[HN Gopher] Android phones are sending significant amount of use...
___________________________________________________________________
Android phones are sending significant amount of user data with no
opt-out [pdf]
Author : giuliomagnifico
Score : 309 points
Date : 2021-10-11 16:52 UTC (1 days ago)
(HTM) web link (www.scss.tcd.ie)
(TXT) w3m dump (www.scss.tcd.ie)
| 2Gkashmiri wrote:
| can i see this "exfiltration" out of an android using a pi-hole?
| i have multiple androids at home and a network-wide pi-hole so i
| would love to see if there is something i can see and maybe block
| rangerdan wrote:
| Not unless you have a lot of free time to pore through
| thousands of log lines manually.
| eldaisfish wrote:
| any DNS-based tool is going to tell you which IP address is
| being contacted, not what is sent or how much.
|
| You can certainly block domains and that will prevent some
| google telemetry but a DNS-based tool is not what you're
| looking for.
| sumtechguy wrote:
| Has anyone played with adding a cert and using a squid proxy
| to help log what is going on?
| [deleted]
| noja wrote:
| Install NetGuard.
| elevaet wrote:
| I use Android because of the walled-garden approach to data that
| Apple tries to funnel its users into. The privacy issues give me
| pause however.
| [deleted]
| ir77 wrote:
| it's always amazing to me that a typical android user tells me
| they hate iOS because it's locked down and android is much more
| open -- whenever i follow up with what apps they've actually side
| loaded they don't know what i'm talking about, never mind about
| whether their phone is rooted and they're running a rom.
|
| yet a majority of them use very expensive handsets that compete
| in a premium space to iOS devices and ciphen data not only back
| to google but to their respective manufacturers and anyone else
| that puts bloat on their phone -- bloat that they can't remove on
| their "much more open devices".
|
| what was the silly movie that had the quote "the greatest trick
| the devil made was to convince the world that he didn't exist.".
| detaro wrote:
| Of course anecdotal here too, but it seems highly unlikely that
| that's a _typical android user_ perspective. Even among fellow
| nerds that argument is not that overwhelming, and they are a
| tiny group of people.
| imwillofficial wrote:
| You are correct. I have the same experience often.
|
| *siphon
|
| "The Usual Suspects", Keyser Soze
| nicoburns wrote:
| > whenever i follow up with what apps they've actually side
| loaded they don't know what i'm talking about, never mind about
| whether their phone is rooted and they're running a rom.
|
| An android phone is more open even without side-loading or
| rooting because Google's play store is much less restrictive than
| Apple's app store.
| doc_gunthrop wrote:
| A distinction needs to be made clear here with regards to the
| data being transmitted to Google by LineageOS in this study.
|
| In the cited paper
| (https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pd...),
| the device used to test LineageOS was a
| Google Pixel 2 running LineageOS 17.1 which also included an
| installation of _OpenGapps 10.0 nano_.
|
| It's not the OS that is transmitting the data over to Google, but
| rather OpenGapps (ie. Google Play). OpenGapps is software that
| can be _optionally_ installed after the initial installation of
| LineageOS (but before first boot). A user can still use LineageOS
| without OpenGapps, though they just won't have the benefits (and
| drawbacks) that come with it (such as being able to use apps that
| require GSF). The user can instead opt for an app manager like
| F-droid or possibly Aurora Store.
|
| In addition, there exists an alternative to OpenGapps called
| MicroG. This is like Google Play but allows users the option to
| anonymize themselves. One can find custom LineageOS builds that
| include MicroG from the MicroG website (as the members of the
| LineageOS project do not advocate for its use, instead giving
| preference to OpenGapps). Keep in mind, however, that there are
| fewer devices supported by those builds.
| xanaxagoras wrote:
| > One can find custom LineageOS builds that include MicroG
|
| Why bother? Just use Calyx.
| JasonFruit wrote:
| I'm using LineageOS with neither OpenGapps nor MicroG, and can
| confirm that Aurora works without. There are numerous apps
| available from Aurora that will not function, of course, and
| many other inconveniences of varying severity, but it's overall
| a good experience.
| CountDrewku wrote:
| Yep MicroG is the route I'm going on Pixel3a I just bought. You
| don't need to sign into any Google services to use them. For
| now I'm just using maps. I found a nice Reddit article on de-
| googling even more as well. If you install OpenGapps you might
| as well forget it-
|
| https://www.reddit.com/r/fossdroid/comments/clg2ca/how_to_de...
| cookiengineer wrote:
| Technically, the Internet Connectivity Check on LineageOS also
| sends your position/IP to Google, and also avoids a VPN tunnel
| because it's lower down the stack.
|
| I can recommend LineageOS, however be aware that lots of
| malware infected builds have made it to xda dev in the past, so
| you should build it yourself if possible (or use the official
| downloads).
|
| Regarding the Connectivity Check: You can add all google
| related domains to /system/etc/hosts if you have root/sudo
| access.
|
| Additionally I'd recommend everyone to use RethinkDNS as a DNS
| adblocker and app firewall - and AppWarden to patch out the
| Analytics parts of proprietary Apps.
| thrtewgg66 wrote:
| you can disable captiveportal and block everything else with
| netguard
|
| (check Netguard thread on xda)
| yjftsjthsd-h wrote:
| > however be aware that lots of malware infected builds have
| made it to xda dev in the past,
|
| Can you point me to some? How were they caught? I knew this
| was a possibility, but I hadn't seen it actually happen
| before.
| kekebo wrote:
| One used to be able to change the captive portal url using
| adb [0], although I'm not sure that's still the case in
| current android builds.
|
| [0] https://gist.github.com/tonyseek/bc5b72197ddb15418c614060617...
| commoner wrote:
| I can confirm this used to work, but I'm not sure if that's
| the case now. These were the instructions I used:
|
| https://android.stackexchange.com/a/186995
| johnbrodie wrote:
| I can't recall the exact settings to push via ADB, but the
| Internet Connectivity Check is "easy" to fix. Create a server
| that's always up that responds with a 301 (or whatever the
| check expects), and push the address to the phone. Done.
|
| It's a shame that Google's servers are the default, and I
| wish it were at least called out by Lineage. That said, I
| doubt they want to cover hosting costs of such a service
| (although I'd think they'd be fairly minimal).
| commoner wrote:
| For anyone trying to implement this, the HTTP status code
| that Android looks for is 204.
|
| https://android.stackexchange.com/a/186995
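
Added example, not part of the thread: a minimal self-hosted endpoint for the connectivity check discussed above, answering 204 as commoner notes, plus a probe showing that a 301 reply would not pass. The handler names, loopback address, URL path and the pass criterion (status 204 with an empty body) are assumptions made for this sketch; pointing a phone at the server is covered by the linked answer and is not reproduced here.

```python
"""Self-hosted connectivity-check endpoint (added example, names are hypothetical)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class Generate204Handler(BaseHTTPRequestHandler):
    """Answer every GET/HEAD with an empty 204 and keep no access log."""

    server_version = "check"   # do not advertise the Python/BaseHTTP version
    sys_version = ""

    def _no_content(self):
        # A 204 carries no body and no Content-Length header.
        self.send_response(204)
        self.end_headers()

    do_GET = _no_content
    do_HEAD = _no_content

    def log_message(self, format, *args):
        # Drop access logs on purpose: the point of self-hosting the check is
        # that nobody accumulates a record of when each device came online.
        pass


class Redirect301Handler(Generate204Handler):
    """The '301' guess from the thread, kept only to show that it fails."""

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", "http://127.0.0.1/")  # constructed target
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx answers as-is instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def start_server(handler=Generate204Handler, host="127.0.0.1", port=0):
    """Start the endpoint in a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_passes(url, timeout=3.0):
    """Return True only for a 204 with an empty body (assumed pass criterion)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),  # ignore proxy environment variables
        _NoRedirect,
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx end up here
        status, body = err.code, b""
    except OSError:                         # refused, timed out, DNS failure
        return False
    return status == 204 and body == b""


if __name__ == "__main__":
    # The path is arbitrary: the handler ignores it.
    for name, handler in (("204", Generate204Handler), ("301", Redirect301Handler)):
        srv = start_server(handler)
        url = "http://127.0.0.1:%d/generate_204" % srv.server_address[1]
        print(name, "server passes check:", check_passes(url))
        srv.shutdown()
        srv.server_close()
```
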
| twobitshifter wrote:
| This internet connection check actually caused problems for
| us when we started having users in China on android. Our
| code was checking for a connection before transmitting data
| and android thought the device was disconnected due to the
| great firewall. I think there's just a hack around it for
| now that disabled the android connection check for those
| users.
| commoner wrote:
| Some Android flavors, including /e/[1] and GrapheneOS,[2]
| don't use Google servers for the internet connectivity check
| by default.
|
| [1] https://gitlab.e.foundation/e/backlog/-/issues/268#note_1809...
|
| [2] https://grapheneos.org/faq#default-connections
| 1vuio0pswjnm7 wrote:
| Looking through the GrapheneOS source, the servers may not
| be Google servers but the system is still designed to phone
| home. As such, have they solved the problem or is this just
| another case of "Don't trust them, trust us instead."
|
| Has anyone succeeded in running multiboot on "smartphone"
| hardware, i.e., where the user can boot into a choice of
| kernel/userland. One choice might be Android, another might
| be GrapheneOS/LineageOS, another might be an OS that does
| not rely on any third parties whatsoever (no conveniences,
| "app stores", "connectivity checks", etc.) and is fully
| controlled by the user. In other words, the third choice
| lets the pocket-sized computer be used more like a pre-
| smartphone era desktop/laptop OS. Basic functionality.
| kaba0 wrote:
| For your later linked examples, those can be changed.
|
| But as for the microG/GApps question, GrapheneOS provides
| a sandbox for the actual GApps, so that almost everything
| can run properly, with very strong control over what is
| seen by Google.
| bubblethink wrote:
| Eh, if you want an airgapped phone, use it in airplane
| mode. Obviously, the phone needs some network infra for
| things like updates or timekeeping. You can route it over
| vpn if you don't trust your isp, and you can build
| everything yourself and host all the servers yourself too
| if you so prefer. This type of pedantry is more harmful
| than useful to casual users who would be far better
| served with grapheneos than some non-existent ideal
| phone.
| 1vuio0pswjnm7 wrote:
| Looking at the FAQ provides more details on various ways
| GrapheneOS phones home by default. Thankfully, some of
| these "services" can be disabled.
|
| The time service is enabled by default but can be
| disabled.
|
| "An HTTPS connection is made to
| https://time.grapheneos.org/ to update the time from the
| date header field."
|
| "Network time can be disabled with the toggle at Settings
| System Date & time Use network-provided time."
|
| Connectivity checks are enabled by default but can be
| disabled.
|
| "Connectivity checks designed to mimic a web browser user
| agent are performed by using HTTP and HTTPS to fetch
| standard URLs generating an HTTP 204 status code."
|
| "You can change the connectivity check URLs via the
| Settings Network & internet Advanced Internet
| connectivity check setting. At the moment, it can be
| toggled between the GrapheneOS servers (default), the
| standard Google servers used by billions of other Android
| devices or disabled."
|
| Why these are enabled by default, i.e., opt-out instead
| of opt-in, is strange considering this OS is aimed at
| technical, security and privacy-conscious users. Users
| who would surely know what services they want and be
| capable of enabling them.
| dyndos wrote:
| Did you actually find any examples of GrapheneOS phoning
| home?
|
| GrapheneOS doesn't rely on any third-parties I'm aware
| of. The only service provided is over-the-air security
| updates. It doesn't even come with an app store (although
| you can install F-Droid).
|
| For that reason, GrapheneOS alone fits all three
| categories you mentioned: It is Android, it is
| GrapheneOS, and it is fully controllable / doesn't ship
| bloatware.
| 1vuio0pswjnm7 wrote:
| "The only service provided is over-the-air security
| updates."
|
| Connectivity check / time servers
|
| https://grapheneos.org/articles/grapheneos-servers#grapheneo...
|
| Amongst others.
| [deleted]
| aboringusername wrote:
| The issue with Android is it's extremely restrictive from a
| firewall perspective, I guess exactly as designed.
|
| I cannot dictate what apps chat over the internet or to what IP's
| (say, a setting to only allow EU-only addresses).
|
| Of course this means - rightfully or wrongly - you have to move
| this to another layer - probably PiHole or router level, but even
| then there could be gaps (can it use mobile data with you
| unaware?).
|
| I am surprised major OS' still don't allow users to configure
| this yet. it's pretty basic stuff.
| autoexec wrote:
| Last I checked the default keyboard samsung installs on their
| phones was collecting what you typed and sharing/selling that
| data with third parties. I try not to store or access any
| personal information on my cell phones when i can avoid it, but
| at a certain point, just having one is enough to seriously
| compromise your privacy. Strong regulation with real sharp teeth
| is the only thing that can fix this situation.
| ibeckermayer wrote:
| Strong regulation by whom? The organization that brought us the
| CIA, NSA, FBI, and the rest of the alphabet soup of "security"
| bureaucracies that spy on us arbitrarily?
|
| Strong regulation could easily worsen the problem, as it can
| lead to a ratcheting up of the regulatory burden until only
| mega corps like Apple and Google could afford to make phones,
| and upstarts like Purism and Pinephone get squeezed out.
|
| How about before getting so gung ho with pointing the
| government gun at everyone's head, we consider the option of
| rolling back the unjust regulations that already exist which
| give the mega corps undue government privilege (patents are a
| good place to start), and encouraging (by voting with our
| wallets) organic alternatives to emerge, like they already are
| doing.
| autoexec wrote:
| > The organization that brought us the CIA, NSA, FBI, and the
| rest of the alphabet soup of "security" bureaucracies that
| spy on us arbitrarily?
|
| Which organization do you think that is? you think they all
| came from the same place? Every one of these agencies came
| into existence under very different circumstances at
| different times and they fall under different branches and
| operate in different areas.
|
| Yes, it's a horrible thing that these agencies are being used
| to spy on all American citizens in violation of our freedoms,
| but that fact doesn't mean that we shouldn't allow any
| government agency anywhere enforce regulations. How does
| that make any sense at all? You could say the same for
| literally anything. "Who should regulate the amount of lead
| in our drinking water? The organization that brought us the
| CIA, NSA, FBI, and the rest of the alphabet soup of
| "security" bureaucracies that spy on us arbitrarily?"
|
| > Strong regulation could easily worsen the problem, as it
| can lead to a ratcheting up of the regulatory burden until
| only mega corps like Apple and Google could afford to make
| phones, and upstarts like Purism and Pinephone get squeezed
| out.
|
| It literally couldn't worsen the problem of our privacy being
| violated and used against us by cell phone companies. If it's
| illegal for Google to do it, and we had regular independent
| verification that they were not violating those laws, then it
| wouldn't matter if the only cell phones that existed on the
| whole of Earth were made by Google. Google still wouldn't be
| doing the bad thing we're trying to stop.
|
| Yes, I'd prefer to have more choices but there's zero
| requirement that regulations make it prohibitively expensive
| for any company even an upstart. In fact, because this would
| be regulation against collecting, securing, maintaining,
| analyzing, marketing, and selling our personal data it'd
| actually save companies tons of money since they'd no longer
| be doing any of those things. Established companies who are
| currently exploiting consumers won't get to profit off of
| them as they are currently, but they will still save a lot of
| time and money not exploiting the public.
|
| > How about before getting so gung ho with pointing the
| government gun at everyone's head, we consider the option of
| rolling back the unjust regulations that already exist which
| give the mega corps undue government privilege (patents are a
| good place to start)
|
| This isn't an either/or type of thing. There's a lot of great
| and important things we should be doing. This is one of them.
| Let's do them all.
|
| > and encouraging (by voting with our wallets) organic
| alternatives to emerge, like they already are doing.
|
| If "the market" were going to solve this problem, if it were
| capable of solving this problem, it would have been solved
| already. It's not. Until strong regulations are in place
| there will continue to be a very very strong perverse
| incentive to not solve this problem. We're coming up on 50
| years of mobile phone technology and at present there are no
| comparable options for cell phones and mobile networks that
| preserve privacy. None. It's not regulations forcing Google
| and Apple to collect our personal data. They are choosing to
| do it. They could stop tomorrow if they wanted to. They don't
| want to. They won't stop until they are forced to stop.
| hungryforcodes wrote:
| Hi! I have a Samsung and I looked around online and couldn't
| find any real info on this topic. I don't doubt it's quite
| possible, but where is your source from? It's been hard for me
| to confirm. A good point, though, I'll look at the open source
| options....
| autoexec wrote:
| Samsung's own privacy policy and those of the 3rd parties
| they use. It's been over a year and checking now some things
| have already changed, but if you click on the gear icon from
| within the keyboard you can select "about samsung keyboard"
| which should give you a list of policies including giphy and
| tenor (both used for gifs I guess) but i didn't even check
| those. The one you want is the legal info which tells you
| that in addition to samsung's privacy policy (which outright
| says it's collecting and selling everything it can get their
| hands on (see
| https://www.computerworld.com/article/3514999/samsung-sellin...)
| you also have to accept the policy of a 3rd party
| called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their
| privacy policy which opens in the browser. They collect and
| store things like "your choice of words, speech and writing
| patterns, how you use your keyboard, custom words you add, the
| number of characters you type, your typing speed, etc. and they
| share (read sell) that data to affiliates, subsidiaries,
| vendors, subcontractors, etc (pretty much anyone they feel
| like). They specifically state they use this data to draw
| inferences reflecting your characteristics, behavior,
| abilities, preferences and aptitudes all of which they can
| sell to anyone at any time without even telling you about it
| because what they learn about you by going over all your data
| is their data and they don't have to tell you anything at all
| about what they do with their data.
| nimbius wrote:
| https://play.google.com/store/apps/details?id=org.dslul.open...
|
| OpenBoard is a 100% foss keyboard based on AOSP, with no
| dependency on Google binaries, that respects your privacy.
| hbcondo714 wrote:
| Thanks for this, just installed it and when I click to enable
| in my settings, I get an Attention message:
|
| "OpenBoard may be able to collect all the text you type,
| including personal data such as passwords and credit card
| numbers"
|
| This appears to be from Samsung, trying to deter users from
| using keyboards other than their own.
| commoner wrote:
| That's a generic warning that shows up on all flavors of
| Android, including AOSP and LineageOS, when you enable any
| new input method.
| autoexec wrote:
| I'm glad they let people know it's possible, a keyboard
| isn't something you should install without some careful
| consideration because they can be used as keyloggers. I
| just wish they'd been as clear about that with the keyboard
| already installed on the phones when they ship. Anyone
| seeing that warning might easily think it's safer not to
| replace their stock keyboard even though it's already doing
| the very thing they fear a new keyboard might do.
| autoexec wrote:
| Once I realized what samsung was doing I switched to
| AnySoftKeyboard and I'm pretty happy with it. It's got a lot
| of options.
|
| https://f-droid.org/en/packages/com.menny.android.anysoftkey...
| ignoramous wrote:
| One may replace the keyboard, but the underlying "input
| method" framework is still under OEM's (in this case,
| Samsung's) control: That is (afaik), they could key-log
| just fine regardless of whatever keyboard one may install /
| use.
| brodock wrote:
| I've tried both anysoftkeyboard and openboard, and liked
| openboard layout better but wanted swiftkey like support
| from anysoftkeyboard. Looking at reddit fossdroid I
| discovered the one fitted me better as a closer to
| openboard with swiftkey support : FlorisBoard
| commoner wrote:
| FlorisBoard is really nice. Among all of the FOSS Android
| keyboards, I've found the gesture typing on FlorisBoard
| to be the most accurate.
|
| https://github.com/florisboard/florisboard
| padraic7a wrote:
| Thanks, I'll check that out.
|
| I've been using Swiftkey since before Microsoft bought it,
| and really enjoying it.
|
| I know I shouldn't be surprised but I feel really betrayed
| that they use it to track app usage and link it to IMEI and
| the Google advertising id.
| aqfamnzc wrote:
| I was also a long-time fan of Swiftkey, and switched to
| OpenBoard a few months ago. The main differences are lack
| of swipe input which I miss dearly, and slightly less
| intuitive correction. I think since switching I've put a
| little more effort into being more accurate which has
| helped.
| SV_BubbleTime wrote:
| There are lines in the sand, and a default key logger sending
| data to undisclosed third parties should be a pretty easy one
| everyone can agree on.
| atatatat wrote:
| This isn't the sort of news that wins on people's Facebook or
| Instagram feeds.
| frankenst1 wrote:
| > Last I checked the default keyboard samsung installs on their
| phones was collecting what you typed and sharing/selling that
| data with third parties.
|
| How did you check? Do you have a source/link?
| autoexec wrote:
| as stated elsewhere:
|
| Samsung's own privacy policy and those of the 3rd parties
| they use. It's been over a year and checking now some things
| have already changed, but if you click on the gear icon from
| within the keyboard you can select "about samsung keyboard"
| which should give you a list of policies including giphy and
| tenor (both used for gifs I guess) but i didn't even check
| those. The one you want is the legal info which tells you
| that in addition to samsung's privacy policy (which outright
| says it's collecting and selling everything it can get their
| hands on (see
| https://www.computerworld.com/article/3514999/samsung-sellin...)
| you also have to accept the policy of a 3rd party
| called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their
| privacy policy which opens in the browser. They collect and
| store things like "your choice of words, speech and writing
| patterns, how you use your keyboard, custom words you add, the
| number of characters you type, your typing speed, etc. and they
| share (read sell) that data to affiliates, subsidiaries,
| vendors, subcontractors, etc (pretty much anyone they feel
| like). They specifically state they use this data to draw
| inferences reflecting your characteristics, behavior,
| abilities, preferences and aptitudes all of which they can
| sell to anyone at any time without even telling you about it
| because what they learn about you by going over all your data
| is their data and they don't have to tell you anything at all
| about what they do with their data.
| MattGrommes wrote:
| It seems worth talking about the fact that it appears to be the
| vendor of the phone putting this kind of snooping in place.
| Blaming Android is missing the real culprit. Like they say in the
| article, we need stronger controls on people's data for whoever
| happens to make the phone's OS.
| closeparen wrote:
| For practical purposes Android is not just the open source
| codebase but also the economic institution, where various
| middlemen get to do sketchy and low-rent stuff in between the
| trusted brand and the consumer. That is the "openness" that
| sets it apart from its competitor.
| 3np wrote:
| There's still data sent to Google as part of Android except for
| currently obscure ones like /e/ and Graphene.
|
| It's like a combination of the desktop Windows of the 90s
| (malware preinstalled by vendors) and today (increasing
| surveillance by the OS developers) with Apple (you need to
| basically risk breaking the device and void the warranty to get
| away from it)
| Dutchie2020 wrote:
| Does anyone here have any experience with the /e/OS mentioned in
| the article?
| COGlory wrote:
| I purchased a Samsung Galaxy S9 (in the US) from them. My first
| impression: Everything works. Apps (if it's not on their store,
| which is a mix of F-Droid and other APKs, it's on Aurora),
| Google services works without signing (MicroG), GPS works, OTA
| updates work (with one click).
|
| My biggest complaint is that their App store isn't just
| F-Droid, and their APKs are often out of date by 1-2 weeks. My
| biggest compliment (besides everything just working to the
| point I could recommend it to a relative), is that they are
| active and engaged in their community, regularly reading their
| forum, soliciting feedback, and posting weekly updates.
|
| https://community.e.foundation/t/week-41-development-and-tes...
| Kototama wrote:
| It's rather good and at some point they managed to have release
| for my previous phone model when the lineageos stopped!
|
| I used it without their cloud services. Some of the pre-
| installed apps cannot be removed (like email, pdf readers)
| which is slightly annoying. They have their own
| launcher/desktop but it's not that good, it even crashes time
| to time.
|
| Last time I checked, it was not super transparent which non-
| FOSS store they used.
|
| Overall I think the experience with LineageOS is better but /e/
| comes with MicroG so it's practical if you need a few
| proprietary apps.
| hellisothers wrote:
| And yet we have articles that say iOS is similar if not worse and
| people pile in to "both sides" it (1). Why is it I feel it's
| clear that fundamentally iOS favors privacy (for profit) and
| Android eschews it (for profit) yet it's somehow debatable still?
|
| (1) https://news.ycombinator.com/item?id=28819318
| rangerdan wrote:
| iOS is just as bad, if not worse. See
| https://gist.github.com/iosecure/357e724811fe04167332ef54e73...
| JohnWhigham wrote:
| How anyone can say iOS favors privacy with a straight face
| after the CSAM debacle is beyond me.
| mattnewton wrote:
| Is it possible the feeling is at least in part the result of
| marketing? Not trying to be inflammatory, but apple does spend
| a lot of money running excellent ads about how iPhones are
| private.
| margalabargala wrote:
| Do you have any evidence the iOS operating system is better in
| any significant way? The article you linked focused on the apps
| available in the store, not the phone OS itself (which is what
| this article is about).
| hellisothers wrote:
| Apps draft off what the OS allows, iOS keeps adding features
| at the OS level (do not track, "app tracking health" metrics,
| advertising opt out, etc). At best Android grudgingly offers
| some of this after the fact, at worst does what this article
| offers.
| shkkmo wrote:
| iOS collects and transmits all MAC addresses on the local
| network even with location services off, there is no way to
| disable this:
|
| > iOS shares with Apple the handset Bluetooth UniqueChipID, the
| Secure Element ID (associated with the Secure Element used for
| Apple Pay and contactless payment) and the Wifi MAC addresses
| of nearby devices e.g. of other devices in a household of the
| home gateway. When the handset location setting is enabled
| these MAC addresses are also tagged with the GPS location.[0]
|
| [0] https://www.scss.tcd.ie/doug.leith/apple_google.pdf
|
| So the answer is clearly that while they are both bad for
| privacy with the default configuration, some Android devices
| provide more control over the device and thus options for
| disabling telemetry.
| smoldesu wrote:
| If iOS were an open-source project, we wouldn't need to spend
| so long speculating what code is running on the devices that we
| own.
| commoner wrote:
| One area that iOS can improve on is the linking of app
| downloads to Apple IDs. I don't want every app I've ever
| downloaded on iOS to be permanently recorded in my Apple ID.
| With Android, I can use Aurora Store or sideload apps that were
| originally published on the Play Store without needing a Google
| account at all. Apple should implement a way to anonymously
| download free apps, whether from the App Store or from
| elsewhere.
| johnthuss wrote:
| I don't think this is news to anyone (in general), but it is
| increasingly becoming the differentiating factor between Android
| and iOS.
|
| Apple is all-in on customer privacy and Google hasn't really been
| able to respond on that front since their business model depends
| on targeted advertising based on data collected about their
| users.
|
| The question is whether regular people really care about privacy
| more than they do about the price of a phone. And so far it seems
| that the lower priced phones are winning.
| Tenoke wrote:
| Price and privacy are hardly the only differentiating factors
| between the two. And even if they were, those who care most
| about privacy have more options on Android at the extreme end.
| a_imho wrote:
| Wasn't CSAM the hot topic just a couple of weeks ago?
| BiteCode_dev wrote:
| Apple is just better at pretending being all in.
|
| They were part of PRISM.
|
| They recently added a systematic scan, compare and report
| routine to all your pictures.
|
| They force you to tie your phone to an Apple account just to
| use it. My android phone doesn't have an account, or even an
| email linked to it.
|
| Apple now has an entire mesh network of BT devices constantly
| looking up each others, even if some of them are not connected
| to internet.
|
| The microphone on the Apple device is always on, to answer to
| hey siri.
|
| Finally, you can't install a real alternative browser on iOS,
| so no real privacy addons.
|
| They make big claims about privacy nobody can check because
| everything is closed source. So you have to just trust them.
|
| "But apple doesn't have an ad business"
|
| Oh but they do. And they don't have to play by their own rules
| in the app store, and have the right to track users, gather
| device information, location, etc. Fun thing is, they start
| the list of information they collect
| (https://www.apple.com/legal/privacy/data/en/apple-advertisin...)
| by stating "Apple-delivered advertising helps
| people discover apps, products, and services while respecting
| user privacy".
|
| I don't think they are any better, just different. And better
| at PR.
| chuckee wrote:
| > The question is whether regular people really care about
| privacy more than they do about the price of a phone. And so
| far it seems that the lower priced phones are winning.
|
| To find that out, the privacy intrusions would have to be
| advertised as prominently as the price.
| micah94 wrote:
| So is the data collected by Google from Huawei phones a function
| of their OS based on Android 10? I thought Huawei was prevented
| from talking to Google.
| aritmo wrote:
| Android takes snapshots (screenshots) of apps as soon as you
| switch to another app. When you view the app list, it already has
| the last view of each app.
|
| But that the Xiaomi/MIUI Android sends over those screenshots back to
| the company is new information.
| AuthorizedCust wrote:
| I had a Pixel. That it took a screenshot when I switched apps
| makes sense. It allows the task switcher to open immediately
| and show the most recent state of all my apps. A screenshot of
| some sort is mandatory for the OCR functionality that allowed
| me to select text from these tiles in the task switcher (super
| handy!).
|
| I'm now on iOS 15 on an iPhone 12 Pro Max. I _think_ I've seen
| movement on the tiles in its task switcher, so I'm not clear if
| it takes screenshots. But the fact that the task switcher opens
| with no delay suggests that screenshots might be used?
|
| I'm only defending taking screenshots. Transmitting them to
| other parties is problematic.
| rootusrootus wrote:
| > I think I've seen movement on the tiles in its task
| switcher, so I'm not clear if it takes screenshots.
|
| In my experience, it seems like only the app you were in when
| you brought up the task switcher continues to update the
| screen. If you go somewhere else, like just back to the home
| screen, it goes static like all the rest.
| marcellus23 wrote:
| This is correct. iOS snapshots the app as soon as it's
| moved into the background, and that snapshot is what you
| see. When you bring up the switcher, the foreground app
| isn't backgrounded yet -- that only happens if you go to
| the home screen or actually switch apps.
| numair wrote:
| As I understand it, each iOS application is sort of like its
| own 3D plane within a larger environment, hence why the
| launcher shows up without any lag.
|
| I hope someone can do the work of pasting the original Aqua
| framework overview that's probably still hiding somewhere on
| the Apple website. The manner in which the combination of
| OpenGL (Metal?) and PDF work to render UI and elements on OS
| X and iOS is really quite remarkable. I think even now, 20
| years later, there isn't anything comparable being done by
| Android/Linux or Windows. I would love to be proven wrong,
| however (I haven't followed this closely for the past few
| years).
| kitsunesoba wrote:
| Yeah the iOS multitasking view tracks all the way back to
| windows in OS X 10.5 Expose being actual windows instead of
| snapshots, and the parlor trick of QuickTime player windows
| continuing to play video when minimized to the dock all the
| way back in 10.0 (and perhaps the 10.0 public beta, I
| forget). It's the kind of thing that family of operating
| systems has handled well for a long time.
| nitrogen wrote:
| Compiz and all subsequent compositing managers do the same
| thing for Linux (each app has its own surface in the GPU
| and can be composited in 3D), and I believe the compositing
| in Windows Vista and later is similar.
| extr wrote:
| How have you found the transition to iOS? For me, the task
| switcher OCR feature is absolutely killer, one of the main
| things still keeping me on Android. Does iOS have anything
| similar?
| AuthorizedCust wrote:
| I find the Pixel experience to be superior. But I took each
| of the areas where Pixel is better, item by item, and
| scored their value, and came out with a score recommending
| I keep the iPhone: https://www.arencambre.com/iphones-are-
| inferior-to-android-p...
|
| Context: I made that right after I got an iPhone 12 Pro
| Max. It was running iOS 14. iOS 15 may bias the score
| towards Apple even more with the current phone, and iPhone
| 13 biases it a bit more.
|
| I still like Android better.
| marcellus23 wrote:
| iOS 15 now OCRs text across the OS, including screenshots.
| So you can take a screenshot and get OCR'd text from there.
| AuthorizedCust wrote:
| That's more of a process than simply selecting text on
| the task manager tile.
| marcellus23 wrote:
| I guess. You have to hit the screenshot combo and then
| tap the screenshot, versus hitting the app-switcher
| button. Are you doing this often enough for that 1 extra
| step to be a big deal?
| extr wrote:
| For me, yeah this would be a much different experience. I
| use this feature all the time, to select anything from
| the title of a song on Spotify to a phone number embedded
| in an image on the web.
| marcellus23 wrote:
| In the latter case, you could just select the text in the
| image directly. How often do you use this feature per
| day?
| AuthorizedCust wrote:
| I'm increasingly finding great value in reducing
| complexity of simple tasks. I thought the push button
| rear door closer on my minivan was silly, but it came
| with it, so (shrug). I've grown to like it!
|
| Reducing from a few steps plus a major context switch to
| just one step is valuable.
| marcellus23 wrote:
| Where's the context switch?
| aero-glide2 wrote:
| The article doesn't mention screenshots at all.
| jand wrote:
| > System apps on several handsets upload details of user
| interactions with the apps on the handset (what apps are used
| and when, what app screens are viewed, when and for how
| long).
|
| I am too far away from Android development to make any claim
| about what "app screens" are. Is that android-lingo? Could
| someone please clarify?
| Arnt wrote:
| Sounds like an attempt at phrasing for the general public.
|
| Android apps have zero or more activities, each of which
| may be thought of as a single screen and a single Intent,
| which is a bit like a URL (and sometimes very much like a
| URL). A messenger or email app will typically have a main
| activity, an activity to view a single message, an activity
| to view a conversation with someone, perhaps an activity to
| view a single attached image, probably an activity to view
| and edit the application's settings, and so on.
|
| What is sent is perhaps the app's name and a class name
| within the app for each activity that's started.
| dr_kiszonka wrote:
| Exactly right. And you don't have to be a system app to
| access this information. Any app with sufficient
| permissions granted explicitly by a user can access these
| data (no root needed), and it may have legitimate reasons
| for doing it.
| alickz wrote:
| It sounds a lot like the screen events Firebase reports (a
| library by Google for analytics, among other things)
|
| It allows you to know which screens a user views, but not
| the data on the screen. A pseudo-example would be like
| "User opened LoginScreen/LoginActivity at yyyy-mm-dd and
| stayed on that screen for X seconds"
|
| Not an actual screenshot of said screen
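The kind of record Arnt and alickz describe above (app name, activity class name, timestamp), worked through as an added example that is not part of the thread or of the paper. The event lines are constructed and the package and activity names are hypothetical; the point is how much the class names and dwell times show without any screen content.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample, not real telemetry: one line per activity start,
# "<ISO timestamp> <package>/<activity class>". All names are hypothetical.
SAMPLE_EVENTS = """\
2021-10-11T08:00:05 com.example.bank/.LoginActivity
2021-10-11T08:00:35 com.example.bank/.AccountOverviewActivity
2021-10-11T08:02:35 com.example.bank/.LoanApplicationActivity
2021-10-11T08:10:35 com.example.mail/.InboxActivity
2021-10-11T08:11:05 com.example.mail/.ComposeActivity
2021-10-11T08:15:05 com.example.launcher/.HomeActivity
"""


def parse_events(text):
    """Return (timestamp, package, activity) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        stamp, component = line.split(maxsplit=1)
        package, _, activity = component.partition("/")
        events.append(
            (datetime.fromisoformat(stamp), package, activity.lstrip("."))
        )
    events.sort(key=lambda e: e[0])
    return events


def screen_durations(events):
    """Dwell time per screen: a screen lasts until the next activity starts.

    The last event has no known end and is dropped.
    """
    rows = []
    for (start, package, activity), (end, _, _) in zip(events, events[1:]):
        rows.append((package, activity, int((end - start).total_seconds())))
    return rows


def per_app_totals(rows):
    """Total seconds per app, summed over its screens."""
    totals = defaultdict(int)
    for package, _, seconds in rows:
        totals[package] += seconds
    return dict(totals)


def longest_screen(rows):
    """The single screen with the longest dwell time."""
    return max(rows, key=lambda r: r[2])


if __name__ == "__main__":
    rows = screen_durations(parse_events(SAMPLE_EVENTS))
    for package, activity, seconds in rows:
        print(f"{package:22} {activity:26} {seconds:4d}s")
    print("per app:", per_app_totals(rows))
    print("longest:", longest_screen(rows))
```

No screen content appears anywhere in the input, yet the longest entry is a descriptively named activity in a banking app, which is why activity names plus timing count as behavioural data.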
| jpm_sd wrote:
| What is the actual value of all this privacy invasion? Is the
| data even useful to anyone? Or is it just getting collected
| endlessly for no reason?
| dylan604 wrote:
| To the people collecting the data that can sell it, it is
| useful only in that someone will buy it. Once it is sold, they
| don't care one bit about how/where/why it is used.
| criddell wrote:
| Where can you buy it?
| jpm_sd wrote:
| But are the third parties buying the data actually getting
| anything useful out of it?
| dylan604 wrote:
| I'm not sure why you'd think it's not useful to someone
| somewhere.
|
| Game devs see how much time you play games, what type of
| games, if you purchase IAPs, etc. News feed apps sell what
| kind of news stories you read/follow/subscribe. Commerce
| apps sell what kind of things you buy, the prices you pay,
| the items you look at but don't buy etc.
|
| From all of that "metadata", one can build up a profile
| about you that's pretty accurate. If you can't imagine why
| that is useful to someone, then I'd posit you're not trying
| hard enough.
| streamofdigits wrote:
| How far are we from a phone that: ships fully formed - no
| flashing and stuff, has reliable supply chain and production, is
| open source only, usable on a daily basis (stable, normal battery
| life, all basic apps, easy upgrades) and ideally repairable /
| recyclable as much as possible?
|
| I would leave "high-end" specs and price constraints out of scope
| to make this a reality sooner than later.
|
| There are several contenders and combos /e/, lineageOS,
| pinephone, fairphone etc and I wish them all godspeed (also other
| small efforts out there I am not aware of), but it's not clear
| which one is ready for just the simple, honest, society and
| environment friendly mobile computing that we should have had all
| along and it is really a crime that we don't.
| jmnicolas wrote:
| Far in never. There's no (real) money to be made, manufacturers
| don't care.
|
| I use GrapheneOS. It's rough but at least it gives me peace of
| mind.
| streamofdigits wrote:
| Why is there no money to be made? I would at least pay to buy
| the hardware and possibly for ongoing software support as
| well (depending on how they structure such support or any
| other "soft" features). E.g. I think it's a jolly good idea if
| somebody really checked for a living all those open source
| apps.
|
| In any case if there is really no viable business model for
| private mainstream mobile computing we have been duped big
| time: This is not a consumer device, it is track-and-trace
| machinery.
| PeterisP wrote:
| In order to have a reasonable, stable supply chain at all,
| you need quite large scale; and even then your phone would
| have much smaller scale than the mainstream competitors and
| so would be significantly more expensive than their
| models with similar hardware, both because it's targeting a
| niche and also because all this tracking&targeting does
| result in some revenue stream for the manufacturers.
|
| It indeed is a jolly good idea if somebody really checked
| for a living all those open source apps, however the math
| works out only if you allocate the salary of those people
| over a million phones, not if you have only 10000
| customers.
|
| Perhaps _you_ would actually be willing to pay a large
| premium for that, but the vast majority of people are not.
| Perhaps a meaningful number of people would be willing to
| pay a _small_ premium like 10-20%? But that's not what's
| reasonably achievable, the differences are much larger as
| soon as you go off mass market production or start needing
| software modifications which are a large fixed cost that is
| cost-effective only if you're distributing it over very
| many phones.
|
| There have been many companies in the past which have found
| out the hard way that few people really care about privacy
| _that_ much (or they care but can't really afford much,
| which has the same effect), but for a recent example, you
| can look at the troubles of Librem 5; IMHO it's trying to
| do similar things, but its price/performance is suffering
| because of that and you be the judge whether their business
| model looks viable. And if you want a _trustworthy_ supply
| chain, then your (already high) costs literally double,
| again, Librem 5 "USA" model is an example of that - a $2k
| phone where the _core_ functionality (excluding the
| privacy) is essentially the same or worse as a $200 phone
| from a Chinese brand.
| thrtewgg66 wrote:
| there was a mass market sailfish phone in India but it was a
| flop. of course it has Android emulator that used to send just
| as much crap out as the original... but at least you could stop
| that.
| COGlory wrote:
| This has been my experience with e os. Everything just works
| joemazerino wrote:
| Always mind blowing. I recall a video from Copperhead showing the
| difference between a gApps enabled phone vs no-gApps.
|
| https://m.youtube.com/watch?v=zemRALtU4OY
| dont__panic wrote:
| Does anybody know if alternatives like GrapheneOS + microG
| mitigate these issues? Or should I just switch back to a 2005
| flip phone at this point?
| bennettnate5 wrote:
| It definitely helps--the vast majority of snooping comes from
| Google Play Services, so options like GrapheneOS + microG or
| CalyxOS resolve that issue quite nicely. They also have app-
| specific firewall abilities, so you can disable background or
| foreground network connectivity on any app you're suspicious
| of.
| dont__panic wrote:
| Thanks! I'm still using an old iPhone SE (2016) as my daily
| driver, but sooner or later iOS support is going to drop and
| I'll have to find a decent upgrade path. Considering my size,
| headphone jack, and fingerprint reader preferences, I think
| the Pixel 4a is the only device that seems viable to me on
| the market today... hopefully I'll still be able to pick one
| up in a year or two and slap GrapheneOS on it.
| deathjester wrote:
| I think it's a bit misleading to say Lineage OS sends data,
| because it doesn't. It's just the GApps installed with Lineage OS
| that sends data to Google. But you don't need to install GApps,
| then it doesn't send anything just like /e/OS does...
| thastings wrote:
| This is the exact thing I was wondering about. As far as I
| understood, they flashed GApps, even though GApps is not part
| of the default installation. I wonder what the findings
| would've been like on LineageOS without the GApps.
| salusinarduis wrote:
| I use GrapheneOS and LineageOS without Google Play Services. They
| are great and are suitable replacements for Apple and Google.
|
| - Osmand(FOSS) for maps (supports being fully offline!)
|
| - Signal and Discord for messaging (Discord is sandboxed)
|
| - Newpipe(FOSS) for Youtube
|
| - F-droid(FOSS) for my FOSS appstore
|
| - APKmirror for the few non-free apps I need
|
| - Libretorrent(FOSS) and VLC(FOSS) for watching movies
|
| - Firefox(FOSS) and Vanadium(FOSS) for browser
|
| - K9 Mail(FOSS) for email
|
| - Infinity(FOSS) for Reddit
|
| - Secur(FOSS) for 2FA
|
| - Taskkeeper(FOSS) for reminders
|
| Almost everything you need is in the F-droid FOSS app repository.
| It all works, and it works well. You can buy a used Pixel 3a for
| around $80 on Ebay and have a better experience in every category
| than iOS, hardware and software.
| [deleted]
| [deleted]
| websap wrote:
| I hope you have recurring donations set up for all these FOSS
| apps. FOSS still means that developers need to eat.
| websap wrote:
| It's unbelievable that I'm getting downvoted for asking
| people to pay for software on a platform where a large % of
| users are involved with technology. No wonder opensource
| based businesses are dissatisfied with how they are treated.
| Throwaway808808 wrote:
| Seconded. The downvote button is for comments that detract
| from the conversation, not because somebody disagrees. This
| place is turning into another Reddit.
| _V_ wrote:
| How does "I hope you at least pay for these apps" add
| anything even remotely relevant to the thread about what
| apps someone uses as part of their de-googled phone?
|
| Yeah, developers do need to eat, but this (IMO) snarky
| comment is hardly relevant to the OP.
| websap wrote:
| The way I read this submission is:
|
| 1. Google is tracking you. They track you because they
| need this data to target better ads, this is how they
| make money.
|
| 2. The OP for this comment, says they use FOSS apps to
| get around Google's tracking.
|
| My comment is about - if you are against the idea of
| being tracked for profit, it would be a good idea to
| vote with your wallet to help open source developers get
| paid and to show that there is a viable business model
| for other individual developers.
| CountDrewku wrote:
| Just bought a pixel to test lineageOS out. Worth mentioning
| that if you want less Google and still want to use normal
| Android services in the OS you need to install the MicroG
| lineageOS ROM. Otherwise, you're still sending Google a lot of
| info through Gapps or MindTheGapps.
|
| Graphene or lineage without any of those is also an option but
| you'll be missing a lot of the normal everyday apps you use.
| IMO if you're going that far though you might as well just go
| back to a flip phone.
| salusinarduis wrote:
| I don't agree regarding your flip phone comment, that's
| silly. I don't use any form of Google Play Services (No
| OpenGapps or MicroG even) and my phone works completely fine.
|
| The only thing that doesn't work is push notifications, which
| isn't a problem because FOSS apps like Signal bundle their
| own notification system that does not use Google Play
| Services. Discord however, does not get push notifications
| (which I wouldn't want anyway)
| CountDrewku wrote:
| Regardless of what software you put on the phone it is a
| tracking device. It has gps, audio, cameras, and web
| browsers that are all vulnerable to being hacked or used
| for tracking. I signed into gmail via the Bromite browser
| on my Pixel 3a. I immediately received an email from google
| about my new Pixel device. They now know what device I use,
| what browser etc.
|
| I don't care how locked down and FOSS you make your smart
| phone it's not going to be as secure as a dumb phone.
| There's a reason criminals don't use smart phones.
| salusinarduis wrote:
| GrapheneOS constantly spoofs the device's MAC so that
| argument is not valid (I also don't know how a website
| based email client is getting your MAC). It's also
| extremely easy to spoof the device's name. The way they
| are getting that is simply your browser's User Agent, or
| if it's an app, your phone's root properties. There may be
| some other identifying properties about the device they
| can collect though, I agree with you on that.
|
| Also, I agree with your argument about phones being
| tracking devices. Anything with a radio that connects to
| cell towers is going to be logged and tracked in perfect
| detail.
| CountDrewku wrote:
| You're correct about the MAC address. However, the rest
| of the information collected is plenty to build a profile
| of any person.
| snypher wrote:
| If you think Google is adversarial then don't use Gmail;
| it seems strange to avoid using their 'apps' but
| continue to use their products? I think you just handed
| them that information when you logged into their website.
| CountDrewku wrote:
| >I think you just handed them that information when you
| logged into their website.
|
| Obviously and that's my point. You are not going to avoid
| Google if you use the web. The best you can do is limit
| exposure.
|
| >Google is adversarial then don't use Gmail
|
| This is ignorant and unhelpful. Do you think I just
| decided not to consider that option? I don't have an
| option. I have to use it for work. This is the problem
| with the "don't use it" crowd. Most people are not going
| to get away from the major email provider options. The
| best I can do is sign in via browser or a 3rd party app.
| pessimizer wrote:
| > Obviously and that's my point. You are not going to
| avoid Google if you use the web. The best you can do is
| limit exposure.
|
| That couldn't have been your point. It's very easy to
| avoid having a gmail account.
|
| > This is ignorant and unhelpful.
|
| People here don't know you personally, or your needs.
| Most people don't need gmail for work. If your job
| requires you to use google products, it's going to be
| difficult for you to avoid google. But, again, your
| situation is not representative of the vast majority of
| people.
| CountDrewku wrote:
| >That couldn't have been your point. It's very easy to
| avoid having a gmail account.
|
| Did you miss the part where I told you we have Google
| Workspace (GSuite) and I have to use it for work? What
| part of getting rid of that is easy? I cannot stop using
| it end of story.
|
| >People here don't know you personally, or your needs.
| Most people don't need gmail for work.
|
| I feel like you're not aware of the fact that Gmail is
| used in corporate environments through Google Workspace.
| You need to research before spouting off stuff that's
| obviously misinformed. It's a direct competitor to Office
| 365 and MS Outlook servers.
|
| https://www.cnbc.com/2020/04/07/google-g-suite-
| passes-6-mill...
| dont__panic wrote:
| Consider Fennec instead of Firefox -- I just switched
| yesterday, and I _think_ the only difference is that Fennec is
| usually a couple of versions behind because it removes some
| Mozilla crapware.
| colordrops wrote:
| What about Firefox Focus? It's private by default and VERY
| unbloated. The ephemeral nature of sessions also forces me to
| not leave a hundred tabs open.
| salusinarduis wrote:
| Does it support extensions? I can't go anywhere without
| uBlock Origin :D
| COGlory wrote:
| It does
| dont__panic wrote:
| There's a workaround to support pretty much any FF
| extension at this point -- but you have to create a
| "collection" with your firefox account and then point your
| Android FF install at that collection. Not too hard, but a
| little bit of a PITA. If you're like me and maintain the
| same couple dozen extensions on every FF install, though,
| it actually works pretty well.
| aqfamnzc wrote:
| FWIW, Mozilla has worked with devs of some popular
| extensions to get them working on "new" mobile FF,
| including uBo.
| commoner wrote:
| Nowadays, Fennec F-Droid is usually on the same version as
| the release channel of Firefox, or at most a version behind
| for a week or so.
|
| https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/
|
| Fennec also lets you install any add-on from
| addons.mozilla.org through a tedious process,* which is still
| an improvement over Firefox release/beta on Android. The only
| channel of Firefox that supports this process on Android is
| the nightly channel.
|
| * https://blog.mozilla.org/addons/2020/09/29/expanded-
| extensio...
| _V_ wrote:
| What do you use as Dialer/SMS/Contact app?
|
| I tried to switch myself from iPhone and almost everything was
| OK but these were the worst to get right... I ended up using
| suite from Tibor Kaputa (Simple Dialer etc) but I ran into some
| rather annoying issues.
|
| Also, do you use phone recording? This was actually my breaking
| point, because I have an iPhone w/ jailbreak that enables me to
| record phone conversations (for my use only, not trying to get
| into the legal discussion). I did not find _anything_ for
| GrapheneOS (or Android in general) - just some info that I need
| to root my phone to get this working and with that I just
| reverted to my jailbroken iPhone.
| commoner wrote:
| The only functional FOSS call recording app for Android that
| I'm aware of is the Call Recorder app on F-Droid:
|
| - Call Recorder: https://f-droid.org/en/packages/com.github.a
| xet.callrecorder...
|
| To use this app, you'll need to root your phone using
| Magisk[1] and then install the Magisk module for Axet's Call
| Recorder.[2] Then, upgrade the Call Recorder app to the
| latest version in F-Droid. Note: do not enable "System Mixer
| Incall Recording" in Call Recorder, since it is not needed
| and may cause issues with recording.
|
| [1] https://github.com/topjohnwu/Magisk
|
| [2] https://github.com/Magisk-Modules-Repo/callrecorder-axet
|
| The default dialer and contact apps are both FOSS and
| functional, so I never felt the need to replace them. Signal
| can take over as the default SMS/MMS app, and there are
| alternatives with more features such as QKSMS:
|
| - QKSMS: https://f-droid.org/en/packages/com.moez.QKSMS/
| doc_gunthrop wrote:
| FairEmail is also a nice open-source, privacy-focused email
| client available on F-droid.
|
| https://f-droid.org/en/packages/eu.faircode.email/
| commoner wrote:
| FairEmail is really great, almost as fully featured as
| Thunderbird with the best support for multiple
| accounts/identities that I've seen on Android so far. The
| developer asks for a small donation to unlock a few advanced
| features,* which I recommend doing.
|
| * https://email.faircode.eu/donate/
| jonstaab wrote:
| Feeling quite smug about switching to CalyxOS earlier this week.
| ruph123 wrote:
| Same. It feels like the "have the cake and eat it" situation
| for me who switched over from iOS.
|
| I was worried that some apps might not work but that is not the
| case. Everything from banking apps to password managers just
| works fine with the only exception being NPR One (which is
| hilarious).
|
| They are really doing an outstanding job and I do not miss
| anything on here besides an Apple/Google Pay NFC solution. But
| that is quite ok.
| bennettnate5 wrote:
| Definitely on this boat. CalyxOS feels like it strikes a good
| balance between security/privacy and practical usability--the
| locked bootloader and app-specific firewall options are a huge
| plus, while MicroG ensures that I can still use every app I
| used to with the old Pixel-specific OS without ceding all of my
| data to Google Play Services.
|
| Invariably people bring up the signature spoofing needed for
| MicroG as some huge security hole, but from what I've seen it's
| really a non-issue--CalyxOS has tight restrictions to
| specifically allow only MicroG to use this, it's disabled for
| any other app.
| markenqualitaet wrote:
| Can I expect CalyxOS to support the Pixel 6 rather soon? Is
| e.g. camera performance dependent on closed source Google
| code/firmware? What are the limitations there?
|
| I was going for GrapheneOS, but tbh seeing that one main
| developer's personality issues turned me off big time. I don't
| care about technical advantages, if I have to trust in that
| guy's impulse control. Too small a project for that.
| xanaxagoras wrote:
| You can expect a dedicated team to start working on it once
| they're able to get their hands on some Pixel 6 devices. They
| don't get them early from Google you know, there's no
| cooperation there. They buy them when they're released just
| like we do, and it hasn't been released yet so work hasn't
| started.
|
| The general attitude towards GCam seems to be... Calyx isn't
| going to ship it but it's generally understood most people
| will be using it. The recommendation I got when I switched
| was to install the apk and disable all network access via
| Datura before I launched it for the first time. That works
| well, the pictures look great too. A recommendation I heard
| after I did that which I will be following next time is to
| extract the gcam apk from your new phone before you flash
| calyx and install that one (to avoid apkmirror or whatever).
| kaba0 wrote:
| GrapheneOS's main dev can come across as paranoid, but it is
| sort of understandable given the history of the project.
| Nonetheless, they are doing a spectacular job and I think
| using GCam with properly set permissions is the best of both
| worlds.
| kop316 wrote:
| Skimming through the article, they compare a few ROMs from
| significant phone manufacturers, LineageOS with Google Play, /e/,
| and Stock Android.
|
| It seems that LineageOS has GApps installed and /e/ does not
| (presumably since they use MicroG?), so it is looking like for
| LineageOS, it's really Google Play leaking this data.
| jeroenhd wrote:
| > It seems that LineageOS has GApps installed
|
| It doesn't come with GApps installed, you need to flash those
| packages manually. That said, LOS also comes without an app
| store whereas /e/ has a custom F-Droid-compatible store pre-
| installed.
|
| Combining LineageOS and MicroG is kind of hard (relatively),
| because LineageOS enforces signature validation, which MicroG
| needs disabled to properly fake the proper Google APIs. There
| are non-enforcing builds and build instructions available, but
| that's not the default. /e/ seems to have the necessary patches
| enabled by default, which makes using popular apps without
| flashing GApps a lot easier.
| Guest42 wrote:
| Can you recommend a couple phones that are compatible with
| LOS + microg? I looked on their sites and it wasn't quite
| clear
| commoner wrote:
| LineageOS for microG supports all phones that LineageOS
| does. Here's a spreadsheet of the full list along with the
| specs of each device:
|
| https://docs.google.com/spreadsheets/d/1bx6RvTCEGn5zA06lW_u
| Z...
|
| If you want a more specific recommendation, could you
| provide your budget and your requirements?
| Guest42 wrote:
| No budget restrictions although I'd like the ability for
| Bluetooth to run in the background and not go to sleep,
| and ideally ip67 or ip68 water protection.
| commoner wrote:
| All of the LineageOS phones I've ever used have been able
| to maintain a Bluetooth connection in the background.
|
| If you're fine with a used phone, the OnePlus 8 has a
| high-end Snapdragon 865 processor and 8 GB RAM.[1] The
| carrier models have IP68, and unlocked models are
| manufactured similarly but don't have an official IP
| rating.[2] If you're getting the T-Mobile carrier model
| (which may be carrier unlocked at sale), you'll need to
| request a code and wait a week to unlock the bootloader
| before you can flash LineageOS.[3] Used models go for
| $200-300 on eBay depending on condition, and a new
| factory unlocked model is $399.
|
| If you're looking for a new phone, you may want to
| consider the Pixel 5a which manages to have both IP67 and
| a headphone jack for $449 new, but uses a mid-level
| Snapdragon 765G processor paired with 6 GB RAM.[4] The
| OnePlus 9 Pro is also available with a high-end
| Snapdragon 888 processor, 12 GB RAM, and IP68 for $969
| new or about $600-800 used.[5]
|
| [1] https://www.oneplus.com/8
|
| [2]
| https://9to5google.com/2020/04/14/oneplus-8-ip68-water-
| resis...
|
| [3] https://www.oneplus.com/support/answer/detail/op588
|
| [4] https://store.google.com/us/product/pixel_5a_5g
|
| [5] https://www.oneplus.com/9-pro
| toastal wrote:
| The irony of this being in a Google Spreadsheet
| dron57 wrote:
| I've been using the Pixel 4a 5G for about 6 months with
| MicroG and Lineage. Works really well. Other than Whatsapp
| and Google Maps I don't miss anything, but those apps have
| alternatives too.
| Guest42 wrote:
| Fantastic!!!!
| commoner wrote:
| If you're trying to combine LineageOS with microG, the most
| straightforward solution is "LineageOS for microG" which has
| everything set up for you:
|
| https://lineage.microg.org
|
| I know of two other Android flavors that have microG
| integrated. /e/ is one of them and CalyxOS is the other.
| rcMgD2BwE72F wrote:
| I've made a complaint to the police and my local privacy
| regulator (in France) more than a year ago, regarding blatant and
| widespread illegal data collection by Google on probably most
| Android devices on Earth. I have not yet heard back from them and
| I doubt they'll even consider this report. Here it is in a
| nutshell.
|
| 1. set up a brand new phone (Pixel, OnePlus or else)
|
| 2. do not connect to a Google account at first or if it is
| required, log out and remove the account as soon as possible
|
| 3. create a contact on your phone with any Contact application
| (with a name, email address and phone number). Do not enable sync
| for this application.
|
| 4. open the Play Store to download any application (e.g one from
| your government). You'll be asked to connect to a Google account
| at this stage, of course
|
| 5. now, try to log into your Google account to download the
| application but *not have Google automatically collect all your
| contacts' details* (stored locally).
|
| You can't!
|
| This is not possible because:
|
| 1. by default, adding the Google account will enable the
| automatic synchronization for all Google-related apps and
| services (incl. Contacts). You can disable this _before_ login.
|
| 2. You cannot stop the sync of these Contacts while connecting
| Google Play to your account. It is done in the background and by
| the time you switch from Google Play (or the login page) to the
| Settings menu of your device, the sync will have started (if not
| completed already).
|
| 3. You cannot do all this in airplane mode obviously, as it's
| impossible to log into a Google account without an Internet
| connection.
|
| This is illegal per GDPR, because at no point you consent to have
| your data collected by Google. Also, Android does not inform you
| of this collection so it's up to you to discover this by browsing
| your device's settings, down a few sub-levels.
|
| It is a massive collection (and fraud) because most people have
| probably a hundred contacts or more on their mobile device. Most
| mobile devices run Android. Google Play is almost impossible to
| avoid nowadays (Twitter, Facebook, Youtube, Whatsapp, Signal,
| Firefox, your bank's app, your employers' apps... they all
| require Google Play and Services to work correctly). Worse, your
| contacts' information isn't yours, but your contacts' too. Google
| simply helps themselves.
|
| With 73% of mobile OS market share, around 99% of Android users
| being probably logged in just to access the Play Store, Google
| probably has collected the names, email addresses, phone numbers
| and lots of private information (birthday dates, home and work
| addresses, employers' names, job titles, digicodes, etc) of every
| person on Earth, and probably more than once. Without asking for
| permission.
|
| This is easy to reproduce, 100% illegal (at least per GDPR),
| everyone is affected and yet, _crickets_.
|
| If you're in the US and believe this is illegal there too, please
| contact a privacy organization or any entity that might do
| something about it, at least if you don't like having all your
| contact details collected by Google without consent.
| Tepix wrote:
| I'm wondering if Nokia phones with Android One are not snitching
| on their users like the others are.
| durnygbur wrote:
| Nokia licensed their mobile brand and now it's some Chinese
| producer slapping the logo on the devices. Probably on par
| with Xiaomi and Huawei.
| commoner wrote:
| I don't think this is accurate. Microsoft acquired Nokia in
| 2014, but then spun off the brand to HMD Global (a new
| Finnish company) in 2017. HMD and Foxconn have a partnership
| in which both companies co-design the Nokia phones that are
| then manufactured by Foxconn in Taiwan.
|
| https://www.anandtech.com/show/10879/hmd-closes-nokia-brand-...
| uhtred wrote:
| I use /e/os and have found it to be a great experience.
| https://e.foundation/
| snvzz wrote:
| Companies like Google hold a lot of power over their users.
|
| It's all-or-nothing, and not being part of the Google ecosystem
| is extremely inconvenient as more and more services depend on it.
|
| Only legislation can give power back to the users. It shouldn't
| be necessary to put up with this level of surveillance by big
| corps in order to function in society.
| cute_boi wrote:
| you mean the legislation that forced banks to use google safety
| nets create hindrance in rooting the phone? I really find
| myself in hopeless position these days when Google can do
| anything freely because they have enough cash to lobby
| anything.
| winternett wrote:
| >Only legislation can give power back to the users. It
| shouldn't be necessary to put up with this level of
| surveillance by big corps in order to function in society.
|
| Don't worry, after about 7 years there will be a low key class
| action suit and we'll miss the $7 payout and lawyers will
| collect the leftover millions for the sake of symbolic justice.
| Then perhaps big industry won't ever learn its lesson again.
|
| Congress has already proven that they're the Rip Van Winkle of
| IT awareness unless it pertains to boosting their personal
| investments.
| codefeenix wrote:
| Copperhead advert?
| salusinarduis wrote:
| I use GrapheneOS and LineageOS without Google Play Services. They
| are great and are suitable replacements for Apple and Google.
|
| - Osmand(FOSS) for maps (supports being fully offline!)
|
| - Signal and Discord for messaging (Discord is sandboxed)
|
| - Newpipe(FOSS) for Youtube
|
| - F-droid(FOSS) for my FOSS appstore
|
| - APKmirror for the few non-free apps I need
|
| - Libretorrent(FOSS) and VLC(FOSS) for watching movies
|
| - Firefox(FOSS) and Vanadium(FOSS) for browser
|
| - K9 Mail(FOSS) for email
|
| - Infinity(FOSS) for Reddit
|
| - Secur(FOSS) for 2FA
|
| - Taskkeeper(FOSS) for reminders
|
| Almost everything you need is in the F-droid FOSS app repository.
| It all works, and it works well. You can buy a used Pixel 3a for
| around $80 on Ebay and have a better experience in every category
| than iOS, hardware and software.
|
| The only limitation is push notifications, which isn't a problem
| because FOSS apps like Signal bundle their own notification
| system that does not use Google Play Services. Discord however,
| does not get push notifications (which I wouldn't want anyway)
| gnull wrote:
| I just reinstalled my FP2 with LineageOS and microG after
| reading your post.
| daneel_w wrote:
| _> ...and have a better experience in every category than iOS,
| hardware and software._
|
| Really? I tried GrapheneOS on a Pixel 4A, and without
| exaggerating or trying to come off sensationalist the
| experience was _really tepid_ compared to iOS, and even
| "normal" Android. Stuttering and jerky UI (which often also
| wanted to take a brief nap), very poor GPU hardware
| acceleration support, notably worse battery life, loads of
| things that just didn't work well (or at all) without Gapps,
| and trying to get Play Services shoe-horned into GrapheneOS was
| still quite the bug-ridden hassle. Additionally, the Open
| Camera app produced rubbish results compared to Google's native
| Android camera app, which matters a lot to me.
| busterarm wrote:
| I run GrapheneOS on a 4A with TMobile and the frequent
| reports of people trying to call me telling me my line is out
| of service and days where calls won't initiate from my phone
| at all makes me want to run back to my iPhone.
|
| The tethering seems to be pretty flakey as well with me often
| having to reboot the phone.
| margalabargala wrote:
| I've been using GrapheneOS on a 4A with TMobile as my daily
| driver for over a year and have had none of these issues.
| Never had an out-of-service notice from someone calling me,
| never had a call not initiate, and tethering works great.
|
| Maybe it's something to do with OpenGapps? I never
| installed it or microG, I'm perfectly happy with just
| Fdroid.
| louloulou wrote:
| I'm running GrapheneOS on a 4a right now and it's smooth like
| butter - maybe you needed to wait for a few updates. The
| camera has improved a lot as well but is still not close to
| the stock google camera.
|
| It seems like what you're looking for is CalyxOS + microG.
| commoner wrote:
| The mid-level processor on the Pixel 4a may just not be
| performing to your expectations. A phone with a high-end
| processor would perform better. For GrapheneOS, the fastest
| compatible phone available (used/refurbished) right now is
| the Pixel 4 (or Pixel 4 XL).
|
| Also, if you are using a Pixel phone with a non-default
| flavor of Android, the Google Camera app still works if you
| download it manually. APKMirror is a trustworthy app source
| run by Android Police:
|
| https://www.apkmirror.com/apk/google-inc/camera/
|
| (For Pixel phones using an older Android version, you may
| have to use an older version of Google Camera if the current
| version does not work.)
| salusinarduis wrote:
| I'm surprised to hear you say that. I've played the most
| demanding Android games on the Pixel 3a with no issues. I've
| never experienced anything but a butter smooth UI on Graphene
| or Lineage to be honest. The battery life has been all day
| for me even when using GBA emulators for multiple hours a
| day.
|
| I agree the default camera app of Graphene isn't great, but
| its picture quality is better than the iPhone I came from
| (iPhone SE gen1)
| 1vuio0pswjnm7 wrote:
| You mentioned Signal and Discord for "messaging". Can you or
| someone else confirm that _video calls_ work with GrapheneOS or
| LineageOS. I am getting ready to try these but I am still not
| sure video calling works. When reading about them I cannot find
| much discussion of this particular application.
| commoner wrote:
| I can confirm that video calls work in Signal on Android
| flavors that don't use Google Play Services, including both
| GrapheneOS and LineageOS.
| 1vuio0pswjnm7 wrote:
| Thank you. Much appreciated. :)
|
| (Perhaps WhatsApp might work as well, since, IME, it can be
| sideloaded and will work without a functional Google Play
| Services.)
| salusinarduis wrote:
| Signal is specifically designed to work without Google
| Play Services, so expect a 1:1 experience when using it
| with these privacy conscious distros.
|
| I'm confident Whatsapp will work, but I have not tried.
| Push notifications will not work without Google Play
| Services.
| commoner wrote:
| According to Plexus, WhatsApp works perfectly on Android
| without Google Play Services, whether or not you have
| microG installed.[1] I think they implement their own
| push notification system if you download directly from
| them,[2] though I haven't confirmed this.
|
| Discord works perfectly with microG, and has a 3/4 rating
| without it since notifications will only work if you have
| microG.
|
| [1] https://plexus.techlore.tech/applications/whats-app
|
| [2] https://www.whatsapp.com/android/
|
| [3] https://plexus.techlore.tech/applications/discord
| 1vuio0pswjnm7 wrote:
| IME, the notifications do work. I downloaded .apk
| directly from WhatsApp.
| tgsovlerkhgsel wrote:
| I've tried Osmand and found it way too slow/janky for everyday
| use (since it has to render the tiles locally and doesn't seem
| to pre-render for scrolling).
|
| Newpipe loads videos much slower than the official app and
| occasionally fails completely (likely because YouTube changed
| something).
|
| F-droid (regular, non-root install) shows me notifications to
| update apps, then when I tap them, I get a "there was a problem
| parsing the package" - this is a bug that has remained unfixed
| for over 5 years
| (https://gitlab.com/fdroid/fdroidclient/-/issues/669).
|
| It's not _impossible_ to use a FOSS phone, but it's truly
| painful.
| salusinarduis wrote:
| If you don't like Newpipe you can use Youtube Vanced which is
| basically a pwned version of the native Youtube app. I've had
| some stutters with Newpipe but overall I like it.
|
| Osmand really isn't bad, sure it's a little bit slower to
| render but we're talking maybe 500-1000ms on a Pixel 3a.
|
| Regarding F-Droid you're right it is quite buggy, but
| thankfully once you've got the apps you want you don't really
| need to use it except to update.
| dgan wrote:
| Do banking applications work? I mean as in "I buy X online. It
| requires me to login to my bank application and press
| 'confirm'. I perform this sequence, and online purchase is
| completed. "?
| salusinarduis wrote:
| Some will, however I have heard some of these apps have janky
| hooks into Android's trust system which will break them on
| non-google distros.
|
| Personally I wouldn't suggest having banking apps on a phone.
|
| You can always use the web browser if you absolutely must
| access those accounts.
| dgan wrote:
| I will try to do so with web account, however I doubt it
| will work..
| Kubuxu wrote:
| Most banks in EU require phone app based confirmations for
| transfers and other operations (according to PSD2
| directive).
|
| Visa and Mastercard also introduced 3DSecure system which
| piggybacks on the same system of confirmations. Vendors are
| incentivised to adopt it by lower rates.
|
| In essence when paying with card or making a wire transfer
| (or using some instant transfer method, for example Blik in
| Poland), you get notification on your phone asking you to
| confirm operation, even if you initiate it from your
| account in the browser.
|
| In essence Bank apps became 2FA devices. The only way to
| avoid it is to opt-out of the App 2FA and use paper one-
| time code pad. You regularly then get sent a list of codes
| by snail mail, which you have to type to confirm
| operations.
| gpvos wrote:
| It depends per bank; mine discontinued the paper OTP pad
| as well as the SMS codes, and gave me a separate 2FA
| device when I didn't want to use their app. I don't think
| banks can force you to have a smartphone yet.
| bubblethink wrote:
| Does nobody in the EU do computers? How do they pass
| asinine laws like this.
| robocat wrote:
| > separate 2FA device
|
| FYI in New Zealand a few banks can provide a device (e.g.
| RSA SecurID) for proper non-bank 2 factor auth with
| consumer accounts. However some major banks only use
| phones for 2FA (app or SMS).
|
| The norms seem to vary considerably depending on country.
| sorry_outta_gas wrote:
| I just use the website
| dylan604 wrote:
| What kind of purchase/checkout system works like this? I have
| never seen one, but if I had, I would not complete the
| transaction.
| Daniel_sk wrote:
| Most in EU do this or will do - it's part of EU bank
| regulation (PSD2). SMS isn't considered safe anymore and
| debit/credit card payments are confirmed through banking
| apps (you get a push and confirm).
| dgan wrote:
| amazon paysend many others do too. bank is Boursorama
| dylan604 wrote:
| Is this something more popular outside of the US where
| credit/debit cards are not as ubiquitous?
| Yizahi wrote:
| I think it's called 3D-Secure for debit/credit cards. In
| Ukraine for example it is pretty much a normal path for
| online payments. Also our "credit" cards aren't the same as
| your "credit" cards. Ours are basically the same as debit
| cards but with added overdraft amount and different
| service fees. They are created by the same banks as debit
| cards, not by separate corporations.
| dgan wrote:
| Maybe. I never owned a credit card, however I also
| basically didn't use cash for years, only debit card
| kevin_thibedeau wrote:
| I've had a US debit card where 3D secure was triggered.
| joshuaissac wrote:
| It usually happens when someone pays with a credit or
| debit card. If the confirmation is not given in the app
| within a certain time limit, the bank rejects the card
| transaction.
|
| Edit: to clarify, my comment is about the UK, and it does
| not happen with most card transactions; "usually" here
| refers instead to card transactions being the usual
| trigger (in my experience) for this app-based
| authentication flow.
| dylan604 wrote:
| "Usually" is a bit of a sticky word here. Your usual is not
| my usual, hence my questioning of it. My experience is US
| centric, so I'm assuming non-US but non-US is a really
| big place.
| nicoburns wrote:
| Online purchases with UK bank accounts often require this.
| Some banks use an OAuth-style redirect instead. I think the
| merchants get lower rates if they enable this feature
| (called "3D secure") because it lowers the risk of fraud.
|
| It's basically 2FA for online transactions, which seems
| very sensible to me.
| slock83 wrote:
| I switched to /e/ rather recently, and it also just happens
| that I am in the process of switching banks, which means I
| currently have two banking apps on my phone.
|
| Both are rather strict on having a clean, non rooted, non
| modified phone. Currently, they both work without any
| caveats, but I had to install magisk, add them to magisk
| hide, and use the magisk renaming feature to have them work.
| thastings wrote:
| I use the exact same setup, works like a charm. I can
| definitely recommend it for anyone concerned with the privacy
| issues of current mobile OSes. Furthermore, it never feels
| limited after getting used to this suite of apps, which may take
| up to a week at most.
| Scramblejams wrote:
| What do you use for photo management?
| commoner wrote:
| The default Gallery app is functional, and there are other
| FOSS options such as LeafPic and Simple Gallery.
|
| - LeafPic Revived: https://f-droid.org/en/packages/com.alienpants.leafpicrevive...
|
| - Simple Gallery Pro: https://f-droid.org/en/packages/com.simplemobiletools.galler...
|
| If you are looking for a hosted service to back up your
| photos, Stingle is an end-to-end encrypted photo hosting
| service. Alternatively, you can use Nextcloud to self-host.
| Both are FOSS on the client side, and Nextcloud is also FOSS
| on the server side.
|
| - Stingle: https://stingle.org
|
| - Les Pas gallery app for Nextcloud:
| https://github.com/scubajeff/lespas
| mattl wrote:
| If you wanted to install something like WhatsApp or Lyft would
| it work?
| salusinarduis wrote:
| Yes they will work, however to get notifications when the
| apps are closed you would need to have some form of Google
| Play Services. I suggest MicroG if you are intending to do
| this since it seems to be the least invasive.
|
| In my personal case though, I would still not use MicroG, and
| would just leave the app open until I am done using it. This
| is easier on Android because apps are not suspended in the
| same manner iOS apps are.
| dylan604 wrote:
| What about when the phone locks? My phone is set to
| autolock after 1 minute. Leaving an app open just to
| receive notifications seems like a waste of battery.
| uhtred wrote:
| I use /e/os. It is based on LineageOS, is completely de-
| googled and has MicroG integrated. MicroG means push
| notifications with apps like WhatsApp will work.
| https://e.foundation/
| salusinarduis wrote:
| If your phone is locked you will most likely not get the
| notifications, it just depends on the app. I do agree it
| can waste battery.
|
| It's important to remember this is only a concern on non-
| free apps. The FOSS apps have very low power background
| services that check for notifications without the app
| running.
| technerder wrote:
| Could you elaborate on what you mean by "Discord is sandboxed"?
| Are you using an app to sandbox it?
| Steltek wrote:
| Could be using [Shelter](https://github.com/PeterCxy/Shelter)
| to isolate apps. I don't know how effective it really is.
| commoner wrote:
| Insular is another app that activates the Android work
| profile: https://secure-system.gitlab.io/Insular/
|
| Both Shelter and Insular are effective for isolating your
| files, contacts, and phone logs in each profile. If you are
| using a VPN, it is limited to the profile that the VPN app
| is installed on, and you need to install and run it again
| on the other profile to cover the apps in that profile.
| deft wrote:
| There's an app available on f-droid called Aurora Store that
| lets you download apks from the Play Store directly, avoiding
| the need for stuff like APKMirror (where you don't know where
| or what happens to the apk you're downloading). On desktop you
| can use the program Raccoon for the same.
| salusinarduis wrote:
| Thanks for the suggestion!
| noja wrote:
| Please, technical people of HN, install NetGuard on your Android
| phone. You will be shocked where your data goes. GDPR? Ha!
| Graffur wrote:
| Based on your comment I have installed it and enabled
| notifications.. immediately it told me that Facebook attempted
| internet access. I have 432 other apps so it will be
| interesting to see what else is phoning home.
| aboringusername wrote:
| > immediately it told me that Facebook attempted internet
| access.
|
| I am not sure how that information is useful to you or anyone
| else, not trying to be snarky, but an internet app wanting
| internet access...is the expected behavior?
|
| Most apps and operating systems communicate over the internet
| for any number of reasons, heck, apps can even check if you
| _have_ internet access or not (and respond accordingly, such
| as caching content to send later on).
|
| Doesn't make it weird or suspicious...
| larrik wrote:
| Doesn't sound like he was in the Facebook app at the time,
| though.
| Graffur wrote:
| I have the FB app but rarely use it. Why would it be
| phoning home when I don't have it open?
| kaba0 wrote:
| To check for notifications? I'm fairly sure they haven't
| implemented a complex AI model to determine that "you are
| using it rarely", so the check it out each n minutes is a
| constant thing.
| ignoramous wrote:
| See also: https://github.com/offa/android-foss#-firewall (In
| particular, AfWall+ for _root_ed device is quite powerful)
| aboringusername wrote:
| I was wondering if you could expand on your comment because I
| am confused. How is seeing what IP addresses an app
| communicates with a violation of GDPR? If I can't see the
| _content_ of the data it's sending but just _where_ it's
| going, that is not exactly a violation.
|
| It's not illegal to communicate with an IP address, there could
| be many reasons $app sends a request via a US server.
|
| Like a postman with an address and an envelope isn't enough to
| just assume a crime has been committed it works the same
| digitally...
| drclau wrote:
| Similarly, for iOS you can use the new "Record App Activity"
| functionality.
|
| See:
|
| https://news.ycombinator.com/item?id=28804174
|
| https://news.ycombinator.com/item?id=28838394
| silicon2401 wrote:
| Giving this a try based on your glowing recommendation. Thanks
| for suggesting it! I'm always interested in improving my
| privacy measures
| Factorium wrote:
| Your opt-out is to buy an iPhone.
| Gunax wrote:
| But I also don't approve of apple's control over what I install
| and I think its stance on browsers is anti-competitive.
|
| Now I feel stuck.
___________________________________________________________________
(page generated 2021-10-12 23:01 UTC)