[HN Gopher] Android phones are sending significant amount of use...
___________________________________________________________________
Android phones are sending significant amount of user data with no opt-out [pdf]

Author : giuliomagnifico
Score  : 309 points
Date   : 2021-10-11 16:52 UTC (1 days ago)

(HTM) web link (www.scss.tcd.ie)
(TXT) w3m dump (www.scss.tcd.ie)

| 2Gkashmiri wrote:
| can i see this "exfiltration" out of an android using a pi-hole? i have multiple androids at home and a network wide pi-hole so i would love to see if there is something i can see and maybe block
|
| rangerdan wrote:
| Not unless you have a lot of free time to pore through thousands of log lines manually.
|
| eldaisfish wrote:
| any DNS-based tool is going to tell you which IP address is being contacted, not what is sent or how much.
|
| You can certainly block domains and that will prevent some google telemetry but a DNS-based tool is not what you're looking for.
|
| sumtechguy wrote:
| Has anyone played with adding a cert and using a squid proxy to help log what is going on?
|
| [deleted]
|
| noja wrote:
| Install NetGuard.
|
| elevaet wrote:
| I use Android because of the walled-garden approach to data that Apple tries to funnel its users into. The privacy issues give me pause however.
|
| [deleted]
|
| ir77 wrote:
| it's always amazing to me that a typical android user tells me they hate iOS because it's locked down and android is much more open -- whenever i follow up with what apps they've actually side loaded they don't know what i'm talking about, never mind about whether their phone is rooted and they're running a rom.
|
| yet a majority of them use very expensive handsets that compete in a premium space to iOS devices and ciphen data not only back to google but to their respective manufacturers and anyone else that puts bloat on their phone -- bloat that they can't remove on their "much more open devices".
|
| what was the silly movie that had the quote "the greatest trick the devil made was to convince the world that he didn't exist.".
|
| detaro wrote:
| Of course anecdotal here too, but it seems highly unlikely that that's a _typical android user_ perspective. Even among fellow nerds that argument is not that overwhelming, and they are a tiny group of people.
|
| imwillofficial wrote:
| You are correct. I have the same experience often.
|
| *siphon
|
| "The Usual Suspects", Keyser Soze
|
| nicoburns wrote:
| > whenever i follow up with what apps they've actually side loaded they don't know what i'm talking about, never mind about whether their phone is rooted and they're running a rom.
|
| An android phone is more open even without side-loading or rooting because Google's play store is much less restrictive than Apple's app store.
|
| doc_gunthrop wrote:
| A distinction needs to be made clear here with regards to the data being transmitted to Google by LineageOS in this study.
|
| In the cited paper (https://www.scss.tcd.ie/Doug.Leith/Android_privacy_report.pd...), the device used to test LineageOS was a Google Pixel 2 running LineageOS 17.1 which also included an installation of _OpenGapps 10.0 nano_.
|
| It's not the OS that is transmitting the data over to Google, but rather OpenGapps (ie. Google Play). OpenGapps is software that can be _optionally_ installed after the initial installation of LineageOS (but before first boot). A user can still use LineageOS without OpenGapps, though they just won't have the benefits (and drawbacks) that come with it (such as being able to use apps that require GSF). The user can instead opt for an app manager like F-droid or possibly Aurora Store.
|
| In addition, there exists an alternative to OpenGapps called MicroG. This is like Google Play but allows users the option to anonymize themselves.
| One can find custom LineageOS builds that include MicroG from the MicroG website (as the members of the LineageOS project do not advocate for its use, instead giving preference to OpenGapps). Keep in mind, however, that there are fewer devices supported by those builds.
|
| xanaxagoras wrote:
| > One can find custom LineageOS builds that include MicroG
|
| Why bother? Just use Calyx.
|
| JasonFruit wrote:
| I'm using LineageOS with neither OpenGapps nor MicroG, and can confirm that Aurora works without. There are numerous apps available from Aurora that will not function, of course, and many other inconveniences of varying severity, but it's overall a good experience.
|
| CountDrewku wrote:
| Yep MicroG is the route I'm going on Pixel3a I just bought. You don't need to sign into any Google services to use them. For now I'm just using maps. I found a nice Reddit article on de-googling even more as well. If you install OpenGapps you might as well forget it-
|
| https://www.reddit.com/r/fossdroid/comments/clg2ca/how_to_de...
|
| cookiengineer wrote:
| Technically, the Internet Connectivity Check on LineageOS also sends your position/IP to Google, and also avoids a VPN tunnel because it's lower down the stack.
|
| I can recommend LineageOS, however be aware that lots of malware infected builds have made it to xda dev in the past, so you should build it yourself if possible (or use the official downloads).
|
| Regarding the Connectivity Check: You can add all google related domains to /system/etc/hosts if you have root/sudo access.
|
| Additionally I'd recommend everyone to use RethinkDNS as a DNS adblocker and app firewall - and AppWarden to patch out the Analytics parts of proprietary Apps.
|
| thrtewgg66 wrote:
| you can disable captiveportal and block everything else with netguard
|
| (check Netguard thread on xda)
|
| yjftsjthsd-h wrote:
| > however be aware that lots of malware infected builds have made it to xda dev in the past,
|
| Can you point me to some? How were they caught? I knew this was a possibility, but I hadn't seen it actually happen before.
|
| kekebo wrote:
| One used to be able to change the captive portal url using adb [0], although I'm not sure that's still the case in current android builds.
|
| [0] https://gist.github.com/tonyseek/bc5b72197ddb15418c614060617...
|
| commoner wrote:
| I can confirm this used to work, but I'm not sure if that's the case now. These were the instructions I used:
|
| https://android.stackexchange.com/a/186995
|
| johnbrodie wrote:
| I can't recall the exact settings to push via ADB, but the Internet Connectivity Check is "easy" to fix. Create a server that's always up that responds with a 301 (or whatever the check expects), and push the address to the phone. Done.
|
| It's a shame that Google's servers are the default, and I wish it were at least called out by Lineage. That said, I doubt they want to cover hosting costs of such a service (although I'd think they'd be fairly minimal).
|
| commoner wrote:
| For anyone trying to implement this, the HTTP status code that Android looks for is 204.
|
| https://android.stackexchange.com/a/186995
|
| twobitshifter wrote:
| This internet connection check actually caused problems for us when we started having users in China on android. Our code was checking for a connection before transmitting data and android thought the device was disconnected due to the great firewall. I think there's just a hack around it for now that disabled the android connection check for those users.
|
| commoner wrote:
| Some Android flavors, including /e/[1] and GrapheneOS,[2] don't use Google servers for the internet connectivity check by default.
|
| [1] https://gitlab.e.foundation/e/backlog/-/issues/268#note_1809...
|
| [2] https://grapheneos.org/faq#default-connections
|
| 1vuio0pswjnm7 wrote:
| Looking through the GrapheneOS source, the servers may not be Google servers but the system is still designed to phone home. As such, have they solved the problem or is this just another case of "Don't trust them, trust us instead."
|
| Has anyone succeeded in running multiboot on "smartphone" hardware, i.e., where the user can boot into a choice of kernel/userland. One choice might be Android, another might be GrapheneOS/LineageOS, another might be an OS that does not rely on any third parties whatsoever (no conveniences, "app stores", "connectivity checks", etc.) and is fully controlled by the user. In other words, the third choice lets the pocket-sized computer be used more like a pre-smartphone era desktop/laptop OS. Basic functionality.
|
| kaba0 wrote:
| For your later linked examples, those can be changed.
|
| But as for the microG/GApps question, GrapheneOS provides a sandbox for the actual GApps, so that almost everything can run properly, with very strong control over what is seen by Google.
|
| bubblethink wrote:
| Eh, if you want an airgapped phone, use it in airplane mode. Obviously, the phone needs some network infra for things like updates or timekeeping. You can route it over vpn if you don't trust your isp, and you can build everything yourself and host all the servers yourself too if you so prefer. This type of pedantry is more harmful than useful to casual users who would be far better served with grapheneos than some non-existent ideal phone.
|
| 1vuio0pswjnm7 wrote:
| Looking at the FAQ provides more details on various ways GrapheneOS phones home by default. Thankfully, some of these "services" can be disabled.
|
| The time service is enabled by default but can be disabled.
|
| "An HTTPS connection is made to https://time.grapheneos.org/ to update the time from the date header field."
|
| "Network time can be disabled with the toggle at Settings > System > Date & time > Use network-provided time."
|
| Connectivity checks are enabled by default but can be disabled.
|
| "Connectivity checks designed to mimic a web browser user agent are performed by using HTTP and HTTPS to fetch standard URLs generating an HTTP 204 status code."
|
| "You can change the connectivity check URLs via the Settings > Network & internet > Advanced > Internet connectivity check setting. At the moment, it can be toggled between the GrapheneOS servers (default), the standard Google servers used by billions of other Android devices or disabled."
