F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data 164
They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?
Obligatory (Score:2, Informative)
"By not having one" comment
Re: (Score:2)
Re: (Score:2)
well.. (Score:3)
One could always try one of these...
Nice little phone [photobucket.com]
Normal now (Score:5, Insightful)
Xiaomi smartphones do in fact upload user data without their permission/knowledge
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
Re:Normal now (Score:4, Informative)
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge
Half? Try 99% of the top 400 apps [appthority.com] on both Android and iPhone. I also seem to remember that Apple got into problems because they were uploading user data without permission.
Re: (Score:1)
Did you actually read that report? Most of the items on the list have nothing to do with uploading user's data.
Re: (Score:3)
Location data has legit uses (Score:3)
Re: (Score:1)
No. But "flash light" apps shouldn't. You're confusing a legitimate need for an app to require access to data with an app that requires access to data it should never use.
But there's no way to say "block this access", you either have to accept everything the app asks for, or refuse to install it.
Re: (Score:2)
The only way I'm happy is if the app doesn't want "Full" internet access (never understood what that was designed to mean, but in Android Market terms it only means "Ads")
"Full" means anything but just opening a web page in the browser. How would an application to sync photos or other data work without Internet access? And without ads, would you prefer to have to whip out a credit card for each app?
Re: (Score:2)
There needs to be more granularity allowed.
I also love when I'm offline and an offline game won't start because if it can't
Proxy operated by app publisher (Score:2)
Re: (Score:2)
I also seem to remember that Apple got into problems because they were uploading user data without permission.
Indeed, and in fact what F-Secure found is that the phone sense the IMSI and SIM's phone number to a server via a HTTP request. The lack of encryption is rather poor but in terms of what data it sent it is actually far less than what Apple was caught doing.
Re: (Score:2)
Those numbers look clearly inflated to sell their own consulting reports and services. Like in-app purchases, so because Angry Bird lets you buy the Mighty Eagle it has a "risky behavior"? Oh please. It'd be easier to take serious without the hyperbole.
Re:Normal now (Score:5, Informative)
I also seem to remember that Apple got into problems because they were uploading user data without permission.
Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.
Re: (Score:2)
I also seem to remember that Apple got into problems because they were uploading user data without permission.
Nope. They got into trouble because somebody found location data in logs on the phone, and assumed it was being uploaded without actually testing that theory.
Right...and even then, this was location-based information that Apple said the phone wasn't collecting. It could just as easily have been a misunderstanding about underlying software behavior at a low level (or even that the programmer who built it that way didn't even work at Apple any longer) as anything else.
Re: (Score:2)
It wasn't collecting the data. It was caching the data. Basically you go to a new area, the iPhone sends the MAC addresses of WiFi APs it sees, and Apple sends back a list of APs in the area and thei
Re:Normal now (Score:4, Insightful)
The only way around it is to avoid storing sensitive data on the phone.
This must also be an important issue for those that uses phones as security tokens, i.e. banks and other important institutions that sends an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.
Re: (Score:3)
The only way around it is to avoid storing sensitive data on the phone.
This must also be an important issue for those that uses phones as security tokens, i.e. banks and other important institutions that sends an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.
Avoid storing sensitive data...like the phone numbers of other people? Like the text messages you send? Just using this phone...to make phone calls, mind you...results in data being uploaded. I don't see how "not having that data" on your phone is really an option. It's a goddamned phone; you're going to have to use it, some day.
Re: (Score:1)
Never ethical, never private, never secure (Score:2)
Location data and contact/address data are sensitive yet inextricably linked to how people use trackers (also known as cell phones and other portable electronic devices). Whether the device conveys GPS coordinates, can be tracked to a remarkably small area via cell tower triangulation, or unknown (to the user) parties get the information from a proprietor (such as Apple [consumerist.com]), the privacy loss inherent in ordinary tracker operation makes it impossible to "avoid storing sensitive data on the phone".
This is no acc
Re: (Score:2)
an app that forwards the credentials to a third party that can use this to access the system.
