[HN Gopher] A popular Bluetooth car battery monitor that siphons...
___________________________________________________________________

A popular Bluetooth car battery monitor that siphons up all your location data

Author : x1sec
Score  : 203 points
Date   : 2023-06-26 20:45 UTC (2 hours ago)

(HTM) web link (doubleagent.net)
(TXT) w3m dump (doubleagent.net)

| yazzku wrote:
| Noob question, but was the application streaming over plain http, or did you do something to decrypt https traffic? How would you do the latter?
|
| Edit: with mitmproxy and installing a cert in the phone's store, as explained in the latter half of the write-up. I guess that wouldn't work if the application pinned the server certs, but I guess this "commercial malware" is not that sophisticated.
|
| x1sec wrote:
| In the second part of the blog post series, I show that the AMap SDK they use encrypts data first using AES and then further encrypts the AES key(s) with a public RSA key embedded in the application. Not trivial.
|
| If certificate pinning was used, it can be bypassed by modifying the APK or dynamically hooking into the running application using Frida. Often you have to try a few things before getting it working, often starting with a universal TLS bypass Frida script [1][2]
|
| [1] https://codeshare.frida.re/@pcipolloni/universal-android-ssl...
|
| [2] https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
|
| x1sec wrote:
| Hi HN, this is my effort in reverse engineering a BLE car battery monitor where its app has over 100,000 downloads on the Google Play store alone.
|
| It turns out it's sending GPS, cell phone tower cell IDs and Wifi beacon data to servers in Hong Kong and mainland China on a continued basis. Google and Apple app store pages say no personal data is collected or sent to 3rd parties.
|
| Hopefully readers pick up a few tips on reversing apps for their connected devices.
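
A defender-side check for the behaviour described in this thread, as an added example that is not part of the original posts or the linked write-up: given requests captured from your own handset with an intercepting proxy, it flags those carrying coordinates, cell identifiers or Wi-Fi BSSIDs and records whether they left over plain HTTP. The hosts, paths and field names below are constructed for illustration; the app's real request format is not shown on this page.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Field-name hints are assumptions for illustration; real apps choose their own names.
LAT_KEY = re.compile(r"^(lat|latitude)$", re.I)
LON_KEY = re.compile(r"^(lon|lng|long|longitude)$", re.I)
CELL_KEY = re.compile(r"^(mcc|mnc|lac|cid|cellid|cell_id)$", re.I)
BSSID = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)


def _pairs(url, body, content_type):
    """Yield (key, value) pairs from the query string and a form or JSON body."""
    yield from parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if not body:
        return
    if "json" not in content_type:
        yield from parse_qsl(body, keep_blank_values=True)
        return
    try:
        stack = [json.loads(body)]
    except ValueError:
        return
    while stack:  # walk nested objects and arrays without recursion
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, (dict, list)):
                    stack.append(value)
                else:
                    yield str(key), str(value)
        elif isinstance(node, list):
            stack.extend(node)


def _coord(value, limit):
    """Return value as a float if it is a decimal number within +/-limit."""
    try:
        number = float(value)
    except ValueError:
        return None
    return number if "." in value and abs(number) <= limit else None


def scan_request(method, url, body="", content_type=""):
    """Return a finding dict if the request carries location data, else None."""
    parts = urlsplit(url)
    lat = lon = None
    cell = {}
    for key, value in _pairs(url, body, content_type.lower()):
        if LAT_KEY.match(key) and lat is None:
            lat = _coord(value, 90.0)
        elif LON_KEY.match(key) and lon is None:
            lon = _coord(value, 180.0)
        elif CELL_KEY.match(key):
            cell[key.lower()] = value
    coords = (lat, lon) if lat is not None and lon is not None else None
    bssids = sorted({m.lower() for m in BSSID.findall(url + " " + body)})
    if not (coords or cell or bssids):
        return None
    return {
        "request": f"{method} {parts.scheme}://{parts.netloc}{parts.path}",
        "cleartext": parts.scheme == "http",
        "coords": coords,
        "cell": cell,
        "bssids": bssids,
        # Cleartext location data is readable by anyone on the network path.
        "severity": "high" if parts.scheme == "http" else "medium",
    }


# Constructed sample requests (hosts, paths and field names are made up).
SAMPLE_FLOWS = [
    ("POST", "http://telemetry.example.invalid/upload",
     "deviceId=abc123&latitude=-33.8688&longitude=151.2093&voltage=12.6",
     "application/x-www-form-urlencoded"),
    ("POST", "https://loc.example.invalid/v1/report",
     json.dumps({"cell": {"mcc": 505, "mnc": 1, "lac": 12345, "cid": 6789012},
                 "wifi": [{"bssid": "AA:BB:CC:DD:EE:01", "rssi": -61},
                          {"bssid": "aa:bb:cc:dd:ee:02", "rssi": -78}]}),
     "application/json; charset=utf-8"),
    ("GET", "http://cdn.example.invalid/app/config?version=1.2.3", "", ""),
]


def audit(flows):
    """Scan every captured request and keep only those that carry location data."""
    return [f for f in (scan_request(*flow) for flow in flows) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(json.dumps(finding, indent=2))
```

With mitmproxy, the same function can be fed from an addon's `request(flow)` hook using `flow.request.method`, `flow.request.pretty_url`, `flow.request.get_text()` and the request's Content-Type header.
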
|
| disposition2 wrote:
| Really appreciate the write up. Just wanted to share, while unimportant...I still thought I would share, some grammatical errors near the top of the page
|
| > reveals that that the Apple iPhone version is also location data to remote servers.
|
| I'm guessing there should only be 1 "that" and there's a missing "sending" between "also" and "location data"
|
| OldManRyan wrote:
| Would love to learn more about this type of reverse engineering. Do you have any resources or tips on getting started?
|
| x1sec wrote:
| The best way is to just start practicing. I would say pick some simple apps on your (Android) phone and dig straight in.
|
| The great thing about Android applications is that often they generally decompile quite nicely into human readable Java so the barrier of entry can be quite low to start reversing.
|
| Grab a copy of JADX[1] - it will decompress and decompile the APK files. If you don't have an Android handset, use an emulator and/or grab APKs from apkpure[2]
|
| Dynamic analysis is a bit more challenging. In my blog post I use Frida[3] extensively.
|
| If you get started on something and get stuck/looking for support, feel free to DM me on Twitter (handle in HN profile), more than happy to help.
|
| [1] https://github.com/skylot/jadx
|
| [2] https://m.apkpure.com/
|
| [3] https://frida.re/docs/android/
|
| OldManRyan wrote:
| Thanks! I have an Android device so I'll start by looking at some apps I use daily.
|
| x1sec wrote:
| Great - good luck and most of all, have fun!
|
| TheBozzCL wrote:
| Awesome write-up!
|
| When my friends laugh at my obsession over privacy and data collection, this is the kind of thing I point at. There's no reason to believe they're doing this for malicious reasons, but we really have no way to know. It's probably just ignorance/incompetence.
|
| x1sec wrote:
| Thanks!
| Part of my motivation for documenting this is to raise awareness and also provide encouragement for others to start looking at what their devices/apps in their home are doing.
|
| The amount of location data the device maker is collecting is significant - perhaps they are monetizing it? If so, would you consider this malicious (if not disclosed to the end user this was happening)?
|
| The AMap SDK the app uses collects much more location data - here I feel they are likely using it to improve the accuracy of their location service/mapping software. I don't consider this malicious, unless this behavior is not disclosed to users and developers. Their site is in Chinese [1], would anyone read through their fine print to verify?
|
| [1] https://lbs.amap.com/api/lightweight-android-sdk/download
|
| TheBozzCL wrote:
| That's my thought exactly: there's no logical reason for this to need to send your location, so it's probably monetized by AMap to improve location accuracy. The fact that it's not disclosed is worrisome but sounds more like incompetence or ignorance to me.
|
| I haven't taken the time to fully dig into your posts, did you notice if they're generating a user ID? For me, that would be the difference between using it for location accuracy or tracking user locations. That being said, the data they already have is probably more than enough to track individuals.
|
| Reminds me of this one post that I just can't find anymore: a (danish? finnish?) journal bought a pack of "anonymized" location data and chose one individual. They were able to track where they lived and worked, and where they went for vacation. They even went to their place and talked to them, and they had no idea this was happening whatsoever. I really wish I could remember where I read it.
|
| segmondy wrote:
| For once, I really hope the US govt would do something about these sort of devices. I bought a digital picture frame from amazon.
| It's listed as having an SD card. When I tried to set it up. It wanted me to install an android app, and that was the only way to save pictures to the SD card. To connect the device to Wifi, then use my phone to send picture to the device. So not only would I have an unknown device in my network, collecting and reporting who knows what, it would be on my cell phone as well. I returned it. Imagine if there was 100k or 500k of these trojan horse devices in the US. It's truly scary what it means for US's national security.
|
| Libcat99 wrote:
| Nothing to imagine, I am certain that there are 100s of thousands of such devices, and even if their design intent is not malicious they are typically security nightmares.
|
| gxs wrote:
| How is it that giving an app the ability to scan for nearby wifi networks is not a permission in and of itself?
|
| The very first time it happened to me, it was confusing - hm, why does this random app, having nothing to do with connectivity, require bluetooth access?
|
| Permissions should be more granular - and more importantly, Apple should make it so not giving an application a non-essential permission is not grounds for not letting the user use the app.
|
| That was a mouthful, hope it made sense.
|
| x1sec wrote:
| I agree and Apple's approach does this. You can deny the location permissions and still use the Bluetooth services. This is not the case with Android.
|
| Syonyk wrote:
| Of course it is.
|
| Because that's what "consumer tech" has turned into. An excuse to lie to end users as much as you can possibly get away with, to collect as much information from them as you possibly can, gatekept by companies who _do not care in the slightest_ about any of those, unless it makes bad press for them, at which point they "promise to try harder to not get caught doing this in the future."
|
| And they don't even _try_ to hide it. It's just that nobody looks.
|
| > _Note: Since the BM2 does not use HTTPS, there is no need to even install a certificate. What this means is that anyone can independently identify that their latitude and longitude co-ordinates are being sent on either iOS or Android with no modifications to their phone._
|
| "Anyone can independently verify." And also, anyone on the network connection between you and the server can help themselves to this data.
|
| KMnO4 wrote:
| I mean... If you're on the network presumably you already know the location?
|
| [deleted]
|
| malux85 wrote:
| What do we do about it? The obvious answer is just stop buying this junk, but how would anyone know?
|
| I'm curious, have you (or anyone else) seen novel solutions to this problem? Is this even solvable? Ideas everyone!
|
| RajT88 wrote:
| Clone their products so cheaply that you can undercut them on price and still make money.
|
| Of course that requires said person to also resist the temptation of data harvesting. Which few seem to be able to.
|
| lolinder wrote:
| You can't clone them cheaply without the subsidy the data provides. These products are usually cheaper than they should be because the manufacturer knows they can get value out of the data sale.
|
| javajosh wrote:
| This looks like fraud by Amap and negligence by Google (and Apple). The 100k users have cause for a class action. However the upfront cost of such a thing is prohibitive.
|
| There is also the possibility that this is a national security issue. Exfiltrating location data to China for 100k Americans, probably including government and military employees, violates the law. But again, it's all about the cost. Also ambivalence (as others have pointed out).
|
| hedora wrote:
| Establish financial liability for products that engage in opt-out data collection. The liability should be shared by the manufacturers and by any resellers (especially including Amazon in the US).
|
| Make sure the financial liability is at least the maximum of 100x the value of the data and 10x the revenue the suite of bundled products generate.
|
| blibble wrote:
| this is more or less the main idea of the GDPR
|
| it attempted to turn the people's personal data from a balance sheet asset into a liability
|
| with varying success
|
| genocidicbunny wrote:
| Also, criminal liability for everyone involved. Put every single employee and exec of these companies in jail for 10-20 years, with the first one to tattle on the employer getting a pardon.
|
| Syonyk wrote:
| And suddenly, a new style of ad: "Work from home! Be your own CEO! For a mere $5000, we set up your company, brand our products, and you get all the credit! No technical skills needed, just a bank account to receive your monthly income!"
|
| genocidicbunny wrote:
| We can go ahead and extend the criminal liability up and down the ownership chain too.
|
| hsbauauvhabzb wrote:
| Regulation is the only way to solve this issue, and regulation requires the people in power to care, where currently almost none in non European countries do.
|
| Syonyk wrote:
| > _The obvious answer is just stop buying this junk, but how would anyone know?_
|
| You don't have to know. You can safely guess. Assume anything "connected" is shouting as much as it possibly can, upstream, at all points in time. It's a cell phone app? You have location services turned on? It's streaming your position. Also, whatever else it can grab. Basically, if you've granted a permission to an app, assume it's streaming that attribute upstream, and keep things limited.
|
| And, at all costs, prefer offline only devices. It took me a while to find some air quality sensors for my home that _weren't_ online and App-based - but they're literally standalone displays that sniff the air and report out PM2.5/PM10/CO2/etc. I can't access them with an app, I have to walk past and look. So be it.
| For voltage of batteries, ffs, just use a voltmeter, or, if you care about always seeing it, install a little bulkhead voltmeter. I do this on all sorts of projects (most recently a "power toolbox" I use for stuff - battery, inverter, solar charger, USB ports, and a little voltmeter that shows pack voltage when it's powered on).
|
| And then leave your little pocket snoops behind on a regular basis. I've gone back to carrying a regular watch on my wrist, or, when I'm feeling spicy, a pocket watch. And no cell phone, or a turned off cell phone in my backpack or something.
|
| > _Is this even solvable?_
|
| No. Because (a) most people don't care, in terms of actions they're willing to take. This app in question has had hundreds of thousands of downloads, so clearly the devices are popular enough. Saying "I care about my privacy!" is one thing, but actually living without 30,000 apps installed on your phone (shoulder surf when people are scrolling their screens in public places - I've watched people on an airplane with an iPad Pro Max or whatever have literally 20-30 screens full of icons) is pretty uncommon, and slightly inconvenient.
|
| And, (b), politicians are largely in the pay of tech companies, or at least believe the lies about how they're bringing people together and will self regulate and... whatever.
|
| The solutions are simply to opt out, or start using more aggressively hostile-to-profile things. _Waves from Qubes-OS in a disposable VM_
|
| I don't have any other good ideas. The tech ecosystem has rotted, and I don't see any redemption for it. I work in tech, and I've been engineering my life to require less and less computer use, and I _genuinely_ look forward to putting down a computer for the last time.
|
| proxiful-wash wrote:
| No it's not. This is state level treason. It needs to stop. Sorry if this hurts anyone's feelings.
|
| smoldesu wrote:
| The state knows, they buy the laundered version of this data from Palantir and the like.
|
| jklinger410 wrote:
| Great observations. I hope everyone who shares these thoughts is voting for socialist candidates in their home countries.
|
| This is what unregulated capitalism looks like.
|
| lamontcg wrote:
| I donated actual hard earned currency to my socialist candidate. Predictably futile, but I can state that none of this shit is my fault or what I wanted.
|
| Zambyte wrote:
| This is the result of "intellectual property" laws (which exist entirely outside of capitalism) being used by design. It's no surprise that when people have access to your computer and you are not legally allowed to know what they are doing with it, they abuse you.
|
| x1sec wrote:
| This is very true. I make an effort to point out that MITM proxy now supports Wireguard [1] to tunnel traffic out from the handset. It literally should take no more than 5 minutes from download to packet inspection. Of course if TLS is used by the mobile app then on iOS it's a few more minutes of setup time. Unfortunately with Android, installing your own certificate in the trust store is no longer trivial.
|
| As you point out though, the application doesn't even use TLS for sending the GPS data.
|
| In part two [2] of the blog post series, the Alibaba's AMap SDK uses both TLS and custom encryption and this took me quite a few days to figure out the Wifi and cell data collection - so it's not always so trivial. Either way, I recommend to everyone to at least do a basic 'desk check' on the apps they install. You never know what you will find.
|
| [1] https://mitmproxy.org/posts/wireguard-mode/
|
| [2] https://doubleagent.net/2023/05/22/a-car-battery-monitor-tra...
|
| varenc wrote:
| Sadly certificate pinning is becoming pretty common in my experience. Most of the "big apps" do it.
| That means that even if you trust your own CA you still can't MITM the traffic. On iOS you need to jailbreak a device to override cert pinning.
|
| Funny how mechanisms that increase security also remove some of the freedom and visibility we have into our own devices.
|
| x1sec wrote:
| Most defiantly. iOS is a different kettle of fish.
|
| Same challenges are present with performing forensics on an iPhone! The top commercial forensic toolkits will try to jailbreak the handset if possible to pull off artifacts. Good luck on newer hardware with the latest iOS versions. [1]
|
| On the topic of iOS forensics, you can still get quite many useful artifacts from iOS backups with Mobile Verification Toolkit [2] being quite exceptional. I have had less success with iOS backups and the popular iLEAPP forensics software [3].
|
| [1] https://blog.elcomsoft.com/2022/09/ios-forensic-toolkit-8-0-...
|
| [2] https://docs.mvt.re/en/latest/
|
| [3] https://github.com/abrignoni/iLEAPP
|
| chrisweekly wrote:
| defiantly -> definitely, right?
|
| titzer wrote:
| Stallman was right. You absolutely cannot trust closed source to protect the privacy of your data. Reject all platforms that are not fully open, and reject all devices that come with any amount of closed software or firmware. Reading some damn "location privacy policy" is not going to cut it. Such policies are written by lawyers who lie by omission all the time. E.g. as soon as location data is "anonymized" the policy no longer applies. Which is of course a steaming lie. Location information cannot be effectively anonymized without basically nullifying its utility. Guess where that car parks? In one of two general locations for > 18 hours a day, usually. Gee, I wonder who that is. Even with 100m of noise, it's uniquely identifying of you. Don't even think about mobile phones that are accurate to the meter, tricked out with WiFi, accelerometers, and barometers.
| They are wireframe god mode tracking devices given the accuracy of sensors these days. What a nightmare to have these in everyone's hands and run by big tech.
|
| colechristensen wrote:
| >Stallman was right. You absolutely cannot trust closed source to protect the privacy of your data.
|
| People are fully accepting of data gathering when it's out in the open. Trust doesn't have anything to do with it, people are consenting to this kind of thing openly, and when something does come out they do not care.
|
| kwhitefoot wrote:
| > reject all devices that come with any amount of closed software or firmware.
|
| Implementing that policy would mean not owning a mobile phone, a car, a television, microwave, or washing machine, etc.
|
| HeckFeck wrote:
| > Reject all platforms that are not fully open, and reject all devices that come with any amount of closed software or firmware.
|
| I wish we could, but they truly have us by the balls. It is nigh impossible to participate in society without using proprietary software.
|
| throitallaway wrote:
| It's annoying that this has become the norm with basically zero consequences for bad actors.
|
| Seeing this article made me thankful for GrapheneOS. I've been dailying it for a few months now. Every single app is explicitly granted network permission (or not) upon installation. Local apps like this definitely don't get network perms, and neither does my keyboard app (that always creeped me out.)
|
| jbombadil wrote:
| Phones already have app permissions: can access your contacts, can access your location...
|
| But no major phone OS provides a reliable "can access the internet" permission (without jailbreak/root). This would solve this issue much above the stack. I can install the dubious app. If the app can't access the internet at all (properly enforced by the OS) then by definition it can't leak anything.
|
| I find it particularly disappointing from Apple.
| If they were truly committed to privacy as they claim, this would be a feature already.
|
| bluetidepro wrote:
| This would be the best feature ever.
|
| throitallaway wrote:
| GrapheneOS has this function, and it's great. My phone is not rooted.
|
| lyu07282 wrote:
| > "Since the Android app requires location permissions to use the hardware device"
|
| God because Bluetooth LE devices need location permission on Android? How is that still a thing, I remember being outraged about that a decade ago or something.
|
| SV_BubbleTime wrote:
| So... as I understand it... this is about Bluetooth beacons.
|
| Bluetooth, it to require locations because if you passed by a beacon and an app is registered to the OS to watch it, that that is the same as reporting your location.
|
| Your phone said "hey, app that the user installed, you know that BLE device you told me to watch for? Saw it just now!"
|
| So it's not it doesn't make sense. Bluetooth low energy can be used to determine your location so you should have to give it permission.
|
| The problem is... No one knows this.
|
| It's not even like there's a solvable problem, because you don't have to be using the Bluetooth low energy beacon format for this, you just need to be able to scan for advertising BLE devices which the OS does all the time. Remember the rush to turn Covid Tracking on (Covid is over, but those changes aren't going away).
|
| This is how Tile and the Apple Tags that killed them work. Those are just roaming beacons.
|
| Tons of apps that you install for major retailers, Home Depot, Target, Walmart, Best Buy all know exactly when you walk in the store if you have their app on an location services given into it.
|
| Don't install apps. Not unless you have to. Then questionable permissions aren't an issue.
|
| Larrikin wrote:
| This is no longer the case
| https://developer.android.com/guide/topics/connectivity/blue...
| There is actually a lot more review in the Play Store now as well, they will kick you out the store if they detect you're lying about the permission.
|
| throitallaway wrote:
| It seems like permissions should be part of the app manifest and there should be no way to lie about it.
|
| [deleted]
|
| varenc wrote:
| Location permission is required because with Bluetooth access alone an app can essentially locate a device already by checking nearby device addresses against a database of known locations. Similar to how scanning WiFi BSSIDs can also determine location.
|
| It's a tricky problem. As a more technical user, I'd love it if they were separate permissions and the Bluetooth permission included an extra "your location can be determined from bluetooth alone" warning. But for the average user that's just going to confuse them.
|
| murderfs wrote:
| Just as with wifi networks, being able to see nearby Bluetooth devices is enough to figure out your location using publicly available databases like WiGLE.
|
| x1sec wrote:
| Good point, and I assume this is why Google has taken this approach. That said, the more location data points you have, the more accurate the location (larger sample size, time proximity data - GPS is accurate _always_, SSID/BSSIDs can be out of date).
|
| api wrote:
| If it's connected assume it is spying on you as much as it possibly can.
|
| fswd wrote:
| Victron's android mobile app for battery management does this as well. Luckily I spoof my GPS, according to them I'm in the middle of the pacific.
|
| patja wrote:
| Which Victron app? My install of Victron Connect doesn't seem to do this.
|
| x1sec wrote:
| Can you link me to the app store for this? Happy to take a look.
|
| Waterluvian wrote:
| Could someone fill me in: why do people want to monitor their 12V battery? Is it just a proxy for "you seem to have left your light on"?
|
| It honestly feels like a way to spy on family/company vehicles.
| Powered by the battery... knowing its voltage just being a side effect. But I guess that's only if the app also tells you these data.
|
| x1sec wrote:
| I know someone who actually has a few of these devices - they are big into their FWD'ing - they have solar panels on their roof and spend days 'off the grid'.
|
| Another (more common) use case is people that take their caravan out on the road. Many have a plug into the car that keeps the caravan fridge powered on when driving.
|
| For me, I wanted to keep track of the voltage of the battery in a caravan when not connected to mains power.
|
| hsbauauvhabzb wrote:
| Even if it is, the attitude of 'don't install this app as it might track you' is not a viable solution for it that classes of app. Reducing risk is one thing, but until regulation occurs there's nothing to stop _every_ app you use doing the same thing.
|
| thepasswordis wrote:
| It's useful if you have a lot of vehicles and don't drive all of them every day.
|
| blibble wrote:
| over covid my battery went flat a couple of times
|
| I ended up using a multimeter but an app would have been more convenient
|
| Arrath wrote:
| Less often used equipment/vehicles (say, boats or weekend motorcycles) are often put on battery tenders when not in use, to keep the battery fresh for when you do want to use it. Just yesterday my FIL was relating how he put his motorcycle on a tender because it had some parasitic drain that would flatten the battery in 3 days of sitting, for example.
|
| This product seems to be a bit of an in-between, not having the ability to trickle charge the battery, but you can keep an eye on it and charge or jump it as needed.
|
| Syonyk wrote:
| Yeah, I got tired of replacing batteries and now keep just about everything infrequently used on a battery tender. Lead acid as used in cars doesn't like being deeply discharged, so a couple good deep charges will trash them.
| A battery tender and extension cord is an awful lot cheaper than batteries, and a $30 unit will save you a lot more in battery replacement for infrequently used vehicles.
|
| Also, they make the tractor a lot happier to start in the winter. :)
|
| SV_BubbleTime wrote:
| I was in a warehouse of supercars recently. Stuff you had no idea existed. 10 offs, things like that.
|
| Every vehicle was on a trickle charger, for a few reasons. But one reason I especially liked...
|
| The La Ferrari CAN NOT run the barriers dead. If it does, and it's locked, you are in trouble. Like call a Ferrari rep to come fly out and partially take it apart to get it charged and running again trouble.
|
| Same with some Bugatti I had never heard of.
|
| Everything down to McLarens and lower. These aren't vehicles that will run after sitting for a month let alone months.
|
| tacker2000 wrote:
| At this point it's fair to assume that all these devices are collecting large amounts of data and phoning home. I wouldn't be surprised if TP Link routers also send everything back to China. But this is not limited to China anyway, the iPhone I'm using here is probably sending every keystroke and location data back to the US.
|
| firefoxd wrote:
| There needs to be a feature on android to give fake gps data on a real device. This would be useful for any app that requires gps for no good reason.
|
| If your flashlight app needs gps to turn on, no problem. You are currently on mount Kilimanjaro.
|
| x1sec wrote:
| Android warns the user that location related permissions are required. The issue is that this is required for Bluetooth scanning and the app developer abuses this by collecting other 'location data'. The app developer even tries to explain to the user with a pop up saying (paraphrasing) "click accept, so bluetooth will work".
|
| neilv wrote:
| > _acquired from a popular electronics retailer in Australia._
|
| Use the courts and public sentiment.
|
| x1sec wrote:
| The OAIC (Privacy regulator in Australia) notes [1]:
|
| > If you're concerned your personal information has been mishandled, you first need to complain to the organisation or agency you think has mishandled it. If they don't respond to your complaint within 30 days or you're not happy with their response, you can lodge a complaint with us.
|
| I have complained to the retail store that I purchased it from. It's been over 30 days, next is the OAIC. The device is rebranded and sold under many different names (globally) so the real impactful course of action is to have Google and Apple take the applications off the app store.
|
| [1] https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-p...
|
| cryptoegorophy wrote:
| I know it has been talked about this many times, but any tips for readers on how to safeguard from such issues? What comes to mind:
| - don't install apps unless absolutely necessary.
| - don't let apps have extra permissions when possible.
| - if app is free - most likely you paid for it somehow (your data)
| Anything else? I also use 1blocker on iOS to block trackers etc, although, I am not sure if 1Blocker is not spying on my browsing.
|
| x1sec wrote:
| > don't install apps unless absolutely necessary
|
| Very sound advice. What if you have purchased some Bluetooth enabled device that requires an app? Don't purchase Bluetooth/connected hardware? Perhaps!
|
| My next blog post will be on a bike Speedometer that uses GPS to calculate the bike speed. It has an Android app, and yes it sends your data to remote servers hosted within Hong Kong.
|
| hnburnsy wrote:
| Why the f@#k on Android can't the user stop Apps from 1. Running at start up 2. Running in the background. At a minimum why aren't these user granted permissions?
|
| This would stop a great deal of the apps that hoover up data like this.
|
| Google is complicit here. Change my mind.
|
| HeckFeck wrote:
| Yeah, mobile really sucks for this compared to the 90s and 00s desktop experience. It really feels like a step backwards; at least you could delete things from the StartUp folder on Windows 98.
|
| MBCook wrote:
| You can delete things real easy on iPhones.
|
| kccqzy wrote:
| Operating systems need to make Internet access a permission that users can grant or revoke. (Pretty sure that used to be a thing in Android, but never in iOS except mobile data.)
|
| If I get a device that claims to use Bluetooth, I would return it if it actually needs access to the internet.
|
| notjulianjaynes wrote:
| I have used NetGuard on Android to block internet access to certain apps.
|
| https://netguard.me/
|
| 1970-01-01 wrote:
| Realize the thing that watches the thing is also slowly consuming it, to the point of it being necessary to actively monitor the monitor. (The BLE gizmo will slowly but surely drain your car battery. You must take action to recharge the battery when it eventually sends you an alert, because it will soon stop sending them to you.)
|
| It also siphons data on your phone and sends it to China. Oh, and I bet _that_ drains your phone battery. I can't think of a better anti-gift for the holidays. This gizmo is a rare triple consumer threat.
|
| londons_explore wrote:
| I suspect that all the location data stuff is to prevent someone pirating the app and building/selling their own hardware.
|
| Sure, the Chinese manufacturer is a factory making gadgets on the other side of the world - they have no real avenue to monetize your location data. They likely don't even know your name.
|
| Hence, my suspicion is this is all a complex way to stop someone else making a 'compatible' device and selling it without developing their own app.
| That's why the app checks the mac address is valid, and uploads location data so the manufacturer can see if one device is in two locations at once, confirming piracy must have occurred.
|
| drewda wrote:
| For better or worse, there are lots of channels for "no name" apps and gadgets to make money selling location data. See, for example: https://themarkup.org/privacy/2021/09/30/theres-a-multibilli...
|
| hnburnsy wrote:
| I am so sick of this I have resorted to putting almost all my apps on an old iPad (iOS being the lesser of two evils) connected to its own isolated guest network. My Android phone only has apps needed for leaving the house.
___________________________________________________________________
(page generated 2023-06-26 23:00 UTC)