|
| Why these are enabled by default, i.e., opt-out instead of opt-in, is strange considering this OS is aimed at technical, security and privacy-conscious users. Users who would surely know what services they want and be capable of enabling them.
|
| dyndos wrote:
| Did you actually find any examples of GrapheneOS phoning home?
|
| GrapheneOS doesn't rely on any third-parties I'm aware of. The only service provided is over-the-air security updates. It doesn't even come with an app store (although you can install F-Droid).
|
| For that reason, GrapheneOS alone fits all three categories you mentioned: It is Android, it is GrapheneOS, and it is fully controllable / doesn't ship bloatware.
|
| 1vuio0pswjnm7 wrote:
| "The only service provided is over-the-air security updates."
|
| Connectivity check / time servers
|
| https://grapheneos.org/articles/grapheneos-servers#grapheneo...
|
| Amongst others.
|
| [deleted]
|
| aboringusername wrote:
| The issue with Android is it's extremely restrictive from a firewall perspective, I guess exactly as designed.
|
| I cannot dictate what apps chat over the internet or to what IP's (say, a setting to only allow EU-only addresses).
|
| Of course this means - rightfully or wrongly - you have to move this to another layer - probably PiHole or router level, but even then there could be gaps (can it use mobile data with you unaware?).
|
| I am surprised major OS' still don't allow users to configure this yet. it's pretty basic stuff.
|
| autoexec wrote:
| Last I checked the default keyboard samsung installs on their phones was collecting what you typed and sharing/selling that data with third parties. I try not to store or access any personal information on my cell phones when i can avoid it, but at a certain point, just having one is enough to seriously compromise your privacy. Strong regulation with real sharp teeth is the only thing that can fix this situation.
|
| ibeckermayer wrote:
| Strong regulation by whom? The organization that brought us the CIA, NSA, FBI, and the rest of the alphabet soup of "security" bureaucracies that spy on us arbitrarily?
|
| Strong regulation could easily worsen the problem, as it can lead to a ratcheting up of the regulatory burden until only mega corps like Apple and Google could afford to make phones, and upstarts like Purism and Pinephone get squeezed out.
|
| How about before getting so gung ho with pointing the government gun at everyone's head, we consider the option of rolling back the unjust regulations that already exist which give the mega corps undue government privilege (patents are a good place to start), and encouraging (by voting with our wallets) organic alternatives to emerge, like they already are doing.
|
| autoexec wrote:
| > The organization that brought us the CIA, NSA, FBI, and the rest of the alphabet soup of "security" bureaucracies that spy on us arbitrarily?
|
| Which organization do you think that is? you think they all came from the same place?
| Every one of these agencies came into existence under very different circumstances at different times and they fall under different branches and operate in different areas.
|
| Yes, it's a horrible thing that these agencies are being used to spy on all American citizens in violation of our freedoms, but that fact doesn't mean that we shouldn't allow any government agency anywhere to enforce regulations. How does that make any sense at all? You could say the same for literally anything. "Who should regulate the amount of lead in our drinking water? The organization that brought us the CIA, NSA, FBI, and the rest of the alphabet soup of "security" bureaucracies that spy on us arbitrarily?"
|
| > Strong regulation could easily worsen the problem, as it can lead to a ratcheting up of the regulatory burden until only mega corps like Apple and Google could afford to make phones, and upstarts like Purism and Pinephone get squeezed out.
|
| It literally couldn't worsen the problem of our privacy being violated and used against us by cell phone companies. If it's illegal for Google to do it, and we had regular independent verification that they were not violating those laws, then it wouldn't matter if the only cell phones that existed on the whole of Earth were made by Google. Google still wouldn't be doing the bad thing we're trying to stop.
|
| Yes, I'd prefer to have more choices but there's zero requirement that regulations make it prohibitively expensive for any company even an upstart. In fact, because this would be regulation against collecting, securing, maintaining, analyzing, marketing, and selling our personal data it'd actually save companies tons of money since they'd no longer be doing any of those things. Established companies who are currently exploiting consumers won't get to profit off of them as they are currently, but they will still save a lot of time and money not exploiting the public.
|
| > How about before getting so gung ho with pointing the government gun at everyone's head, we consider the option of rolling back the unjust regulations that already exist which give the mega corps undue government privilege (patents are a good place to start)
|
| This isn't an either/or type of thing. There's a lot of great and important things we should be doing. This is one of them. Let's do them all.
|
| > and encouraging (by voting with our wallets) organic alternatives to emerge, like they already are doing.
|
| If "the market" were going to solve this problem, if it were capable of solving this problem, it would have been solved already. It's not. Until strong regulations are in place there will continue to be a very very strong perverse incentive to not solve this problem. We're coming up on 50 years of mobile phone technology and at present there are no comparable options for cell phones and mobile networks that preserve privacy. None. It's not regulations forcing Google and Apple to collect our personal data. They are choosing to do it. They could stop tomorrow if they wanted to. They don't want to. They won't stop until they are forced to stop.
|
| hungryforcodes wrote:
| Hi! I have a Samsung and I looked around online and couldn't find any real info on this topic. I don't doubt it's quite possible, but where is your source from? It's been hard for me to confirm. A good point, though, I'll look at the open source options....
|
| autoexec wrote:
| Samsung's own privacy policy and those of the 3rd parties they use. It's been over a year and checking now some things have already changed, but if you click on the gear icon from within the keyboard you can select "about Samsung keyboard" which should give you a list of policies including gify and tenor (both used for gifs I guess) but i didn't even check those.
| The one you want is the legal info which tells you that in addition to samsung's privacy policy (which outright says it's collecting and selling everything it can get their hands on (see https://www.computerworld.com/article/3514999/samsung-sellin...) you also have to accept the policy of a 3rd party called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their privacy policy which opens in the browser. They collect and store things like "your choice of words, speech and writing patterns, how you use your keyboard, custom words you add, the number of characters you type, your typing speed, etc. and they share (read sell) that data to affiliates, subsidiaries, vendors, subcontractors, etc (pretty much anyone they feel like). They specifically state they use this data to draw inferences reflecting your characteristics, behavior, abilities, preferences and aptitudes all of which they can sell to anyone at any time without even telling you about it because what they learn about you by going over all your data is their data and they don't have to tell you anything at all about what they do with their data.
|
| nimbius wrote:
| https://play.google.com/store/apps/details?id=org.dslul.open...
|
| OpenBoard is a 100% foss keyboard based on AOSP, with no dependency on Google binaries, that respects your privacy.
|
| hbcondo714 wrote:
| Thanks for this, just installed it and when I click to enable in my settings, I get an Attention message:
|
| "OpenBoard may be able to collect all the text you type, including personal data such as passwords and credit card numbers"
|
| This appears to be from Samsung, trying to deter users from using keyboards other than their own.
|
| commoner wrote:
| That's a generic warning that shows up on all flavors of Android, including AOSP and LineageOS, when you enable any new input method.
|
| autoexec wrote:
| I'm glad they let people know it's possible, a keyboard isn't something you should install without some careful consideration because they can be used as keyloggers. I just wish they'd been as clear about that with the keyboard already installed on the phones when they ship. Anyone seeing that warning might easily think it's safer not to replace their stock keyboard even though it's already doing the very thing they fear a new keyboard might do.
|
| autoexec wrote:
| Once I realized what samsung was doing I switched to AnySoftKeyboard and I'm pretty happy with it. It's got a lot of options.
|
| https://f-droid.org/en/packages/com.menny.android.anysoftkey...
|
| ignoramous wrote:
| One may replace the keyboard, but the underlying "input method" framework is still under OEM's (in this case, Samsung's) control: That is (afaik), they could key-log just fine regardless of whatever keyboard one may install / use.
|
| brodock wrote:
| I've tried both anysoftkeyboard and openboard, and liked openboard layout better but wanted swiftkey like support from anysoftkeyboard. Looking at reddit fossdroid I discovered the one fitted me better as a closer to openboard with swiftkey support : FlorisBoard
|
| commoner wrote:
| FlorisBoard is really nice. Among all of the FOSS Android keyboards, I've found the gesture typing on FlorisBoard to be the most accurate.
|
| https://github.com/florisboard/florisboard
|
| padraic7a wrote:
| Thanks, I'll check that out.
|
| I've been using Swiftkey since before Microsoft bought it, and really enjoying it.
|
| I know I shouldn't be surprised but I feel really betrayed that they use it to track app usage and link it to IMEI and the Google advertising id.
|
| aqfamnzc wrote:
| I was also a long-time fan of Swiftkey, and switched to OpenBoard a few months ago. The main differences are lack of swipe input which I miss dearly, and slightly less intuitive correction.
| I think since switching I've put a little more effort into being more accurate which has helped.
|
| SV_BubbleTime wrote:
| There are lines in the sand, and a default key logger sending data to undisclosed third parties should be a pretty easy one everyone can agree on.
