Ask Slashdot: Are My Drone Apps Phoning Home? 132
Slashdot reader bitwraith noticed something suspicious after flying "a few cheap, ready-to-fly quadcopters" with their smartphone apps, including drones from Odyssey and Eachine.
I often turn off my phone's Wi-Fi support before plugging it in to charge at night, only to discover it has mysteriously turned on in the morning. After checking the Wi-Fi Control History on my S7, it appears as though the various cookie-cutter apps for these drones wake up to phone home in the night after they are opened, while the phone is charging. I tried contacting the publisher of the Odyssey VR app, with no reply.
I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?
The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?
Are the drone apps phoning home?
I would uninstall the app, but then how would I fly my drone? Why did Google grant permission to control Wi-Fi state implicitly to all apps, including these abusers? Are the apps phoning home to report my flight history?
The original submission asks about similar experiences from other drone-owning Slashdot users -- so leave your best answers in the comments. What's making this phone wake up in the night?
Are the drone apps phoning home?
Re:Maybe, just maybe... (Score:5, Funny)
Re: (Score:2)
Actually, no. If you are a truly big corp, such as facebook or google, they can use API's that let them upload/download whatever they want, even when they are no the active app, and even if the user has force-quit the app. Every once in awhile, they'll change the app and then it goes and downloads a bunch of crap in the background, a bunch of users get a surprise at the end of the month with overage charges, then they rush out an update to stop doing that particular thing.
I wish Apple would add a setting
Re:Maybe, just maybe... (Score:5, Informative)
You can enable/disable Mobile Data on a per-app basis in iOS - go to Settings > App Name and you can turn on/off Mobile Data for any apps that have registered as using mobile data on your device.
re: big corps that use unpublished APIs, this used to be the case, but Apple have cracked down on it significantly. There are a number of apps that are permitted to run in the background, Facebook is not one of them, however Facebook "accidentally" registered their app as a media player and they'd play a silent mp3 in the background to get around iOS trying to freeze the app when it wasn't in use. Apple had a quiet chat to Facebook and this has apparently stopped.
As far as I know, if you force-quit an App, it has no way to re-launch itself in the background and start using data again.
Re:Maybe, just maybe... (Score:5, Informative)
Android has had the ability to turn on/off any permission for any app since at least Marshmallow. Go to Settings->Apps then click on an app and then click on 'Permissions'. Don't want it using WiFi? Turn off WiFi. Don't want an app to track your location? Turn off Location. Simple and you don't need to be rooted at all as it's part of the OS
Re: (Score:2)
Facebook is not one of them, however Facebook "accidentally" registered their app as a media player and they'd play a silent mp3 in the background to get around iOS trying to freeze the app when it wasn't in use. Apple had a quiet chat to Facebook and this has apparently stopped.
It has not stopped, at least not in the last few weeks. Play audio, open Facebook app, browse through some pages, click on a link that opens the facebook browser and *BAM* your audio is now hijacked by a completely inaudible MP3. The only time I ever look at Facebook is when I am sitting in the waiting room of a doctor's office or some place like that. I listen to music while I sit there and wait and this drives me insane.
Re: (Score:2)
I'm playing music using Apple's 'Music' app, reading Facebook, looking at a web page using their browser and the music is still playing. I even clicked on a link in the first page to take me to another website to make sure. Music is still playing. iOS 10.3.3, iPhone 6.
Re: (Score:1)
Apple makes sure that every app available to me is a good and wholesome app, no problems with Apple apps. Google allows bad apps, Google is bad.
So now I'm confused... does that make Google a bad Apple?
Re: Maybe, just maybe... (Score:1)
Re: (Score:2)
But Windows also allows me to install programs that keeps other programs' ability to send stuff out at bay. Care to point me to the phone app that can do that?
Re: (Score:2)
Re: (Score:2)
Re:Maybe, just maybe... (Score:4, Insightful)
If you know you're technically incompetent and want someone to handhold you through your phone "ownership", then iOS is what you want. If you have the technical knowledge to tweak the phone and want the freedom to use your phone however you want, then Android is what you want. Just like some people like to buy a Toyota and take the car to the dealer at regular service intervals, while other people buy a Chevy and modify or tweak every single component and do all the maintenance themselves. Different strokes for different folks.