So if I'm sending a bank transfer, I have to log in to the bank site, usually on a separate computer. The bank sends me an SMS with a one-time-use code to put in for verification. If that code is made public, there's no use for it. It doesn't hurt me if everyone on the planet can see it. They'd need to have already hacked my bank account for it to matter. And the moment I use it, it's useless. And if they do hack my account, the texts to me that give me the confirmation code will get me to call my ban
Re: (Score:2)
The app/rootkit intercepts and delays "display" of the text for 30 seconds.
OK, but impossible, given that I have two 3rd party SMS apps, and they get root SMS capability, so one of them will display it instantly, even with your app "intercepting" them.
Send the web page you were one and the last 50 characters or you typed to a remote server with the SMS confirmation.
Ah, but I said I'm logging in to the bank site on a separate computer. So your attack will get them a mobile porn site or whatever and a code that's useless to them.
I'm pretty sure a wire transfer can be done in 30 seconds.
None of my banks will process a "wire transfer" without written authorization in person with ID. I can do a funds transfer (that isn't an actual "wire transfer") but th
Re: (Score:2)
Re: (Score:2)
Wires are generally sent the same business day if processed before 5:15 p.m. ET for international transfers and 6 p.m. ET for domestic transfers.
Have you ever had a banking account? That sentence means you'll see it in your account 10 a.m. the next day, maybe. It's not "same day" under anyone else's definition. The banks send the transfers into an escrow-like account that's cleared midnight. The receiving bank gets it at midnight, but most do sanity checking, and have a human the next morning "approve" the overnight transfers. Because it's possible that someone who knows the fraud rules could abuse them. It's happened to them before. If they
Re: (Score:2)
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Since when is spyware legitimate or benign?
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
If by "permissions" you mean non-negotiable demands... I forget there are still people who don't have operating systems which let them configure actual permissions.
Re: (Score:2)
Depends: European or African thing?
Why "relatively" private? (Score:5, Interesting)
I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?
By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.
Exemples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.
Comment removed (Score:5, Insightful)
Re: (Score:2)
Apple, Google & Co already have your details, whether you use their service or not.
It is illegal to use such data in the EU. They can store it on the user's behalf (cloud service), but to use it themselves they need permission of the subject of the data which clearly they don't have. Building "shadow profiles" is illegal here.
Re: (Score:2)
Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details, whether you use their service or not. It should be easy for them to filter out bogus data and associate your number with your real name.
The whole system from top to bottom is inherently non-private. Get yourself a phone number/device, and they have your name and address for billing. Use that smartphone and the very nature of cellular is that you are located to a tower. And GPS even furthers your location accuracy.
There is no privacy, it was not designed to be private. And extraordinary measures to be anonymous simply attract attention.
Re:Won't help my ass (Score:4, Insightful)
> Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details [...]
While it's important to keep that in mind, the "this won't help" mindset is a classical fallacy: someone gotta start, and if (and when) it's widespread enough, it'l help all of us. Like higiene.
You don't spit on the roads, do you? Or do you shit out your window?
So if you implement that -- have a talk with your friends about it too.
Well not really, because *everybody* has to do it or it's useless, and since your phone number could easily be in 100 phonebooks that's alot of poisoning to do. And As soon as people start doing it in numbers you can imagine a malicious Google (or whatever) would implement anti-poisoning analysis.
I believe the only real solution, which is unpopular on this largely libertarian site, is to have stronger protections in law, making data about you your property and controlled as such, and penalties for misuse the same seriousness as theft. That's a long way from where we are now though.
Re: (Score:2)
libertarians are all about personal property, until it conflicts with another of their interests (often big business, but not always).
it's a quick way to tell what they really want. there's no really fundamental libertarian reason to not protect personal data as property; it's just that the vogue in pop-libertarianism right now is to strip consumer rights in favor of tech companies. why? well, maybe because pop-libertarians are techies, and they want that shit.
Re: (Score:2)
libertarians are all about personal property, until it conflicts with another of their interests (often big business, but not always).
it's a quick way to tell what they really want. there's no really fundamental libertarian reason to not protect personal data as property; it's just that the vogue in pop-libertarianism right now is to strip consumer rights in favor of tech companies. why? well, maybe because pop-libertarians are techies, and they want that shit.
