LWN: Comments on "Android security state of the union" https://lwn.net/Articles/638962/ This is a special feed containing comments posted to the individual LWN article titled "Android security state of the union". en-us Wed, 10 Sep 2025 07:36:47 +0000 Wed, 10 Sep 2025 07:36:47 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net

Android security state of the union https://lwn.net/Articles/639928/ https://lwn.net/Articles/639928/ robbe
<div class="FormattedComment">
I didn't read donbarry's message as a complaint that Google has this power -- of course, technically it does (as does MS on Windows computers) -- but that it actually wields it.<br>
<p>
Of course, with all this stuff moving to the cloud we get less and less transparency into what is actually done. Google didn't have to publish this. The famous Facebook mood-altering study could have stayed private. We're probably only seeing the tiniest tip of the iceberg.<br>
<p>
In the good old world, all it took was one researcher looking closely at the connections made to the mothership. Now, these connections are more and more necessary for things to actually work.<br>
</div>
Fri, 10 Apr 2015 13:12:59 +0000

Android security state of the union https://lwn.net/Articles/639842/ https://lwn.net/Articles/639842/ mathstuf
<div class="FormattedComment">
I don't think it should be unencrypted. "passwordisfoobar" as the ESSID with at least WPA2 encryption is something I'd get behind though.<br>
</div>
Thu, 09 Apr 2015 20:40:24 +0000

Android security state of the union https://lwn.net/Articles/639811/ https://lwn.net/Articles/639811/ job
<div class="FormattedComment">
Just another reason to run an open unencrypted wifi.
Internet access should be like the air we breathe.<br>
</div>
Thu, 09 Apr 2015 17:16:30 +0000

Android security state of the union https://lwn.net/Articles/639631/ https://lwn.net/Articles/639631/ mathstuf
<div class="FormattedComment">
They also support client-side certs (which is why I've stuck with them despite davdroid's existence). I'm happy the apps are migrating to be more FOSS-y (especially since it means that maybe CardDAV support will get the same amount of love and attention as CalDAV :) ).<br>
</div>
Wed, 08 Apr 2015 20:54:57 +0000

Android security state of the union https://lwn.net/Articles/639622/ https://lwn.net/Articles/639622/ ttonino
<div class="FormattedComment">
I live in Europe. I fear the USA more than my own government. But I'd rather see that China spies on me - they have little power over me, while my own government will bow to everything the US demands.<br>
</div>
Wed, 08 Apr 2015 19:33:28 +0000

Android security state of the union https://lwn.net/Articles/639620/ https://lwn.net/Articles/639620/ ttonino
<div class="FormattedComment">
There are CalDAV-sync and CardDAV-sync from Marten Gajdja as well... one of those has a free version as well, and he is finally changing over to an open-source DAV library.<br>
</div>
Wed, 08 Apr 2015 19:30:37 +0000

Android security state of the union https://lwn.net/Articles/639121/ https://lwn.net/Articles/639121/ dlang
<div class="FormattedComment">
<font class="QuotedText">&gt; I fully agree with you; I am only more radical about a point: the owner of a "standard"[*] Android phone, has to take in account that all its data are shared with Google; or if not shared, the data are fully accessible by Google.</font><br>
<p>
I'll point out that the same thing applies to ANY system that allows automatic updates.
The updates can change the system to do anything, and so anyone who can influence the updates (legitimately, through government power, through a black bag operation, through threats, etc) can do anything they want on your device.<br>
</div>
Sat, 04 Apr 2015 22:38:18 +0000

Android security state of the union https://lwn.net/Articles/639099/ https://lwn.net/Articles/639099/ kreijack
<div class="FormattedComment">
<font class="QuotedText">&gt; Not mine: I run a thoroughly de-Googled Android. As for losing the "main </font><br>
<font class="QuotedText">&gt; advantage" -- hardly! I share contacts and calendar by davdroid onto a </font><br>
<font class="QuotedText">&gt; radicale server and have all the tools I really need through fdroid.</font><br>
<p>
Nice to know davdroid; I was stuck with caldav and OwnCloud...<br>
<p>
<font class="QuotedText">&gt; The question is not centrally whether a phone should share *your*</font><br>
<font class="QuotedText">&gt; information to Google -- you are making your choice, though arguably the</font><br>
<font class="QuotedText">&gt; great majority of users are not given the opportunity to learn how </font><br>
<font class="QuotedText">&gt; pervasive is the sharing -- but whether a phone should share *others* </font><br>
<font class="QuotedText">&gt; information to Google. Wifi passwords fall in that category.
Unless a </font><br>
<font class="QuotedText">&gt; user is entering their own router's password, then the information being </font><br>
<font class="QuotedText">&gt; sent to Google's servers is private information not theirs to learn.</font><br>
<p>
I fully agree with you; I am only more radical about a point: the owner of a "standard"[*] Android phone, has to take in account that all its data are shared with Google; or if not shared, the data are fully accessible by Google.<br>
<p>
However, I have to point out that <br>
a) Google has interest in these data only as "collection", to sell advertisements or something else<br>
b) it is not in the interest of Google to share with others these data; but I am sure that a Government is in position to force Google to provide it.<br>
b.1) worse, the Government may not be your own...<br>
<p>
[*] by standard phone, I am referring to one with a fully working "Google play".<br>
</div>
Sat, 04 Apr 2015 10:00:01 +0000

