Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com) 89

Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
  • by Anonymous Coward
    ..and I'm supposed to have a smartphone, why, again?

    Implying that ANY smartphone is going to be ANY better in this regard

  • by Anonymous Coward

    we have privacy? what a joke, I haven't laughed this hard since the dotcom boom.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you want privacy, you have to be willing to pay for it. Most people want free. Free Facebook, Free Google, Free videos, Free Free Free.
      You are the product if you think you are getting something for free.
      Yet if I were to say 'my iPhone doesn't do this because I pay a boatload of money for it' people get all bent because Apple.
      Yet Apple doesn't have this kind of problem and Android phones do.
      Free: you just got what you paid for.

      • Re:Ha! (Score:5, Insightful)

        by chipschap ( 1444407 ) on Wednesday July 26, 2017 @02:36PM (#54884765)

        Free: you just got what you paid for.

        Unfortunately you can't necessarily trust non-free products either. Not even expensive ones.

      • by green1 ( 322787 )

        Actually Apple has been documented doing this too in the past, despite overcharging for their phones.
        As for the pay vs free thing... which one is known to invade your privacy more, Windows 10 (which, contrary to popular belief is in fact paid software) or OpenBSD (free software)

        There are literally thousands of examples of paid for products that invade your privacy, the whole IOT craze is pretty much there. There are also tons and tons of free things that don't (most of the open source movement)

        If you think

      • "Android phones" don't have this problem, certain phones from shady manufacturers do. And if you think iOS (and OS X for that matter) are free and clear of phone-home, the reality distortion field has really got you. Personally, I don't find mobile banking or money-spending functions on my phone to be worth $500, or even $100. I can wait until I get to a real computer when I need to do something securely.
      • People aren't paying for their Android phones?

  • Loss leader? I'm wondering if these low priced phones are actually subsidized by the Chinese government. How nice it would be if a similarly priced phone could be offered with verifiable open source firmware. (Ok, from here on just call me Captain Obvious.)

    • by Anonymous Coward

      It doesn't need to be sponsored by the Chinese government ... skimming your private data, and potentially any banking information, is likely pretty lucrative on its own.

      Asshole sales people are the same everywhere -- they don't give a fuck about you, and will do anything they can to further their own ends.

      Chinese companies are pretty blatantly "whatever the hell we want to do". You know, like putting melamine in baby formula.

      Do the world a favor, stab a salesman or a CEO today!!

      • It doesn't need to be sponsored by the Chinese government...

        But it probably is, notwithstanding your other valid points.

    • by Anonymous Coward

      Don't come with spyware.

      The real purchasing decision should be which phones allow rooting without blowing an efuse or disabling marketed functionality.

      If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.

      • Don't come with spyware. The real purchasing decision should be which phones allow rooting without blowing an efuse or disabling marketed functionality. If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.

        Right. It just goes to prove, the only viable path forward is verifiable, user modifiable open source.

      • by Anonymous Coward

        iPhones don't.

        The FBI had a hard time getting into one and apple did not cooperate. That was on a much older device and new ones are far more secure than back then.

        Apple is in the business of selling your hardware, not selling your personal privacy out for profit.
         

        • by Khyber ( 864651 )

          "new ones are far more secure than back then."

          No they are not. They're susceptible to the exact same physical attack that got past the i5.

          It's like you know nothing about hardware engineering. If it can be made, it can be broken.

      • by green1 ( 322787 )

        Honestly, I don't care if it blows an efuse, I only care whether I can root it without losing functionality. They can have their efuse, doesn't make any difference to me.

        • Then buy an Alcatel phone as they have built in rooting capability with no external software required. For those that want to know how, this is how you do it, and I've tested it on my own phone (Alcatel Flint) and it works and takes less than 2 minutes...

          Alcatel has its own "system updates" app. If you tap the three dots in the right hand corner and then hit "Help", then hit the "Auto -Check Intervals" button a bunch, it will unlock "Advanced Mode." Go back and tap the three dots again and it will be under "help." When you go into this advanced mode, it will ask you for a "tester password". The pass is fotaapp*#1221#.

          And that is it, in under 2 minutes you will have a rooted phone you can do with what you will.

      • by c-A-d ( 77980 )

        If I can't install slimroms or lineageos, it's not on my purchase list.

  • Not surprising... (Score:4, Interesting)

    by ctilsie242 ( 4841247 ) on Wednesday July 26, 2017 @02:25PM (#54884643)

    There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)

    [1]: It is interesting to see what both Apple and Android device makers stick in the root CA store. It is wise to reduce that number.
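
One way to script the "outgoing blocks on the iptables level" step from the comment above, as an added example that is not part of the original post: it looks up a package's Linux UID in a constructed `packages.list` sample and emits `owner`-match rules for it. The package names are placeholders, and refusing UIDs below 10000 is a choice made for this example.

```shell
#!/bin/sh
# Added example: turn an Android packages.list into per-app outbound blocks.
# Line format of /data/system/packages.list (readable only as root):
#   <package> <uid> <debuggable> <data-dir> <seinfo> <gids>

# Constructed sample; the package names are placeholders, not real identifiers.
SAMPLE_PACKAGES_LIST='com.example.browser 10061 0 /data/user/0/com.example.browser default 3003
com.example.vendor.updater 10023 0 /data/user/0/com.example.vendor.updater platform 3003,1015
com.example.vendor.sysagent 1000 0 /data/system platform 3003,1015'

# block_rules <package>: reads packages.list text on stdin, prints the rules.
# Returns 1 if the package is absent, 2 if it runs under a platform UID.
block_rules() {
    pkg=$1
    uid=$(awk -v p="$pkg" '$1 == p { print $2; exit }')
    [ -n "$uid" ] || { echo "not installed: $pkg" >&2; return 1; }
    # UIDs below 10000 (for example 1000 = system) are shared by core
    # services; an owner match on them would cut off far more than one app.
    if [ "$uid" -lt 10000 ]; then
        echo "refusing: $pkg runs as shared UID $uid" >&2
        return 2
    fi
    # The owner match is only valid in OUTPUT/POSTROUTING; cover IPv4 and IPv6.
    for ipt in iptables ip6tables; do
        echo "$ipt -I OUTPUT -m owner --uid-owner $uid -j DROP"
    done
}

# Print the rules for the placeholder updater package.
printf '%s\n' "$SAMPLE_PACKAGES_LIST" | block_rules com.example.vendor.updater
```

Run the printed rules in a root shell on the device; they live in kernel memory only and have to be reapplied after each reboot.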

    • by 93 Escort Wagon ( 326346 ) on Wednesday July 26, 2017 @02:32PM (#54884713)

      There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)

      It's so easy, anyone can do it!

      • Re: (Score:2, Funny)

        by Anonymous Coward

        You could always use an iOS device, which has never had a single incident of malware in the wild, and it is impossible for rogue software to track users. More expensive, but security is worth the price.

        • Apple fanboy alert!!! Can we just ban the class c ip block you are on so hopefully we won't hear more rubbish?
        • Even if iPhones are spying-free, you'd still have the problem of being forced to use an iPhone.

          Personally, that's a nonstarter. iPhones are too locked down to be terribly useful to me.

      • by Anonymous Coward

        Have lineageOS, and am happy with it. Note it still includes all the WoSign/Hongkong Post certs (which I turned off straight away).

        Now if all the bloody app makers would just start adding lineageOS to the compatible devices lists.. I have hit about 3 of 4 apps that used to install from the Play Store for CyanogenMod on this same phone, now won't...

    • Yes to all of this.

      I will not use a phone I can't replace the OS on, mostly for these reasons.

      • by Anonymous Coward

        It doesn't matter if you can replace the OS if $ADVCO pwns your firmware and the closed source binary blobs.

        You are permitted the illusion for the masses. No more.

        • It still matters, because it reduces the number of entities that can spy. Your stance is the same as saying that if security can't be perfect then it isn't worth doing. That's an unsupportable position.

    • [1]: It is interesting to see what both Apple and Android device makers stick in the root CA store.

      . . . it would be interesting to see what both Apple and Android device makers stick in the hidden root CA store.

  • by nimbius ( 983462 ) on Wednesday July 26, 2017 @02:30PM (#54884689) Homepage
    When the spyware comes along...
    You must root it!
    plug a cable in the phone
    you can root it!
    https://theunlockr.com/2013/11... [theunlockr.com]
  • I've just shat myself with surprise!

    Who didn't automatically assume this was the case?

    Seriously.

  • by Altrag ( 195300 ) on Wednesday July 26, 2017 @04:07PM (#54885661)

    I'm pretty sure all high-cost phones, including not-Android, send data to Google/Apple/MS. If only "some" of these low-cost ones are doing the same, that almost sounds like a worthy gamble.

    (And yes, I realize that they mean "in addition to already sending your data to the OS makers" rather than "instead of." I'm just calling out the headline's phrasing..)

  • All Android Phones Come at a Price -- Your Privacy

    Android is just a giant spyware ecosystem for Google.
  • I just saw his presentation at BH. He did his homework else those in the hall would have called him out.
  • So apparently the Amazon version didn't have the spyware, only the ones you got from elsewhere. Those phones have been easy to root, there are custom firmware for it and it is a great phone for the $60.

    These days, if you can't root your phone and get full control, then you are just asking to be spied on.

  • I'm still waiting for them to name one of their phones BLU-82 [wikipedia.org]. And for the batteries to turn out to be faulty.

    ...

    I'll get my coat.

  • This Privacy thing, what is this? Sounds like a good idea. Where can I get one?

  • and now the Chinese want a direct tap into Trump voters...