What I call the genuine form of libertarianism (small 'l') is about maximizing personal freedom, in the "life, liberty, and property" sense. The basic idea is that my right to swing my hand ends at the tip of your nose. Adult people should be able to do whatever they want that does not infringe on the rights of others, and then reap the consequences. For example: if you can manage to responsibly use any drugs you like, you should be able to; if you drive impaired because you refuse to do it responsibly,
Re: (Score:2)
I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?
By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.
Exemples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.
If you want privacy, don't use an address book, memorize your friends numbers. On that topic of friends, don't have more than two friends. That will minimize your exposure. The first one can be called Mr. White and the second one Mr. Black, and again, don't be lazy, do not enter their nickname into the address book.
Do not use gps navigation, get yourself an old fashion magnetic compass. Magnetic compasses have worked for centuries. And they'll keep on being useful for many centuries to come. Turn on your p
Re: (Score:2)
If you want privacy, don't use an address book, memorize your friends numbers. On that topic of friends, don't have more than two friends. That will minimize your exposure. The first one can be called Mr. White and the second one Mr. Black, and again, don't be lazy, do not enter their nickname into the address book.
Do not use gps navigation, get yourself an old fashion magnetic compass. Magnetic compasses have worked for centuries. And they'll keep on being useful for many centuries to come. Turn on your phone only at specific hours on certain dates. The rest of the time, keep your phone turned off, battery removed, and the phone tucked away in a Tesla envelope (along with some extra sim cards). And if someone ever comes knocking on your door, or calls you by mistake, you're a Jehova's Witness and you're into Multi-Level-Marketing.
That's what I would call total privacy, and even then it wouldn't be completely total.
Dude! you forgot the Sextant, a fine and secure way of location.
Re: (Score:2)
But only useful in one dimension on it's own - you'll also need an accurate pocket watch as to be able identify your longitude.
Re: (Score:2)
don't use an address book, memorize your friends numbers
Useless since they keep logs of who you called.
don't have more than two friends. That will minimize your exposure
It also means you can be safely disposed of without anyone caring a fuck.
Re: (Score:2)
*crickets chirping*
Re: (Score:2)
I want one...
But perhaps they struggle to find buyers is largely because there is no pre order option or let me know when it is availible option that I can find on their website. Maybe they could set up something like an if interested in owning one of these, keep me informed something or other. There is only a donate button and I don't wish to fund a project, I wish to purchase the results of it if the price is right- and we won't know that until it's shipping or ready to ship.
Ship dates (Score:2)
But perhaps they struggle to find buyers is largely because there is no pre order option
Perhaps that's because payment processors want a ship date in the next 30 days. OpenPandora had to refund a lot of preorders when it couldn't ship in that time frame.
Re: (Score:2)
Well, it could be done without processing any payment. They aren't selling them yet, just looking for potential buyers.
Re: (Score:2)
Re: (Score:2)
Sigh.. you don't even need a credit card. A simple I want one sign me up and notify me when they are shipping thing is all that is needed at this stage if you are trying to guess the potential sales of them.
As for raising capitol for production, that might be a little easier if you can say "there are 10,000 potential buyers for the first release". They are taking donations for funding and if someone wants to donate money, fine. I don't but I am willing to purchase one if it is as good as it sounds and costs
Not actually sending much info, just the IMEI (Score:5, Insightful)
So far, all they've found it doing is reporting the IMEI by sending an HTTP GET http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01 [xiaomi.com], The data is transmitted as a cookie of the form deviceId=IMEI . (The API returns a brief reply in JSON.) That tells them the phone has connected to the phone network, and its IP address. That's not particularly interesting information. The carrier knows the IMEI number, too, of course. Perhaps this is to check up on whether carrier-reported sales data matches actual phones coming on the air.
Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
But, but, but... (Score:2)
But it's China.
You know. The evil communists.
Well, ok, they're not communists any more. But they're still socialists, and that's almost as evil.
Of course the NSA is evil, too, but they're American, so they're ok. Rah, rah, rah, USA!