Android security state of the union https://lwn.net/Articles/639050/ https://lwn.net/Articles/639050/ donbarry
<div class="FormattedComment">
Not mine: I run a thoroughly de-Googled Android. As for losing the "main advantage" -- hardly! I share contacts and calendar by davdroid onto a radicale server and have all the tools I really need through fdroid. <br>
<p>
The question is not centrally whether a phone should share *your* information to Google -- you are making your choice, though arguably the great majority of users are not given the opportunity to learn how pervasive is the sharing -- but whether a phone should share *others* information to Google. Wifi passwords fall in that category.
Unless a user is entering their own router's password, then the information being sent to Google's servers is private information not theirs to learn.<br>
<p>
<p>
</div>
Fri, 03 Apr 2015 17:50:55 +0000

Android security state of the union https://lwn.net/Articles/639045/ https://lwn.net/Articles/639045/ kreijack
<div class="FormattedComment">
From time to time, I see these complaints against Google about the fact that he is able to access/stores *some* of our valuable information.<br>
<p>
But to be honest, Google has full access to your phone and to *all information* stored on it: "Google play" can install and remove any application; so Google can make what he wants with our Android phone [*].<br>
<p>
Accepted that, you have only two choices:<br>
- don't buy an android phone, but look for an old "dumb" phone. These have their problems, but these are orders of magnitude lower than an Android phone.<br>
- live with the risk that Google (or someone which can control Google) can access to your data. Believe me, Google is not very interested to my (and I think also to your data) as single person, but only as group of people. And I am sure about the Google effort to protect our data and our privacy: if someone is able to access our data owned by Google, Google loses its main power.<br>
<p>
When I will find a Phone which doesn't depend by a centralized store, which has the support for WhatsApp, I will buy it. Until that I have to live with the Android, which (IMHO) is the least problem. <br>
<p>
[*] Ok, you can remove the "Google play"; but if so, you lose the main advantage of an Android phone.<br>
</div>
Fri, 03 Apr 2015 16:44:54 +0000

Android security state of the union https://lwn.net/Articles/639001/ https://lwn.net/Articles/639001/ dlang
<div class="FormattedComment">
<font class="QuotedText">&gt; What is one to do? Refuse to give one's wireless passwords to guests unless they make lengthy and difficult alterations to their phones?
</font><br>
<p>
no, just run a guest wifi network that you aren't worried about what can get at it.<br>
<p>
Do you really trust your guests to not have any malware on their devices/systems in the first place? if so, why do you think that?<br>
<p>
not that I think that backing up passwords to the cloud in cleartext is good, but some of the scenarios that are being painted here are even sillier.<br>
</div>
Fri, 03 Apr 2015 09:22:12 +0000

Android security state of the union https://lwn.net/Articles/638978/ https://lwn.net/Articles/638978/ donbarry
<div class="FormattedComment">
Years ago, when Microsoft dabbled in sending lists of installed applications back to the mothership, users were rightfully horrified. Virus searching later was performed by downloading lists of signatures and doing comparisons locally. Even these proprietary companies at the time respected to some degree the privacy of their users.<br>
<p>
But Google is increasingly moving this into the cloud, which is used as justification to monitor application install on their remote users. Increasingly, information which they have no business knowing is moving to their servers. At one time it was simply a list of wireless ESSIDs. But now Google cloud Backup stores even wifi *passwords* back on the mother ship, and in plain text! <br>
<p>
What is one to do? Refuse to give one's wireless passwords to guests unless they make lengthy and difficult alterations to their phones? <br>
Run firewalled VAPs to give to guests to wall off their stool pigeon hardware?
<br>
<p>
<p>
<p>
<p>
</div>
Fri, 03 Apr 2015 05:52:22 +0000

Android security state of the union https://lwn.net/Articles/638973/ https://lwn.net/Articles/638973/ cesarb
<div class="FormattedComment">
<font class="QuotedText">&gt; Verify Apps has seen Rooting applications installed on approximately 0.25% of devices, with those installs from sources outside of Google Play.</font><br>
<p>
Does that mean that, for every 400 Android devices, one has been rooted by its user? Interesting.<br>
</div>
Fri, 03 Apr 2015 01:07:06 +0000