 100% correct (and because I'm trying to help prevent HN from becoming more like Reddit where everyone "downvotes to oblivion" statements they don't like).
Google could provide easy ways to control Internet traffic and to gain root access. For example, they could grant access to the built-in Linux iptables, which doesn't cost anything to implement. And Google is easier to influence than a no-name Chinese company.
Or they could not sell Android licenses to companies not respecting consumers' privacy.
Even if I got refunded, what would I buy instead? Free market doesn't work here and all major manufacturers have some form of tracking and preinstalled software built in. It looks like the only way is to buy a backdoored proprietary device and replace a ROM (and then solve all kinds of problems with hardware not working properly or battery getting drained).
> Google could provide easy ways to control Internet traffic and to gain root access. For example, they could grant access to builtin linux iptables which doesn't cost anything to implement. And Google is easier to influence than noname chinese company.
And the manufacturer could simply unroot the phone and lock its bootloader. At the end of the day it's the phone manufacturer that controls the product, even if Google tries to prohibit such practices in its contracts.
My phone has an option to unlock the bootloader. But it would take time to find or build a custom ROM, install it, and solve all kinds of problems with drivers and hardware.
And generally it is a pretty decent model. It sends some data home, but at least it doesn't have preinstalled adware like another Chinese tablet I saw (that displays an ad over the browser window and tries to disguise it as part of the web page).
Then do not buy such hardware. Do your homework, search, or ask XDA before buying a phone/tablet. Or just get a Nexus, or look at CopperheadOS.
> Instead of connecting it to the Internet I connected it to my computer over bluetooth and started monitoring the traffic it tried to send
How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).
Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
> I ended up making a linux-based whitelist firewall to access the Internet but it is pretty inconvinient because I have to manually enable every new host. And I can use it only at home.
A VPN with a firewall might be easier.
I imagine you just turn cellular off and only use Wi-Fi or LTE. A lot of these backdoors are poorly constructed and wouldn't check to see if they're on a cellular connection.
I used a Windows laptop with Bluetooth and a Linux machine in VirtualBox (which also provides a virtual internal network). I physically disconnected the laptop from the Internet and used the standard Windows "share Internet connection" feature to "share" the virtual network via Bluetooth. So Windows thought that the Linux VM was the Internet gateway and provided DHCP service to the Bluetooth network. The phone connected via Bluetooth, got an IP address, and all its traffic was redirected to the virtual machine by Windows. Once you get traffic to go to the Linux machine everything gets easy (if your host OS is Linux you can skip some steps and obviously you don't need VirtualBox).
I used Wireshark on Windows to check that everything was set up correctly and to see what kind of requests the phone makes.
You can use WiFi instead of Bluetooth the same way. You only need to use the "hotspot" option, provide DHCP to the phone, and set your Linux machine as the gateway. Probably you can do that with a router too, for example if you connect its WAN port to your Linux machine or set up traffic redirection.
On Linux I redirected traffic from the phone to localhost on ports 53 (DNS) and 80/443 (HTTP) and rejected any other traffic (there were some requests to time servers, sent by the DRM component of Android). I also ran a DNS server (dnsmasq) and a Squid HTTP proxy that can process redirected traffic (Squid can also generate certificates to decrypt HTTPS traffic, which was very useful, though it took some time to find the correct settings). I set up dnsmasq and Squid to serve requests based on white and black lists.
After I did some tests I found another, easier way to capture traffic from an Android phone. Android has a useful "Always-on VPN" feature that sends all traffic through a specified host (and doesn't allow any network access until the VPN connection is set up). You only need to set up IPsec on a Linux box (I used strongSwan). I used the "Always-on VPN" feature to redirect traffic to my VPS while using the mobile Internet connection.
> Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage?
I physically disconnected a laptop from the Internet and monitored the traffic on a bluetooth interface with Wireshark. The phone did not have a SIM card inside so it could not connect to a mobile network.
> For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes affect.
This can be detected using my setup. But if software is programmed to send some data only via mobile network and not via WiFi/bluetooth then it is more difficult to detect. You would need to set up a fake BTS (using OpenBTS for example) to capture that traffic. You would need special (not very expensive) SDR hardware in this case.
> A VPN with a firewall might be easier.
I ended up with the same idea. I even wrote a simple PHP app to manage black and white lists and view logs.
Thanks for such a helpful and detailed response; I really appreciate it and I bet I'm not the only one.
Where did you buy that phone from and what brand was it?
I was under the impression that the US does not allow selling Android phones from most Chinese brands due to the reasons you mentioned, and for those that are allowed, they have strict vetting procedures to prevent phones with such capabilities from reaching the US market?
The manufacturer's name is Shenzhen Huafurui Technology, if that tells you anything. The brand name is Cubot. I do not live in the US, but one can buy this kind of phone on Amazon (if you search for the manufacturer's name there you can find it is even cheaper now).
It is good to hear that in some countries importing such phones is not allowed.
Is there any real difference between buying on Amazon from a non-major brand and buying on Alibaba?
Seems like for items that involve things you care about (kids, your personal data), you take your chances buying from a vendor who might be a fly-by-night and in a jurisdiction that doesn't care about your local country's laws.
Did you search the web to see if there is a clean AOSP or Cyanogenmod recompilable ROM before buying?
Sorry to hear about your experience. Next time you'd be better off buying from a more established brand if you are going to buy a phone of a Chinese brand. Chances are, if they are officially selling outside China, they would have met some of the requirements from the respective countries. I know Europe and the US have strict privacy laws and that's why you can't buy such phones through official channels.
Unless you've purchased phones from all the "more established" brands and verified whether they're sending data, this is hardly sound advice.
"More established" brands have a history of leaving secret backdoors and phoning home just the same as the Chinese devices.
One was discovered in a range of Samsung devices just a couple years ago. Lenovo, same story, spyware and garbage hidden deep within their gadgets.
The only solution is to take a chance, buy a device, test it. If it's backdoored, return it if you can, and call them out on HN/Amazon reviews, etc.
That seems rather pessimistic. If you really don't trust any brands, what's wrong with directly buying from the tech companies instead of the manufacturers? Like Google Nexus (Pixel), Microsoft Windows Phone and iPhone. They are supposed to be the industry standards for how to do privacy correctly.
When a simple Google search reveals the exact pattern mentioned occurring again and again, not just with phones but with networking gear, laptops, TVs, IoT devices, CDs (Sony rootkit anyone?), and websites loaded to the max with trackers and secret downloads onto people's machines, it moves from pessimism to "this is just how it works."
The price of freedom is eternal vigilance. You want crap free gadgets, make them sell crap free gadgets by ratting them out when they sell gadgets loaded with crap.
I am okay with the skepticism you have here but is there really a reason to create two throwaway accounts just to reply to me?
Do you happen to know me in real life? I can't think of another reason for this.
No one should have to justify wanting to remain private/anonymous.
What standards are you talking about? I don't know of any. AFAIK, the standard is to monitor users and collect as much data on them as possible. The whole Internet runs on that model.
The market could be driving that. If you don't spy on a user then your competitor would, and get ahead of you (and get additional profit from selling the data or showing relevant advertisements).
Microsoft didn't have any telemetry in earlier days. Now they have turned to the dark side.
Even if I bought a Samsung (that is an established brand, isn't it?) or Apple phone I still would have to trust the manufacturer that it would not spy on me even if requested by the NSA. I know that Samsung adds additional software into Android; they might have some kind of analytics too.
Have you not heard of OnePlus?
Yes, I know. I mean most brands, notably ZTE and Huawei. I am sure OnePlus is an exception here and does not fall into the category of phones with such capabilities otherwise it would have faced similar destinies as ZTE and Huawei. Anyway, I edited my comment to reflect that.
Is OnePlus a good phone? Been wanting an Android phone but can't seem to settle on one
Yes. I replaced my Nexus6 with a OnePlus3 ($400) because paying the Pixel's price ($950) would have made me feel like a sucker. The screen is excellent, and there is a wide variety of ROMs to choose from.
Where on earth did you get that impression?
Are there are any consumer protection laws that would help here, for example, to obtain a full refund if it is proven that a manufacturer and retailer sold you a product full of spyware?
I am not a lawyer. Usually consumer protection laws protect only against not providing advertised features. There might be something related to privacy laws, but I am not sure how they work internationally.
I'm not sure what device you have, but there is a better than even chance that simply changing your rom will remove the spyware.
I am considering this, but it would take time to find and configure all the necessary drivers and build the ROM.
You feel deceived by Google for buying a cheap Chinese made phone? What other things do you feel deceived by Google? Buying a car from Ford that always breaks down?
Google is developing software for cars so maybe soon it will be inside Ford cars too. Of course with Google Analytics preinstalled.
The elephant in the room is of course the amount of data that is sent to the U.S. from phones in the rest of the world. Hardly a surprise that China is getting in on the action too.
Exactly. When an address book is sent to every company that makes an app it's business!
When the same is sent to China, it's outrage?
Ditto with auto-updates.
I'd be glad if I could control much more of my data exposure. But business.
I am also a little curious about what the manufacturer (or by extension the PRC government) could do with data from a phone in the US? I actually prefer my backdoors to open to Beijing... they aren't likely to share, and they aren't in a position to do anything to me (I would obviously feel differently if I was a Chinese citizen).
Well before smart phones, computers all over the world have been calling home (to the USA).
Does anyone regularly audit devices and apps with something similar to a web proxy, to see where they talk to during the course of normal usage? This seems like a decent low-hanging fruit (well, relatively speaking).
I also remember there used to be application firewalls in windows that kept track of the connections that each application made and if any of them contacted a new server, they'd ask you for permission. I don't think most folks used them because in the end they kept asking a lot of questions that the users didn't necessarily know how to answer, but I wonder if it wasn't such a bad idea after all, and whether the "default" choice could be mined from other users' settings.
Yes, they do. You can use Fiddler or similar as a web proxy for mobile apps. Stuff has been found like this - https://www.troyhunt.com/controlling-vehicle-features-of-nis... and I recall there's been several more but I can't recall the details.
We can do better. Auditable open source and reproducible builds are security and privacy differentiators. They make shenanigans like these more difficult to pull off and easier to investigate.
Hardware and firmware are still usually closed though.
You need to start.
Hi guys, I'm one of the researchers with Kryptowire, if you have any questions.
How can someone detect if their phone has this backdoor installed?
The thing is these are system apps, so not easy to analyze unless you're root. What you can do is observe your device traffic and see if any of these domains are pinged:
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn
Then check the content of the POST request (usually to url/mobileupload.do).
Sir, this is HN. You may assume we are root.
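The check described above (watch captured traffic for the listed bigdata.* domains and POSTs to mobileupload.do), combined with the dnsmasq/Squid whitelist approach from earlier in the thread, as an added example that is not from the thread or from Kryptowire. The log lines are constructed to mimic dnsmasq query logging and Squid's native access.log format, and the WHITELIST is a hypothetical allow list.

```python
"""Flag Adups-style phone-home traffic in captured DNS/proxy logs.

Added example, not code from the thread. The four bigdata.* domains and
the /mobileupload.do path are the ones named in the thread; everything
else (sample lines, WHITELIST) is constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Collection endpoints named in the thread; subdomains are matched too.
ADUPS_DOMAINS = {
    "bigdata.adups.com",
    "bigdata.adsunflower.com",
    "bigdata.adfuture.cn",
    "bigdata.advmob.cn",
}
ADUPS_UPLOAD_PATH = "/mobileupload.do"

# Hypothetical allow list: hosts the phone is permitted to reach.
WHITELIST = {"f-droid.org", "time.android.com"}

# dnsmasq "log-queries" line fragment: query[A] host from client
DNSMASQ_QUERY = re.compile(
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
# Squid native access.log: ts elapsed client action/code size method url ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample capture: one phone (10.0.0.2) behind the gateway.
SAMPLE_LOG = """\
Nov 15 10:02:11 dnsmasq[412]: query[A] f-droid.org from 10.0.0.2
Nov 15 10:02:12 dnsmasq[412]: query[A] bigdata.adups.com from 10.0.0.2
1479204132.447 120 10.0.0.2 TCP_MISS/200 842 POST http://bigdata.adups.com/mobileupload.do - HIER_DIRECT/203.0.113.10 text/plain
1479204133.101 31 10.0.0.2 TCP_MISS/200 2217 GET https://f-droid.org/repo/index.xml - HIER_DIRECT/203.0.113.20 text/xml
1479204140.512 15 10.0.0.2 TCP_TUNNEL/200 0 CONNECT bigdata.adsunflower.com:443 - HIER_DIRECT/203.0.113.30 -
1479204141.003 22 10.0.0.2 TCP_MISS/200 64 GET http://example-telemetry.invalid/ping - HIER_DIRECT/203.0.113.40 -
""".splitlines()


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_dns(line):
    """(kind, client, host) for a dnsmasq query line, or None if benign."""
    m = DNSMASQ_QUERY.search(line)
    if not m:
        return None
    name, client = m.group("name"), m.group("client")
    if host_matches(name, ADUPS_DOMAINS):
        return ("adups-dns", client, name)
    if not host_matches(name, WHITELIST):
        return ("unlisted-dns", client, name)
    return None


def classify_squid(line):
    """(kind, client, host) for a Squid access line, or None if benign."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    url = m.group("url")
    # CONNECT lines carry "host:port" with no scheme; urlsplit needs "//".
    parts = urlsplit(url if "://" in url else "//" + url)
    host, client = parts.hostname or "", m.group("client")
    if host_matches(host, ADUPS_DOMAINS):
        if m.group("method") == "POST" and parts.path == ADUPS_UPLOAD_PATH:
            return ("adups-upload", client, host)  # the upload the thread describes
        return ("adups-http", client, host)
    if not host_matches(host, WHITELIST):
        return ("unlisted-http", client, host)
    return None


def scan(lines):
    """Run both classifiers over a log; return the list of findings in order."""
    findings = []
    for line in lines:
        finding = classify_dns(line) or classify_squid(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for kind, client, host in scan(SAMPLE_LOG):
        print(f"{kind:14} {client:10} {host}")
```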
This seems very similar (or perhaps even worse) than the fact pattern in the HTC/Carrier IQ case. https://www.ftc.gov/news-events/blogs/business-blog/2013/02/...
Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?
We did work with DHS and notify all the parties ahead of the press release. We also remember Carrier IQ! We have a comparison table here: http://www.kryptowire.com/adups_security_analysis.html
So you didn't tell the Federal Trade Commission, even though they previously investigated (and punished) HTC for doing something similar?
Curious, do security researchers typically liaise with the FTC when vulnerabilities are discovered? This and your parent comment seem to imply a 'yes' but this doesn't seem like an obvious connection (to me at least). I would expect the first point of contact at DHS to flag this for other agencies' attention if they felt it was necessary. Should DHS feel territorial about this and be reluctant to contact outside agencies that's on them, not the researcher.
I wonder if many security researchers know to routinely shop their findings to multiple agencies independently. It doesn't seem like this is common knowledge.
DHS is a law enforcement agency, which regularly uses surveillance techniques, some of which exploit security flaws in devices and software. When you share information about security flaws with DHS, you're sharing them with ICE and the Secret Service.
The FTC, in contrast, is a consumer protection agency. They don't kick down doors and they don't arrest people.
And yes, many security researchers have shared their prepublication research with the FTC.
From the article: "Kryptowire took its findings to the United States government. It plans to make its report public as early as Tuesday."
Can you share the report yet?
Not sure about our policy for sharing the report but we have a slightly more technical version on our blog: http://www.kryptowire.com/adups_security_analysis.html
Hey duked. I just returned from Hong Kong (on vacation) and used two BLU Advance 5.0 phones as burners for use while in-country. I take precautions whenever I travel overseas.
I've got two phones here that were used during my trip there. I was wondering if you had any tips for figuring out if they were compromised or otherwise owned while I was out there.
Hi, our findings are specific to the BLU R1HD. What you can do is have man in the middle proxy for your device and look at the traffic. Funny enough we actually bought the R1HD for the same reason as you... We had a conference in Taiwan and wanted a burner and BLU looked awesome for the price ;)
That was my thinking as well.
I do INFOSEC for a living and needed to make sure I wasn't bringing back any compromised devices when I returned. So far, the two phones have remained powered down while I come up with a plan to examine them.
It would be interesting to see if they are loaded with malware out of the box or if there is something going on when they are used in country.
You can start by not buying cheap Chinese Android phones and hoping for the best.
Slightly off topic: but doesn't backdoor mean that there's a particular party that has control over the backdoored software? Here it sounds like the device is calling home... or is that sufficient to be called backdoor?
Yeah, backdoor usually means that the device accepts credentials from a third party, and not sending them reports.
I suppose you could interpret this "backdoor" as third-party access to the data, rather than to the device.
I used to analyze mobile malware and the line of what was OK and what wasn't really came down to how big the company was. If it was an unknown firm set up as analytics / advertising, it was fine to block. If it was a mega analytics / advertising it was not malware because it was a massive company.
Funny how this follows right after this: https://www.theguardian.com/world/2016/nov/14/china-threaten...
>Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, AmericanExpress...
Consent. The big difference is consent.
Do not use the Internet. Do not use phones. Do not use bank accounts. Do not travel by plane. Do not enter public spaces. Do not show your face.
Otherwise you accept our Terms of Service.
Thank you for trusting us.
(Is it just me or is it actually very hard to figure out whom I've given consent to do something with something that is mine?)
>(Is it just me or is it actually very hard to figure out whom I've given consent to do something with something that is mine?)
Reading and understanding EULAs for every tool you use is a full time job that requires a law degree.
Even in the age of the internet there is still a thing called the "warranty of merchantability" which says the thing you buy should be the thing you expected to buy. A stereo should play music, a phone should be a phone, a pizza should be a pizza.
Somehow the USA manages it so that almost every key IT corporation has its headquarters in the States sooner or later.
I think that's because the market is more mature and people adopt things quicker, so it's easier to sell more at the beginning of a business.
The big market and financial strength is one important factor but I believe that there are quite a few other forces at work which are not so obvious.
Do you have any hypothesis on the potential forces at work?
Sorry, I can't provide you with any good hypotheses. I'm just looking at what is known, assuming that if something is of statistical significance without an obvious cause, there is probably something going on that we don't see. Yet, correlation is no proof of causation.
It's actually easier to believe this was by accident because in China there is no expectation of privacy.
If we don't really object to sharing our data with a wide range of U.S. companies, why would we care if it is shared with China or anyone else also?
Chinese companies are harder to monitor and learn about. More importantly, they are not bound by and/or are unlikely to follow any data privacy laws.
On the other hand, American companies don't seem to be bound by the laws that we think they are either.
As an example, I'll submit PRISM (while admitting that we're still not 100% clear on that) and the retroactive immunity provided to telecom companies.
Question for HN: I'm in the market for a new Android phone. If I want to avoid this sort of thing, are there manufacturers I should steer clear of?
> I'm in the market for a new Android phone.
Find a phone which has a large community around it, and lots of custom ROMs available. An official Cyanogenmod release is a good sign. It's also a sign that your phone will have a longer usable life than whatever the manufacturer promises you now.
Custom ROMs have a long history of extending the life of phones. For example the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough to make the point. Phones with good community support receive current versions of Android long after both Google and the manufacturer have stopped giving a shit.
To the people who say "you can't trust a random stranger on the internet making a custom ROM to be any more secure than the manufacturer ROM" you're right. If someone wanted to make a custom ROM with malware in it, there's a pretty good chance it may not be noticed.
If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.
I recommend that all my friends and family buy phones with good community support just to receive updates to ROMs like Cyanogen. The first thing I do when they say they're considering "Phone XYZ" is to look on XDA Developers[0] to gauge the level of community around the model. If it looks dead (e.g. look up any tablet based on the NVidia Tegra for what not to buy [1]) then I recommend they keep looking.
I've had really good luck with Chinese phones which are also sold in markets like South East Asia and India. There are millions of users of these phones, so the custom ROM community is quite strong. The hardware is also quite cheap, I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping, and it runs Android 7 thanks to community developers [2].
[0] http://forum.xda-developers.com
"If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want."
I wouldn't count on that either. It depends on how "interesting" you are to them; given their reach, I would be really surprised if some of these agencies don't have zero-days and/or backdoors stockpiled for high value targets.
Heck, they may even have cooperation from Apple. Apple claims they don't have a backdoor, and the FBI moans that they can't hack current iPhones.
But honestly, who can assure me that there is no national security letter (or other mechanism I don't know about) forcing Apple to cooperate, with a gag order forcing them to keep silent?
Who can assure me that the NSA et al. are not bribing, blackmailing, or using court orders on the three or four vocal security experts I can name (like Bruce Schneier, tptacek, Moxie Marlinspike, ...)? Everything they say on this topic might be manipulated, who knows.
There could be backdoors everywhere, in apps, hardware, routers, lamps, whatever. Occam's razor suggests that this is crazy, but then people found spam sending wifi chips in clothes irons, so I guess nothing is too far fetched.
If you suspect "they" might be out to get you, the only thing you can really do is to stay under the radar, and hope they don't notice you and target you individually.
If we turn completely cynical and tell everyone that all manufacturers are equal, we take away all incentives for them to actually try to protect their users' privacy.
Apple deserves some recognition for their attempts. At some point they were fighting several lawsuits seeking to protect their users, and were under massive attack by some politicians because one of the cases was a terrorist. That's quite risky – with the current political climate, being associated with one of the parties has the potential to cut your revenue in half.
The FBI may have ultimately gotten the data after buying a zero-day exploit, which is unfortunate. But Apple seemed to be winning in court at that time and the gov may have been quite happy to find a way to drop the lawsuits without losing face.
Apple also uses https://en.wikipedia.org/wiki/Warrant_canary, which may or may not be useful.
I keep wondering the same. And I keep thinking that by the time I became privacy conscious, I am already like 20-30 years late...
What can we do?
If your threat model includes a three letter agency, then don't use a phone.
I spent a day battling with getting a custom ROM on my Redmi 3 and gave up. In case anyone reads this: Xiaomi make amazing phones for the price. This $120 USD phone outperforms my S3. But getting a custom ROM on a Xiaomi is getting increasingly difficult - you have to ask for permission, jump through hoops to unlock the phone and sometimes it just does not work. Xiaomi is the Apple of China - great UI but increasingly closed ecosystem. Their OS is called MIUI, which is basically Android with more customization options (necessary for the markets they serve). It is a great phone and OS, but it is more complex than just flashing CyanogenMod (unfortunately).
This does not blanket apply to all Xiaomi devices. There are official builds of CM available for the Mi3, Mi4, Redmi Note 3, and a fully open source unofficial build for the Mi4C and Mi4S.
Unlocking their bootloader can be done officially through a request, or unofficially. Changing the recovery by replacing a single file in the EDL and retaining bootloader lock is also possible.
It took me a couple of hours to get an unlock granted, then the unlock was done in a couple of minutes - it does require reading the instructions, though.
After the unlock:
    fastboot flash recovery twrp.img
    fastboot boot twrp.img
    <A couple of swipes to install the previously downloaded .zip>
Same as Nexus.
Sounds great! Does Android 7 run smoothly and stably on this device?
Custom ROMs never run stable in my experience and that is why I have stuck with Google Nexus devices in the past.
Maybe if the phone is past its supported update lifespan then I would consider custom ROMs, otherwise I don't want to have to deal with these frustrations on a brand new device.
YMMV obviously but having used CyanogenMod for the past few years on various devices I've found it to generally exceed the stability of vendor-provided Android. Not to mention the better user experience and more rapid security patching.
"Custom ROMs never run stable in my experience and that is why I have stuck with Google Nexus devices in the past."
Coincidentally enough, the custom ROMs for the N4 and N5 are ubiquitous & surprisingly stable. My N4 running CM 10.1.3 has yet to crash or freeze w/out my fiddling with Privacy Guard (been fiddling with it for 2 years, became my daily phone only recently). The Sailfish OS ROM has come a long way and is still actively updated. Sure they're dated & SFOS is somewhat limited (and trust isn't quite on par w/ Maemo) but what else is there? Yeah, Neo900 was an admirable reboot attempt, but roadblocks have put them even further behind the curve.
Funny that, my experience is quite the opposite.
Nexus 6P (Marshmallow); any time I lost phone signal the messaging app would get itself stuck in a tight loop until it had to be force stopped. You'd think they would have tested that on a brand new device.
CyanogenMod has been great in the past, as you say, to extend the life of old phones. Quite stable too.
I have a custom ROM on my OnePlus 2, it's smooth like butter.
That's interesting - which ROM are you using?
Latest CyanogenMod 13 with Google Play minimal installed.
Not quite yet. There are still some issues to be worked out. [0]
It runs Android 6 (CM13) great, just in my opinion Nougat isn't polished enough for daily use.
[0] http://forum.xda-developers.com/redmi-2/development/rom-cyan...
Get a phone that supports CyanogenMod. Sure, the baseband still remains a black box and possibly backdoored, but at least you can get rid of most spyware/adware that comes preinstalled with Android. While we don't have a fully open source OS with open drivers for smartphones, you cannot trust any manufacturer.
Baseband concerns are legitimate. A good tinfoil hat approach is to use an iPod touch running an end-to-end encrypted messaging/calling app of your choice, connected to a secure hotspot. Cuts out most baseband vulnerabilities (since your data is encrypted before touching any hardware or software connected to a potentially compromised baseband).
All other concerns raised elsewhere here still apply, but the baseband threat is mitigated. Worth it...? Check that threat model again.
"A good tinfoil hat approach is to use an iPod touch running an end-to-end encrypted messaging/calling app of your choice, connected to a secure hotspot."
Yes, but it's not much of a phone if it's WiFi only. You could use any laptop for such a scenario as well.
You could, though the attack surface on a laptop is arguably much larger than that on an iPod. And considering most security-conscious users are unlikely to use a classical cellular phone call for a sensitive conversation, it's actually pretty comparable to a phone, considering your hotspot can be as dumb as you like. An iPod + a prepaid portable hotspot is a damn sight more usable on the go than a laptop.
Or simply skip that step and get a phone that comes with CyanogenOS installed.
How do you know then that CyanogenOS itself was not modified to include unwanted software?
I guess one could believe the commercial companies whose revenue depends on the trust and on the ethics, such as https://tehnoetic.com/mobile-devices.
Like this exact article/submission that we're all commenting on, where a commercial company did exactly that?
Not exactly. I would not say their revenue depended on ethics...
All of them except phones made/designed/whatever by Google. That leaves you the Nexus and Pixel lines only. There's a fair bit more oversight there and no shady third-party ROM with 'helpful' spying applications shipped by default (and often uninstallable). Nor do carriers get to modify the ROM themselves or install their own apps.
Android is pretty much a wasteland outside of the Nexus/Pixel line. Ignoring security and privacy, you just have a lot of shovelware involved along with a lack of commitment to timely, or if any, updates.
I would feel confident a Nexus/Pixel is as secure and nonsense-free as a phone running CyanogenMod. Of course, that's difficult to prove, but historically we haven't seen anything like this on a Nexus/Pixel device.
I will have to disagree. AFAIK, the recent Qualcomm exploits don't affect Samsung's Exynos SoC. I have an Exynos S7 Edge and it ships with a feature to disallow (read: kill) apps trying to work in the background. After I fine-tuned this list, the phone's battery life improved noticeably.
Battery life has actually been slowly and steadily improving after each update by Samsung. I imagine this is a sign of Samsung not liking Google's spyware very much and trying their best to limit background activity.
None of us has solid proof of course, but judging by observable facts (and by the pretty awful battery life of the Nexus 6P and the Pixels -- compared to the Exynos S7 Edge at least), I'd say mine aren't that crazy.
Pixel? The phone which advertises/ships with a data collection assistant?
Maybe phones that support CyanogenMod or Replicant?
Perhaps device makers that know how to compile source and host the updates themselves are more likely to have more control over the firmware. So we might ask what the update policy is: do they provide updates?
The only good choice may be https://neo900.org.
> 990 EUR Before taxes (VAT, etc.)
So this is the threshold I'll have to pass to get a chance for true privacy?
A throw-away phone without ID bound to it would be my way to go then.
We have to start somewhere. I am asking anyone who can to go for it (I have no connection to this company). We can hope that later it will become more affordable.
I wish you luck. For all of us :)
"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.”"
Seems to be some work ahead if you want to find out which phone doesn't use this service. And we're only talking about this particular service.
If you are in the US, the same phone has different submodels for each US operator, and some of these submodels (likely from AT&T and Verizon) may have a locked bootloader, preventing you from installing custom ROMs.
For example, the Samsung Galaxy S5 from T-Mobile (SM-G900T) you can put CyanogenMod on, but the Samsung Galaxy S5 from AT&T (SM-G900A) you cannot.
This is why some users are getting really paranoid. So somebody decided that their first and only Android device will not have access to the Internet. Instead, its sole role is to function as a camera.
linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-the-internet/
From the article: "A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store."
Google hates it when a program phones home to someplace other than Google.
> Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.
This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.
The app is bad because it does the function without consent, not because it's made by Chinese.
If it's only SMS then that's not that bad. Are the SoCs set up in a way that makes crypto practically impossible on these?
Didn't we all know this would happen eventually?
Easy to avoid: just buy a phone that was built in your country... oh, wait...
That's why I use carrier pigeons.
This can also be read outside the states as follows:
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.
[EDIT: Fixed formatting]
Well, actually, the US has backdoored the entire Internet :(
This is largely correct but you are wrong about the price.
Huawei routers used in Indian govt offices were found to be sending data to China. They were banned after the discovery. Won't be surprised if cellular components that are made in China send back data quietly.
People at HN would appreciate the corresponding links...
I can find references to a ban based on 'security concerns' but not one that found actual evidence of snooping. I only had a brief look however. I too would be grateful to the GP for links.
Don't assume malice. This would be considered completely normal in China, both legally and culturally. You would have a hard time explaining the concept of privacy to them. This is likely not some big conspiracy.
The flip side of that argument is that the fastest way to explain the concept of privacy to a manufacturer that spies on you, is to stop buying their devices. Consumers don't need to assume a conspiracy in order to communicate their preferences.
I wish Amazon would stop selling Android devices that can't be loaded with vanilla Android.
Except they know they are exporting thus have to tailor their product to local law. The idea that all these Chinese leaks are just accidental oversights is fairly naive, especially in the light of China's industrial espionage efforts.
What's the big deal? Google does this on a much bigger scale and of course shares its data with the US government when asked. Why is it suddenly scary when a Chinese company does the same?
That's cute. You make it sound as if Apple doesn't share your data with the US government when asked. Oh, look what do we have here:
>In one of the leaked emails sent by Apple Environment, Policy and Social Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly stated that the current methods of encryption in place allow the firm to essentially send an unlimited amount of personal and sensitive user data to law enforcement.
>Jackson further emphasized that Apple already has a 24-hour live team established for the sole purpose of handling law enforcement and government requests. “Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process,” Jackson stated. “We have a team that responds to those requests 24 hours a day. Strong encryption does not eliminate Apple’s ability to give law enforcement meta-data or any of a number of other very useful categories of data.”
You have to love that 24 hour live team whose sole purpose is to provide customer data to law enforcement and government people.
That's not at all what I meant, but whatever.
Despite its many flaws, the US government is still held accountable for its actions by voting citizens.
How do I, as a non-US but otherwise voting citizen, hold the US government accountable?
Either Google or an unknown company in another country could do something unwelcome with my data. However the type of thing either entity may do with it differs. For instance, unknown actors controlling malware on your phone might misuse banking or social media credentials to steal my money or post spam. Google is unlikely to do that.
Because you agreed to it of course, after reading the EULA of the OS, provider and your Google account very diligently, deciphering the lawyer speak and considering the implications.
cough
Pah, nothing to hide, nothing to fear, what's the big deal eh?
I do hope Eric Schmidt and Trent Lott have been using one of these phones/devices.
And Zuckerberg
I wish we could have disposable phones in Germany...
This is just a Chinese hoax to scare us like that global warming bullshit.... right... am I right...??? .... /cry