|
| atatatat wrote:
| This isn't the sort of news that wins on people's Facebook or Instagram feeds.
|
| frankenst1 wrote:
| > Last I checked the default keyboard samsung installs on their phones was collecting what you typed and sharing/selling that data with third parties.
|
| How did you check? Do you have a source/link?
|
| autoexec wrote:
| as stated elsewhere:
|
| Samsung's own privacy policy and those of the 3rd parties they use. It's been over a year and checking now some things have already changed, but if you click on the gear icon from within the keyboard you can select "about Samsung keyboard" which should give you a list of policies including gify and tenor (both used for gifs I guess) but i didn't even check those. The one you want is the legal info which tells you that in addition to samsung's privacy policy (which outright says it's collecting and selling everything it can get their hands on (see https://www.computerworld.com/article/3514999/samsung-sellin...) you also have to accept the policy of a 3rd party called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their privacy policy which opens in the browser. They collect and store things like "your choice of words, speech and writing patterns, how you use your keyboard, custom words you add, the number of characters you type, your typing speed, etc. and they share (read sell) that data to affiliates, subsidiaries, vendors, subcontractors, etc (pretty much anyone they feel like).
| They specifically state they use this data to draw inferences reflecting your characteristics, behavior, abilities, preferences and aptitudes all of which they can sell to anyone at any time without even telling you about it because what they learn about you by going over all your data is their data and they don't have to tell you anything at all about what they do with their data.
|
| MattGrommes wrote:
| It seems worth talking about the fact that it appears to be the vendor of the phone putting this kind of snooping in place. Blaming Android is missing the real culprit. Like they say in the article, we need stronger controls on people's data for whoever happens to make the phone's OS.
|
| closeparen wrote:
| For practical purposes Android is not just the open source codebase but also the economic institution, where various middlemen get to do sketchy and low-rent stuff in between the trusted brand and the consumer. That is the "openness" that sets it apart from its competitor.
|
| 3np wrote:
| There's still data sent to Google as part of Android except for currently obscure ones like /e/ and Graphene.
|
| It's like a combination of the desktop Windows of the 90s (malware preinstalled by vendors) and today (increasing surveillance by the OS developers) with Apple (you need to basically risk breaking the device and void the warranty to get away from it)
|
| Dutchie2020 wrote:
| Does anyone here have any experience with the /e/OS mentioned in the article?
|
| COGlory wrote:
| I purchased a Samsung Galaxy S9 (in the US) from them. My first impression: Everything works. Apps (if it's not on their store, which is a mix of F-Droid and other APKs, it's on Aurora), Google services works without signing (MicroG), GPS works, OTA updates work (with one click).
|
| My biggest complaint is that their App store isn't just F-Droid, and their APKs are often out of date by 1-2 weeks.
| My biggest compliment (besides everything just working to the point I could recommend it to a relative), is that they are active and engaged in their community, regularly reading their forum, soliciting feedback, and posting weekly updates.
|
| https://community.e.foundation/t/week-41-development-and-tes...
|
| Kototama wrote:
| It's rather good and at some point they managed to have release for my previous phone model when the lineageos stopped!
|
| I used it without their cloud services. Some of the pre-installed apps cannot be removed (like email, pdf readers) which is slightly annoying. They have their own launcher/desktop but it's not that good, it even crashes time to time.
|
| Last time I checked, it was not super transparent which non-FOSS store they used.
|
| Overall I think the experience with LineageOS is better but /e/ comes with MicroG so it's practical if you need a few proprietary apps.
|
| hellisothers wrote:
| And yet we have articles that say iOS is similar if not worse and people pile in to "both sides" it (1). Why is it I feel it's clear that fundamentally iOS favors privacy (for profit) and Android eschews it (for profit) yet it's somehow debatable still?
|
| (1) https://news.ycombinator.com/item?id=28819318
|
| rangerdan wrote:
| iOS is just as bad, if not worse. See https://gist.github.com/iosecure/357e724811fe04167332ef54e73...
|
| JohnWhigham wrote:
| How anyone can say iOS favors privacy with a straight face after the CSAM debacle is beyond me.
|
| mattnewton wrote:
| Is it possible the feeling is at least in part the result of marketing? Not trying to be inflammatory, but apple does spend a lot of money running excellent ads about how iPhones are private.
|
| margalabargala wrote:
| Do you have any evidence the iOS operating system is better in any significant way? The article you linked focused on the apps available in the store, not the phone OS itself (which is what this article is about).
|
| hellisothers wrote:
| Apps draft off what the OS allows, iOS keeps adding features at the OS level (do not track, "app tracking health" metrics, advertising opt out, etc). At best Android grudgingly offers some of this after the fact, at worst does what this article offers.
|
| shkkmo wrote:
| iOS collects and transmits all MAC addresses on the local network even with location services off, there is no way to disable this:
|
| > iOS shares with Apple the handset Bluetooth UniqueChipID, the Secure Element ID (associated with the Secure Element used for Apple Pay and contactless payment) and the Wifi MAC addresses of nearby devices e.g. of other devices in a household of the home gateway. When the handset location setting is enabled these MAC addresses are also tagged with the GPS location.[0]
|
| [0] https://www.scss.tcd.ie/doug.leith/apple_google.pdf
|
| So the answer is clearly that while they are both bad for privacy with the default configuration, some Android devices provide more control over the device and thus options for disabling telemetry.
|
| smoldesu wrote:
| If iOS were an open-source project, we wouldn't need to spend so long speculating what code is running on the devices that we own.
|
| commoner wrote:
| One area that iOS can improve on is the linking of app downloads to Apple IDs. I don't want every app I've ever downloaded on iOS to be permanently recorded in my Apple ID. With Android, I can use Aurora Store or sideload apps that were originally published on the Play Store without needing a Google account at all. Apple should implement a way to anonymously download free apps, whether from the App Store or from elsewhere.
|
| johnthuss wrote:
| I don't think this is news to anyone (in general), but it is increasingly becoming the differentiating factor between Android and iOS.
|
| Apple is all-in on customer privacy and Google hasn't really been able to respond on that front since their business model depends on targeted advertising based on data collected about their users.
|
| The question is whether regular people really care about privacy more than they do about the price of a phone. And so far it seems that the lower priced phones are winning.
|
| Tenoke wrote:
| Price and privacy are hardly the only differentiating factors between the two. And even if they were, those who care most about privacy have more options on Android at the extreme end.
|
| a_imho wrote:
| Wasn't CSAM the hot topic just a couple of weeks ago?
|
| BiteCode_dev wrote:
| Apple is just better at pretending being all in.
|
| They were part of PRISM.
|
| They recently added a systematic scan, compare and report routine to all your pictures.
|
| They force you to tie your phone to an Apple account just to use it. My android phone doesn't have an account, or even an email linked to it.
|
| Apple now has an entire mesh network of BT devices constantly looking up each others, even if some of them are not connected to internet.
|
| The microphone on the Apple device is always on, to answer to hey siri.
|
| Finally, you can't install a real alternative browser on iOS, so no real privacy addons.
|
| They make big claims about privacy nobody can check because everything is closed source. So you have to just trust them.
|
| "But apple doesn't have an ad business"
|
| Oh but they do. And they don't have to play by their own rules in the app store, and have the right to track users, gather device informations, location, etc. Fun thing is, they start the list of information they collect (https://www.apple.com/legal/privacy/data/en/apple-advertisin...) by stating "Apple-delivered advertising helps people discover apps, products, and services while respecting user privacy".
|
| I don't think they are any better, just different.
| And better at PR.
|
| chuckee wrote:
| > The question is whether regular people really care about privacy more than they do about the price of a phone. And so far it seems that the lower priced phones are winning.
|
| To find that out, the privacy intrusions would have to be advertised as prominently as the price.
|
| micah94 wrote:
| So is the data collected by Google from Huawei phones a function of their OS based on Android 10? I thought Huawei was prevented from talking to Google.
|
| aritmo wrote:
| Android takes snapshots (screenshots) of apps as soon as you switch to another app. When you view the app list, it already has the last view of each app.
|
| But the Xiaomi/MIUI Android sends over those screenshots back to the company is new information.
|
| AuthorizedCust wrote:
| I had a Pixel. That it took a screenshot when I switched apps makes sense. It allows the task switcher to open immediately and show the most recent state of all my apps. A screenshot of some sort is mandatory for the OCR functionality that allowed me to select text from these tiles in the task switcher (super handy!).
|
| I'm now on iOS 15 on an iPhone 12 Pro Max. I _think_ I've seen movement on the tiles in its task switcher, so I'm not clear if it takes screenshots. But the fact that the task switcher opens with no delay suggests that screenshots might be used?
|
| I'm only defending taking screenshots. Transmitting them to other parties is problematic.
|
| rootusrootus wrote:
| > I think I've seen movement on the tiles in its task switcher, so I'm not clear if it takes screenshots.
|
| In my experience, it seems like only the app you were in when you brought up the task switcher continues to update the screen. If you go somewhere else, like just back to the home screen, it goes static like all the rest.
|
| marcellus23 wrote:
| This is correct. iOS snapshots the app as soon as it's moved into the background, and that snapshot is what you see.