Re: (Score:2)
Re: (Score:2)
I don't see how iPhones have any kind of real edge with this sort of thing. Plus, you can't really install an effective firewall on iPhones.
Simple answer (Score:5, Informative)
Yes. Recently, the military suspended the use of certain drone manufacturers products for the same reason.
Re:Simple answer (Score:5, Interesting)
Christ, it was even on Slashdot and they still downvote you.
US Army Calls Halt On Use of Chinese-Made Drones By DJI [slashdot.org]
Posted by BeauHD on Friday August 04, 2017 @05:40PM from the new-guidance dept.
Due to "an increased awareness of cyber vulnerabilities with DJI products," the U.S. Army is asking all units to discontinue the use of DJI drones. The news comes from an internal memo obtained by the editor of SUAS News. It notes that the Army had issued over 300 separate releases authorizing the use of DJI products for Army missions, meaning a lot of hardware may have been in active use prior to the memo, which is dated August 2nd, 2017. The Verge reports:
SUAS News published a piece back in May of this year that made a number of serious accusations about data gathered by DJI drones. Author Kevin Pomaski starts out writing, "Using a simple Google search the data mined by DJI from your provided flights (imagery, position and flight logs) and your audio can be accessed without your knowing consent." However, he never follows up with evidence to demonstrate how this data becomes public or can be found through a Google search. Pomaski also point out, correctly, that when DJI users elect to upload data to their SkyPixel accounts through the DJI app, this data can be stored on servers in the U.S., Hong Kong, and China. This data can include videos, photos, and audio recorded by your phone's microphone, and telemetry data detailing the height, distance, and position of your recent flights.
DJI provided the following statement to The Verge: "People, businesses and governments around the world rely on DJI's products and technology for a variety of uses including sensitive and mission critical operations. The Department of the Army memo even reports that they have 'issued over 300 separate Airworthiness Releases for DJI products in support of multiple organizations with a variety of mission sets.' We are surprised and disappointed to read reports of the U.S. Army's unprompted restriction on DJI drones as we were not consulted during their decision. We are happy to work directly with any organization, including the U.S. Army, that has concerns about our management of cyber issues. We'll be reaching out to the U.S. Army to confirm the memo and to understand what is specifically meant by 'cyber vulnerabilities.' Until then, we ask everyone to refrain from undue speculation."
Re:Simple answer (Score:4)
No? The suspension was due to possibly justified paranoia.
While it's possible that these apps are phoning home, there are legitimate reasons for doing so, e.g. updating no-fly zone maps that prevent the user from entering airport boundaries or flying over military installations. You know, the stuff that the government wants them to implement.
Instead of asking Slashdot, this person needs to set up Wireshark to capture the packets. Might need to install a custom certificate on the phone in order to MITM the HTTPS stream too, if their security meets that basic level.
Re: (Score:3)
While it's possible that these apps are phoning home, there are legitimate reasons for doing so
There is never a legitimate reason to do so without my knowledge and permission.
Re: (Score:2)
You're assuming that permission wasn't expressly given. You did read the EULA right?
Re: (Score:2)
Being in the EULA doesn't count as me giving permission.
I understand that's not legally true, but it's certainly true in terms of common sense.
They all phone home (Score:5, Insightful)
Analytics. Telemetry. Whatever you want to call it, data is traversing the network without your explicit approval.
Re: They all phone home (Score:2)
And the answer to the question in the last sentence is therefore: YES.
What's in telemetry data is something that has to be investigated further.
Re: (Score:3)
What's in telemetry data is something that has to be investigated further.
I've reached the point where I don't actually care what's in telemetry data anymore (in part because there's no such thing as "innocuous", "non-PII", or "anonymized" data). I'll do my best to stop it all regardless.
Android and M$ Re:Updates (Score:1)
I saw M$ connections on my router logs too. Strangely those M$ connections came from my Android devices. I was very upset because I can't remember using a M$ product on my android device. It just connects to M$ mothership 24/7 without my permission. So I blocked M$ domains for outbound connections of my Android.
captcha: fetches (fetches data from your android into M$ mothership)
Re: (Score:2)
Re: (Score:2)
The first thing I do when I get a new phone is replace the operating system. This completely eliminates the problem of apps I can't delete.
