
Popular Google Play store apps are abusing permissions and committing ad fraud

388 points| mzs | 7 years ago |buzzfeednews.com | reply

173 comments

[+] rayraegah|7 years ago|reply
It's not just ad fraud, they've been copying information like whatsapp phone number, reddit username, telegram username etc.

https://www.reddit.com/r/miband/comments/8eqtve/why_did_mifi...

[+] HenryBemis|7 years ago|reply
I keep sounding like a broken record. This is not for your "average user", but I use two methods to block all data transmissions for applications that don't make sense to have internet connections (e.g. a selfie app):

a) The device's App-Data settings. I keep most boxes unchecked. I don't understand why CamScanner (legit super useful app) needs internet connection when I just email myself all the scans, and not using the cloud-options. Only Email needs internet connection on that scenario.

b) NoRoot Firewall, I either recognize the IP or the domain name, or I check on ipaddress.com the IP, and then I end up global-blocking the whole block of that IP and be done with it.

In this world you have to go with Security in mind. Default state is block-everything, and only allow the truly needed/useful (to me, not the app developer) connections to go through.

[+] DarwinMailApp|7 years ago|reply
I actually can't believe this. How in the name of all that is holy are we letting them get away with this.

Sure, we talk about the problem a lot. But we need to take action. It seems every big corporation is abusing the trust we give them in some form or another.

Please, for the love of God, can anybody prove me wrong. Are there any companies that don't abuse our trust?

[+] tomglynch|7 years ago|reply
As far as I know (and can find online) DU group and Xiaomi are unrelated. However, this is a really interesting discovery in its own right. I am a Xiaomi phone owner and have the app MiFit.

Would it be possible for me to reproduce what you have found? and if so, how can I do so?

[+] lake99|7 years ago|reply
I don't know what to make of MiFit copying all such information. I had assumed they copy it to show notifications on the watch. Does Lumen reveal that Xiaomi is sending that data to their own servers?
[+] mtgx|7 years ago|reply
"Whoops, yet another (totally convenient for our business model) error! But that's okay, because we won't be punished if we say it was an error."
[+] blantonl|7 years ago|reply
One of the things that is really troubling about the Google Android Play store is the ease that an app developer can develop an app and remain totally anonymous unless you are forced to file a lawsuit or subpoena to Google to reveal information.

I own and operate a fairly popular audio streaming platform, and I've had to deal with numerous instances of unscrupulous app developers who steal API keys from our licensed developers, release apps wrapped in tons of ads, and are able to remain totally anonymous by:

1) Setting up what is presumably a fictitious company

2) Privacy policy link that directs to pastebin

3) Email address for support where nobody responds

These apps steal tens of thousands of dollars of ad revenue from my business monthly, and I have absolutely zero recourse. Filing DMCA and other complaints with Google typically goes into a black hole, and when they do respond or address the issue it's typically "we don't see the need to take any action here" - presumably because these apps are generating enough revenue for AdMob and the Play Store that Google has zero incentive to take action.

How often does this happen in the Apple App Store? Almost never.

It's absolutely infuriating.

[+] OoooooooO|7 years ago|reply
Maybe automate an API key change every X hours to limit the time those apps can grab traffic?
[+] def_true_false|7 years ago|reply
> These apps steal tens of thousands of dollars of ad revenue from my business monthly

Avoiding ads is not stealing. Neither is wrapping someone else's content in ads.

[+] gameswithgo|7 years ago|reply
the locked in store model has completely failed. both for ios and android it is a terrible experience compared to PC. you are stuck with only the search tools the hardware maker gives you, often designed in a user hostile way (ios brings up ads) and no way to bail out to a different store. as well the monoculture leads to a race to the bottom with garbage programs shoving their way to the top via misleading and dishonest means, and by sheer numbers.

i want no part of it. when a phone maker comes to the market without this locked down model i will buy it, and if windows goes this route i will drop it for linux.

and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.

[+] nemothekid|7 years ago|reply
>and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.

Then what is your solution? The unwashed masses tried the wild wild west of digital software delivery back in the 2000s. It ended with tears, viruses, UAC and SaaS. Even today, most sideloading, for general consumers, begins with trying to pirate apps and ends with even more invasive spyware.

The locked in store model is better than what we had before for the general consumer (at least iOS's, unequivocally is, IMO). The App Store might be bad for developers, but it's way better for consumers.

[+] codedokode|7 years ago|reply
But Linux is not better. Android at least has permissions for apps and allows you to deny some of them; on a typical desktop Linux distribution or on Windows every app has full access to all of your data: a calculator can read your browser history. If you install the Slack app from a Deb package on Linux, it will add its repository to the APT sources list, which means that Slack Inc. can now "patch" any program on your system, for example sshd or Firefox. Also, it will add a daily cron task that checks that the added configuration is not commented out (they explain that it is necessary for the case of upgrading a distribution). Such behaviour is simply impossible on Android.

So I think it is the opposite: a mobile OS provides better security than a desktop OS.
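An added illustration, not code from the comment above or from any vendor: a small Python audit that lists third-party APT origins in a sources file and emits an apt_preferences(5) pin so that such a repository can only supply its own package rather than replace sshd or Firefox. The repository host, the package name and the trusted-host set are assumed placeholders, and the sample sources file is constructed.

```python
import re
from urllib.parse import urlparse

# Hosts treated as the distribution's own; assumed values, adjust per distro.
TRUSTED_HOSTS = {"deb.debian.org", "security.debian.org"}

# One-line sources.list format: deb [options] URL SUITE COMPONENT...
SOURCE_RE = re.compile(r"^\s*(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)(.*)$")


def parse_sources(text):
    """Return (url, suite, components) for each active entry; comments are skipped."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SOURCE_RE.match(line)
        if m:
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries


def third_party_origins(text):
    """Repository hosts that are not the distribution's own."""
    hosts = {urlparse(url).hostname for url, _, _ in parse_sources(text)}
    return sorted(h for h in hosts if h and h not in TRUSTED_HOSTS)


def pin_preferences(origins, allowed):
    """Build apt_preferences(5) text giving every package from a third-party
    origin priority -1 (never installable) and only the allowlisted packages
    the normal priority of 500. Specific-form records (named packages) take
    precedence over the general-form 'Package: *' record."""
    blocks = []
    for host in origins:
        blocks.append(f'Package: *\nPin: origin "{host}"\nPin-Priority: -1\n')
        for pkg in allowed.get(host, []):
            blocks.append(f'Package: {pkg}\nPin: origin "{host}"\nPin-Priority: 500\n')
    return "\n".join(blocks)


# Constructed sample of an /etc/apt/sources.list.d/*.list file; the host and
# package name are placeholders, not any real vendor's values.
SAMPLE_SOURCES = """\
# added by the vendor's .deb post-install script
deb [arch=amd64] https://repo.vendor.example/debian/ stable main
deb http://deb.debian.org/debian bookworm main contrib
"""
ALLOWED = {"repo.vendor.example": ["vendor-desktop"]}

if __name__ == "__main__":
    origins = third_party_origins(SAMPLE_SOURCES)
    print("third-party origins:", origins)
    print(pin_preferences(origins, ALLOWED))
```

The generated text belongs in a file under /etc/apt/preferences.d/; the daily cron job the comment describes lives under /etc/cron.daily and is not covered by a pin.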

[+] duskwuff|7 years ago|reply
How does this follow from the article? Sure, a walled garden isn't a perfect model. But opening it up further would make abuse, like the behaviors described in the article, even easier for developers to execute, and harder for anyone to stop.
[+] ggm|7 years ago|reply
I feel the problem is the complexity of permissions models. Rather than expose many fine-grained permissions, apps ask for wide ranging permissions. Good apps and bad apps. Because the good apps are written naively from days past and didn't know there is now a specific APP_PERMISSION_THIS_THING rather than 'all files'.

Because even good apps ask for all things, it cannot be used as a filter to determine bad apps.

[+] gruez|7 years ago|reply
>unwashed masses don’t know that so it doesn’t matter.

They seem to be able to find epic's fortnite just fine. What more do you want?

[+] thekyle|7 years ago|reply
> i want no part of it. when a phone maker comes to the market without this locked down model i will buy it, and if windows goes this route i will drop it for linux.

> and yea i know you can sideload on android, but the unwashed masses don’t know that so it doesn’t matter.

I don't totally understand what you want. You say you want a phone (presumably OS?) that does not require an app store then totally dismiss a very popular operating system that has exactly that feature. Who cares if a large segment of Android users don't side load apps, that does nothing to prevent you from doing it.

I've been using Android without Google Play services for a few months and everything works fine. My bank apps work, the few social media apps I use work, WhatsApp/Signal work, Bing/Cortana work, I could go on but I think you get the idea. Most of my apps have been side loaded (or downloaded via F-Droid).

[+] simonh|7 years ago|reply
How can you on the one hand complain that the locked-into-a-store model has failed, then say yes, you know Android has multiple stores and you can side-load?

Doesn't that mean the multiple-stores and side-loading model has failed also? I'm not quite sure what your point is.

[+] Kiro|7 years ago|reply
> compared to PC

How is Steam or Windows Store any different? How do you install apps/games on PC?

[+] thorwasdfasdf|7 years ago|reply
well, there's always the Mobile Web. we just gotta get users to adopt it.
[+] oblio|7 years ago|reply
> the locked in store model has completely failed

Nope, it hasn't. It's very successful. It succeeded in lining the pockets of Apple and Google.

[+] kenoph|7 years ago|reply
I did my Master Thesis on this kind of stuff. There are many Apps among the top 100 free ones that ask permissions completely unrelated to their functionality. Yeah I know, not surprising. What surprised me at the time was that Android gives away much information "for free". For example, if I recall correctly, GET_ACCOUNTS was granted automatically and it allowed to get the "title" of every account on the phone as shown in the Android UI. Most Apps use the actual username as the title, google included (aka, every App could read your email address). Nice exceptions are Signal and WhatsApp.
[+] cjsilver|7 years ago|reply
I'm the author of this article and I'd love to learn more about what you found in your research. You can reach me at craig dot silverman at buzzfeed.com.
[+] codedokode|7 years ago|reply
The article puts blame on specific apps of Chinese origin, but a lot of what is said in the article can be applied to other apps too, for example:

> Kaltheuner, of Privacy International, told BuzzFeed News the policies are vague about how third parties, including potentially the Chinese government or other authorities, can gain access to the data being collected.

Google's privacy policy [1] is also very vague. Instead of clearly writing technical details, what data they collect and when, they just give a general description. Take this phrase, for example:

> We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse.

Or this:

> We provide personal information to our affiliates and other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Absolutely no details. I don't see how Google hiding its "partners" identity is different from Chinese companies hiding their identity.

The article says that a Chinese company can share the data with its government (without any proof), but doesn't Google share the data too when required by the law?

Also, there is an interesting note hidden in Chrome's policy [2]:

> Chrome won't allow a site to access your location without your permission; however, on mobile devices, Chrome automatically shares your location with your default search engine if the Chrome app has permission to access your location and you haven’t blocked geolocation for the associated web site.

So instead of singling out a Chinese company, we should pay attention to all of the mobile apps and their practices.

Regarding excessive permissions, I think Google could improve the situation by promoting apps with few required permissions in the search results and making the permission list more noticeable. For example, currently, if you browse Google Play, the permission list is hidden behind a tiny link.

[1] https://policies.google.com/privacy?hl=en-US

[2] https://www.google.com/intl/en/chrome/privacy/

[+] doublepg23|7 years ago|reply
It's amazing how poor the filtering is. There are plenty of developer horror stories of legitimate apps being taken down by some broken, automated process - sometimes taking peoples' entire Google accounts with them. Then you're stuck dealing with more automated systems for support.

Of course these garbage apps make it through somehow. My favorite is an SNES emulator that's full of ROMs. Clearly a copyright violation, but somehow made it through state-of-the-art AI...

[+] userbinator|7 years ago|reply
> My favorite is an SNES emulator that's full of ROMs. Clearly a copyright violation, but somehow made it through state-of-the-art AI

I'd actually be fine with it letting stuff like that through, but filter out apps that are actually malicious to the user.

[+] keerthiko|7 years ago|reply
In an ideal world, OS maintainers, instead of running a software store with a client-end on consumer devices, would run just a repository, with version control, metadata and downloadable packages for apps submitted to and supported on their platform, but allowed any third party to link to their repositories for fetching information or downloads. This would allow external review hosting, discovery, competing marketplaces, or even users directly fetching the application without navigating marketplaces if they knew what they wanted.

Of course, there's nothing in this approach financially for the maintaining company, so this was not going to happen.

[+] scarface74|7 years ago|reply
What could possibly go wrong? Viruses, malware, ransomware, toolbars, etc.
[+] comradesmith|7 years ago|reply
Installing f-droid and using more simple and open source apps is one of the best things I've done lately.
[+] ac29|7 years ago|reply
It's too bad it's still flaky at updating apps. I've been using it for a few apps for many years, and I'd say easily half of app updates simply fail for non-obvious reasons. It's been this way across multiple devices and countless versions of Android, so I'm left to believe the problem is with F-droid itself.
[+] OrgNet|7 years ago|reply
And if you can avoid apps altogether and use their website instead, it is often better, because they don't get as much power over your device.
[+] yccheok|7 years ago|reply
There are several app categories which become breeding ground for malware.

- battery booster
- phone cleaner
- anti virus
- note taking app
- file manager
- ···

To manage the risk of getting banned, those adware companies will usually register multiple accounts with offshore addresses in Hong Kong or Singapore.

This is a good starting move by Google, but not enough still. We still see companies like Cheetah Mobile and DU Group being active in the Google Play Store.

Those companies (and their associated accounts which distribute malware) that are caught red-handed should be banned permanently.

[+] shittyadmin|7 years ago|reply
Good. This is what advertising agencies asked for and what they deserve. Implementing a "click button to get money" system means of course people are going to try to beat that any way they can. I'm surprised any web advertising firm manages to stay afloat.
[+] gyaniv|7 years ago|reply
I'm not entirely sure I have that much of a problem with ad fraud; doesn't it only hurt the ad companies and companies like Google (which I have a problem with anyway), by basically scamming them into believing that I interacted so that company should be compensated?

I do object to collecting and sending my personal information, but I feel they just mixed it in, as that probably relates to more than just these Chinese apps.

And I really don't like the fact that it seems that Google only cares about abusing the users, and breaches of trust and privacy when it hurts the advertisers (and themselves), and not when the normal user gets hurt.

Not surprising though, but still annoying.

[+] thinkloop|7 years ago|reply
They're mixing so many issues and confusing the matter. They have discovered ad fraud, which is interesting, but doesn't actually directly harm the user (right?), just the advertisers and Google. But then to make sure they are propagating fear, they bring in the completely unrelated issue of data being sent to China. And there is some confusion there too - is it only through the (unnecessary) permissions that users approve (a much different problem) or are they able to send unexpected data also without the permissions? I wish the world didn't have this sensationalism arms race to get their articles read.
[+] comex|7 years ago|reply
If the ad fraud runs in the background as claimed, it harms the user by wasting their battery.
[+] yeahitslikethat|7 years ago|reply
People think I'm weird for not installing WhatsApp because it downloads all my contacts, and I can't prevent that in this version of Android, which I can't update because I can only do that through AT&T while on their network, but I get service through someone else because AT&T doesn't cover my area.

It's absurd.

[+] Sylos|7 years ago|reply
Just get a written permission from all of your contacts that you're allowed to upload their data to WhatsApp, like the rest of us clearly have.

Or make it so that no one has anything against you ever. Because people have been sued already for uploading their contacts' information to WhatsApp without permission.

I really don't want to encourage you to use WhatsApp, but one possible solution would be to use this app: https://f-droid.org/app/opencontacts.open.com.opencontacts

It's a separate store for your contacts, so that you don't have to use the Android contacts implementation that every app and their mum wants access to.

However, mind that WhatsApp is not going to be particularly user-friendly whether you do this or block access to the contacts in newer Android versions. It won't display people's names until they've chatted to you (and then only in a shitty secondary GUI), so you will often have to guess from their picture who they might be.

And worse still, there's no way to initiate a chat from within WhatsApp to someone who's not in your contacts.

Thankfully, there's an app for that nowadays, too: https://f-droid.org/app/io.github.subhamtyagi.openinwhatsapp

[+] SmellyGeekBoy|7 years ago|reply
Install LineageOS? WhatsApp doesn't have access to my contacts.
[+] Walf|7 years ago|reply
>“If an app violates our policies, we take action

Bullshit, Google. Bullshit. Only a very small proportion of the apps on Play ask only for the permissions that are needed to perform their task, and Internet access is not a deniable permission, leaving a nice little back door for them to siphon off your data. The example of the flashlight app is not an edge case, it's the norm. Google does not care because they'd rather earn more ad revenue than have quality apps, and the number of apps with the ability to seriously spy on you is staggering.

[+] circular_logic|7 years ago|reply
> BuzzFeed News manually identified apps that requested a high number of permissions, including those assigned as “dangerous,”

A useful automated tool for this is 'Exodus'; it will scan APKs for trackers and permissions and provide a web report.

Here is a report for one of the apps mentioned. https://reports.exodus-privacy.eu.org/en/reports/15627/
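An added example, not code from this comment, from Exodus or from BuzzFeed's own process: a Python triage of the permissions an app requests, marking those Android classifies as "dangerous" (runtime permissions, GET_ACCOUNTS included, as the thesis comment above notes) and then flagging the dangerous ones a given app category has no plausible use for. It assumes the binary AndroidManifest.xml has already been decoded to text (e.g. with apktool); the per-category allowlist and the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions as documented by Android; the subset that
# covers the data discussed in the thread (contacts, accounts, location, phone
# state, storage, SMS, microphone, camera, calendar, sensors).
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR",
    "android.permission.BODY_SENSORS",
}

# Hypothetical allowlist: the dangerous permissions a category plausibly needs.
# A flashlight app may need CAMERA only because older APIs drive the LED
# through the camera; it has no business with contacts, location or accounts.
EXPECTED_BY_CATEGORY: Dict[str, set] = {
    "flashlight": {"android.permission.CAMERA"},
    "camera": {"android.permission.CAMERA", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.READ_CONTACTS", "android.permission.RECEIVE_SMS"},
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """All <uses-permission android:name=...> entries of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit(manifest_xml: str, category: str) -> dict:
    """Classify requested permissions and flag dangerous ones outside the category's needs."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    return {
        "requested": len(perms),
        "dangerous": dangerous,
        "unexpected_dangerous": sorted(p for p in dangerous if p not in expected),
        # INTERNET is a normal, non-deniable permission; paired with the above it
        # is what lets collected data leave the device.
        "internet": "android.permission.INTERNET" in perms,
    }


# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, "flashlight")
    for key, value in report.items():
        print(key, ":", value)
```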

[+] Kiro|7 years ago|reply
> Ad fraud is simply the norm in China

Why is that? I can't even imagine what's going on at the meetings leading up to implementing ad fraud in what I presume is a normal company otherwise and not a bunch of gangsters. Is it morally OK to do this in China for some reason?

[+] snaky|7 years ago|reply
> While on my most recent flight to Beijing, I sat next to a chatty elderly Chinese woman. We started discussing the topic, and she said that Chinese society lacks su zhi 素质, which translates roughly to manners or etiquette. Before the Cultural Revolution, she explained, Chinese society was guided by the moral lessons of Confucianism, with its emphasis on being a gentleman, respecting one’s elders, and obeying one’s leaders. But during the Cultural Revolution, Mao Zedong put Confucian principles on its head, pitting the Red Guard youth against their parents, the less educated against the educated elite. This chaos tore the social fabric and transformed the society into a survivalist one, a dog-eat-dog world, the vestiges of which are still felt today.

> When Deng Xiaoping implemented the Reform and Opening Up policy in 1978, capitalism was added to the mix of the survivalist culture; in order to get rich, you had to compete fiercely, fend for yourself and take care of your own with no regard for rules. This would also explain the rampant corruption among government officials, who use their position to amass wealth for themselves and their family. And nowadays, a third phenomenon has also added itself to the dangerous cocktail of selfishness and competition: the digital age. Many Chinese young people spend the majority of their days glued to WeChat, or taking selfies everywhere, or shopping at the ubiquitous malls around the country. This “me” culture is certainly not unique to China; indeed, we see the same thing happening to the youth in New York to Buenos Aires to London to Brussels to Moscow. But in China it exacerbates the already self-centeredness brought on by the cruelty of the cultural revolution and the competitiveness of capitalism with Chinese characteristics.

> In other words, China doesn’t just lack common etiquette and basic manners; it lacks a moral compass altogether.

https://thediplomat.com/2016/09/chinas-quest-for-a-moral-com...

[+] qmanjamz|7 years ago|reply
> Google confirmed it found fake ad clicking on all 6 apps, and said ad fraud was against Play store policy. So why aren't you removing the apps, I asked. They said they banned them from ad products and were still investigating. Really? Finally, not long ago, Google removed them.

What's wrong with this guy? Does he not understand what investigating means? God forbid Google actually investigates claims of malfeasance.

[+] HillaryBriss|7 years ago|reply
google play store and android have consistently shown that the first priority is gaining market share. user safety and security, app quality, data privacy and positive developer experience are far, far lower priorities.
[+] craftinator|7 years ago|reply
Here is a solution for this problem: let's devalue mobile advertisements. How? Simple: every time you see an ad, add the product advertised to a blacklist. Refuse to download any app that advertises to you. I've been doing this for a few years, and have felt no negative effects; in fact I have way less app clutter on my phone, and I still find all of the apps that I look for. Advertising has changed in nature; it used to be about increasing visibility of your products. Now it is about compelling people who don't want or need your product into buying it, by using deception and psychological manipulation. So how do we kill the beast that the ad industry has become? Don't feed it.