When you bring up the switcher, the foreground app | isn't backgrounded yet -- that only happens if you go to | the home screen or actually switch apps. | numair wrote: | As I understand it, each iOS application is sort of like its | own 3D plane within a larger environment, hence why the | launcher shows up without any lag. | | I hope someone can do the work of pasting the original Aqua | framework overview that's probably still hiding somewhere on | the Apple website. The manner in which the combination of | OpenGL (Metal?) and PDF work to render UI and elements on OS | X and iOS is really quite remarkable. I think even now, 20 | years later, there isn't anything comparable being done by | Android/Linux or Windows. I would love to be proven wrong, | however (I haven't followed this closely for the past few | years). | kitsunesoba wrote: | Yeah the iOS multitasking view tracks all the way back to | windows in OS X 10.5 Expose being actual windows instead of | snapshots, and the parlor trick of QuickTime player windows | continuing to play video when minimized to the dock all the | way back in 10.0 (and perhaps the 10.0 public beta, I | forget). It's the kind of thing that family of operating | systems has handled well for a long time. | nitrogen wrote: | Compiz and all subsequent compositing managers do the same | thing for Linux (each app has its own surface in the GPU | and can be composited in 3D), and I believe the compositing | in Windows Vista and later is similar. | extr wrote: | How have you found the transition to iOS? For me, the task | switcher OCR feature is absolutely killer, one of the main | things still keeping me on Android. Does iOS have anything | similar? | AuthorizedCust wrote: | I find the Pixel experience to be superior. But I took each | of the areas where Pixel is better, item by item, and | scored their value, and came out with a score recommending | I keep the iPhone: https://www.arencambre.com/iphones-are- | inferior-to-android-p... 
| | Context: I made that right after I got an iPhone 12 Pro | Max. It was running iOS 14. iOS 15 may bias the score | towards Apple even more with the current phone, and iPhone | 13 biases it a bit more. | | I still like Android better. | marcellus23 wrote: | iOS 15 now OCRs text across the OS, including screenshots. | So you can take a screenshot and get OCR'd text from there. | AuthorizedCust wrote: | That's more of a process than simply selecting text on | the task manager tile. | marcellus23 wrote: | I guess. You have to hit the screenshot combo and then | tap the screenshot, versus hitting the app-switcher | button. Are you doing this often enough for that 1 extra | step to be a big deal? | extr wrote: | For me, yeah this would be a much different experience. I | use this feature all the time, to select anything from | the title of a song on Spotify to a phone number embedded | in an image on the web. | marcellus23 wrote: | In the latter case, you could just select the text in the | image directly. How often do you use this feature per | day? | AuthorizedCust wrote: | I'm increasingly finding great value in reducing | complexity of simple tasks. I thought the push button | rear door closer on my minivan was silly, but it came | with it, so (shrug). I've grown to like it! | | Reducing from a few steps plus a major context switch to | just one step is valuable. | marcellus23 wrote: | Where's the context switch? | aero-glide2 wrote: | The article doesn't mention screenshots at all. | jand wrote: | > System apps on several handsets upload details of user | interactions with the apps on the handset (what apps are used | and when, what app screens are viewed, when and for how | long). | | I am too far away from Android development to make any claim | about what "app screens" are. Is that android-lingo? Could | someone please clarify? | Arnt wrote: | Sounds like an attempt at phrasing for the general public. 
| | Android apps have zero or more activities, each of which | may be thought of as a single screen and a single Intent, | which is a bit like a URL (and sometimes very much like a | URL). A messenger or email app will typically have a main | activity, an activity to view a single message, an activity | to view a conversation with someone, perhaps an activity to | view a single attached image, probably an activity to view | and edit the application's settings, and so on. | | What is sent is perhaps the app's name and a class name | within the app for each activity that's started. | dr_kiszonka wrote: | Exactly right. And you don't have to be a system app to | access this information. Any app with sufficient | permissions granted explicitly by a user can access these | data (no root needed), and it may have legitimate reasons | for doing it. | alickz wrote: | It sounds a lot like the screen events Firebase reports (a | library by Google for analytics, among other things) | | It allows you to know which screens a user views, but not | the data on the screen. A pseudo-example would be like | "User opened LoginScreen/LoginActivity at yyyy-mm-dd and | stayed on that screen for X seconds" | | Not an actual screenshot of said screen | jpm_sd wrote: | What is the actual value of all this privacy invasion? Is the | data even useful to anyone? Or is it just getting collected | endlessly for no reason? | dylan604 wrote: | To the people collecting the data that can sell it, it is | useful only in that someone will buy it. Once it is sold, they | don't care one bit about how/where/why it is used. | criddell wrote: | Where can you buy it? | jpm_sd wrote: | But are the third parties buying the data actually getting | anything useful out of it? | dylan604 wrote: | I'm not sure why you'd think it's not useful to someone | somewhere. | | Game devs see how much time you play games, what type of | games, if you purchase IAPs, etc. 
News feed apps sell what | kind of news stories you read/follow/subscribe. Commerce | apps sell what kind of things you buy, the prices you pay, | the items you look at but don't buy etc. | | From all of that "metadata", one can build up a profile | about you that's pretty accurate. If you can't imagine why | that is useful to someone, then I'd posit you're not trying | hard enough. | streamofdigits wrote: | How far are we from a phone that: ships fully formed - no | flashing and stuff, has reliable supply chain and production, is | open source only, usable on a daily basis (stable, normal battery | life, all basic apps, easy upgrades) and ideally repairable / | recyclable as much as possible? | | I would leave "high-end" specs and price constraints out of scope | to make this a reality sooner than later. | | There are several contenders and combos /e/, lineageOS, | pinephone, fairphone etc and I wish them all godspeed (also other | small efforts out there I am not aware of), but it's not clear | which one is ready for just the simple, honest, society and | environment friendly mobile computing that we should have had all | along and it is really a crime that we don't. | jmnicolas wrote: | Far in never. There's no (real) money to be made, manufacturers | don't care. | | I use GrapheneOS. It's rough but at least it gives me peace of | mind. | streamofdigits wrote: | Why is there no money to be made? I would at least pay to buy | the hardware and possibly for ongoing software support as | well (depending on how they structure such support or any | other "soft" features). E.g. I think it's a jolly good idea if | somebody really checked for a living all those open source | apps. | | In any case if there is really no viable business model for | private mainstream mobile computing we have been duped big | time: This is not a consumer device, it is track-and-trace | machinery.
| PeterisP wrote: | In order to have a reasonable, stable supply chain at all, | you need quite large scale; and even then your phone would | have much smaller scale than the mainstream competitors and | so would be significantly more expensive than their | models with similar hardware, both because it's targeting a | niche and also because all this tracking&targeting does | result in some revenue stream for the manufacturers. | | It indeed is a jolly good idea if somebody really checked | for a living all those open source apps, however the math | works out only if you allocate the salary of those people | over a million phones, not if you have only 10000 | customers. | | Perhaps _you_ would actually be willing to pay a large | premium for that, but the vast majority of people are not. | Perhaps a meaningful number of people would be willing to | pay a _small_ premium like 10-20%? But that's not what's | reasonably achievable, the differences are much larger as | soon as you go off mass market production or start needing | software modifications which are a large fixed cost that is | cost-effective only if you're distributing it over very | many phones. | | There have been many companies in the past which have found | out the hard way that few people really care about privacy | _that_ much (or they care but can't really afford much, | which has the same effect), but for a recent example, you | can look at the troubles of Librem 5; IMHO it's trying to | do similar things, but its price/performance is suffering | because of that and you be the judge whether their business | model looks viable. And if you want a _trustworthy_ supply | chain, then your (already high) costs literally double, | again, Librem 5 "USA" model is an example of that - a $2k | phone where the _core_ functionality (excluding the | privacy) is essentially the same or worse as a $200 phone | from a Chinese brand.
