  • Showing only topics in ~tech with the tag "privacy".
    1. Have you tried degoogling your Android?

      In pursuit of more privacy-oriented mobile computing I've installed LineageOS ROM on my phone and decided to try living without Google Play Services, which usually provide aGPS (cell tower geopositioning), push notifications and lots of other frameworks like Google Maps that apps use as libraries.

      My phone has 4 primary uses:

      • Communicator - mostly Telegram, WhatsApp and Slack. Email of course.
      • Navigator - GPS and Maps are an irreplaceable tool if you're living in a modern metropolis
      • Internet browser - obviously
      • Music Player - music on the go

      So let's see how you're supposed to tackle each of the uses, while using as much FOSS as possible.

      1. System functionality - both push notifications and aGPS can be solved by microG - fake Google Play Services library. Not sure how it implements push, but aGPS is checked against Mozilla's geolocation database.
      2. Communications - Telegram is available on F-Droid (OSS app store), but everything else is not. The solution here is to use Aurora (Play Store front-end to rip APKs) and install them manually. Push notifications might be broken even with microG (WhatsApp is missing notifications for me, sometimes). AOSP email is fine, K9-mail is ugly but works somewhat better.
      3. Maps and navigation: OpenStreetMap is the obvious choice here and OsmAnd delivers the frontend. It has enough metadata for businesses to get you around, but compared to Google Maps it can sometimes be lacking and/or out-of-date. Navigation itself is decent, but it's missing timetables for public transportation compared to GMaps, which can be a problem, especially if trains are cancelled or delayed. Overall it's very usable, almost feature complete, but I've found myself falling back to Google Maps in my browser when it comes to using public transport.
      4. Internet browser - Firefox, with uBlock Origin installed (yes, it works on Android) it's really good.
      5. Music Player - there are tons of music players available on F-Droid, you can pick whichever suits your needs. Here I actually stepped away from the FOSS and bought myself a PowerAMP license on developer's website. One of the rare moments where paid Android software is available outside of Play Store.

      Now that the primary use cases are solved, let's try some other useful apps:

      • E-banking? Broken without Google Play, app refuses to even start properly.
      • Bike sharing? Taxi app? Public transport app? Broken without Google Maps libraries for the obvious reason. You might or might not be able to use the browser version, depending on the app.
      • Reddit Relay/any app that requires the license? Okay you've ripped the APK with Aurora, but you can't buy the license to remove the ads.
      • Ebook reader? Nothing good on F-Droid, have to rip something off Aurora.

      Basically you have to be prepared to use your mobile browser a lot. And for some of the sites, do it in a "desktop mode" with tiny text, since the mobile version will just nag you to download the app, that might be broken.

      The takeaway is simple - you give up A LOT of convenience just to cut off Google analytics (which you still might get with apps like Slack). It's certainly usable, don't get me wrong, but I still feel kind of stupid fumbling with OsmAnd when I'm out with my friends and trying to look something up. I'll probably end up going back to the stock ROM, or just installing the Google Apps. For me it was an experiment and I think I've got a general feel on how much information and use I'm actually getting out of GApps.

      So Tildes, have you tried degoogling your phone? How did it go? Are you still using it?

      28 votes
    2. What file access do programs have if I install them? Can they see everything?

      I am thinking of installing League of Legends, but I am not sure about the privacy implications of doing so. If I install it, would it be able to read all the other files in my computer? If it can, can I avoid the problem by using a guest account on my computer to play? Riot's privacy policy seems to be standard as far as data mining goes, but I would like to know how much it can see if I install it. I am playing on a Mac.

      6 votes
    3. Hidden third party telemetry found in Nokia 6.2, 7.2 smartphones

      Update 12/03/2020: this is not a telemetry, but a kill switch from Colombian carrier - confirmed by HMD. Kill switch will be removed from most devices soon. I updated an article and posted it here.

      Original article below:

      I have recently purchased Nokia 6.2 and wanted to check if it sends any data somewhere, considering what happened with previous models.

