Some Low-Cost Android Phones Come at a Price -- Your Privacy (cnet.com) 89
Cheap phones are coming at the price of your privacy, security analysts discovered. From a report: At $60, the BLU R1 HD is the top-selling phone on Amazon. Last November, researchers caught it secretly sending private data to China. Shanghai Adups Technology, the group behind the spying software on the BLU R1 HD, called it a mistake. But analysts at Kryptowire found the software provider is still making the same "mistake" on other phones. At the Black Hat security conference in Las Vegas on Wednesday, researchers from Kryptowire, a security firm, revealed that Adups' software is still sending a device's data to the company's server in Shanghai without alerting people. But now, it's being more secretive about it. "They replaced them with nicer versions," Ryan Johnson, a research engineer and co-founder at Kryptowire, said. "I have captured the network traffic of them using the Command and Control channel when they did it." An Adups spokeswoman said that it had resolved the issues in 2016 and that the issues "are not existing anymore." Kryptowire said it has observed the company sending data without telling users on at least three different phones.
Wow, color me 'surprised'! (Score:1)
Implying that ANY smartphone is going to be ANY better in this regard
Ha! (Score:1)
we have privacy? what a joke, I haven't laughed this hard since the dotcom boom.
Re: (Score:2, Insightful)
If you want privacy, you have to be willing to pay for it. Most people want free. Free Facebook, Free Google, Free videos, Free Free Free.
You are the product if you think you are getting something for free.
Yet if I were to say 'my iPhone doesn't do this because I pay a boatload of money for it' people get all bent because Apple.
Yet Apple doesn't have this kind of problem and Android phones do.
Free: you just got what you paid for.
Re:Ha! (Score:5, Insightful)
Free: you just got what you paid for.
Unfortunately you can't necessarily trust non-free products either. Not even expensive ones.
Re: (Score:2)
Actually Apple has been documented doing this too in the past, despite overcharging for their phones.
As for the pay vs free thing... which one is known to invade your privacy more, Windows 10 (which, contrary to popular belief is in fact paid software) or OpenBSD (free software)
There are literally thousands of examples of paid for products that invade your privacy, the whole IOT craze is pretty much there. There are also tons and tons of free things that don't (most of the open source movement)
If you think
Re: Ha! (Score:3)
Re: (Score:2)
People aren't paying for their Android phones?
Loss leader? (Score:2)
Loss leader? I'm wondering if these low priced phones are actually subsidized by the Chinese government. How nice it would be if a similar priced phone could be offered with verifiable open source firmware. (Ok, from here in just call me Captain Obvious.)
Re: (Score:1)
It doesn't need to be sponsored by the Chinese government ... skimming your private data, and potentially any banking information, is likely pretty lucrative on its own.
Asshole sales people are the same everywhere -- they don't give a fuck about you, and will do anything they can do further their own ends.
Chinese companies are pretty blatantly "whatever the hell we want to do". You know, like putting melamine in baby formula.
Do the world a favor, stab a salesman or a CEO today!!
Re: (Score:2)
It doesn't need to be sponsored by the Chinese government...
But it probably is, notwithstanding your other valid points.
They act like the 800 dollar phones... (Score:3, Insightful)
Don't come with spyware.
The real purchasing decision should be which phones allow rooting without blowing an efuse or disabled marketed functionality.
If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.
Re: (Score:2)
Don't come with spyware. The real purchasing decision should be which phones allow rooting without blowing an efuse or disabled marketed functionality. If you can unlock the phone via usb and adb and maybe a password and it doesn't do anything funny, it is a good phone. Everything else should be treated as suspect.
Right. It just goes to prove, the only viable path forward is verifiable, user modifiable open source.
Re: (Score:1)
iPhones don't.
The FBI had a hard time getting into one and apple did not cooperate. That was on a much older device and new ones are far more secure than back then.
Apple is in the business of selling your hardware, not selling your personal privacy out for profit.
Re: (Score:3)
"new ones are far more secure than back then."
No they are not. They're susceptible to the exact same physical attack that got past the i5.
It's like you know nothing about hardware engineering. If it can be made, it can be broken.
Re: (Score:2)
Go into any iPhone repair shop, moron. You can get the repair schematics for cheap and you can see very clearly its all the same shit.