| thrtewgg66 wrote: | there was a mass market sailfish phone in India but it was a | flop. of course it has Android emulator that used to send just | as much crap out as the original... but at least you could stop | that. | COGlory wrote: | This has been my experience with e os. Everything just works | joemazerino wrote: | Always mind blowing. I recall a video from Copperhead showing the | difference between a gApps enabled phone vs no-gApps. | | https://m.youtube.com/watch?v=zemRALtU4OY | dont__panic wrote: | Does anybody know if alternatives like GrapheneOS + microG | mitigate these issues? Or should I just switch back to a 2005 | flip phone at this point? | bennettnate5 wrote: | It definitely helps--the vast majority of snooping comes from | Google Play Services, so options like GrapheneOS + microG or | CalyxOS resolve that issue quite nicely. They also have app- | specific firewall abilities, so you can disable background or | foreground network connectivity on any app you're suspicious | of. | dont__panic wrote: | Thanks! I'm still using an old iPhone SE (2016) as my daily | driver, but sooner or later iOS support is going to drop and | I'll have to find a decent upgrade path. Considering my size, | headphone jack, and fingerprint reader preferences, I think | the Pixel 4a is the only device that seems viable to me on | the market today... hopefully I'll still be able to pick one | up in a year or two and slap GrapheneOS on it. | deathjester wrote: | I think it's a bit misleading to say Lineage OS sends data, | because it doesn't. It's just the GApps installed with Lineage OS | that sends data to Google. But you don't need to install GApps, | then it doesn't send anything just like /e/OS does... | thastings wrote: | This is the exact thing I was wondering about. As far as I | understood, they flashed GApps, even though GApps is not part | of the default installation. I wonder what the findings | would've been like on LineageOS without the GApps.
| salusinarduis wrote: | I use GrapheneOS and LineageOS without Google Play Services. They | are great and are suitable replacements for Apple and Google. | | - Osmand(FOSS) for maps (supports being fully offline!) | | - Signal and Discord for messaging (Discord is sandboxed) | | - Newpipe(FOSS) for Youtube | | - F-droid(FOSS) for my FOSS appstore | | - APKmirror for the few non-free apps I need | | - Libretorrent(FOSS) and VLC(FOSS) for watching movies | | - Firefox(FOSS) and Vanadium(FOSS) for browser | | - K9 Mail(FOSS) for email | | - Infinity(FOSS) for Reddit | | - Secur(FOSS) for 2FA | | - Taskkeeper(FOSS) for reminders | | Almost everything you need is in the F-droid FOSS app repository. | It all works, and it works well. You can buy a used Pixel 3a for | around $80 on Ebay and have a better experience in every category | than iOS, hardware and software. | [deleted] | [deleted] | websap wrote: | I hope you have recurring donations set up for all these FOSS | apps. FOSS still means that developers need to eat. | websap wrote: | It's unbelievable that I'm getting downvoted for asking | people to pay for software on a platform where a large % of | users are involved with technology. No wonder opensource | based businesses are dissatisfied with how they are treated. | Throwaway808808 wrote: | Seconded. The downvote button is for comments that detract | from the conversation, not because somebody disagrees. This | place is turning into another Reddit. | _V_ wrote: | How does "I hope you at least pay for these apps" add | anything even remotely relevant to the thread about what | apps someone uses as part of their de-googled phone? | | Yeah, developers do need to eat, but this (IMO) snarky | comment is hardly relevant to the OP. | websap wrote: | The way I read this submission is: | | 1. Google is tracking you. They track you because they | need this data to target better ads, this is how they | make money. | | 2.
The OP for this comment, says they use FOSS apps to | get around Google's tracking. | | My comment is about - if you are against the idea of | being tracked for profit, it would be a good idea to | vote with your wallet to help open source developers get | paid and to show that there is a viable business model | for other individual developers. | CountDrewku wrote: | Just bought a pixel to test lineageOS out. Worth mentioning | that if you want less Google and still want to use normal | Android services in the OS you need to install the MicroG | lineageOS ROM. Otherwise, you're still sending Google a lot of | info through Gapps or MindTheGapps. | | Graphene or lineage without any of those is also an option but | you'll be missing a lot of the normal everyday apps you use. | IMO if you're going that far though you might as well just go | back to a flip phone. | salusinarduis wrote: | I don't agree regarding your flip phone comment, that's | silly. I don't use any form of Google Play Services (No | OpenGapps or MicroG even) and my phone works completely fine. | | The only thing that doesn't work is push notifications, which | isn't a problem because FOSS apps like Signal bundle their | own notification system that does not use Google Play | Services. Discord however, does not get push notifications | (which I wouldn't want anyway) | CountDrewku wrote: | Regardless of what software you put on the phone it is a | tracking device. It has gps, audio, cameras, and web | browsers that are all vulnerable to being hacked or used | for tracking. I signed into gmail via the Bromite browser | on my Pixel 3a. I immediately received an email from google | about my new Pixel device. They now know what device I use, | what browser etc. | | I don't care how locked down and FOSS you make your smart | phone it's not going to be as secure as a dumb phone. | There's a reason criminals don't use smart phones.
| salusinarduis wrote: | GrapheneOS constantly spoofs the device's MAC so that | argument is not valid (I also don't know how a website | based email client is getting your MAC). It's also | extremely easy to spoof the device's name. The way they | are getting that is simply your browser's User Agent, or | if it's an app, your phone's root properties. There may be | some other identifying properties about the device they | can collect though, I agree with you on that. | | Also, I agree with your argument about phones being | tracking devices. Anything with a radio that connects to | cell towers is going to be logged and tracked in perfect | detail. | CountDrewku wrote: | You're correct about the MAC address. However, the rest | of the information collected is plenty to build a profile | of any person. | snypher wrote: | If you think Google is adversarial then don't use Gmail; | It seems strange to avoid using their 'apps' but | continuing to use their products? I think you just handed | them that information when you logged into their website. | CountDrewku wrote: | >I think you just handed them that information when you | logged into their website. | | Obviously and that's my point. You are not going to avoid | Google if you use the web. The best you can do is limit | exposure. | | >Google is adversarial then don't use Gmail | | This is ignorant and unhelpful. Do you think I just | decided not to consider that option? I don't have an | option. I have to use it for work. This is the problem | with the "don't use it" crowd. Most people are not going | to get away from the major email provider options. The | best I can do is sign in via browser or a 3rd party app. | pessimizer wrote: | > Obviously and that's my point. You are not going to | avoid Google if you use the web. The best you can do is | limit exposure. | | That couldn't have been your point. It's very easy to | avoid having a gmail account. | | > This is ignorant and unhelpful.
| | People here don't know you personally, or your needs. | Most people don't need gmail for work. If your job | requires you to use google products, it's going to be | difficult for you to avoid google. But, again, your | situation is not representative of the vast majority of | people. | CountDrewku wrote: | >That couldn't have been your point. It's very easy to | avoid having a gmail account. | | Did you miss the part where I told you we have Google | Workspace (GSuite) and I have to use it for work? What | part of getting rid of that is easy? I cannot stop using | it end of story. | | >People here don't know you personally, or your needs. | Most people don't need gmail for work. | | I feel like you're not aware of the fact that Gmail is | used in corporate environments through Google Workspace. | You need to research before spouting off stuff that's | obviously misinformed. It's a direct competitor to Office | 365 and MS Outlook servers. | | https://www.cnbc.com/2020/04/07/google-g-suite- | passes-6-mill... | dont__panic wrote: | Consider Fennec instead of Firefox -- I just switched | yesterday, and I _think_ the only difference is that Fennec is | usually a couple of versions behind because it removes some | Mozilla crapware. | colordrops wrote: | What about Firefox Focus? It's private by default and VERY | unbloated. The ephemeral nature of sessions also forces me to | not leave a hundred tabs open. | salusinarduis wrote: | Does it support extensions? I can't go anywhere without | uBlock Origin :D | COGlory wrote: | It does | dont__panic wrote: | There's a workaround to support pretty much any FF | extension at this point -- but you have to create a | "collection" with your firefox account and then point your | Android FF install at that collection. Not too hard, but a | little bit of a PITA. If you're like me and maintain the | same couple dozen extensions on every FF install, though, | it actually works pretty well. 
| aqfamnzc wrote: | FWIW, Mozilla has worked with devs of some popular | extensions to get them working on "new" mobile FF, | including uBo. | commoner wrote: | Nowadays, Fennec F-Droid is usually on the same version as | the release channel of Firefox, or at most a version behind | for a week or so. | | https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/ | | Fennec also lets you install any add-on from | addons.mozilla.org through a tedious process,* which is still | an improvement over Firefox release/beta on Android. The only | channel of Firefox that supports this process on Android is | the nightly channel. | | * https://blog.mozilla.org/addons/2020/09/29/expanded- | extensio... | _V_ wrote: | What do you use as Dialer/SMS/Contact app? | | I tried to switch myself from iPhone and almost everything was | OK but these were the worst to get right... I ended up using | suite from Tibor Kaputa (Simple Dialer etc) but I ran into some | rather annoying issues. | | Also, do you use phone recording? This was actually my breaking | point, because i have an iPhone w/ jailbreak that enables me to | record phone conversations (for my use only, not trying to get | into the legal discussion). I did not find _anything_ for | GrapheneOS (or Android in general) - just some info that I need | to root my phone to get this working and with that I just | reverted to my jailbroken iPhone. | commoner wrote: | The only functional FOSS call recording app for Android that | I'm aware of is the Call Recorder app on F-Droid: | | - Call Recorder: https://f-droid.org/en/packages/com.github.a | xet.callrecorder... | | To use this app, you'll need to root your phone using | Magisk[1] and then install the Magisk module for Axet's Call | Recorder.[2] Then, upgrade the Call Recorder app to the | latest version in F-Droid. Note: do not enable "System Mixer | Incall Recording" in Call Recorder, since it is not needed | and may cause issues with recording.