      First, I noticed approx. daily connection to dapi.hmdglobal.net
      This is a Google Cloud that could belong to a company behind Nokia - HMD Global.
      But the Privacy policy in my phone only speaks of "activation" process, not of daily diagnostics data.
      So I used developer tools to remove the following packages (warning: this may break your device, I am not responsible for any consequences)

          com.hmdglobal.enterprise.api
          com.qualcomm.qti.qms.service.telemetry
          com.qualcomm.qti.qmmi
          com.qualcomm.qti.qdma
      

      Before removing them, I used APK Extractor to save APK files just in case it breaks my phone and I may be able to attempt reinstall. This part comes into play later.
      The first was my blind guess about what exactly connects to dapi.hmdglobal.net
      The next 3 I found mentioned in various forums for other devices as "safe to remove", however, I have not seen any telemetry sent to Qualcomm or anywhere else, except what I mention next.

      After removing these packages, I noticed that there are some remaining unknown connections my device attempts several times per day.
      They are all done in same order, one right after the other:

          www.pppefa.com
          www.ppmxfa.com
          www.forcis.claro.com.co
      

      After some investigation, I found that the first two domains point to some Microsoft Cloud servers rented in US.
      The last one most probably belongs to Colombian telecom company, and this is where it becomes interesting.
      After many hours of fruitless removing of different apps in my attempt to stop it, I suddenly remembered something.
      When I used APK Extractor previously, there was an empty first line with some generic icon where an app icon should have been.
      I went there again and indeed, this is a hidden system app, that you can not see in the list of all apps in Settings, normally. But it turns out, you can see it in Data usage (after it successfully sends some data using your mobile connection).
      The name of the app is deliberately left empty to hide it, but if you click it in Data usage, you can see that this app is co.sitic.pp, which can receive SMS, can make calls, and has access to internet.
      As with all Android apps, you can reverse read the name to guess what it is.
      Turns out, http://sitic.com.co is a Colombian company, who "are leaders in innovation and create mobile and WEB applications for new products and services." (credit goes to Google Translate)

      screenshot of the app with permissions

      In other words, this app is a 3rd party telemetry, hidden from user, not mentioned in the Privacy policy, that has access to SMS.
      This looks very bad and I really hope this is a malware injected by factory and not something knowingly distributed by Nokia, HMD Global, the EU company.

      After removing the co.sitic.pp app, requests to Microsoft Cloud and Colombia stopped.
      I was later pointed to a German forum, where (I believe) it was first found in a Nokia 7.2 device.
      So, we have it confirmed in 2 devices in 2 different countries.

      On the German forum they contacted Nokia (I assume support) but got tired of exchanging emails for weeks without any result.
      On 02/03/2020 I requested an official reply from Nokia and HMD Global via press.services@nokia.com and press@hmdglobal.com and am waiting for a reply.
      Since I am not a journalist, I may never get one.

      TLDR: 3rd party telemetry is found in Nokia 6.2 and 7.2 devices, is hidden from user, has access to SMS, and sends data to Microsoft Cloud in US and a server in Colombia.
      It is probably supplied by SITIC S.A.S., a Colombian company, and looks more like a malware than a telemetry.

      28 votes
    4. Changing e-mail and cleaning up my Internet presence

      I'm trying to clean up my internet presence and move away from at least Facebook and Google. I've come a long way with deleting my Facebook and it's now basically an empty shell for messaging. I've installed Signal and will start the grooming process with my friends and family now. If you have some solid arguments for the change regular ol' folks can understand please share them with me because as we all know "privacy" just isn't enough.

      Next phase is the big one...Google or basically G-mail.

      1. Is there any way to get a complete overview of where you've used your e-mail for a service online?

      2. What e-mail would you recommend?
      2a. I'm OK with paying a bit for overall quality, security and equally important UX!
      2b. I don't use any other relevant Google products like Drive etc. It's just regular e-mail and sign in credentials for other services I basically need

      3. I use a Mac, iPhone and iCloud. Is iCloud a problem? IF this needs to change it HAS to be an "easy" switch and not like setting up a server for myself. Because it won't happen and I'm not skilled enough.

      I would very much appreciate your input :)

      EDIT: Thank you all for your thorough comments!

      22 votes