Your user data is secretly sent to China through a backdoor on some U.S. Android phones

Originally published at: http://boingboing.net/2016/11/15/your-user-data-is-secretly-sen.html

…

Oh no we have a different one that phones home to the NSA for you guys.

“American authorities say it is not clear whether this represents
secretive data mining for advertising purposes or a Chinese government
effort to collect intelligence,”

Intelligence gathered:

American lips are becoming deformed, almost duck-like.

Sending a pic of your dick or boobs seems to be a standard American custom.

Americans seem to eat their food so fast, they have to take a picture of it so they can remember what they just ate. Is this the reason they are getting fatter?

Many people seem to be literally dying over cute animals. Is their health care as good as they say it is?

I think it’s safe to say there’s no innocent explanation for this.

So, on Google Android you get data mined and have your private information used to sell advertising. Or you can buy ASOP android from a cheap Chinese handset maker and get your private information looked over by Chinese government spies.

Android truly is all about choice.

At least I only have to worry about it for the five or six hours of my waking day when my phone is not being rebooted/frozen up in a kernel panic or glitched with a disappearing keyboard, non-responsive screen, atrocious lag, etc.

if I had to choose the agency getting all my data I would prefer a Chinese or Russian one over the local domestic intelligence service. the latter one has much better means to make my life miserable if the political climate demands the harassment of my person

At least, no ethical one.

So glad we didn’t go with BLU phones.

That doesn’t guarantee my Android phone is spyware-free though. I don’t know what apps are safe to install and run. I have to assume that no apps can protect my privacy and data as well as turning the phone off and leaving it at home while I go about my business.

What is most damning is that the ‘explanation’ is “Oh, just a routine marketing analytics program accidentally deployed on the wrong handsets, sorry about that.”

It would, of course, not be good if The Ministry of Tyranny were behind it; but at least it would be treated as transgressive. The fact that the response to a massive datamining operation is ‘meh, it’s just advertising’ is appalling.

We ought to necklace anyone who thinks that this is acceptable for commercial purposes; much less for state surveillance.

Unfortunately, there are other risks out there(though not all as frankly amateurish as this one). AT&T, for instance, owns “CarrierIQ”, which makes one wonder about the safety of their OTA firmware updates; and there are other vendors of such…'legitimate customer experience tools… in the market.

Try “not ones you downloaded from a shady website that require root.”

This is one of the best arguments for immediately rooting your Android device I have ever seen.

I rooted my battered LG G2 right away — and it was a bear; LGs are a serious PITA to root, at least at the time — and I haven’t regretting anything but loss of some camera functions, as AOSP ROMs can’t use LG’s proprietary hooks and I went with CyanogenMod ^^’ .

Basically, I traded the loss of some cam usefulness (which I hardly use) for SERIOUSLY upgraded security and total control over my phone. I think it was worth it but YMMV; it’s still not a process that’s for the faint of heart, in many cases, as well.

Well, at least I can rest assured in the knowledge that I’m boring them to bits.

Of course, rooting your device (and leaving it rooting) is step 1 in most of the malware out there getting permanently resident on your phone too because people then follow it up with “install this APK I found on bittorrent” next.

(@JemmieDuffs: I use CM Security and their Stubborn Trojan Killer, free apps from the Google Play Store. They’ve warned me of some vulnerabilities, and they help clean out junk files, but they’ve never reported viruses or malware.)

So let me get this straight: if I’ve got this bug in my phone, the Chinese will be able to spy on my thousands-deep collection of free Kindle books, my collection of silly gifs, random Google searches and regular BBS-ery?

If it is only some U.S. Android phones, then why is it “your” user data - rather than simply “some people’s” user data?

Is my data somehow on others’ phones?

I use Android Pay because (a) I am not paranoid about it and (b) the physical security is better than with nfc cards. Rooting would prevent this. But in any case and despite having some background in security, I do not think my own knowledge is sufficiently good to justify my rooting a phone which is hooked into so many services that I simply don’t have the time or the energy to investigate them all.
I run very, very few apps and only paid-for, ad free ones and I pay careful attention to battery usage.

“Hi, I notice you’re learning Russian. Would you like to betray your country? I am earning $10000 a month with just a few hours clicking links on this website.”

I get the joke but, like vaccinations, online security really only works when a critical mass is secure, irrespective of whether they’re just sharing kitten pics or planning the next strike at Walmart. When only a few people have secure comms … guess who looks highly suspicious?