Re: They act like the 800 dollar phones... (Score:1)
Re: (Score:2)
Honestly, I don't care if it blows an efuse, I only care whether I can root it without losing functionality. They can have their efuse, doesn't make any difference to me.
Comment removed (Score:4, Informative)
Re: (Score:3)
If I can't install slimroms or lineageos, it's not on my purchase list.
Not surprising... (Score:4, Interesting)
There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)
[1]: It is interesting to see what both Apple and Android device makers stick in the root CA store. It is wise to reduce that number.
Re:Not surprising... (Score:5, Funny)
There have been processes for behavioral tracking for years now. The trick is to root the device, yank the Chinese certificates out of your root CA store [1], add outgoing blocks on the iptables level to ensure that it doesn't phone home, add some ad blocking, and you will have a decent phone for a cheap price. Ideally, install an OS like LineageOS (if available.)
It's so easy, anyone can do it!
Re: (Score:2, Funny)
You could always use an iOS device, which has never had a single incident of malware in the wild, and it is impossible for rogue software to track users. More expensive, but security is worth the price.
Re: (Score:2)
I would hope so, but it's so hard to tell because that ridiculous nonsense is spouted so often as truth among the Apple fan base that it's hard to believe they don't actually believe it despite all evidence to the contrary.
Re: (Score:1)
Re: (Score:2)
Even if iPhones are spying-free, you'd still have the problem of being forced to use an iPhone.
Personally, that's a nonstarter. iPhones are too locked down to be terribly useful to me.
Re: (Score:1)
Have lineageOS, and am happy with it. Note it still includes all the WoSign/Honkong Post certs (which I turned off straight away).
Now if all the bloody app makers would just start adding lineageOS to the compatible devices lists.. I have hit about 3 of 4 apps that used to install from the Play Store for CyanogenMod on this same phone, now won't...
Re: (Score:2)
Yes to all of this.
I will not use a phone I can't replace the OS on, mostly for these reasons.
Re: (Score:2)
This is technically untrue. I can replace the broadband system with any of several options. What is true, though, is that all of the options are still proprietary binary blobs so from a security point of view it's a difference without a distinction.
But perfect security is impossible with anything, so we all make tradeoffs. My tradeoff is that I accept that I need to run that binary blob and can therefore not completely trust the device.
But I can, at least, minimize the issue by ensuring that the blob is the
Re: (Score:1)
It doesn't matter if you can replace the OS if $ADVCO pwns your firmware and the closed source binary blobs.
You are permitted the illusion for the masses. No more.
Re: (Score:2)
It still matters, because it reduces the number of entities that can spy. Your stance is the same as saying that if security can't be perfect then it isn't worth doing. That's an unsupportable position.
Re: (Score:3)
[1]: It is interesting to see what both Apple and Android device makers stick in the root CA store.
. . . it would be interesting to see what both Apple and Android device makers stick in the hidden root CA store.
Re: Cheap phones as bait. That doesn't make sense (Score:2, Informative)
My lab manager is pretty wealthy, between him and his wife (she is a surgeon) they are worth 7-digits. He broke his phone and ordered the absolute cheapest android phone he could find. I think it needed up being a Blu.
I tried to talk him out of it, but he simply doesn't care. On the flip side, he spent $15k on a carbon-fiber mountain bike a couple weeks ago.
Re: (Score:2)
Nothing wrong with that. Regardless of how wealthy you are, it's smart to recognize what is really important to you and to cheap out on everything else.
Comment removed (Score:3)
Cheap chinese phones may be compromised? (Score:1)
I've just shat myself with surprise!
Who didn't automatically assume this was the case?
Seriously.
Re: (Score:3)
and people think the expensive ones are somehow any different?
Re: (Score:1)
Hillary sent emails containing Top Secret info to her aid Huma's home computer to print because they couldn't figure out how to get the secure fax machine to work
Uh, no she did not. You are just mindlessly repeating half-baked conspiracy theories. And when I say half-baked I mean literally half - a bunch of highly motivated partisans latched on to a couple of vague facts and then made up a bunch of non-facts to produce a story that, surprise, surprise, was an exact fit for their preconceptions.
If she had actually done what you claim it would have been the smoking gun of intent that Comey needed to prosecute her.
Now you may proceed with more conspiracy theory logic
Re: (Score:2)
going for a +1 funny?