| | [1] https://github.com/topjohnwu/Magisk | | [2] https://github.com/Magisk-Modules-Repo/callrecorder-axet | | The default dialer and contact apps are both FOSS and | functional, so I never felt the need to replace them. Signal | can take over as the default SMS/MMS app, and there are | alternatives with more features such as QKSMS: | | - QKSMS: https://f-droid.org/en/packages/com.moez.QKSMS/ | doc_gunthrop wrote: | FairEmail is also a nice open-source, privacy-focused email | client available on F-droid. | | https://f-droid.org/en/packages/eu.faircode.email/ | commoner wrote: | FairEmail is really great, almost as fully featured as | Thunderbird with the best support for multiple | accounts/identities that I've seen on Android so far. The | developer asks for a small donation to unlock a few advanced | features,* which I recommend doing. | | * https://email.faircode.eu/donate/ | jonstaab wrote: | Feeling quite smug about switching to CalyxOS earlier this week. | ruph123 wrote: | Same. It feels like the "have the cake and eat it" situation | for me who switched over from iOS. | | I was worried that some apps might not work but that is not the | case. Everything from banking apps to password managers just | works fine with the only exception being NPR One (which is | hilarious). | | They are really doing an outstanding job and I do not miss | anything on here besides an Apple/Google Pay NFC solution. But | that is quite ok. | bennettnate5 wrote: | Definitely on this boat. CalyxOS feels like it strikes a good | balance between security/privacy and practical usability--the | locked bootloader and app-specific firewall options are a huge | plus, while MicroG ensures that I can still use every app I | used to with the old Pixel-specific OS without ceding all of my | data to Google Play Services.
| | Invariably people bring up the signature spoofing needed for | MicroG as some huge security hole, but from what I've seen it's | really a non-issue--CalyxOS has tight restrictions to | specifically allow only MicroG to use this, it's disabled for | any other app. | markenqualitaet wrote: | Can I expect CalyxOS to support the Pixel 6 rather soon? Is | e.g. camera performance dependent on closed source Google | code/firmware? What are the limitations there? | | I was going for GrapheneOS, but tbh seeing that one main | developer's personality issues turned me off big time. I don't | care about technical advantages, if I have to trust in that | guy's impulse control. Too small a project for that. | xanaxagoras wrote: | You can expect a dedicated team to start working on it once | they're able to get their hands on some Pixel 6 devices. They | don't get them early from Google you know, there's no | cooperation there. They buy them when they're released just | like we do, and it hasn't been released yet so work hasn't | started. | | The general attitude towards GCam seems to be... Calyx isn't | going to ship it but it's generally understood most people | will be using it. The recommendation I got when I switched | was to install the apk and disable all network access via | Datura before I launched it for the first time. That works | well, the pictures look great too. A recommendation I heard | after I did that which I will be following next time is to | extract the gcam apk from your new phone before you flash | calyx and install that one (to avoid apkmirror or whatever). | kaba0 wrote: | GrapheneOS's main dev can come across as paranoid, but it is | sort of understandable given the history of the project. | Nonetheless, they are doing a spectacular job and I think | using GCam with properly set permissions is the best of both | worlds.
| kop316 wrote: | Skimming through the article, they compare a few ROMs from | significant phone manufacturers, LineageOS with Google Play, /e/, | and Stock Android. | | It seems that LineageOS has GApps installed and /e/ does not | (presumably since they use MicroG?), so it is looking like for | LineageOS, it's really Google Play leaking this data. | jeroenhd wrote: | > It seems that LineageOS has GApps installed | | It doesn't come with GApps installed, you need to flash those | packages manually. That said, LOS also comes without an app | store whereas /e/ has a custom F-Droid-compatible store pre- | installed. | | Combining LineageOS and MicroG is kind of hard (relatively), | because LineageOS enforces signature validation, which MicroG | needs disabled to properly fake the proper Google APIs. There | are non-enforcing builds and build instructions available, but | that's not the default. /e/ seems to have the necessary patches | enabled by default, which makes using popular apps without | flashing GApps a lot easier. | Guest42 wrote: | Can you recommend a couple phones that are compatible with | LOS + microg? I looked on their sites and it wasn't quite | clear | commoner wrote: | LineageOS for microG supports all phones that LineageOS | does. Here's a spreadsheet of the full list along with the | specs of each device: | | https://docs.google.com/spreadsheets/d/1bx6RvTCEGn5zA06lW_u | Z... | | If you want a more specific recommendation, could you | provide your budget and your requirements? | Guest42 wrote: | No budget restrictions although I'd like the ability for | Bluetooth to run in the background and not go to sleep , | and ideally ip67 or ip68 water protection. | commoner wrote: | All of the LineageOS phones I've ever used have been able | to maintain a Bluetooth connection in the background. 
| | If you're fine with a used phone, the OnePlus 8 has a | high-end Snapdragon 865 processor and 8 GB RAM.[1] The | carrier models have IP68, and unlocked models are | manufactured similarly but don't have an official IP | rating.[2] If you're getting the T-Mobile carrier model | (which may be carrier unlocked at sale), you'll need to | request a code and wait a week to unlock the bootloader | before you can flash LineageOS.[3] Used models go for | $200-300 on eBay depending on condition, and a new | factory unlocked model is $399. | | If you're looking for a new phone, you may want to | consider the Pixel 5a which manages to have both IP67 and | a headphone jack for $449 new, but uses a mid-level | Snapdragon 765G processor paired with 6 GB RAM.[4] The | OnePlus 9 Pro is also available with a high-end | Snapdragon 888 processor, 12 GB RAM, and IP68 for $969 | new or about $600-800 used.[5] | | [1] https://www.oneplus.com/8 | | [2] | https://9to5google.com/2020/04/14/oneplus-8-ip68-water- | resis... | | [3] https://www.oneplus.com/support/answer/detail/op588 | | [4] https://store.google.com/us/product/pixel_5a_5g | | [5] https://www.oneplus.com/9-pro | toastal wrote: | The irony of this being in a Google Spreadsheet | dron57 wrote: | I've been using the Pixel 4a 5G for about 6 months with | MicroG and Lineage. Works really well. Other than Whatsapp | and Google Maps I don't miss anything, but those apps have | alternatives too. | Guest42 wrote: | Fantastic!!!! | commoner wrote: | If you're trying to combine LineageOS with microG, the most | straightforward solution is "LineageOS for microG" which has | everything set up for you: | | https://lineage.microg.org | | I know of two other Android flavors that have microG | integrated. /e/ is one of them and CalyxOS is the other. 
| rcMgD2BwE72F wrote: | I've made a complaint to the police and my local privacy | regulator (in France) more than a year ago, regarding blatant and | widespread illegal data collection by Google on probably most | Android devices on Earth. I have not yet heard back from them and | I doubt they'll even consider this report. Here it is in a | nutshell. | | 1. set up a brand new phone (Pixel, OnePlus or else) | | 2. do not connect to a Google account at first or if it is | required, log out and remove the account as soon as possible | | 3. create a contact on your phone with any Contact application | (with a name, email address and phone number). Do not enable sync | for this application. | | 4. open the Play Store to download any application (e.g one from | your government). You'll be asked to connect to a Google account | at this stage, of course | | 5. now, try to log into your Google account to download the | application but *not have Google automatically collect all your | contacts' details* (stored locally). | | You can't! | | This is not possible because: | | 1. by default, adding the Google account will enable the | automatic synchronization for all Google-related apps and | services (incl. Contacts). You can disable this _before_ login. | | 2. You cannot stop the sync of these Contacts while connecting | Google Play to your account. It is done in the background and by | the time you switch from Google Play (or the login page) to the | Settings menu of your device, the sync will have started (if not | completed already). | | 3. You cannot do all this in airplane mode obviously, as it's | impossible to log into a Google account without an Internet | connection. | | This is illegal per GDPR, because at no point you consent to have | your data collected by Google. Also, Android does not inform you | of this collection so it's up to you to discover this by browsing | your device's settings, down a few sub-levels.