If I can't replace the OS on a phone, then I don't buy the phone.
Re: (Score:2)
Indeed. A better question is, "Do I have any apps that are not phoning home?"
Re: (Score:2)
If data about me or my devices is being sent without my permission, I call that "spying".
Re: (Score:2)
Probably so, but that's meaningless except (maybe) in a court of law.
"phone home" subtitled: (Score:1)
Ask Slashdot: What would we have called it if they never made ET?
Re: (Score:2)
An almost as common description not based on ET is "beaming back to the mothership".
some solutions.. (Score:5, Informative)
If you have a samsung and couple of hours I have a solution for you.. if you know a little bit of java.
Samsung phones have firewall apis that you can access with a sdk from samsung and a license code. you can also turn off the wifi with same apis in a way that another app cant open it. also with same api's (and well, if you got admin rights somehow for your app on vanilla android too) you can enable/disable particular services and activities from within the app - this depends on the architecture of the app, but it is possible possibly to just turn off the phone home service.
there are also other things you can do that work on all phones, there's an app on the play store for changing app permissions.
(what it does is repackage the original .apk with different permissions. so you can remove the perm for wifi control from the apk - the app will still have permission for normal http connections though).
now, you might ask why android doesn't give you as the device owner access to all these options just outright from opening the box: because fuck you peon, that's why.
on vanilla android(without rooting) if you want to give admin rights to an app you have to do it BEFORE finishing the first start dialog flow and there isn't that many ways to do that except nfc on some models and a flawed otg auto-apk installer on some other models.
so the samsung extra api's are a case where manufacturer additions to the firmware are actually pretty nice if you use them for yourself instead of someone using them against you.
Re: (Score:2)
(what it does is repackage the original .apk with different permissions. so you can remove the perm for wifi control from the apk - the app will still have permission for normal http connections though).
You just have to remember to do that after every update of the app though. Kind of a drag.
Re: (Score:2)
No you don't. If the new update requires additional permissions, you'll be prompted for them.
Re: (Score:3)
There are several firewall apps on Play and FDroid. They work by creating a local VPN connection which they can filter. As a bonus you get ad blocking too in some of them. I like DNS66.
Re: (Score:2)
I'd have a hard time trusting Samsung's firewall APIs without testing them rather extensively first.
Re: (Score:2)
Can Android apps really turn on wi-fi?
Yes. Any app with the CHANGE_WIFI_STATE manifest permission can do it. Android classifies this as a Normal Permission...
... which indicates that there's no great risk to the user's privacy or security in letting apps have those permissions.
REFs:
Re: (Score:2)
Did you just ask the previous poster to RTFM?
Remove the permission (Score:5, Informative)
Re: (Score:2)
Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.
You lost me at "Advanced". There is no such setting in my particular Android version.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
On my Samsung Note4 (Android 6.0.1), if you go to Settings > Application Manager > 3-dot menu > Change System Settings you can toggle whether an app can change system settings ("such as turning Bluetooth on or off"), but these AREN'T in the normal apps permissions. Completely stupid that it's separate.
But the real issue is the fight over better default security for the people who know what they're doing vs more convenience for the people who have no clue. Whatever side you go with, the other side w
Re: Remove the permission (Score:1)
Re: (Score:2)
Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the Allow. That will disallow the app from enabling your WiFi.
Almost correct, it's actually: Settings > Apps > tap the app (App info) > Advanced > Modify system settings > uncheck the SkynetLaunchJudgmentDay.
Re: (Score:2)
*whine* But when I disallow SkynetLaunchJudgementDay I don't get to see when the dishwasher is done. Do you really want me to go over to the kitchen all the time only to notice that I've wasted a minute of my valuable time walking around like an idiot only to find that it's still running?
Re: (Score:2)
Not just Android... (Score:3, Interesting)
I had a drone with iPhone app that called home too so its not just an android issue at all.
"Smart" Things Phone Home... (Score:2)
You can pretty much count on any "smart" thing these days to phone home some type of data to be collected and monetized by the creator of that thing, and yes all you iFanBoies out there, that includes you as well. Why else do you think your sous vide heater, meat thermometer, thermostat, stove, refrigerator, dishwasher, garage door opener, etc -- fucking damn near unlimited list of crap no one needs 27/7 access to -- each require their own app be installed?