Re: (Score:3)
So far, all they've found it doing is reporting the IMEI by sending an HTTP GET http://api.account.xiaomi.com/... [xiaomi.com], The data is transmitted as a cookie of the form deviceId=IMEI .
Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
This is about the point where the boiling frog's brain begins to turn to mush.
You want to be safe? (Score:4, Insightful)
Look, these days if you want to be safe, do not use a smartphone. Get a dumb phone, then you don't have to worry about any apps leaking your data.
Either an app will leak your data, someone will hack your phone, you leave it somewhere or someone steals it. Either way, you are screwed if you use your phone for all sorts of personal/business stuff.
I guess it's about convenience over personal/financial/business safety.
That's not a solution (Score:1)
Your phone is not a trusted device (Score:4, Insightful)
While you may be able to test this with your own base station, the phone might also detect that it's not on an official network and therefore not do anything, but that's probably taking it a bit far.
While you could switch to a "dumb" phone, those are of course also trackable, and your conversations and messages can still be monitored, so I don't see any real gain there.
Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.
Re: (Score:2)
It's as simple as that. It doesn't matter if you turn on mobile data as long as that is under the control of the phone's operating system, and it doesn't matter if you pay attention to your cell phone bill, as traffic to and from specific government servers is likely exempt from the monthly traffic calculations just as the provider's own servers are likely to be. It doesn't matter if you monitor your wireless network, since questionable transmissions are likely to only go through mobile data, as that's harder to monitor.
Trust is subjective/context dependent and tcpdump works just fine on mobile interfaces from an Android terminal.
I trust Cyanogenmod as much as I trust most any generic Linux distro with a few minor tweaks (baseband without shared memory)
Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.
Cameras share downsides of mobile devices (small, can be lost or stolen) and none of the upsides (No lock screens or encrypted file systems) ... where even long since deleted pictures can be recovered easily years after the fact.
If I had a stash of pictures I didn't want get
Re: (Score:1)
Cameras share downsides of mobile devices (small, can be lost or stolen) and none of the upsides (No lock screens or encrypted file systems) ... where even long since deleted pictures can be recovered easily years after the fact
True, except it's a lot more convenient to zero the storage of a camera than to wipe your phone's SD card, and while people tend to carry pictures around on their phones for years, I've never met anyone doing that with their actual cameras.
:(
I also agree Cyanogenmod is great. Too bad it doesn't support my phone well yet
Simple (Score:1)
Typical (Score:2)
Because the American phone manufacturers don't do the same thing?
http://online.wsj.com/news/art... [wsj.com]
Don't trust any company with your personal information - or accept that it's going to be shared with whoever has the money to pay for it, or the power to grab it.
Re:Typical (Score:4, Interesting)
Why do they have to imitae Apple or Google? (Score:2)
Please, somebody tell the Chinese that this is not a feature users want, even if all the bog vendors have implemented it!
Re: (Score:2)
They probably use it as a unique id to identify users. Apple and Google do the same.
In other news... (Score:2)
Carry on.
Firefox OS Niche (Score:1)
Written by people that care about your privacy.
Tinfoil hat, blah blah... (Score:1)
Surely I'm not the only one who looks at the supercomputer in her pocket which is capable of speaker independent voice recognition, and often wonders whether encrypted text versions of *all* the conversations she's been having in its proximity are getting squirted off somewhere s33kr1t in the middle of the night, when no-one would notice a stray packet or two...
China can have it. (Score:4, Interesting)
Obligatory (Score:3)
Re: (Score:2)
Indeed. :D
No one loses anything if you make a copy!
Re: (Score:2)
The data is copied, not "stolen". Get it right!
If you own one of these phones, you will be personally attacked by Chinese pirates who will steal trillions of dollars worth of your data!
Blackberry, Microsoft, Apple and Google (Score:5, Insightful)
There are 4 main smartphone brands:
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Of those 4 companies which do you think you are going to have the toughest time with privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android, it is quite obviously going to have to be the worst of the 4. You are going to have to cut against the grain to be secure and be on a platform designed advertisers. The other 3 while they may have problems are all much much better on privacy. Blackberry's balance feature allows you to create a container which divides your data a secure side and an insecure side. They offer things like secure browsing by default. You want security choose an operating system designed to enhance not reduce security. Apple and Microsoft are sort of midpoints. Apple is very good about now allowing applications to upload data you don't know about sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited interaction approach we'll see if overtime they maintain it. If you want to use these devices and have secure data something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.
