Your user data is secretly sent to China through a backdoor on some U.S. Android phones

The lifecycle of phones is so fast you can’t effectively audit the software and updates. And for all the “nothing to hide” folks, I suppose you think that this can’t be intercepted? That you don’t use 2-factor authorization and have never texted important numbers? We all have something to fear.

This is a reminder that you cannot trust these tools.

1 Like

“Sir, we finally have DukeTrout’s secret Wienerschitzel recipe! We can begin Phase 2 of Operation Gastropub.”

Edit: Need some more mustache-twirling here.

3 Likes

True. I don’t know if it helps or if it hurts that I’ve got an older model phone that I got from my service provider. Then again, with an older phone I can’t get the latest Android operating system. I do my best to use Antivirus apps and surf as smart as I can… but there are always vulnerabilities. And no, I don’t want my phone hacked… but I try to find a little humor in the situation. :)

2 Likes

Um, no, you can “sideload” .apks without rooting at all. That’s a completely separate issue.

2 Likes

You are misinformed. Rooting does not, of itself, remove the capability to use Android Pay; all you need is a simple “root hider”. Personally, I use “Hide my Root”, although some apps will require different methods.

You can verify this with many of the links found on page 1 of this Google search: https://www.google.com/search?q=android+pay+rooted+phone

If you have an older phone, you are VERY likely to remain vulnerable to bugs found in older versions of Android, such as the rather alarming “Stagefright” exploit, which exists from 2.2 (Froyo) to 5.0 (first version of Lollipop). The only real way to address this with older, no longer officially supported phones is via rooting and installing a different, updated ROM (two separate processes, by the by; you can use the original retail ROM on a rooted phone, in most cases).

Most phones are supported long after their manufacturer’s intended “End of Life” via ROMs.

2 Likes

Uhm, yes, but those are the mainly dangerous ones. It is the ones you sideload that take advantage of your rooted status that are the main issue. This is leaving aside the stupid people who sideload apps and then approve massive permissions for them.

I do work in security for a living. Do you need a list of all of the malware out there that takes advantage of rooted devices?

2 Likes

Sorry, but no, that’s NOT how it works. You can bork your phone just as easily with sideloaded apps, whether you’re rooted or not. Nor are you required to sideload apps, if/when rooted; the Play Store works fine, as long as you install Google Apps (for AOSP ROMs, like CyanogenMod, that don’t include it already).

Most — in fact, nearly all — of the malware found “in the wild” for Android is found right on the Play Store, because that’s where the vast majority of users get their Android software, of course. Do YOU need a list verifying this? Here’s a perfect example, re: the “Dresscode” spyware found on the Play Store.

1 Like

No one said anything about requiring anything. Quit making strawmen to bolster your argument.

And, yes, it is how it works to some extent. If your phone isn’t rooted, apps are restricted in many places as to what they can do to your system. That’s kind of the point of why people root. Why is it that you think people root their devices beyond installing custom roms?

Yes, the play store is full of malware. The malware that requires a rooted device is, surprisingly (right), not in the play store. It is out there and it does horrible things though. I’m less worried about the malware in the playstore than the malware that people with rooted phones install on their phones that takes advantage of it being rooted. Are you pretending that it isn’t an issue?

You know why iPhones are more secure than Android phones? It isn’t because iOS is inherently better. It is because all apps on the iPhone need to be signed by Apple to be installed since almost no one roots their phone to sideload things. (That and Apple seems to do a much better job overall of reviewing what is allowed in the store.) Android users root their phones all the time and think it is no big deal and aren’t aware they’re actively disabling a security measure. Once you root your phone, assuming you leave it rooted, you’re halfway to being owned for most people. People are clueless and will install anything they find online.

1 Like

You made an assertion about sideloading that you cannot, in fact, support. You can do exactly as much damage with a malicious app, rooted or not, sideloaded or not; the only thing that changes is the method(s) that particular program uses for its chicanery.

If you think the tiny minority of phones that are rooted AND have root-enabled malware on them is statistically significant, you’re simply a fool. For that matter, Stagefright is present on ALL older versions of Android, rooted or not, except those explicitly repaired by the ROM community; wanna tell me how it’s great to leave all of those older (still in use!) phones with such a potent time bomb ticking away in their innards?

The number of people harmed by malware found on the Play Store is orders of magnitude larger than those harmed by root exploits, even by percentage of each type of user. Your assertion has no merit; you are confusing sideloading with rooting, and they simply are not the same issue at all.

1 Like

Well, I see we’re down to ad-hominem now. Have a nice day.