Assuming the IP's aren't hardcoded.... (Score:5, Insightful)
I've found that using a Pi-hole and adding the domains they're trying to call to the blacklist to be useful.
Re: (Score:2)
Oh give me a drone... (Score:5, Funny)
If you don't know ... (Score:2)
... assume 'yes'.
Umm... duh? (Score:2)
Is it in their interest to gather your data? Yes.
Is it possible to them to gather your data? Yes.
Does it cut into their bottom line because people would avoid their products? No. 9 out of 10 don't give a shit and the 10th (you) notices after he bought it.
Do I need to answer your question or can you find the answer yourself?
Re: (Score:2)
Can an app turn on the Wi-Fi radio on its own? (Score:2, Insightful)
How is this even possible!?
Although I have owned a few Android phones over the last few year, my primary smartphone has been an iPhone since th
Re: (Score:2)
I'm more curious why he turns wifi off at night? So you purposely want to use up your cellular bandwidth while its charging?
Turning off wifi does not mean cellular is enabled. I know a number of people who put their phones in airplane mode at night to avoid being awakened by notifications.
Re: (Score:2)
Block it with a firewall app (Score:1)
tradecraft (Score:2)
Have we learned nothing from the whole Snowden experience?
You put your drone in the fridge overnight. A microwave oven would be even better, for some values of oven.
Why disable Wi-Fi? (Score:2)
I know this question is outside of the main focus of the post, but why is the submitter disabling Wi-Fi overnight? I can't think of any logical reason to do it.
Re: (Score:1)
I do this all the time. There is this thing called "power" that gets "consumed" when devices are on.
You may have heard of it.
There are also people that try to pirate your wi-fi during hours when you are sleeping, since you won't notice, and they can then use it to run various things, like blade servers in their basement used for hack attacks on foreign banks. That way it all gets traced back to you, since they changed their CPU ids. You end up in jail instead of them.
Re: (Score:2)
I can think of a lot of reasons to do this, but I don't know which one(s) the commenter has.
In general, though, there's a compelling security reason: if you aren't actively using a communications channel, best practice is to shut it off to minimize the attack surface.
Chinese spies, Russian spies, Asgardian spies (Score:3)
Happiness is No Apps (Score:2)
Seriously, I don't want a load of badly coded, intrusionware on my phone or for it to declare my location to all and sundry. Of course, it's possible to triangulate with cell tower data, but my view is that this level of intrusion shouldn't be a) defa
Re: (Score:2)
Younger members of my family usually gather by tradition during public holidays to mock me, but they're beginning to wake up now.
I won't mock you at all, but I will point out that it's entirely possible to use a smartphone in a way that doesn't leak any data more than a feature phone does.
my view is that this level of intrusion shouldn't be a) default b) 'easy'.
Then you should lose your feature phone, too. If it has been made in the last 10 years or so, then it almost certainly includes a GPS receiver (even if you don't get to access it yourself) and reports your location to the your carrier on demand. This is the easiest way for companies to comply with the E911 regulations.
Re: (Score:2)
Probably (Score:4, Insightful)
In this day and age, you have to assume that every piece of software you run on any platform will be phoning home.
That's why I firewall all traffic, incoming and outgoing, these days, especially on my phone. It's also rather interesting examining the logs of what was blocked.
In fact, as I was doing routine firewall maintenance over the weekend, it occurred to me that at some point I made a shift -- I now pay more attention to outgoing traffic than incoming!
Industry trends have resulted in it becoming necessary to treat all devices and software, inside or out, as threats.
Firewall, don't leave home without it... (Score:2)
The "Connects" app will let you see where all your apps are connecting too on a map and you
Why I don't install apps (Score:2)
Virtualize and then capture the packets (Score:2)
Re: Only apps can app apps! (Score:2)
You will need a bigger teabag.
Re: (Score:2)
Re: (Score:2)
This comment just gets funnier every time the next idiot posts it.
APK was right (Score:2)
Root your Android device and edit the hosts file. No more spying.
Re: (Score:2)
Editing the hosts file is completely inadequate, as it only affects domain name lookups.
You need a good firewall.
Re: (Score:2)
Don't put untrusted apps on your primary phone with all your personal data.
And don't consider any app you didn't write yourself as "trusted".