Re: (Score:1)
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Apple is selling simplicity, they'll never give you the tools to manage your privacy.
Blackberry is selling central control, a satellite designed to talk to the mothership (BES).
Microsoft is trying to sell you Windows across the board = everything through the cloud.
Google is like you say a data siphon, their first party services are all about market data.
I'd say there's one black sheep and three shades of dark gray. However all of that doesn't matter nearly as much as you'd think as the real issue is third p
Re: (Score:1)
I disagree. Apple does a pretty good job on privacy and is concerned about it. They've already limited applications interactions and they are fairly secure by default. Their infrastructure allows additional privacy to be easily added on.
As for Microsoft I'm not sure where you are disagreeing with me.
Re: (Score:2)
I disagree. Apple does a pretty good job on privacy and is concerned about it.
They're so concerned about your privacy, they have three or four methods built into the phone which appear to be primarily for defeating it.
Re: (Score:2)
I'm not sure what you mean specifically so I can't comment on that. They seem to have a pretty good range of consumer grade privacy features that are adjustable. That's not to say that every-time there is a conflict between privacy and some other goal they optimize for privacy but they do seem to lean towards privacy and allow the privacy conscious to lean more towards privacy.
Re: (Score:2)
They're so concerned about your privacy, they have three or four methods built into the phone which appear to be primarily for defeating it.
Are you referring to the silly hoo-hah of a few weeks ago? Like the feature that makes an unencrypted backup of the phone's data IF THE USER REQUESTS UNENCRYPTED BACKUPS??? And the features that are not even on a normal phone, but get added when users install the developer tools???
Yeah, that was a whole lot of noise about nothing.
Re: (Score:2, Insightful)
Google does _not_ sell user information.
They sell _the use_ of user information.
It is not the same thing.
Selling "Joe Blow works at Acme Corp and shops for sex dolls" is selling user information.
Selling "I will advertize your sex dolls to people who shop for them" is selling the _use_ of the information. Only Google knows you are Joe Blow at Acme with an interest in sex dolls. The advertiser does not; they just get a service that makes use of Google's knowledge.
Yes, Google knows your stuff. But they don't
Re: (Score:2)
In fact selling your information is likely to undercut their profits - why rent the cow if you can buy just the milk.
Re: (Score:2)
But by collecting the data and storing it they make it available to government requests asking for it.
Re: (Score:2)
There's one big wildcard in there though, if you buy an Android phone then the firmware can be replaced (ease depends on the model...) with open source variant that has more protections. Depending on your view of these firmwares, that might catapult it from the bottom of the pile to the top.
Re: (Score:2)
I don't think the problem is so much the firmware on Android. The Samsung firmware on the Galaxy is excellent from a privacy and security standpoint. The issue is the higher up layers in the stack.
Re: (Score:3)
There are 4 main smartphone brands:
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware. Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin. Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools. Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Of those 4 companies which do you think you are going to have the toughest time with privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android, it is quite obviously going to have to be the worst of the 4. You are going to have to cut against the grain to be secure and be on a platform designed advertisers. The other 3 while they may have problems are all much much better on privacy. Blackberry's balance feature allows you to create a container which divides your data a secure side and an insecure side. They offer things like secure browsing by default. You want security choose an operating system designed to enhance not reduce security. Apple and Microsoft are sort of midpoints. Apple is very good about now allowing applications to upload data you don't know about sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited interaction approach we'll see if overtime they maintain it. If you want to use these devices and have secure data something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.
Here's another heuristic.
Apple, Microsoft and Blackberry uses closed software. Google uses open source.
So, Android is the best choice because you (meaning a team of concerned citizens) can essentially take all the privacy leaking parts out and create a private and secure system. In the others, you are at the mercy of others who likely are to care about your privacy as much as your cat cares about your rants.