Re: (Score:3)
Apparently you didn't read the summary where it says exactly this, that it was reported long ago, and the manufacturer claimed they'd changed, and have now been proven to still be up to the same old tricks.
As for "most android devices harvest data", why limit it to Android? it's well known that iPhones do it too, and if anyone had ever used a Windows phone, I'm sure it was set up the same.
The only real difference is in who the recipient of the data is.
Re: (Score:1)
it's well known that iPhones do it too
Care to link a citation for that?
Re: (Score:3, Informative)
one example: https://www.wired.com/2011/04/... [wired.com]
another: http://www.businessinsider.com... [businessinsider.com]
Apple has also stated publicly "We may collect information such as occupation, language, zip code, area code, unique device identifier, location, and the time zone where an Apple product is used so that we can better understand customer behavior and improve our products, services, and advertising."
Re: (Score:1)
Not sure why you think this is Android specific... iPhones phone home too, I'm sure the solitary Windows phone in the wild does as well.
Really it's not even limited to phones either, my car sent reams of data back to the manufacturer on an ongoing basis until I rooted it and firewalled the manufacturer out. Many home internet routers do this, large percentages of IOT devices, really, anything with an internet connection these days should be assumed to be sending as much data as it possibly can gather back t
Re: (Score:3)
There are lots of valid reasons for an iPhone to communicate with Apple servers, you know. There are a bunch of integrated services, as well as security updates, etc. It would be a bit strange, IMO, if an iPhone actually never talked to Apple. The trick is whether or not you trust a company to slurp up and use your private data in ways you don't approve of.
So, Apple vs Random Chinese Company privacy showdown. In the end, you have to look at things like this pragmatically. Apple is making billions and b
Re: (Score:2)
So basically, you trust Apple, but think all Android phones can't be trusted.
I've got news for you, I don't trust Apple any further than I can throw their headquarters. Apple has admitted to collecting personal data for the express purpose of advertising (something you claim they would never do), and is well known to collect FAR more data than they need to provide the services they do.
As for "random chinese company", they aren't random, they're the manufacturer. Most manufacturers put all sorts of stuff on
Re: (Score:3)
So basically, you trust Apple, but think all Android phones can't be trusted.
Nope, didn't say that at all. I trust Apple MORE than I trust the Chinese manufacturer. But I actually have an Android phone, because I like the extra control it gives me. My next phone will probably be a Pixel.
From Apple's site on privacy:
We also use personal information to help us create, develop, operate, deliver, and improve our products, services, content and advertising, and for loss prevention and anti-fraud purposes.
Is that the "admission"? Apple is up-front about what they do with your data. When I talk about "trust", I mean that I trust them not to abuse that data in a way I wouldn't be comfortable with, such as selling it to a third party. As far as ads, we're probably talki
Re: (Score:2)
It's ok if Apple does it because they're the good guys, but I don't know the other company so they must be evil!
ummmm... yeah... the mental gymnastics here are quite entertaining.
Re: FTFY (Score:1)
Re: (Score:2)
Not Android-specific.
Pretty much every product or service that has access to data about you does this. There are no angels.
Only some? (Score:3)
I'm pretty sure all high-cost phones, including not-Android, send data to Google/Apple/MS. If only "some" of these low-cost ones are doing the same, that almost sounds like a worthy gamble.
(And yes, I realize that they mean "in addition to already sending your data to the OS makers" rather than "instead of." I'm just calling out the headline's phrasing..)
FTFY (Score:2)
Android is just a giant spyware ecosystem for Google.
Re: (Score:1)
Re: (Score:2)
I have a Blu R1 HD. I got it for the kids to play games with, but it has no SIM card. Any advice on how to check that it's secure (without burning/crushing/etc.)?
If you bought the Amazon version, then it's supposed to be safe.
But either way, check out: https://forum.xda-developers.c... [xda-developers.com]
You'll find what you need to know about rooting it and installed a different rom and getting rid of bloat and the spyware.
I own the BLU R1 HD and it rocks! (Score:2)
So apparently the Amazon version didn't have the spyware, only the ones you got from elsewhere. Those phones have been easy to root, there are custom firmware for it and it is a great phone for the $60.
These days, if you can't root your phone and get full control, then you are just asking to be spied on.
Re: (Score:2)
Re: (Score:2)
First it was the Russians... (Score:2)
and now the Chinese want a direct tap into Trump voters...