| | It is a massive collection (and fraud) because most people | probably have a hundred contacts or more on their mobile device. Most | mobile devices run Android. Google Play is almost impossible to | avoid nowadays (Twitter, Facebook, Youtube, Whatsapp, Signal, | Firefox, your bank's app, your employers' apps... they all | require Google Play and Services to work correctly). Worse, your | contacts' information isn't yours, but your contacts' too. Google | simply helps themselves. | | With 73% of mobile OS market share, around 99% of Android users | being probably logged in just to access the Play Store, Google | probably has collected the names, email addresses, phone numbers | and lots of private information (birthday dates, home and work | addresses, employers' names, job titles, digicodes, etc) of every | person on Earth, and probably more than once. Without asking for | permission. | | This is easy to reproduce, 100% illegal (at least per GDPR), | everyone is affected and yet, _crickets_. | | If you're in the US and believe this is illegal there too, please | contact a privacy organization or any entity that might do | something about it, at least if you don't like having all your | contact details collected by Google without consent. | Tepix wrote: | I'm wondering if Nokia phones with Android One are not snitching | on their users like the others are. | durnygbur wrote: | Nokia licensed their mobile brand and now it's some Chinese | producer slapping the logo on the devices. Probably on par | with Xiaomi and Huawei. | commoner wrote: | I don't think this is accurate. Microsoft acquired Nokia in | 2014, but then spun off the brand to HMD Global (a new | Finnish company) in 2017. HMD and Foxconn have a partnership | in which both companies co-design the Nokia phones that are | then manufactured by Foxconn in Taiwan. | | https://www.anandtech.com/show/10879/hmd-closes-nokia- | brand-...
| uhtred wrote: | I use /e/os and have found it to be a great experience. | https://e.foundation/ | snvzz wrote: | Companies like Google hold a lot of power over their users. | | It's all-or-nothing, and not being part of the Google ecosystem | is extremely inconvenient as more and more services depend on it. | | Only legislation can give power back to the users. It shouldn't | be necessary to put up with this level of surveillance by big | corps in order to function in society. | cute_boi wrote: | you mean the legislation that forced banks to use google safety | nets create hindrance in rooting the phone? I really find | myself in hopeless position these days when Google can do | anything freely because they have enough cash to lobby | anything. | winternett wrote: | >Only legislation can give power back to the users. It | shouldn't be necessary to put up with this level of | surveillance by big corps in order to function in society. | | Don't worry, after about 7 years there will be a low key class | action suit and we'll miss the $7 payout and lawyers will | collect the leftover millions for the sake of symbolic justice. | Then perhaps big industry won't ever learn its lesson again. | | Congress has already proven that they're the Rip Van Winkle of | IT awareness unless it pertains to boosting their personal | investments. | codefeenix wrote: | Copperhead advert? | salusinarduis wrote: | I use GrapheneOS and LineageOS without Google Play Services. They | are great and are suitable replacements for Apple and Google. | | - Osmand(FOSS) for maps (supports being fully offline!)
| | - Signal and Discord for messaging (Discord is sandboxed) | | - Newpipe(FOSS) for Youtube | | - F-droid(FOSS) for my FOSS appstore | | - APKmirror for the few non-free apps I need | | - Libretorrent(FOSS) and VLC(FOSS) for watching movies | | - Firefox(FOSS) and Vanadium(FOSS) for browser | | - K9 Mail(FOSS) for email | | - Infinity(FOSS) for Reddit | | - Secur(FOSS) for 2FA | | - Taskkeeper(FOSS) for reminders | | Almost everything you need is in the F-droid FOSS app repository. | It all works, and it works well. You can buy a used Pixel 3a for | around $80 on Ebay and have a better experience in every category | than iOS, hardware and software. | | The only limitation is push notifications, which isn't a problem | because FOSS apps like Signal bundle their own notification | system that does not use Google Play Services. Discord however, | does not get push notifications (which I wouldn't want anyway) | gnull wrote: | I just reinstalled my FP2 with LineageOS and microG after | reading your post. | daneel_w wrote: | _> ...and have a better experience in every category than iOS, | hardware and software._ | | Really? I tried GrapheneOS on a Pixel 4A, and without | exaggerating or trying to come off sensationalist the | experience was _really tepid_ compared to iOS, and even | "normal" Android. Stuttering and jerky UI (which often also | wanted to take a brief nap), very poor GPU hardware | acceleration support, notably worse battery life, loads of | things that just didn't work well (or at all) without Gapps, | and trying to get Play Services shoe-horned into GrapheneOS was | still quite the bug-ridden hassle. Additionally, the Open | Camera app produced rubbish results compared to Google's native | Android camera app, which matters a lot to me. 
| busterarm wrote: | I run GrapheneOS on a 4A with TMobile and the frequent | reports of people trying to call me telling me my line is out | of service and days where calls won't initiate from my phone | at all makes me want to run back to my iPhone. | | The tethering seems to be pretty flakey as well with me often | having to reboot the phone. | margalabargala wrote: | I've been using GrapheneOS on a 4A with TMobile as my daily | driver for over a year and have had none of these issues. | Never had an out-of-service notice from someone calling me, | never had a call not initiate, and tethering works great. | | Maybe it's something to do with OpenGapps? I never | installed it or microG, I'm perfectly happy with just | Fdroid. | louloulou wrote: | I'm running GrapheneOS on a 4a right now and it's smooth like | butter - maybe you needed to wait for a few updates. The | camera has improved a lot as well but is still not close to | the stock google camera. | | It seems like what you're looking for is CalyxOS + microG. | commoner wrote: | The mid-level processor on the Pixel 4a may just not be | performing to your expectations. A phone with a high-end | processor would perform better. For GrapheneOS, the fastest | compatible phone available (used/refurbished) right now is | the Pixel 4 (or Pixel 4 XL). | | Also, if you are using a Pixel phone with a non-default | flavor of Android, the Google Camera app still works if you | download it manually. APKMirror is a trustworthy app source | run by Android Police: | | https://www.apkmirror.com/apk/google-inc/camera/ | | (For Pixel phones using an older Android version, you may | have to use an older version of Google Camera if the current | version does not work.) | salusinarduis wrote: | I'm surprised to hear you say that. I've played the most | demanding Android games on the Pixel 3a with no issues. I've | never experienced anything but a butter smooth UI on Graphene | or Lineage to be honest.
The battery life has been all day | for me even when using GBA emulators for multiple hours a | day. | | I agree the default camera app of Graphene isn't great, but | its picture quality is better than the iPhone I came from | (iPhone SE gen1) | 1vuio0pswjnm7 wrote: | You mentioned Signal and Discord for "messaging". Can you or | someone else confirm that _video calls_ work with GrapheneOS or | LineageOS? I am getting ready to try these but I am still not | sure video calling works. When reading about them I cannot find | much discussion of this particular application. | commoner wrote: | I can confirm that video calls work in Signal on Android | flavors that don't use Google Play Services, including both | GrapheneOS and LineageOS. | 1vuio0pswjnm7 wrote: | Thank you. Much appreciated. :) | | (Perhaps WhatsApp might work as well, since, IME, it can be | sideloaded and will work without a functional Google Play | Services.) | salusinarduis wrote: | Signal is specifically designed to work without Google | Play Services, so expect a 1:1 experience when using it | with these privacy conscious distros. | | I'm confident Whatsapp will work, but I have not tried. | Push notifications will not work without Google Play | Services. | commoner wrote: | According to Plexus, WhatsApp works perfectly on Android | without Google Play Services, whether or not you have | microG installed.[1] I think they implement their own | push notification system if you download directly from | them,[2] though I haven't confirmed this. | | Discord works perfectly with microG, and has a 3/4 rating | without it since notifications will only work if you have | microG. | | [1] https://plexus.techlore.tech/applications/whats-app | | [2] https://www.whatsapp.com/android/ | | [3] https://plexus.techlore.tech/applications/discord | 1vuio0pswjnm7 wrote: | IME, the notifications do work. I downloaded .apk | directly from WhatsApp.
| tgsovlerkhgsel wrote: | I've tried Osmand and found it way too slow/janky for everyday | use (since it has to render the tiles locally and doesn't seem | to pre-render for scrolling). | | Newpipe loads videos much slower than the official app and | occasionally fails completely (likely because YouTube changed | something). | | F-droid (regular, non-root install) shows me notifications to | update apps, then when I tap them, I get a "there was a problem | parsing the package" - this is a bug that has remained unfixed | for over 5 years | (https://gitlab.com/fdroid/fdroidclient/-/issues/669). | | It's not _impossible_ to use a FOSS phone, but it's truly | painful. | salusinarduis wrote: | If you don't like Newpipe you can use Youtube Vanced which is | basically a pwned version of the native Youtube app. I've had | some stutters with Newpipe but overall I like it. | | Osmand really isn't bad, sure it's a little bit slower to | render but we're talking maybe 500-1000ms on a Pixel 3a. | | Regarding F-Droid you're right it is quite buggy, but | thankfully once you've got the apps you want you don't really | need to use it except to update. | dgan wrote: | Do banking applications work? I mean as in "I buy X online. It | requires me to login to my bank application and press | 'confirm'. I perform this sequence, and online purchase is | completed. "? | salusinarduis wrote: | Some will, however I have heard some of these apps have janky | hooks into Android's trust system which will break them on | non-google distros. | | Personally I wouldn't suggest having banking apps on a phone. | | You can always use the web browser if you absolutely must | access those accounts. | dgan wrote: | I will try to do so with web account, however I doubt it | will work.. | Kubuxu wrote: | Most banks in EU require phone app based confirmations for | transfers and other operations (according to PSD2 | directive).