Re: (Score:2)
The versions used in the United States haven't had that done (mostly though some phones like Amazon's might be an exception). So what could happen and what the current state is are different. But moreover they can't really. Android as used in the USA includes the Google Play layer which is not open source and can't be modified
Re:Why is /. spreading false rumor ? (Score:5, Funny)
Oh, someone swears it's all a-okay. I'm totally reassured now...
Re: Why is /. spreading false rumor ? (Score:2)
Well he was one hell of a lot more convincing than you.
Which was not difficult.
Re: (Score:2)
Right. And all those people who showed information being uploaded are just paranoid people.
Re: (Score:2)
Yes, new smartphones call home. The question of "does this do it more than anyone else?" wasn't answered.
So a non-denial denial (Score:5, Informative)
The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends to PHONE NUMBERS and IMEI details without permission.
This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.
Re: (Score:2, Insightful)
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
When my Android phone starts, I'm pretty sure it sends the same shit to api.account.google.com or some such. And probably to api.account.samsung.com. Because I have Google and Samsung accounts and I'm logged in by default.
Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.
When news comes from "security" consultancies, I frankly often side with the manufacturers. The ensuing hype only promotes the "consultancies" - an
Re:So a non-denial denial (Score:5, Informative)
Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.
I know this is slashdot, but if you start making claims about what is *not* in the article, could we at least expect you to look for it yourself?
F-Secure saw the communication even before they created a Mi cloud account.
I do not often say this on ./ but you're an idiot!
Re: (Score:2)
Re:So a non-denial denial (Score:5, Informative)
Mi Cloud is turned off, you never read their claim, they never turned it on, it was a new handset tested.
The phone sends your phone number to Xiaomi, it sends your IMEI and your network provider. F-Secure tested it by sending an SMS, and the handset sent the number of that SMS too. They added a contact and that phone number of the added contact was sent too.
All of this with Mi Cloud turned off on a freshly bought Xiaomi handset.
Your Android handset certainly does not do this, and not without permission and it is *not* acceptable.
Re: (Score:2)
Mi Cloud is turned off, [...]
Oops! (Though I'm still doubtful, frankly.)
Your Android handset certainly does not do this,
Well, actually, it does. Because Android to be useable requires Google account. And when you create a Google account, Google conveniently activate the "Sync", IOW, sending your contacts, appointments, messages, etc - for archive purposed - to the Google servers.
and not without permission and it is *not* acceptable.
Buried in the EULA is not the same as giving an explicit permission. Having a crippled brick instead of the phone serves is a good incentive to "give the permission" to be spied on.
As others have said: do
Re: (Score:2)
Well, actually, it does. Because Android to be useable requires Google account.
No.
I very deliberately did NOT set up a Google account on my Android Fairphone, and it does the basic things just fine, like, um, phone calls and even alarms. It even takes OK pictures.
I have EU citizens' contact details in my phone and I think that, given NSA revelations, I would be breaking the law to knowingly share/sync those details with/via a US entity such as Google (or Apple).
Would be nice to have local contact and calendar sync with my MacBook (OS X 10.9) but Apple made that hard, not the lack of
Re: (Score:1)
You == idiot.
Re: (Score:2)
A very good point most people missed.
Re:Blackphone (Score:4, Insightful)
Get a Blackphone
...because its manufacturer assures you it's secure!
Re: (Score:1)
Re: (Score:2)
Re:Off-topic rant... (Score:4, Interesting)
In fairness there's not a lot of US or European articles that don't include slants against those governments/corporations as well. The governments and corporations of the world seem to be rapidly sliding toward an invasive authoritarian dystopia. Great for big business and other power-mongers, but not so much for the rest of us. Are you really so surprised we give extra grief to those countries such as Russia and China who wear their fascism openly? We're not ranting against the *citizens* of those countries, we're ranting against their governments and corporations, just as we rant against our own. If you don't like it, go home and fix your country. And while you're at it share your techniques so we can do the same.
Re: (Score:2)
Uh, you have been following the news right, the ones where Blackberry voluntarily agrees to give whole sale all the information they have to governments like India, Saudi Arabia, etc?
You know, the phone where *ALL* your data have to pass through their data centers?
what about android? (Score:2)