1 Like

Nope. You also don’t understand ad hominem; insults are not necessarily ad hominem. I didn’t say you’re a fool, therefore you’re wrong. Rather, I said you’re a fool, if you believe a certain thing.

You’re batting .000, so far. I’m not going to apologize for correcting provably bad security advice, sorry.

1 Like

And you’re purposely misunderstanding what I am saying and creating straw men to argue with (along with being insulting repeatedly). Good luck with it.

Oh, and as to older phones? I guess they should get new ones or choose wiser in the future. The phone carriers and Google aren’t going to give new versions of Android to hardware that can’t run it. That’s how the software business works. As someone who PERSONALLY oversaw the fixing of stagefright issues in the code base and communicated with their discoverer, I’m well aware of the damage that can be done. I also work professionally in software and know that people yelling that every version affected by it must get a fix isn’t something that is going to happen. There isn’t enough time or money in the world to get it. The answer is the same I give to people running older, unpatched versions of Windows: time to dump it and update.

1 Like

Oh, and my “bad security advice” is “don’t root your phone unless you have a specific need because there are consequences” and yours is “root away, it will be fine!”? Ok.

Hell, I don’t see any actual security advice from you that stands out. What is your advice? This:

??

You’re telling normal users to root their phones and install a new operating system on them? Seriously. One, there may not be one with a fix for their phone (luck of the draw). Two, normal users will probably just brick their phones a large percentage of the time. Hell, I’ve seen computer professionals brick their phones doing it and they knew what they were doing. It is non-trivial to put a new ROM on a phone a lot of the time and if anything goes wrong, you’re screwed. Your advice is “Do this difficult thing and try not to fuck up if you’re lucky enough to have a secure OS with a fix available.” Oh and “then reinstall all of your software, your contacts, etc.”

I suggest that people with ancient phones go spend $100 and buy a more up to date and supported phone. It isn’t ideal because some people are poor but it is better than trying to patch a three or more year old phone.

2 Likes

Why should I worry if they spy on me? It’s NOT like they can do anything to hurt me, like stealing my identi- … Well it’s not like they could completely shut down my pho- Well, it’s NOT like they would use any remote programs to flood US communication networks and cause chaos at a time of national emergenc- NEVER MIND.

7 Likes

The thing I dislike most about the current situation is that I have to sift through semi-reputable sources in order to gain the means to control my own property.

Consider this warning example from the Kingdom of Ruritania:
The King of Ruritania has decreed that all Ruritanian houses must be outfitted with a lock approved by the Royal Locksmith. These locks automatically enforce the curfew that the king has imposed for the safety of His subjects, and will automatically grant access to His Majesty’s Police even should they have misplaced their warrant.
To regain control of their own front doors, some Ruritanians install their own locks. Unfortunately, this means walking along disreputable streets after curfew until one of the many black market locksmiths whispers: “do you need a lock replaced?”.
Naturally, some of these locksmiths also sell master keys, and others simply sell insecure locks. Burglary in Ruritania is at an all-time high. But as a foreign supporter of the Ruritanian Democracy Movement, I still think that giving up and submitting to the king is not an alternative that I can recommend to my Ruritanian friends.

Definitely because my Chinese Android phone is still full of American spyware, and the NSA for some reason routes their captured data over American Android phones, where it can be stolen by China. Or maybe the headline was just slightly exaggerated? To be honest, I’d be disappointed in BB if it wasn’t. ;)

3 Likes

Tinfoil hat time.
The NSA is not supposed to spy on Americans without cause. However, they can gather intelligence from China. So, help the Chinese develop a system to forward all texts to a location in China and then gather your intelligence from there easily sidestepping the restrictions on NSA activities within the states. Heck, they don’t even need to get the data from China. They just need to intercept/duplicate the data stream in transit since they are allowed to spy on communications with other nations even if originating in the US and from US citizens.

1 Like

Oh, I hear you. We shouldn’t have to go to dodgy forums or get tools from unknown folks (which may try to pwn you) to control a device we paid money for.

2 Likes

Actually, it is so common for all the Chinese companies to collect private information. Everyone in China is getting used to it and never takes it as a big problem. No wonder they do the same thing to users abroad.

When you think everybody is out to get you, you aren’t paranoid. They are out to get you.
When you think that everybody is conspiring to get you, then you’re paranoid.

China needs no help developing a system to forward texts to a location in China.
So at most, the NSA will have asked them to collect data. Or more likely, just quietly be happy when the Chinese did it for their own reasons.

A real “National Security Agency” would of course actively defend the citizens of its nation from such data leaks. It’s as simple as making it public when they notice it in the data stream they are monitoring anyway.

Or does the spy software send the data encrypted securely? If that’s the case, the NSA is probably innocent for a change.