[HN Gopher] A popular Bluetooth car battery monitor that siphons...
___________________________________________________________________
A popular Bluetooth car battery monitor that siphons up all your
location data
Author : x1sec
Score : 203 points
Date : 2023-06-26 20:45 UTC (2 hours ago)
(HTM) web link (doubleagent.net)
(TXT) w3m dump (doubleagent.net)
| yazzku wrote:
| Noob question, but was the application streaming over plain http,
| or did you do something to decrypt https traffic? How would you
| do the latter?
|
| Edit: with mitmproxy and installing a cert in the phone's store,
| as explained in the latter half of the write-up. I guess that
| wouldn't work if the application pinned the server certs, but I
| guess this "commercial malware" is not that sophisticated.
| x1sec wrote:
| In the second part of the blog post series, I show that the
| AMap SDK they use encrypts data first using AES and then
| further encrypts the AES key(s) with a public RSA key
| embedded in the application. Not trivial.
|
| If certificate pinning was used, it can be bypassed by
| modifying the APK or dynamically hooking into the running
| application using Frida. Often you have to try a few things
| before getting it working, often starting with a universal TLS
| bypass Frida script [1][2]
|
| [1] https://codeshare.frida.re/@pcipolloni/universal-android-ssl...
|
| [2] https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
| x1sec wrote:
| Hi HN, this is my effort in reverse engineering a BLE car
| battery monitor whose app has over 100,000 downloads on the
| Google Play store alone.
|
| It turns out it's sending GPS, cell phone tower cell IDs and Wifi
| beacon data to servers in Hong Kong and mainland China on a
| continued basis. Google and Apple app store pages say no personal
| data is collected or sent to 3rd parties.
|
| Hopefully readers pick up a few tips on reversing apps for their
| connected devices.
| disposition2 wrote:
| Really appreciate the write up. Just wanted to share, while
| unimportant...I still thought I would share, some grammatical
| errors near the top of the page
|
| > reveals that that the Apple iPhone version is also location
| data to remote servers.
|
| I'm guessing there should only be 1 "that" and there's a
| missing "sending" between "also" and "location data"
| OldManRyan wrote:
| Would love to learn more about this type of reverse
| engineering. Do you have any resources or tips on getting
| started?
| x1sec wrote:
| The best way is to just start practicing. I would say pick
| some simple apps on your (Android) phone and dig straight in.
|
| The great thing about Android applications is that often they
| generally decompile quite nicely into human readable Java so
| the barrier of entry can be quite low to start reversing.
|
| Grab a copy of JADX[1] - it will decompress and decompile the
| APK files. If you don't have an Android handset, use an
| emulator and/or grab APKs from apkpure[2]
|
| Dynamic analysis is a bit more challenging. In my blog post I
| use Frida[3] extensively.
|
| If you get started on something and get stuck/looking for
| support, feel free to DM me on Twitter (handle in HN
| profile), more than happy to help.
|
| [1] https://github.com/skylot/jadx
|
| [2] https://m.apkpure.com/
|
| [3] https://frida.re/docs/android/
| OldManRyan wrote:
| Thanks! I have an Android device so I'll start by looking
| at some apps I use daily.
| x1sec wrote:
| Great - good luck and most of all, have fun!
| TheBozzCL wrote:
| Awesome write-up!
|
| When my friends laugh at my obsession over privacy and data
| collection, this is the kind of thing I point at. There's no
| reason to believe they're doing this for malicious reasons, but
| we really have no way to know. It's probably just
| ignorance/incompetence.
| x1sec wrote:
| Thanks! Part of my motivation for documenting this is to raise
| awareness and also provide encouragement for others to start
| looking at what their devices/apps in their home are doing.
|
| The amount of location data the device maker is collecting is
| significant - perhaps they are monetizing it? If so, would you
| consider this malicious (if not disclosed to the end user this
| was happening)?
|
| The AMap SDK the app uses collects much more location data -
| here I feel they are likely using it to improve the accuracy of
| their location service/mapping software. I don't consider this
| malicious, unless this behavior is not disclosed to users and
| developers. Their site is in Chinese [1], would anyone read
| through their fine print to verify?
|
| [1] https://lbs.amap.com/api/lightweight-android-sdk/download
| TheBozzCL wrote:
| That's my thought exactly: there's no logical reason for this
| to need to send your location, so it's probably monetized by
| AMap to improve location accuracy. The fact that it's not
| disclosed is worrisome but sounds more like incompetence or
| ignorance to me.
|
| I haven't taken the time to fully dig into your posts, did
| you notice if they're generating a user ID? For me, that
| would be the difference between using it for location
| accuracy or tracking user locations. That being said, the
| data they already have is probably more than enough to track
| individuals.
|
| Reminds me of this one post that I just can't find anymore: a
| (Danish? Finnish?) journal bought a pack of "anonymized"
| location data and chose one individual. They were able to
| track where they lived and worked, and where they went for
| vacation. They even went to their place and talked to them,
| and they had no idea this was happening whatsoever. I really
| wish I could remember where I read it.
| segmondy wrote:
| For once, I really hope the US govt would do something about
| these sorts of devices. I bought a digital picture frame from
| Amazon. It's listed as having an SD card. When I tried to set it
| up, it wanted me to install an Android app, and that was the only
| way to save pictures to the SD card. To connect the device to
| Wifi, then use my phone to send picture to the device. So not
| only would I have an unknown device in my network, collecting and
| reporting who knows what, it would be on my cell phone as well. I
| returned it. Imagine if there was 100k or 500k of these trojan
| horse devices in the US. It's truly scary what it means for US's
| national security.
| Libcat99 wrote:
| Nothing to imagine, I am certain that there are 100s of
| thousands of such devices, and even if their design intent is
| not malicious they are typically security nightmares.
| gxs wrote:
| How is it that giving an app the ability to scan for nearby wifi
| networks is not a permission in and of itself?
|
| The very first time it happened to me, it was confusing - hm, why
| does this random app, having nothing to do with connectivity,
| require bluetooth access?
|
| Permissions should be more granular - and more importantly, Apple
| should make it so not giving an application a non-essential
| permission is not grounds for not letting the user use the app.
|
| That was a mouthful, hope it made sense.
| x1sec wrote:
| I agree and Apple's approach does this. You can deny the
| location permissions and still use the Bluetooth services. This
| is not the case with Android.
| Syonyk wrote:
| Of course it is.
|
| Because that's what "consumer tech" has turned into. An excuse to
| lie to end users as much as you can possibly get away with, to
| collect as much information from them as you possibly can,
| gatekept by companies who _do not care in the slightest_ about
| any of those, unless it makes bad press for them, at which point
| they "promise to try harder to not get caught doing this in the
| future."
|
| And they don't even _try_ to hide it. It's just that nobody
| looks.
|
| > _Note: Since the BM2 does not use HTTPS, there is no need to
| even install a certificate. What this means is that anyone can
| independently identify that their latitude and longitude
| co-ordinates are being sent on either iOS or Android with no
| modifications to their phone._
|
| "Anyone can independently verify." And also, anyone on the
| network connection between you and the server can help themselves
| to this data.
| KMnO4 wrote:
| I mean... If you're on the network presumably you already know
| the location?
| [deleted]
| malux85 wrote:
| What do we do about it? The obvious answer is just stop buying
| this junk, but how would anyone know?
|
| I'm curious, have you (or anyone else) seen novel solutions to
| this problem? Is this even solvable? Ideas everyone!
| RajT88 wrote:
| Clone their products so cheaply that you can undercut them on
| price and still make money.
|
| Of course that requires said person to also resist the
| temptation of data harvesting. Which few seem to be able to.
| lolinder wrote:
| You can't clone them cheaply without the subsidy the data
| provides. These products are usually cheaper than they
| should be because the manufacturer knows they can get value
| out of the data sale.
| javajosh wrote:
| This looks like fraud by Amap and negligence by Google (and
| Apple). The 100k users have cause for a class action. However
| the upfront cost of such a thing is prohibitive.
|
| There is also the possibility that this is a national
| security issue. Exfiltrating location data to China for 100k
| Americans, probably including government and military
| employees, violates the law. But again, it's all about the
| cost. Also ambivalence (as others have pointed out).
| hedora wrote:
| Establish financial liability for products that engage in
| opt-out data collection. The liability should be shared by
| the manufacturers and by any resellers (especially including
| Amazon in the US).
|
| Make sure the financial liability is at least the maximum of
| 100x the value of the data and 10x the revenue the suite of
| bundled products generate.
| blibble wrote:
| this is more or less the main idea of the GDPR
|
| it attempted to turn the people's personal data from a
| balance sheet asset into a liability
|
| with varying success
| genocidicbunny wrote:
| Also, criminal liability for everyone involved. Put every
| single employee and exec of these companies in jail for
| 10-20 years, with the first one to tattle on the employer
| getting a pardon.
| Syonyk wrote:
| And suddenly, a new style of ad: "Work from home! Be your
| own CEO! For a mere $5000, we set up your company, brand
| our products, and you get all the credit! No technical
| skills needed, just a bank account to receive your
| monthly income!"
| genocidicbunny wrote:
| We can go ahead and extend the criminal liability up and
| down the ownership chain too.
| hsbauauvhabzb wrote:
| Regulation is the only way to solve this issue, and
| regulation requires the people in power to care, where
| currently almost none in non European countries do.
| Syonyk wrote:
| > _The obvious answer is just stop buying this junk, but how
| would anyone know?_
|
| You don't have to know. You can safely guess. Assume anything
| "connected" is shouting as much as it possibly can, upstream,
| at all points in time. It's a cell phone app? You have
| location services turned on? It's streaming your position.
| Also, whatever else it can grab. Basically, if you've granted
| a permission to an app, assume it's streaming that attribute
| upstream, and keep things limited.
|
| And, at all costs, prefer offline only devices. It took me a
| while to find some air quality sensors for my home that
| _weren't_ online and App-based - but they're literally
| standalone displays that sniff the air and report out
| PM2.5/PM10/CO2/etc. I can't access them with an app, I have
| to walk past and look. So be it. For voltage of batteries,
| ffs, just use a voltmeter, or, if you care about always
| seeing it, install a little bulkhead voltmeter. I do this on
| all sorts of projects (most recently a "power toolbox" I use
| for stuff - battery, inverter, solar charger, USB ports, and
| a little voltmeter that shows pack voltage when it's powered
| on).
|
| And then leave your little pocket snoops behind on a regular
| basis. I've gone back to carrying a regular watch on my
| wrist, or, when I'm feeling spicy, a pocket watch. And no
| cell phone, or a turned off cell phone in my backpack or
| something.
|
| > _Is this even solvable?_
|
| No. Because (a) most people don't care, in terms of actions
| they're willing to take. This app in question has had
| hundreds of thousands of downloads, so clearly the devices
| are popular enough. Saying "I care about my privacy!" is one
| thing, but actually living without 30,000 apps installed on
| your phone (shoulder surf when people are scrolling their
| screens in public places - I've watched people on an airplane
| with an iPad Pro Max or whatever have literally 20-30 screens
| full of icons) is pretty uncommon, and slightly inconvenient.
|
| And, (b), politicians are largely in the pay of tech
| companies, or at least believe the lies about how they're
| bringing people together and will self regulate and...
| whatever.
|
| The solutions are simply to opt out, or start using more
| aggressively hostile-to-profile things. _Waves from Qubes-OS
| in a disposable VM_
|
| I don't have any other good ideas. The tech ecosystem has
| rotted, and I don't see any redemption for it. I work in
| tech, and I've been engineering my life to require less and
| less computer use, and I _genuinely_ look forward to putting
| down a computer for the last time.
| proxiful-wash wrote:
| No it's not. This is state level treason. It needs to stop.
| Sorry if this hurts anyone's feelings.
| smoldesu wrote:
| The state knows, they buy the laundered version of this data
| from Palantir and the like.
| jklinger410 wrote:
| Great observations. I hope everyone who shares these thoughts
| is voting for socialist candidates in their home countries.
|
| This is what unregulated capitalism looks like.
| lamontcg wrote:
| I donated actual hard earned currency to my socialist
| candidate. Predictably futile, but I can state that none of
| this shit is my fault or what I wanted.
| Zambyte wrote:
| This is the result of "intellectual property" laws (which
| exist entirely outside of capitalism) being used by design.
| It's no surprise that when people have access to your
| computer and you are not legally allowed to know what they
| are doing with it, they abuse you.
| x1sec wrote:
| This is very true. I make an effort to point out that MITM
| proxy now supports Wireguard [1] to tunnel traffic out from the
| handset. It literally should take no more than 5 minutes from
| download to packet inspection. Of course if TLS is used by the
| mobile app then on iOS it's a few more minutes of setup time.
| Unfortunately with Android, installing your own certificate in
| the trust store is no longer trivial.
|
| As you point out though, the application doesn't even use TLS
| for sending the GPS data.
|
| In part two [2] of the blog post series, Alibaba's AMap SDK
| uses both TLS and custom encryption and this took me quite a
| few days to figure out the Wifi and cell data collection - so
| it's not always so trivial. Either way, I recommend to everyone
| to at least do a basic 'desk check' on the apps they install.
| You never know what you will find.
|
| [1] https://mitmproxy.org/posts/wireguard-mode/
|
| [2] https://doubleagent.net/2023/05/22/a-car-battery-monitor-tra...
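
A small version of the 'desk check' described in the comment above, as an added example that is not from the thread or the blog post: it flags proxied requests that carry a latitude/longitude pair and records whether they went out over cleartext HTTP. The parameter names, hosts and sample flows are constructed assumptions; the BM2 app's real request format is not shown on this page.

```python
"""Flag proxied requests that carry a latitude/longitude pair."""
import json
import logging
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names for coordinates; extend for the app under review.
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
# Require 3+ decimals so small integers (sizes, counters) are not flagged.
DECIMAL = re.compile(r"^-?\d{1,3}\.\d{3,}$")

# Constructed sample flows: (scheme, url, body).
CONSTRUCTED_FLOWS = [
    ("http", "http://telemetry.example/upload?lat=-33.8688&lng=151.2093&dev=abc", ""),
    ("https", "https://api.example/v1/pos",
     '{"device": {"latitude": 48.8566, "longitude": 2.3522}}'),
    ("http", "http://cdn.example/img?w=640&h=480", ""),
    ("http", "http://shop.example/item?lat=12&long=5", ""),
]


def _pairs(url, body):
    """Yield (name, value) pairs from the query string and the request body."""
    yield from parse_qsl(urlsplit(url).query)
    body = (body or "").strip()
    if not body.startswith(("{", "[")):
        yield from parse_qsl(body)  # treat as form-encoded
        return
    try:
        stack = [json.loads(body)]
    except ValueError:
        return
    while stack:  # walk nested JSON without recursion
        node = stack.pop()
        if isinstance(node, list):
            stack.extend(node)
        elif isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, (dict, list)):
                    stack.append(value)
                else:
                    yield str(key), str(value)


def find_coordinates(url, body=""):
    """Return (lat, lon) if the request carries a plausible pair, else None."""
    lat = lon = None
    for name, value in _pairs(url, body):
        value = value.strip()
        if not DECIMAL.match(value):
            continue
        number = float(value)
        key = name.lower()
        if key in LAT_KEYS and -90 <= number <= 90:
            lat = number
        elif key in LON_KEYS and -180 <= number <= 180:
            lon = number
    return (lat, lon) if lat is not None and lon is not None else None


def audit_request(scheme, url, body=""):
    """Return a finding dict for a request carrying coordinates, else None."""
    coords = find_coordinates(url, body)
    if coords is None:
        return None
    return {"host": urlsplit(url).hostname, "cleartext": scheme == "http",
            "lat": coords[0], "lon": coords[1]}


def audit_all(flows):
    """Audit an iterable of (scheme, url, body) tuples; return the findings."""
    return [f for f in (audit_request(*flow) for flow in flows) if f]


class CoordinateLeakAudit:
    """mitmproxy addon hook; load with `mitmdump -s <this file>`."""

    def request(self, flow):
        req = flow.request
        finding = audit_request(req.scheme, req.pretty_url,
                                req.get_text(strict=False))
        if finding:
            logging.warning("location sent to %(host)s (cleartext=%(cleartext)s): "
                            "%(lat)s, %(lon)s", finding)


addons = [CoordinateLeakAudit()]

if __name__ == "__main__":
    for item in audit_all(CONSTRUCTED_FLOWS):
        print(item)
```

Coordinates wrapped in an SDK's own encryption layer, as described for AMap in part two, will not show up in this kind of plaintext check.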
| varenc wrote:
| Sadly certificate pinning is becoming pretty common in my
| experience. Most of the "big apps" do it. That means that
| even if you trust your own CA you still can't MITM the
| traffic. On iOS you need to jailbreak a device to override
| cert pinning.
|
| Funny how mechanisms that increase security also remove some
| of the freedom and visibility we have into our own devices.
| x1sec wrote:
| Most defiantly. iOS is a different kettle of fish.
|
| Same challenges are present with performing forensics on an
| iPhone! The top commercial forensic toolkits will try to
| jailbreak the handset if possible to pull off artifacts.
| Good luck on newer hardware with the latest iOS versions.
| [1]
|
| On the topic of iOS forensics, you can still get quite many
| useful artifacts from iOS backups with Mobile Verification
| Toolkit [2] being quite exceptional. I have had less
| success with iOS backups and the popular iLEAPP forensics
| software [3].
|
| [1] https://blog.elcomsoft.com/2022/09/ios-forensic-toolkit-8-0-...
|
| [2] https://docs.mvt.re/en/latest/
|
| [3] https://github.com/abrignoni/iLEAPP
| chrisweekly wrote:
| defiantly -> definitely, right?
| titzer wrote:
| Stallman was right. You absolutely cannot trust closed source
| to protect the privacy of your data. Reject all platforms that
| are not fully open, and reject all devices that come with any
| amount of closed software or firmware. Reading some damn
| "location privacy policy" is not going to cut it. Such policies
| are written by lawyers who lie by omission all the time. E.g.
| as soon as location data is "anonymized" the policy no longer
| applies. Which is of course a steaming lie. Location
| information cannot be effectively anonymized without basically
| nullifying its utility. Guess where that car parks? In one of
| two general locations for > 18 hours a day, usually. Gee, I
| wonder who that is. Even with 100m of noise, it's uniquely
| identifying of you. Don't even think about mobile phones that
| are accurate to the meter, tricked out with WiFi,
| accelerometers, and barometers. They are wireframe god mode
| tracking devices given the accuracy of sensors these days. What
| a nightmare to have these in everyone's hands and run by big
| tech.
| colechristensen wrote:
| >Stallman was right. You absolutely cannot trust closed
| source to protect the privacy of your data.
|
| People are fully accepting of data gathering when it's out in
| the open. Trust doesn't have anything to do with it, people
| are consenting to this kind of thing openly, and when
| something does come out they do not care.
| kwhitefoot wrote:
| > reject all devices that come with any amount of closed
| software or firmware.
|
| Implementing that policy would mean not owning a mobile
| phone, a car, a television, microwave, or washing machine,
| etc.
| HeckFeck wrote:
| > Reject all platforms that are not fully open, and reject
| all devices that come with any amount of closed software or
| firmware.
|
| I wish we could, but they truly have us by the balls. It is
| nigh impossible to participate in society without using
| proprietary software.
| throitallaway wrote:
| It's annoying that this has become the norm with basically zero
| consequences for bad actors.
|
| Seeing this article made me thankful for GrapheneOS. I've been
| dailying it for a few months now. Every single app is explicitly
| granted network permission (or not) upon installation. Local apps
| like this definitely don't get network perms, and neither does my
| keyboard app (that always creeped me out.)
| jbombadil wrote:
| Phones already have app permissions: can access your contacts, can
| access your location...
|
| But no major phone OS provides a reliable "can access the
| internet" permission (without jailbreak/root). This would solve
| this issue much above the stack. I can install the dubious app.
| If the app can't access the internet at all (properly enforced by
| the OS) then by definition it can't leak anything.
|
| I find it particularly disappointing from Apple. If they were
| truly committed to privacy as they claim, this would be a feature
| already.
| bluetidepro wrote:
| This would be the best feature ever.
| throitallaway wrote:
| GrapheneOS has this function, and it's great. My phone is not
| rooted.
| lyu07282 wrote:
| > "Since the Android app requires location permissions to use the
| hardware device"
|
| God because Bluetooth LE devices need location permission on
| Android? How is that still a thing, I remember being outraged
| about that a decade ago or something.
| SV_BubbleTime wrote:
| So... as I understand it... this is about Bluetooth beacons.
|
| Bluetooth has to require location because if you passed by a
| beacon and an app is registered to the OS to watch it, that
| is the same as reporting your location.
|
| Your phone said "hey, app that the user installed, you know
| that BLE device you told me to watch for? Saw it just now!"
|
| So it's not that it doesn't make sense. Bluetooth low energy can be
| used to determine your location so you should have to give it
| permission.
|
| The problem is... No one knows this.
|
| It's not even like there's a solvable problem, because you
| don't have to be using the Bluetooth low energy beacon format
| for this, you just need to be able to scan for advertising BLE
| devices which the OS does all the time. Remember the rush to turn
| Covid Tracking on (Covid is over, but those changes aren't
| going away).
|
| This is how Tile and the Apple Tags that killed them work.
| Those are just roaming beacons.
|
| Tons of apps that you install for major retailers, Home Depot,
| Target, Walmart, Best Buy all know exactly when you walk in the
| store if you have their app on and location services given to
| it.
|
| Don't install apps. Not unless you have to. Then questionable
| permissions aren't an issue.
| Larrikin wrote:
| This is no longer the case
| https://developer.android.com/guide/topics/connectivity/blue...
| There is actually a lot more review in the Play Store now as
| well, they will kick you out the store if they detect you're
| lying about the permission.
| throitallaway wrote:
| It seems like permissions should be part of the app manifest
| and there should be no way to lie about it.
| [deleted]
| varenc wrote:
| Location permission is required because with Bluetooth access
| alone an app can essentially locate a device already by
| checking nearby device addresses against a database of known
| locations. Similar to how scanning WiFi BSSIDs can also
| determine location.
|
| It's a tricky problem. As a more technical user, I'd love it if
| they were separate permissions and the Bluetooth permission
| included an extra "your location can be determined from
| bluetooth alone" warning. But for the average user that's just
| going to confuse them.
| murderfs wrote:
| Just as with wifi networks, being able to see nearby Bluetooth
| devices is enough to figure out your location using publicly
| available databases like WiGLE.
| x1sec wrote:
| Good point, and I assume this is why Google has taken this
| approach. That said, the more location data points you have,
| the more accurate the location (larger sample size, time
| proximity data - GPS is accurate _always_, SSID/BSSIDs can
| be out of date).
| api wrote:
| If it's connected assume it is spying on you as much as it
| possibly can.
| fswd wrote:
| Victron's android mobile app for battery management does this as
| well. Luckily I spoof my GPS, according to them I'm in the middle
| of the pacific.
| patja wrote:
| Which Victron app? My install of Victron Connect doesn't seem
| to do this.
| x1sec wrote:
| Can you link me to the app store for this? Happy to take a
| look.
| Waterluvian wrote:
| Could someone fill me in: why do people want to monitor their 12V
| battery? Is it just a proxy for "you seem to have left your light
| on"?
|
| It honestly feels like a way to spy on family/company vehicles.
| Powered by the battery... knowing its voltage just being a side
| effect. But I guess that's only if the app also tells you these
| data.
| x1sec wrote:
| I know someone who actually has a few of these devices - they
| are big into their FWD'ing - they have solar panels on their
| roof and spend days 'off the grid'.
|
| Another (more common) use case is people that take their
| caravan out on the road. Many have a plug into the car that
| keeps the caravan fridge powered on when driving.
|
| For me, I wanted to keep track of the voltage of the battery in
| a caravan when not connected to mains power.
| hsbauauvhabzb wrote:
| Even if it is, the attitude of 'don't install this app as it
| might track you' is not a viable solution for that class
| of app. Reducing risk is one thing, but until regulation occurs
| there's nothing to stop _every_ app you use doing the same
| thing.
| thepasswordis wrote:
| It's useful if you have a lot of vehicles and don't drive all
| of them every day.
| blibble wrote:
| over covid my battery went flat a couple of times
|
| I ended up using a multimeter but an app would have been more
| convenient
| Arrath wrote:
| Less often used equipment/vehicles (say, boats or weekend
| motorcycles) are often put on battery tenders when not in use,
| to keep the battery fresh for when you do want to use it. Just
| yesterday my FIL was relating how he put his motorcycle on a
| tender because it had some parasitic drain that would flatten
| the battery in 3 days of sitting, for example.
|
| This product seems to be a bit of an in-between, not having the
| ability to trickle charge the battery, but you can keep an eye
| on it and charge or jump it as needed.
| Syonyk wrote:
| Yeah, I got tired of replacing batteries and now keep just
| about everything infrequently used on a battery tender. Lead
| acid as used in cars doesn't like being deeply discharged, so
| a couple good deep charges will trash them. A battery tender
| and extension cord is an awful lot cheaper than batteries,
| and a $30 unit will save you a lot more in battery
| replacement for infrequently used vehicles.
|
| Also, they make the tractor a lot happier to start in the
| winter. :)
| SV_BubbleTime wrote:
| I was in a warehouse of supercars recently. Stuff you had no
| idea existed. 10 offs, things like that.
|
| Every vehicle was on a trickle charger, for a few reasons.
| But one reason I especially liked...
|
| The La Ferrari CAN NOT run the batteries dead. If it does, and
| it's locked, you are in trouble. Like call a Ferrari rep to
| come fly out and partially take it apart to get it charged
| and running again trouble.
|
| Same with some Bugatti I had never heard of.
|
| Everything down to McLarens and lower. These aren't vehicles
| that will run after sitting for a month let alone months.
| tacker2000 wrote:
| At this point it's fair to assume that all these devices are
| collecting large amounts of data and phoning home. I wouldn't be
| surprised if TP Link routers also send everything back to China.
| But this is not limited to China anyway, the iPhone I'm using here
| is probably sending every keystroke and location data back to the
| US.
| firefoxd wrote:
| There needs to be a feature on Android to give fake gps data on a
| real device. This would be useful for any app that requires gps
| for no good reason.
|
| If your flashlight app needs gps to turn on, no problem. You are
| currently on Mount Kilimanjaro.
| x1sec wrote:
| Android warns the user that location related permissions are
| required. The issue is that this is required for Bluetooth
| scanning and the app developer abuses this by collecting other
| 'location data'. The app developer even tries to explain to the
| user with a pop up saying (paraphrasing) "click accept, so
| bluetooth will work".
| neilv wrote:
| > _acquired from a popular electronics retailer in Australia._
|
| Use the courts and public sentiment.
| x1sec wrote:
| The OAIC (Privacy regulator in Australia) notes [1]:
|
| > If you're concerned your personal information has been
| mishandled, you first need to complain to the organisation or
| agency you think has mishandled it. If they don't respond to
| your complaint within 30 days or you're not happy with their
| response, you can lodge a complaint with us.
|
| I have complained to the retail store that I purchased it from.
| It's been over 30 days, next is the OAIC. The device is
| rebranded and sold under many different names (globally) so the
| real impactful course of action is to have Google and Apple
| take the applications off the app store.
|
| [1] https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-p...
| cryptoegorophy wrote:
| I know it has been talked about this many times, but any tips for
| readers on how to safeguard from such issues? What comes to
| mind:
| - don't install apps unless absolutely necessary.
| - don't let apps have extra permissions when possible.
| - if app is free - most likely you paid for it somehow (your data)
|
| Anything else? I also use 1blocker on iOS to block trackers etc,
| although, I am not sure if 1Blocker is not spying on my browsing.
| x1sec wrote:
| > don't install apps unless absolutely necessary
|
| Very sound advice. What if you have purchased some Bluetooth
| enabled device that requires an app? Don't purchase
| Bluetooth/connected hardware? Perhaps!
|
| My next blog post will be on a bike Speedometer that uses GPS
| to calculate the bike speed. It has an Android app, and yes it
| sends your data to remote servers hosted within Hong Kong.
| hnburnsy wrote:
| Why the f@#k on Android can't the user stop Apps from 1. Running
| at start up 2. Running in the background. At a minimum why aren't
| these user granted permissions?
|
| This would stop a great deal of the apps that hoover up data like
| this.
|
| Google is complicit here. Change my mind.
| HeckFeck wrote:
| Yeah, mobile really sucks for this compared to the 90s and 00s
| desktop experience. It really feels like a step backwards; at
| least you could delete things from the StartUp folder on
| Windows 98.
| MBCook wrote:
| You can delete things real easy on iPhones.
| kccqzy wrote:
| Operating systems need to make Internet access a permission that
| users can grant or revoke. (Pretty sure that used to be a thing
| in Android, but never in iOS except mobile data.)
|
| If I get a device that claims to use Bluetooth, I would return it
| if it actually needs access to the internet.
| notjulianjaynes wrote:
| I have used NetGuard on Android to block internet access to
| certain apps.
|
| https://netguard.me/
| 1970-01-01 wrote:
| Realize the thing that watches the thing is also slowly consuming
| it, to the point of it being necessary to actively monitor the
| monitor. (The BLE gizmo will slowly but surely drain your car
| battery. You must take action to recharge the battery when it
| eventually sends you an alert, because it will soon stop sending
| them to you.)
|
| It also siphons data on your phone and sends it to China. Oh, and
| I bet _that_ drains your phone battery. I can't think of a
| better anti-gift for the holidays. This gizmo is a rare triple
| consumer threat.
| londons_explore wrote:
| I suspect that all the location data stuff is to prevent someone
| pirating the app and building/selling their own hardware.
|
| Sure, the Chinese manufacturer is a factory making gadgets on the
| other side of the world - they have no real avenue to monetize
| your location data. They likely don't even know your name.
|
| Hence, my suspicion is this is all a complex way to stop someone
| else making a 'compatible' device and selling it without
| developing their own app. That's why the app checks the MAC
| address is valid, and uploads location data so the manufacturer
| can see if one device is in two locations at once, confirming
| piracy must have occurred.
| drewda wrote:
| For better or worse, there are lots of channels for "no name"
| apps and gadgets to make money selling location data. See, for
| example: https://themarkup.org/privacy/2021/09/30/theres-a-multibilli...
| hnburnsy wrote:
| I am so sick of this I have resorted to putting almost all my
| apps on an old iPad (iOS being the lesser of two evils) connected
| to its own isolated guest network. My Android phone only has apps
| needed for leaving the house.
___________________________________________________________________
(page generated 2023-06-26 23:00 UTC)