| | Visa and Mastercard also introduced 3DSecure system which | piggybacks on the same system of confirmations. Vendors are | incentivised to adopt it by lower rates. | | In essence when paying with card or making a wire transfer | (or using some instant transfer method, for example Blik in | Poland), you get notification on your phone asking you to | confirm operation, even if you initiate it from your | account in the browser. | | In essence Bank apps became 2FA devices. The only way to | avoid it is to opt-out of the App 2FA and use paper one-time | code pad. You regularly then get sent a list of codes | by snail mail, which you have to type to confirm | operations. | gpvos wrote: | It depends per bank; mine discontinued the paper OTP pad | as well as the SMS codes, and gave me a separate 2FA | device when I didn't want to use their app. I don't think | banks can force you to have a smartphone yet. | bubblethink wrote: | Does nobody in the EU do computers? How do they pass | asinine laws like this. | robocat wrote: | > separate 2FA device | | FYI in New Zealand a few banks can provide a device (e.g. | RSA SecurID) for proper non-bank 2 factor auth with | consumer accounts. However some major banks only use | phones for 2FA (app or SMS). | | The norms seem to vary considerably depending on country. | sorry_outta_gas wrote: | I just use the website | dylan604 wrote: | What kind of purchase/checkout system works like this? I have | never seen one, but if I had, I would not complete the | transaction. | Daniel_sk wrote: | Most in EU do this or will do - it's part of EU bank | regulation (PSD2). SMS isn't considered safe anymore and | debit/credit card payments are confirmed through banking | apps (you get a push and confirm). | dgan wrote: | amazon paysend many others do too. bank is Boursorama | dylan604 wrote: | Is this something more popular outside of the US where | credit/debit cards are not as ubiquitous?
| Yizahi wrote: | I think it's called 3D-Secure for debit/credit cards. In | Ukraine for example it is pretty much a normal path for | online payments. Also our "credit" cards aren't the same as | your "credit" cards. Ours are basically the same as debit | cards but with added overdraft amount and different | service fees. They are created by the same banks as debit | cards, not by separate corporations. | dgan wrote: | Maybe. I never owned a credit card, however I also | basically didn't use cash for years, only debit card | kevin_thibedeau wrote: | I've had a US debit card where 3D secure was triggered. | joshuaissac wrote: | It usually happens when someone pays with a credit or | debit card. If the confirmation is not given in the app | within a certain time limit, the bank rejects the card | transaction. | | Edit: to clarify, my comment is about the UK, and it does | not happen with most card transactions; "usually" here | refers instead to card transactions being the usual | trigger (in my experience) for this app-based | authentication flow. | dylan604 wrote: | "Usually" is a bit of a sticky word here. Your usual is not | my usual, hence my questioning of it. My experience is US | centric, so I'm assuming non-US but non-US is a really | big place. | nicoburns wrote: | Online purchases with UK bank accounts often require this. | Some banks use an OAuth-style redirect instead. I think the | merchants get lower rates if they enable this feature | (called "3D secure") because it lowers the risk of fraud. | | It's basically 2FA for online transactions, which seems | very sensible to me. | slock83 wrote: | I switched to /e/ rather recently, and it also just happens | that I am in the process of switching banks, which means I | currently have two banking apps on my phone. | | Both are rather strict on having a clean, non rooted, non | modified phone.
Currently, they both work without any | caveats, but I had to install magisk, add them to magisk | hide, and use the magisk renaming feature to have them work. | thastings wrote: | I use the exact same setup, works like a charm. I can | definitely recommend it for anyone concerned with the privacy | issues of current mobile OSes. Furthermore, it never feels | limited after getting used to this suite of apps, which may take | up to a week at most. | Scramblejams wrote: | What do you use for photo management? | commoner wrote: | The default Gallery app is functional, and there are other | FOSS options such as LeafPic and Simple Gallery. | | - LeafPic Revived: https://f-droid.org/en/packages/com.alienpants.leafpicrevive... | | - Simple Gallery Pro: https://f-droid.org/en/packages/com.simplemobiletools.galler... | | If you are looking for a hosted service to back up your | photos, Stingle is an end-to-end encrypted photo hosting | service. Alternatively, you can use Nextcloud to self-host. | Both are FOSS on the client side, and Nextcloud is also FOSS | on the server side. | | - Stingle: https://stingle.org | | - Les Pas gallery app for Nextcloud: | https://github.com/scubajeff/lespas | mattl wrote: | If you wanted to install something like WhatsApp or Lyft would | it work? | salusinarduis wrote: | Yes they will work, however to get notifications when the | apps are closed you would need to have some form of Google | Play Services. I suggest MicroG if you are intending to do | this since it seems to be the least invasive. | | In my personal case though, I would still not use MicroG, and | would just leave the app open until I am done using it. This | is easier on Android because apps are not suspended in the | same manner iOS apps are. | dylan604 wrote: | What about when the phone locks? My phone is set to | autolock after 1 minute. Leaving an app open just to | receive notifications seems like a waste of battery. | uhtred wrote: | I use /e/os.
It is based on LineageOS, is completely de-googled | and has MicroG integrated. MicroG means push | notifications with apps like WhatsApp will work. | https://e.foundation/ | salusinarduis wrote: | If your phone is locked you will most likely not get the | notifications, it just depends on the app. I do agree it | can waste battery. | | It's important to remember this is only a concern on non- | free apps. The FOSS apps have very low power background | services that check for notifications without the app | running. | technerder wrote: | Could you elaborate on what you mean by "Discord is sandboxed"? | Are you using an app to sandbox it? | Steltek wrote: | Could be using [Shelter](https://github.com/PeterCxy/Shelter) | to isolate apps. I don't know how effective it really is. | commoner wrote: | Insular is another app that activates the Android work | profile: https://secure-system.gitlab.io/Insular/ | | Both Shelter and Insular are effective for isolating your | files, contacts, and phone logs in each profile. If you are | using a VPN, it is limited to the profile that the VPN app | is installed on, and you need to install and run it again | on the other profile to cover the apps in that profile. | deft wrote: | There's an app available on f-droid called Aurora Store that | lets you download apks from the Play Store directly, avoiding | the need for stuff like APKMirror (where you don't know where | or what happens to the apk you're downloading). On desktop you | can use the program Raccoon for the same. | salusinarduis wrote: | Thanks for the suggestion! | noja wrote: | Please, technical people of HN, install NetGuard on your Android | phone. You will be shocked where your data goes. GDPR? Ha! | Graffur wrote: | Based on your comment I have installed it and enabled | notifications.. immediately it told me that Facebook attempted | internet access. I have 432 other apps so it will be | interesting to see what else is phoning home.
| aboringusername wrote: | > immediately it told me that Facebook attempted internet | access. | | I am not sure how that information is useful to you or anyone | else, not trying to be snarky, but an internet app wanting | internet access...is the expected behavior? | | Most apps and operating systems communicate over the internet | for any number of reasons, heck, apps can even check if you | _have_ internet access or not (and respond accordingly, such | as caching content to send later on). | | Doesn't make it weird or suspicious... | larrik wrote: | Doesn't sound like he was in the Facebook app at the time, | though. | Graffur wrote: | I have the FB app but rarely use it. Why would it be | phoning home when I don't have it open? | kaba0 wrote: | To check for notifications? I'm fairly sure they haven't | implemented a complex AI model to determine that "you are | using it rarely", so the check it out each n minutes is a | constant thing. | ignoramous wrote: | See also: https://github.com/offa/android-foss#-firewall (In | particular, AfWall+ for _root_ed device is quite powerful) | aboringusername wrote: | I was wondering if you could expand on your comment because I | am confused. How is seeing what IP addresses an app | communicates with a violation of GDPR? If I can't see the | _content_ of the data it's sending but just _where_ it's | going, that is not exactly a violation. | | It's not illegal to communicate with an IP address, there could | be many reasons $app sends a request via a US server. | | Like a postman with an address and an envelope isn't enough to | just assume a crime has been committed it works the same | digitally... | drclau wrote: | Similarly, for iOS you can use the new "Record App Activity" | functionality. | | See: | | https://news.ycombinator.com/item?id=28804174 | | https://news.ycombinator.com/item?id=28838394 | silicon2401 wrote: | Giving this a try based on your glowing recommendation. Thanks | for suggesting it!
I'm always interested in improving my | privacy measures | Factorium wrote: | Your opt-out is to buy an iPhone. | Gunax wrote: | But I also don't approve of apple's control over what I install | and I think its stance on browsers is anti-competitive. | | Now I feel stuck. ___________________________________________________________________ (page generated 2021-10-12 23:01 UTC)