[HN Gopher] Android phones are sending significant amount of use...
___________________________________________________________________
Android phones are sending significant amount of user data with no
opt-out [pdf]
Author : giuliomagnifico
Score : 625 points
Date : 2021-10-11 16:52 UTC (2 days ago)
(HTM) web link (www.scss.tcd.ie)
(TXT) w3m dump (www.scss.tcd.ie)
| 2Gkashmiri wrote:
| can i see this "exfiltration" out of an android using a pi-hole?
| i have multiple androids at home and a network wide pi-hole so i
| would love to see if there is something i can see and maybe block
| rangerdan wrote:
| Not unless you have a lot of free time to pore through
| thousands of log lines manually.
| eldaisfish wrote:
| any DNS-based tool is going to tell you which IP address is
| being contacted, not what is sent or how much.
|
| You can certainly block domains and that will prevent some
| google telemetry but a DNS-based tool is not what you're
| looking for.
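
Added example (not part of the thread): a sketch of what a Pi-hole query log can and cannot answer for the question above. It condenses dnsmasq-style log lines into per-device counts of lookups for watched domains, which is name-level visibility only, as the reply notes. The log lines, client addresses and watch-list are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Domain suffixes to watch. This list is an assumption made for the example.
WATCHED_SUFFIXES = ("google.com", "gstatic.com", "googleapis.com")

# dnsmasq-style lines as written by Pi-hole's resolver.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
BLOCK_RE = re.compile(r"dnsmasq\[\d+\]: gravity blocked (?P<name>\S+) is ")

# Constructed sample input; 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """
Oct 11 16:52:01 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.23
Oct 11 16:52:01 dnsmasq[812]: forwarded connectivitycheck.gstatic.com to 192.0.2.53
Oct 11 16:52:01 dnsmasq[812]: reply connectivitycheck.gstatic.com is 192.0.2.10
Oct 11 16:52:07 dnsmasq[812]: query[AAAA] play.googleapis.com from 192.168.1.23
Oct 11 16:52:07 dnsmasq[812]: gravity blocked play.googleapis.com is ::
Oct 11 16:53:11 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.23
Oct 11 16:53:40 dnsmasq[812]: query[A] www.google.com from 192.168.1.40
Oct 11 16:54:02 dnsmasq[812]: query[A] f-droid.org from 192.168.1.40
Oct 11 16:54:09 dnsmasq[812]: query[A] notgstatic.com.example from 192.168.1.40
"""


def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name equals a watched suffix or is a subdomain of one."""
    name = name.lower().rstrip(".")
    # Match on a label boundary so "notgstatic.com" is not a false positive.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def summarize(log_text):
    """Return ({client: {domain: query_count}}, {blocked_domains})."""
    per_client = defaultdict(Counter)
    blocked = set()
    for line in log_text.splitlines():
        line = line.strip()
        match = QUERY_RE.search(line)
        if match:
            name = match["name"].lower().rstrip(".")
            if is_watched(name):
                per_client[match["client"]][name] += 1
            continue
        match = BLOCK_RE.search(line)
        if match:
            blocked.add(match["name"].lower().rstrip("."))
    return {client: dict(counts) for client, counts in per_client.items()}, blocked


def report(log_text):
    """Format the summary, busiest device first."""
    summary, blocked = summarize(log_text)
    lines = []
    for client, counts in sorted(summary.items(), key=lambda kv: -sum(kv[1].values())):
        lines.append(f"{client}: {sum(counts.values())} watched lookups")
        for name, count in sorted(counts.items(), key=lambda kv: -kv[1]):
            flag = " (blocked)" if name in blocked else ""
            lines.append(f"    {count:4d}  {name}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The log records names and timestamps only: no payloads, no byte counts.
    print(report(SAMPLE_LOG))
```
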
| sumtechguy wrote:
| Has anyone played with adding a cert and using a squid proxy
| to help log what is going on?
| [deleted]
| noja wrote:
| Install NetGuard.
| elevaet wrote:
| I use Android because of the walled-garden approach to data that
| Apple tries to funnel its users into. The privacy issues give me
| pause however.
| [deleted]
| ir77 wrote:
| it's always amazing to me that a typical android user tells me
| they hate iOS because it's locked down and android is much more
| open -- whenever i follow up with what apps they've actually side
| loaded they don't know what i'm talking about, never mind about
| whether their phone is rooted and they're running a rom.
|
| yet a majority of them use very expensive handsets that compete
| in a premium space to iOS devices and ciphen data not only back
| to google but to their respective manufacturers and anyone else
| that puts bloat on their phone -- bloat that they can't remove on
| their "much more open devices".
|
| what was the silly movie that had the quote "the greatest trick
| the devil made was to convince the world that he didn't exist.".
| detaro wrote:
| Of course anecdotal here too, but it seems highly unlikely that
| that's a _typical android user_ perspective. Even among fellow
| nerds that argument is not that overwhelming, and they are a
| tiny group of people.
| imwillofficial wrote:
| You are correct. I have the same experience often.
|
| *siphon
|
| "The Usual Suspects", Keyser Soze
| nicoburns wrote:
| > whenever i follow up with what apps they've actually side
| loaded they don't know what i'm talking about, never mind about
| whether their phone is rooted and they're running a rom.
|
| An android phone is more open even without side-loading or
| rooting because Google's play store is much less restrictive than
| Apple's app store.
| doc_gunthrop wrote:
| A distinction needs to be made clear here with regards to the
| data being transmitted to Google by LineageOS in this study.
|
| In the cited paper (https://www.scss.tcd.ie/Doug.Leith/Android_pr
| ivacy_report.pd...), the device used to test LineageOS was a
| Google Pixel 2 running LineageOS 17.1 which also included an
| installation of _OpenGapps 10.0 nano_.
|
| It's not the OS that is transmitting the data over to Google, but
| rather OpenGapps (ie. Google Play). OpenGapps is software that
| can be _optionally_ installed after the initial installation of
| LineageOS (but before first boot). A user can still use LineageOS
| without OpenGapps, though they just won't have the benefits (and
| drawbacks) that come with it (such as being able to use apps that
| require GSF). The user can instead opt for an app manager like
| F-droid or possibly Aurora Store.
|
| In addition, there exists an alternative to OpenGapps called
| MicroG. This is like Google Play but allows users the option to
| anonymize themselves. One can find custom LineageOS builds that
| include MicroG from the MicroG website (as the members of the
| LineageOS project do not advocate for its use, instead giving
| preference to OpenGapps). Keep in mind, however, that there are
| fewer devices supported by those builds.
| xanaxagoras wrote:
| > One can find custom LineageOS builds that include MicroG
|
| Why bother? Just use Calyx.
| CountDrewku wrote:
| Because it's not well supported on many devices
| JasonFruit wrote:
| I'm using LineageOS with neither OpenGapps nor MicroG, and can
| confirm that Aurora works without. There are numerous apps
| available from Aurora that will not function, of course, and
| many other inconveniences of varying severity, but it's overall
| a good experience.
| chasil wrote:
| I am using Lineage without Gapps, and every app on my phone
| came from F-Droid.
|
| I assume that my carrier sees location data on my device, but
| as I have learned to live within F-Droid on my daily driver,
| I assume that I am immune from this Google intrusion.
|
| I do have an older stock phone that keeps my Google login for
| when I need access to Google services. If it is powered down
| for a month, I am assuming that I am free of Google for that
| month.
|
| Google is a destructive force upon their customer base.
| Abandoning Google is always the correct action.
| muixoozie wrote:
| > I am using Lineage without Gapps, and every app on my
| phone came from F-Droid.
|
| Did you transition or quit cold turkey? I switched to
| Lineage OS with microG. Actually, now that I look through
| what I installed via Aurora, I'm surprised how few apps
| there are. 3 required for work. I guess I could reduce that
| to one with some effort. A few financial / shopping apps
| that are nice to have vs using their website. Google maps
| (not sure what the replacement to that is).
| m4lvin wrote:
| > Google maps (not sure what the replacement to that is).
|
| OsmAnd~ is great :-)
|
| https://f-droid.org/en/packages/net.osmand.plus
| Forbo wrote:
| OsmAnd has been real hit or miss for me. It definitely
| has a lot more friction than Google Maps, and sometimes
| I'm not able to find a destination even with the full
| address. I want to use it, and I want to support the
| ecosystem, but damn if it doesn't make it difficult.
| troyvit wrote:
| I agree. I'm trying to switch to OsmAnd from Here and
| even that is tough when it comes to finding an address on
| the map. You can find place names if they have been added
| to OpenStreetMap, which is mostly in big cities but that
| doesn't cover everything.
|
| I use a separate app called GPS Coordinates. I give it
| an address and it gives me lat/long which I paste into
| OSM. I'm sure there's gotta be a better way.
| RussianCow wrote:
| > Google maps (not sure what the replacement to that is).
|
| Try HERE WeGo: https://play.google.com/store/apps/details
| ?id=com.here.app.m...
|
| It's not quite as polished as Google Maps, but I use it
| as my primary maps app and have mostly not been
| disappointed.
| hkt wrote:
| RE Google maps, /e/OS ships with this:
| https://www.magicearth.com/
|
| I've found it to be more than good enough. There's also
| various OSM based apps:
|
| https://wiki.openstreetmap.org/wiki/Comparison_of_Android
| _ap...
| chasil wrote:
| I used the MicroG respin of Lineage for perhaps a year,
| then on my next hardware upgrade I switched to naked
| Lineage.
|
| I keep an iPhone 7 for corporate apps, but I'm on a Pixel
| 3a XL that hasn't talked to Google since I bought it.
| FormerBandmate wrote:
| For the average end user however, this is a distinction without
| a difference. A Galaxy S21 you buy from the store has Google
| Play and will be sending info of 99.99% of users to Google
| selfhoster11 wrote:
| A Galaxy S21 comes without Lineage pre-installed.
| CountDrewku wrote:
| Yep MicroG is the route I'm going on Pixel3a I just bought. You
| don't need to sign into any Google services to use them. For
| now I'm just using maps. I found a nice Reddit article on de-
| googling even more as well. If you install OpenGapps you might
| as well forget it-
|
| https://www.reddit.com/r/fossdroid/comments/clg2ca/how_to_de...
| cookiengineer wrote:
| Technically, the Internet Connectivity Check on LineageOS also
| sends your position/IP to Google, and also avoids a VPN tunnel
| because it's lower down the stack.
|
| I can recommend LineageOS, however be aware that lots of
| malware infected builds have made it to xda dev in the past, so
| you should build it yourself if possible (or use the official
| downloads).
|
| Regarding the Connectivity Check: You can add all google
| related domains to /system/etc/hosts if you have root/sudo
| access.
|
| Additionally I'd recommend everyone to use RethinkDNS as a DNS
| adblocker and app firewall - and AppWarden to patch out the
| Analytics parts of proprietary Apps.
| 1vuio0pswjnm7 wrote:
| From GrapheneOS FAQ:
|
| "Unlike AOSP or the stock OS on the supported devices,
| GrapheneOS stops making network time connections when using
| network time is disabled rather than just not setting the
| clock based on it."
|
| "... rather than just not setting the clock based on it."
|
| Wow, that is really sneaky and deceptive. The user thinks she
| has disabled the constant connections to the tech company
| time servers but in truth the connections persist.
|
| The time checks are equally as annoying as the connectivity
| checks.
| paulcarroty wrote:
| I'd recommend libredns.gr, it's free and available for non-
| Android devices.
|
| > You can add all google related domains to /system/etc/hosts
| if you have root/sudo access.
|
| Root access is harder to get with each new Android release -
| Google don't like adblockers.
| thrtewgg66 wrote:
| you can disable captiveportal and block everything else with
| netguard
|
| (check Netguard thread on xda)
| yjftsjthsd-h wrote:
| > however be aware that lots of malware infected builds have
| made it to xda dev in the past,
|
| Can you point me to some? How were they caught? I knew this
| was a possibility, but I hadn't seen it actually happen
| before.
| cookiengineer wrote:
| Back in the days I was maintaining the driver support for
| Cyanogen for the MSM7227 based models and I found some
| builds on xda dev that came preinstalled with some RATs.
|
| I only found out by coincidence of another dev asking me to
| verify the build. The nature of how Android is built (with
| all its hundreds of repositories) isn't made for verifiable
| builds, so it's really hard to prove or audit.
|
| From what I've found usually the builds with custom UIs or
| skins on top are infected with stuff either the person
| packaging it doesn't know about (benefit of the doubt) or
| do, but it comes out a year later when someone skeptical
| checks for it.
|
| Verification is especially hard because everybody on xda
| dev is using some paid adfly links or some google storage
| or dropbox links that will change in intervals (depending
| on how much traffic they produce they'll get blocked
| quickly).
|
| So yeah, I think the need for a hash based end to end
| verification tool is kind of there.
|
| But honestly I have no idea how to build it because even
| the partition setup of old flash storage using devices is
| so messed up that there can be side effects when an apk is
| put in /emulated storage folders.
|
| I think the only future proof way to do this is going
| mainline like the postmarketOS devs try to do. But until
| we're there I'm probably dead of old age already. I don't
| believe in the Android ecosystem anymore, because this is a
| governance coordination problem that's not easily fixable.
| Hosting all outdated kernels alone with all the custom
| drivers is way too much traffic for any open source project
| to pay for.
| kekebo wrote:
| One used to be able to change the captive portal url using
| adb [0], although I'm not sure that's still the case in
| current android builds.
|
| [0] https://gist.github.com/tonyseek/bc5b72197ddb15418c614060
| 617...
| commoner wrote:
| I can confirm this used to work, but I'm not sure if that's
| the case now. These were the instructions I used:
|
| https://android.stackexchange.com/a/186995
| johnbrodie wrote:
| I can't recall the exact settings to push via ADB, but the
| Internet Connectivity Check is "easy" to fix. Create a server
| that's always up that responds with a 301 (or whatever the
| check expects), and push the address to the phone. Done.
|
| It's a shame that Google's servers are the default, and I
| wish it were at least called out by Lineage. That said, I
| doubt they want to cover hosting costs of such a service
| (although I'd think they'd be fairly minimal).
| commoner wrote:
| For anyone trying to implement this, the HTTP status code
| that Android looks for is 204.
|
| https://android.stackexchange.com/a/186995
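
Added example (not part of the thread): a minimal self-hosted connectivity-check endpoint of the kind discussed above, with a probe showing that a 204 reply satisfies the check while the guessed 301 does not. The `/generate_204` path, the loopback addresses and the `portal.invalid` redirect target are assumptions for the example; only the HTTP side is covered, not the HTTPS check.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def make_handler(status):
    """Build a handler that answers every GET/HEAD with `status` and no body."""

    class Handler(BaseHTTPRequestHandler):
        # Do not advertise the Python version in the Server header.
        server_version = "check"
        sys_version = ""

        def _reply(self):
            self.send_response(status)
            if status in (301, 302):
                # Placeholder target; .invalid never resolves.
                self.send_header("Location", "http://portal.invalid/login")
            self.send_header("Content-Length", "0")
            self.end_headers()

        do_GET = do_HEAD = _reply

        def log_message(self, fmt, *args):
            # Keep no record of which devices checked in, or when.
            pass

    return Handler


def start_server(status=204, host="127.0.0.1", port=0):
    """Start the endpoint on a background thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((host, port), make_handler(status))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path="/generate_204", timeout=3):
    """Fetch the check URL without following redirects; return the status."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def validated(status):
    """Per the thread, the status code the check looks for is 204."""
    return status == 204


def demo():
    """Probe a 204 endpoint and a 301 endpoint; return {configured: (seen, ok)}."""
    results = {}
    for configured in (204, 301):
        server = start_server(configured)
        try:
            host, port = server.server_address
            seen = probe(host, port)
            results[configured] = (seen, validated(seen))
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for configured, (seen, ok) in demo().items():
        print(f"endpoint configured for {configured}: got {seen}, validated={ok}")
```
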
| twobitshifter wrote:
| This internet connection check actually caused problems for
| us when we started having users in China on android. Our
| code was checking for a connection before transmitting data
| and android thought the device was disconnected due to the
| great firewall. I think there's just a hack around it for
| now that disabled the android connection check for those
| users.
| commoner wrote:
| Some Android flavors, including /e/[1] and GrapheneOS,[2]
| don't use Google servers for the internet connectivity check
| by default.
|
| [1] https://gitlab.e.foundation/e/backlog/-/issues/268#note_1
| 809...
|
| [2] https://grapheneos.org/faq#default-connections
| 1vuio0pswjnm7 wrote:
| Looking through the GrapheneOS source, the servers may not
| be Google servers but the system is still designed to phone
| home. As such, have they solved the problem or is this just
| another case of "Don't trust them, trust us instead."
|
| Has anyone succeeded in running multiboot on "smartphone"
| hardware, i.e., where the user can boot into a choice of
| kernel/userland. One choice might be Android, another might
| be GrapheneOS/LineageOS, another might be an OS that does
| not rely on any third parties whatsoever (no conveniences,
| "app stores", "connectivity checks", etc.) and is fully
| controlled by the user. In other words, the third choice
| lets the pocket-sized computer be used more like a pre-
| smartphone era desktop/laptop OS. Basic functionality.
| kaba0 wrote:
| For your later linked examples, those can be changed.
|
| But as for the microG/GApps question, GrapheneOS provides
| a sandbox for the actual GApps, so that almost everything
| can run properly, with very strong control over what is
| seen by Google.
| bubblethink wrote:
| Eh, if you want an airgapped phone, use it in airplane
| mode. Obviously, the phone needs some network infra for
| things like updates or timekeeping. You can route it over
| vpn if you want and you can build everything yourself and
| host all the servers yourself too if you so prefer. This
| type of pedantry is more harmful than useful to casual
| users who would be far better served with grapheneos than
| some non-existent ideal phone.
| hilbert42 wrote:
| _"...if you want an airgapped phone, use it in airplane
| mode. "_
|
| Right, that's what I do. In fact this post comes from a
| smartphone sans SIM with airplane mode on, with a
| firewall against apps phoning home, no Google or Gmail
| account, all Google Gapps nuked including playstore - in
| fact all Gapps have been completely removed - not to
| mention that most replacement apps come via F-Droid.
|
| Yes, technically it's not fully airgapped but it is
| against Google and that's my main aim.
|
| Of course there's a penalty: I also carry around both a
| pocket router with WiFi and SIM to which the smartphone
| connects as well as the dumbest of dumb phones just for
| phone calls.
|
| Yes, it's a little inconvenient in that the combined
| paraphernalia is about equivalent to two normal
| smartphones (both the router and dumb phone being
| somewhat smaller). Next step is to upgrade to a Fairphone
| or equivalent. (I've often wondered where I'd fit on a
| percentage scale of users who'd go to such lengths -
| somewhere between 0.1 and 0.001% I suspect.)
|
| _You may well ask why I've gone to such lengths. It's
| more principle than privacy really. It's because
| governments around the world completely abrogated their
| responsibility when they deregulated the once-private
| telephone networks in the 1980s, when they did they let
| the Wild West take over. This 'vacuum' then led to a
| depreciation in the value of privacy on telephone
| networks. The ultimate insult came when the vacuum was
| filled by the likes of Google and others who usurped the
| last vestiges of our telephone privacy for good - and
| these damn governments just stood by and let it happen
| without so much as whimper. Remember, we telephone users
| were never first consulted about our privacy -
| governments just let Google and Apple et al take over the
| whole damn caboodle without question. (In the future
| after all the world has finally woken up to the disaster
| then we'll have dozens of historians trying to figure out
| what the hell happened and why. When realization finally
| dawns everyone will be flabbergasted.)
|
| Now, long after the horses have bolted and without so
| much as an apology, governments are trying to rein in
| the likes of Google and Facebook. Right, our governance
| is a fucking farce - it has to be when governments simply
| allow Big Tech to not only effectively overrule
| longstanding law but also to go on and do whatever they
| damned well feel like with impunity._
| 1vuio0pswjnm7 wrote:
| Looking at the FAQ provides more details on various ways
| GrapheneOS phones home by default. Thankfully, some of
| these "services" can be disabled.
|
| The time service is enabled by default but can be
| disabled.
|
| "An HTTPS connection is made to
| https://time.grapheneos.org/ to update the time from the
| date header field."
|
| "Network time can be disabled with the toggle at Settings >
| System > Date & time > Use network-provided time."
|
| Connectivity checks are enabled by default but can be
| disabled.
|
| "Connectivity checks designed to mimic a web browser user
| agent are performed by using HTTP and HTTPS to fetch
| standard URLs generating an HTTP 204 status code."
|
| "You can change the connectivity check URLs via the
| Settings > Network & internet > Advanced > Internet
| connectivity check setting. At the moment, it can be
| toggled between the GrapheneOS servers (default), the
| standard Google servers used by billions of other Android
| devices or disabled."
|
| Why these are enabled by default, i.e., opt-out instead
| of opt-in, is strange considering this OS is aimed at
| technical, security and privacy-conscious users. Users
| who would surely know what services they want and be
| capable of enabling them.
| amatecha wrote:
| Yeah I agree, these settings should be disabled by
| default and require explicit opt-in. That said, I am
| impressed by how privacy/security-conscious the OS seems
| to be otherwise!
| yc12340 wrote:
| You can't really get rid of connectivity check, because
| it is a part of public API. Applications use it to check
| whether a network has internet access. Android itself
| uses it to detect captive portals and prompt user to
| authenticate when network requires authentication/payment
| via a web page.
| londons_explore wrote:
| Not an awful lot of stuff breaks if you just patch the
| api to always return true.
| amatecha wrote:
| I'm not suggesting they get rid of connectivity check.
| They already provide the option to disable it. All I'm
| suggesting is that it's not enabled until the user
| indicates they want it to be. This could be asked during
| a "first time" setup flow like most smartphones have.
| johnmaguire wrote:
| Network time is pretty important for things like HMACs.
| amatecha wrote:
| Maybe, but couldn't they let me set my own server and not
| hit a predefined time server without asking me?
| wolverine876 wrote:
| A couple thoughts:
|
| * Usability: An OS without network connectivity checks
| and time sync might not be usable by non-geeks
|
| * Obscurity: The threat from these pings is low. The
| threat of having a phone that behaves differently than
| "billions of other Android devices", indicating that it's
| GrapheneOS or some other security-oriented OS, is
| arguably higher.
| GoblinSlayer wrote:
| Connectivity checks can't possibly be useful, because the
| network can go down after the check. Then what, the phone
| explodes?
| [deleted]
| Y_Y wrote:
| My pinephone has multiboot to several different Linux and
| Android varieties.
| ranger_danger wrote:
| And nowhere near the security of even stock Android,
| unfortunately. Every app is free to spy on everything
| else on the system, just like most desktops.
| 1vuio0pswjnm7 wrote:
| As well as NetBSD, and probably others, eventually.
| fsflover wrote:
| Librem 5 can also boot different operating systems.
| xook wrote:
| How is Pinephone coming along toward this year's end?
|
| I check in every now and then, but I need it to be where
| current Lineage/Graphene are. I don't need trivial
| software (games et al), but I need it to be automatic
| enough* that I don't have to spend an evening or weekend
| unbreaking things - and reliable all the same.
|
| * barring basic things like package manager updates
| dyndos wrote:
| Did you actually find any examples of GrapheneOS phoning
| home?
|
| GrapheneOS doesn't rely on any third-parties I'm aware
| of. The only service provided is over-the-air security
| updates. It doesn't even come with an app store (although
| you can install F-Droid).
|
| For that reason, GrapheneOS alone fits all three
| categories you mentioned: It is Android, it is
| GrapheneOS, and it is fully controllable / doesn't ship
| bloatware.
| summm wrote:
| It is not controllable at all: It still enforces any app
| author's will against the user's. Root is not offered,
| and the grapheneos maintainer seems to be personally
| offended by the thought that root could be helpful.
| dyndos wrote:
| >enforces any app author's will against the user's
|
| I'm not sure what you mean by this. All apps run in a
| sandbox and you can deny permissions if you like.
|
| >Root is not offered
|
| Root access on Android is a security hole.
| 1vuio0pswjnm7 wrote:
| "The only service provided is over-the-air security
| updates."
|
| Connectivity check / time servers
|
| https://grapheneos.org/articles/grapheneos-
| servers#grapheneo...
|
| Amongst others.
| [deleted]
| aboringusername wrote:
| The issue with Android is it's extremely restrictive from a
| firewall perspective, I guess exactly as designed.
|
| I cannot dictate what apps chat over the internet or to what IP's
| (say, a setting to only allow EU-only addresses).
|
| Of course this means - rightfully or wrongly - you have to move
| this to another layer - probably PiHole or router level, but even
| then there could be gaps (can it use mobile data with you
| unaware?).
|
| I am surprised major OS' still don't allow users to configure
| this yet. it's pretty basic stuff.
| ajvs wrote:
| Custom ROMs like LineageOS which is in this study do have an
| inbuilt firewall. Long press an app and you can deny internet
| access entirely, deny VPN access, etc.
| autoexec wrote:
| Last I checked the default keyboard samsung installs on their
| phones was collecting what you typed and sharing/selling that
| data with third parties. I try not to store or access any
| personal information on my cell phones when i can avoid it, but
| at a certain point, just having one is enough to seriously
| compromise your privacy. Strong regulation with real sharp teeth
| is the only thing that can fix this situation.
| ibeckermayer wrote:
| Strong regulation by whom? The organization that brought us the
| CIA, NSA, FBI, and the rest of the alphabet soup of "security"
| bureaucracies that spy on us arbitrarily?
|
| Strong regulation could easily worsen the problem, as it can
| lead to a ratcheting up of the regulatory burden until only
| mega corps like Apple and Google could afford to make phones,
| and upstarts like Purism and Pinephone get squeezed out.
|
| How about before getting so gung ho with pointing the
| government gun at everyone's head, we consider the option of
| rolling back the unjust regulations that already exist which
| give the mega corps undue government privilege (patents are a
| good place to start), and encouraging (by voting with our
| wallets) organic alternatives to emerge, like they already are
| doing.
| autoexec wrote:
| > The organization that brought us the CIA, NSA, FBI, and the
| rest of the alphabet soup of "security" bureaucracies that
| spy on us arbitrarily?
|
| Which organization do you think that is? You think they all
| came from the same place? Every one of these agencies came
| into existence under very different circumstances at
| different times and they fall under different branches and
| operate in different areas. Do you mean "government" in
| general?
|
| Yes, it's a horrible thing that these agencies are being used
| to spy on all American citizens in violation of our freedoms,
| but that fact doesn't mean that we shouldn't allow any
| government agency anywhere to enforce regulations. How does
| that make any sense at all? You could say the same for
| literally anything. "Who should regulate the amount of lead
| in our drinking water? The organization that brought us the
| CIA, NSA, FBI, and the rest of the alphabet soup of
| "security" bureaucracies that spy on us arbitrarily?"
|
| > Strong regulation could easily worsen the problem, as it
| can lead to a ratcheting up of the regulatory burden until
| only mega corps like Apple and Google could afford to make
| phones, and upstarts like Purism and Pinephone get squeezed
| out.
|
| It literally couldn't worsen the problem of our privacy being
| violated and used against us by cell phone companies. If it's
| illegal for Google to do it, and we had regular independent
| verification that they were not violating those laws, then it
| wouldn't matter if the only cell phones that existed on the
| whole of Earth were made by Google. Google still wouldn't be
| doing the bad thing we're trying to stop.
|
| Yes, I'd prefer to have more choices but there's zero
| requirement that regulations make it prohibitively expensive
| for any company even an upstart. In fact, because this would
| be regulation against collecting, securing, maintaining,
| analyzing, marketing, and selling our personal data it'd
| actually save companies tons of money since they'd no longer
| be doing any of those things. Established companies who are
| currently exploiting consumers won't get to profit off of
| them as they are currently, but they will still save a lot of
| time and money not exploiting the public.
|
| > How about before getting so gung ho with pointing the
| government gun at everyone's head, we consider the option of
| rolling back the unjust regulations that already exist which
| give the mega corps undue government privilege (patents are a
| good place to start)
|
| This isn't an either/or type of thing. There's a lot of great
| and important things we should be doing. This is one of them.
| Let's do them all.
|
| > and encouraging (by voting with our wallets) organic
| alternatives to emerge, like they already are doing.
|
| If "the market" were going to solve this problem, if it were
| capable of solving this problem, it would have been solved
| already. It's not. Until strong regulations are in place
| there will continue to be a very very strong perverse
| incentive to not solve this problem. We're coming up on 50
| years of mobile phone technology and at present there are no
| comparable options for cell phones and mobile networks that
| preserve privacy. None. It's not regulations forcing Google
| and Apple to collect our personal data. They are choosing to
| do it. They could stop tomorrow if they wanted to. They don't
| want to. They won't stop until they are forced to stop.
| hungryforcodes wrote:
| Hi! I have a Samsung and I looked around online and couldn't
| find any real info on this topic. I don't doubt it's quite
| possible, but where is your source from? It's been hard for me
| to confirm. A good point, though, I'll look at the open source
| options....
| autoexec wrote:
| Samsung's own privacy policy and those of the 3rd parties
| they use. It's been over a year and checking now some things
| have already changed, but if you click on the gear icon from
| within the keyboard you can select "about samsung keyboard"
| which should give you a list of policies including giphy and
| tenor (both used for gifs I guess) but i didn't even check
| those. The one you want is the legal info which tells you
| that in addition to samsung's privacy policy (which outright
| says it's collecting and selling everything it can get their
| hands on (see
| https://www.computerworld.com/article/3514999/samsung-
| sellin...) you also have to accept the policy of a 3rd party
| called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their
| privacy policy which opens in the browser. They collect and
| store things like "your choice of words, speech and writing
| patterns, how you use your keyboard, custom words you add, the
| number of characters you type, your typing speed, etc. and they
| share (read sell) that data to affiliates, subsidiaries,
| vendors, subcontractors, etc (pretty much anyone they feel
| like). They specifically state they use this data to draw
| inferences reflecting your characteristics, behavior,
| abilities, preferences and aptitudes all of which they can
| sell to anyone at any time without even telling you about it
| because what they learn about you by going over all your data
| is their data and they don't have to tell you anything at all
| about what they do with their data.
| zibzab wrote:
| They specifically ask you when something like that is being
| used.
|
| And I don't think giphy or others are receiving your
| emails. This is probably just usage stats, but someone
| needs to check that.
|
| Windows 10 start menu on the other hand sends every
| keystroke to bing. You cannot turn it off either
| nimbius wrote:
| https://play.google.com/store/apps/details?id=org.dslul.open...
|
| OpenBoard is a 100% foss keyboard based on AOSP, with no
| dependency on Google binaries, that respects your privacy.
| ByteWelder wrote:
| Alternatively, you can just disable internet access to any of
| the keyboards via 'Settings' > 'Apps and notifications'.
| hbcondo714 wrote:
| Thanks for this, just installed it and when I click to enable
| in my settings, I get an Attention message:
|
| "OpenBoard may be able to collect all the text you type,
| including personal data such as passwords and credit card
| numbers"
|
| This appears to be from Samsung, trying to deter users from
| using keyboards other than their own.
| commoner wrote:
| That's a generic warning that shows up on all flavors of
| Android, including AOSP and LineageOS, when you enable any
| new input method.
| autoexec wrote:
| I'm glad they let people know it's possible, a keyboard
| isn't something you should install without some careful
| consideration because they can be used as keyloggers. I
| just wish they'd been as clear about that with the keyboard
| already installed on the phones when they ship. Anyone
| seeing that warning might easily think it's safer not to
| replace their stock keyboard even though it's already doing
| the very thing they fear a new keyboard might do.
| yc12340 wrote:
| > a keyboard isn't something you should install without
| some careful consideration because they can be used as
| keyloggers
|
| To be frank, Android should not allow input methods
| access to internet/filesystem in the first place. But
| that would have hindered Google's own keylogger, so...
| thaumasiotes wrote:
| I use Google Pinyin Input. (Which seems to have been
| deprioritized or something, but still...)
|
| The general shape of input methods that let you produce
| Yi Zi is that you provide some type of input that hints
| at the character(s) you want, the input method displays a
| menu of options that match your input, and you select the
| correct option from the menu. For example, if I'm using
| pinyin entry and I type `shi`, I can choose from Shi ,
| Shi , Shi , Shi , Shi , Shi , Shi , Shi , Shi , Shi , Shi
| , Shi , ......, which are all pronounced shi. (And heck,
| those are just the top 12 suggestions. They mean things
| like "ten", "be", or "stone". The `shi`s go on for
| several pages.)
|
| You can enter more than one character at once. If I type
| `bhys`, I'll see the suggestion Bu Hao Yi Si ("sorry").
|
| The presented options are chosen based on what the input
| method predicts I'm most likely to want. They are
| context-sensitive -- the order of suggestions will change
| depending on what I typed just beforehand -- and the
| likelihoods and the phrases are collected from what
| people elsewhere in the world type. Suggestions can be
| quite current! Without an internet connection, this would
| be a much worse experience; the predictions would be
| wrong or useless much, much more often.
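The sub-thread above turns on whether an input method can reach the network or the filesystem. As an added example (not from the thread, the paper, or any keyboard named here), this Python check reads a decoded AndroidManifest.xml and reports whether the package is an input method and whether it also requests `android.permission.INTERNET` or external-storage permissions. The three manifests, their package names and the verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android attributes (android:name, android:permission, ...) live in this namespace.
A = "{http://schemas.android.com/apk/res/android}"

IME_ACTION = "android.view.InputMethod"                  # intent action an IME service handles
IME_BIND_PERMISSION = "android.permission.BIND_INPUT_METHOD"
NETWORK_PERMISSION = "android.permission.INTERNET"
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def audit_manifest(xml_text):
    """Return a small report on IME services and the data channels the app requests."""
    root = ET.fromstring(xml_text.strip())

    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(A + "name")
            if name:
                requested.add(name)

    ime_services = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if IME_ACTION in actions:
            ime_services.append({
                "name": svc.get(A + "name"),
                # A well-formed IME service requires this so only the system binds to it.
                "system_only_binding": svc.get(A + "permission") == IME_BIND_PERMISSION,
            })

    # Packages signed with the same key that declare the same sharedUserId run
    # under one UID, so a permission may come from a sibling package instead.
    shared_uid = root.get(A + "sharedUserId")

    if not ime_services:
        verdict = "not-an-ime"
    elif NETWORK_PERMISSION in requested:
        verdict = "ime-with-network"
    elif shared_uid:
        verdict = "ime-review-shared-uid"
    else:
        verdict = "ime-no-network-permission"

    return {
        "package": root.get("package"),
        "ime_services": ime_services,
        "storage": sorted(requested & STORAGE_PERMISSIONS),
        "shared_user_id": shared_uid,
        "verdict": verdict,
    }


# --- Constructed sample manifests (hypothetical packages) ---
_SERVICE = """
  <application>
    <service android:name=".KeyboardService"
             android:permission="android.permission.BIND_INPUT_METHOD">
      <intent-filter><action android:name="android.view.InputMethod"/></intent-filter>
    </service>
  </application>
"""

OFFLINE_IME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.offlinekeys">
  <uses-permission android:name="android.permission.VIBRATE"/>
""" + _SERVICE + "</manifest>"

NETWORKED_IME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cloudkeys">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
""" + _SERVICE + "</manifest>"

SHARED_UID_IME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oemkeys"
          android:sharedUserId="com.example.oem.shared">
""" + _SERVICE + "</manifest>"


if __name__ == "__main__":
    for sample in (OFFLINE_IME, NETWORKED_IME, SHARED_UID_IME):
        report = audit_manifest(sample)
        print(report["package"], "->", report["verdict"], report["storage"])
```

A clean result only says the package itself does not request the permission; it says nothing about data handed to another app or about code in the platform's own input framework.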
| tjpnz wrote:
| Looked promising until I noticed that Japanese isn't an
| option (despite practically every other language being
| listed).
| autoexec wrote:
| Once I realized what samsung was doing I switched to
| AnySoftKeyboard and I'm pretty happy with it. It's got a lot
| of options.
|
| https://f-droid.org/en/packages/com.menny.android.anysoftkey...
| ignoramous wrote:
| One may replace the keyboard, but the underlying "input
| method" framework is still under OEM's (in this case,
| Samsung's) control: That is (afaik), they could key-log
| just fine regardless of whatever keyboard one may install /
| use.
| brodock wrote:
| I've tried both AnySoftKeyboard and OpenBoard, and liked
| OpenBoard's layout better but wanted the SwiftKey-like support
| from AnySoftKeyboard. Looking at Reddit's fossdroid I
| discovered the one that fitted me better, as something closer to
| OpenBoard with SwiftKey support: FlorisBoard
| commoner wrote:
| FlorisBoard is really nice. Among all of the FOSS Android
| keyboards, I've found the gesture typing on FlorisBoard
| to be the most accurate.
|
| https://github.com/florisboard/florisboard
| padraic7a wrote:
| Thanks, I'll check that out.
|
| I've been using Swiftkey since before Microsoft bought it,
| and really enjoying it.
|
| I know I shouldn't be surprised but I feel really betrayed
| that they use it to track app usage and link it to IMEI and
| the Google advertising id.
| aqfamnzc wrote:
| I was also a long-time fan of Swiftkey, and switched to
| OpenBoard a few months ago. The main differences are lack
| of swipe input which I miss dearly, and slightly less
| intuitive correction. I think since switching I've put a
| little more effort into being more accurate which has
| helped.
| nazgulsenpai wrote:
| FlorisBoard is another open source keyboard project that
| has experimental support for gesture/swipe typing. It
| requires a bit more accuracy than spyware keyboards but
| might be worth a try.
|
| https://f-droid.org/en/packages/dev.patrickgold.florisboard/
| SV_BubbleTime wrote:
| There are lines in the sand, and a default key logger sending
| data to undisclosed third parties should be a pretty easy one
| everyone can agree on.
| atatatat wrote:
| This isn't the sort of news that wins on people's Facebook or
| Instagram feeds.
| frankenst1 wrote:
| > Last I checked the default keyboard samsung installs on their
| phones was collecting what you typed and sharing/selling that
| data with third parties.
|
| How did you check? Do you have a source/link?
| autoexec wrote:
| as stated elsewhere:
|
| Samsung's own privacy policy and those of the 3rd parties
| they use. It's been over a year and checking now some things
| have already changed, but if you click on the gear icon from
| within the keyboard you can select "about Samsung keyboard"
| which should give you a list of policies including Giphy and
| Tenor (both used for gifs I guess) but I didn't even check
| those. The one you want is the legal info which tells you
| that in addition to Samsung's privacy policy (which outright
| says it's collecting and selling everything it can get their
| hands on (see
| https://www.computerworld.com/article/3514999/samsung-sellin...))
| you also have to accept the policy of a 3rd party
| called Nuance which they use for "language data".
|
| The wall of legal text there eventually links to their
| privacy policy which opens in the browser. They collect and
| store things like "your choice of words, speech and writing
| patterns, how you use your keyboard, custom words you add, the
| number of characters you type, your typing speed, etc." and they
| share (read sell) that data to affiliates, subsidiaries,
| vendors, subcontractors, etc (pretty much anyone they feel
| like). They specifically state they use this data to draw
| inferences reflecting your characteristics, behavior,
| abilities, preferences and aptitudes all of which they can
| sell to anyone at any time without even telling you about it
| because what they learn about you by going over all your data
| is their data and they don't have to tell you anything at all
| about what they do with their data.
| MattGrommes wrote:
| It seems worth talking about the fact that it appears to be the
| vendor of the phone putting this kind of snooping in place.
| Blaming Android is missing the real culprit. Like they say in the
| article, we need stronger controls on people's data for whoever
| happens to make the phone's OS.
| closeparen wrote:
| For practical purposes Android is not just the open source
| codebase but also the economic institution, where various
| middlemen get to do sketchy and low-rent stuff in between the
| trusted brand and the consumer. That is the "openness" that
| sets it apart from its competitor.
| brundolf wrote:
| And at the end of the day that's the reason I don't use it
| anymore. It's just the wild-west.
| 3np wrote:
| There's still data sent to Google as part of Android except for
| currently obscure ones like /e/ and Graphene.
|
| It's like a combination of the desktop Windows of the 90s
| (malware preinstalled by vendors) and today (increasing
| surveillance by the OS developers) with Apple (you need to
| basically risk breaking the device and void the warranty to get
| away from it)
| Dutchie2020 wrote:
| Does anyone here have any experience with the /e/OS mentioned in
| the article?
| ForHackernews wrote:
| Yes, I've been using /e/ in daily use for over a year now.
|
| It's pretty good most of the time. It will not satisfy people
| who want/need a truly "hardened" device, but if you are just a
| normal person who wants to feed less data to the ad-tech
| monsters, then it works well.
|
| The default /e/ app store has both FLOSS apps from F-Droid and
| free-as-in-beer proprietary apps mirrored from Google Play
| store. Whether an individual app works well or not depends on
| how tightly coupled it is to Google Play Services
| COGlory wrote:
| I purchased a Samsung Galaxy S9 (in the US) from them. My first
| impression: Everything works. Apps (if it's not on their store,
| which is a mix of F-Droid and other APKs, it's on Aurora),
| Google services works without signing (MicroG), GPS works, OTA
| updates work (with one click).
|
| My biggest complaint is that their App store isn't just
| F-Droid, and their APKs are often out of date by 1-2 weeks. My
| biggest compliment (besides everything just working to the
| point I could recommend it to a relative), is that they are
| active and engaged in their community, regularly reading their
| forum, soliciting feedback, and posting weekly updates.
|
| https://community.e.foundation/t/week-41-development-and-tes...
| Kototama wrote:
| It's rather good and at some point they managed to have a release
| for my previous phone model when LineageOS stopped!
|
| I used it without their cloud services. Some of the pre-
| installed apps cannot be removed (like email, pdf readers)
| which is slightly annoying. They have their own
| launcher/desktop but it's not that good, it even crashes from
| time to time.
|
| Last time I checked, it was not super transparent which non-
| FOSS store they used.
|
| Overall I think the experience with LineageOS is better but /e/
| comes with MicroG so it's practical if you need a few
| proprietary apps.
| ForHackernews wrote:
| > Last time I checked, it was not super transparent which
| non-FOSS store they used
|
| I'm pretty sure that's deliberately opaque because mirroring
| APKs from Play store breaks some ToS somewhere and they don't
| want everyone getting their Google accounts banned.
| hellisothers wrote:
| And yet we have articles that say iOS is similar if not worse and
| people pile in to "both sides" it (1). Why is it I feel it's
| clear that fundamentally iOS favors privacy (for profit) and
| Android eschews it (for profit) yet it's somehow debatable still?
|
| (1) https://news.ycombinator.com/item?id=28819318
| rangerdan wrote:
| iOS is just as bad, if not worse. See
| https://gist.github.com/iosecure/357e724811fe04167332ef54e73...
| JohnWhigham wrote:
| How anyone can say iOS favors privacy with a straight face
| after the CSAM debacle is beyond me.
| mattnewton wrote:
| Is it possible the feeling is at least in part the result of
| marketing? Not trying to be inflammatory, but apple does spend
| a lot of money running excellent ads about how iPhones are
| private.
| margalabargala wrote:
| Do you have any evidence the iOS operating system is better in
| any significant way? The article you linked focused on the apps
| available in the store, not the phone OS itself (which is what
| this article is about).
| hellisothers wrote:
| Apps draft off what the OS allows, iOS keeps adding features
| at the OS level (do not track, "app tracking health" metrics,
| advertising opt out, etc). At best Android grudgingly offers
| some of this after the fact, at worst does what this article
| offers.
| margalabargala wrote:
| What the OS allows for third-party apps and what the OS
| allows for the software of the manufacturer are completely
| different.
|
| This article is about Samsung's OS sending data to Samsung,
| Google's OS sending data to Google, etc. All of this data
| is fairly above and beyond what would be available to an
| app on any of the mentioned operating systems. Just because
| iOS disallows apps from collecting certain classes of data,
| does not mean it does not collect that same data to send to
| Apple.
| KennyBlanken wrote:
| Nevermind that iOS provides an _extensive_ list of system-
| level data collection toggles. Don't want to contribute
| traffic data? Done. Don't want to contribute cellular/wifi
| location data? Done. Don't want your phone collecting data
| about what stores you visit and when? Done.
|
| With Android, you don't have a choice for _any_ of that. It
| just does it. Google Maps constantly slurps up every bit of
| location related information it can, whether you like it or
| not.
|
| iOS even allows for forcing apps to only have access to
| coarse location data - it's off by a few miles - as well as
| only granting location data when the app is actually in
| use. Also options you don't get with Android.
|
| The only thing I miss after switching: Android allowed for
| controlling not just cellular data but _background_ data.
| shkkmo wrote:
| iOS collects and transmits all MAC addresses on the local
| network even with location services off, there is no way to
| disable this:
|
| > iOS shares with Apple the handset Bluetooth UniqueChipID, the
| Secure Element ID (associated with the Secure Element used for
| Apple Pay and contactless payment) and the Wifi MAC addresses
| of nearby devices e.g. of other devices in a household of the
| home gateway. When the handset location setting is enabled
| these MAC addresses are also tagged with the GPS location.[0]
|
| [0] https://www.scss.tcd.ie/doug.leith/apple_google.pdf
|
| So the answer is clearly that while they are both bad for
| privacy with the default configuration, some Android devices
| provide more control over the device and thus options for
| disabling telemetry.
| smoldesu wrote:
| If iOS were an open-source project, we wouldn't need to spend
| so long speculating what code is running on the devices that we
| own.
| commoner wrote:
| One area that iOS can improve on is the linking of app
| downloads to Apple IDs. I don't want every app I've ever
| downloaded on iOS to be permanently recorded in my Apple ID.
| With Android, I can use Aurora Store or sideload apps that were
| originally published on the Play Store without needing a Google
| account at all. Apple should implement a way to anonymously
| download free apps, whether from the App Store or from
| elsewhere.
| johnthuss wrote:
| I don't think this is news to anyone (in general), but it is
| increasingly becoming the differentiating factor between Android
| and iOS.
|
| Apple is all-in on customer privacy and Google hasn't really been
| able to respond on that front since their business model depends
| on targeted advertising based on data collected about their
| users.
|
| The question is whether regular people really care about privacy
| more than they do about the price of a phone. And so far it seems
| that the lower priced phones are winning.
| Tenoke wrote:
| Price and privacy are hardly the only differentiating factors
| between the two. And even if they were, those who care most
| about privacy have more options on Android at the extreme end.
| a_imho wrote:
| Wasn't CSAM the hot topic just a couple of weeks ago?
| BiteCode_dev wrote:
| Apple is just better at pretending to be all in.
|
| They were part of PRISM.
|
| They recently added a systematic scan, compare and report
| routine to all your pictures.
|
| They force you to tie your phone to an Apple account just to
| use it. My android phone doesn't have an account, or even an
| email linked to it.
|
| Apple now has an entire mesh network of BT devices constantly
| looking up each other, even if some of them are not connected
| to internet.
|
| The microphone on the Apple device is always on, to answer to
| hey siri.
|
| Finally, you can't install a real alternative browser on iOS,
| so no real privacy addons.
|
| They make big claims about privacy nobody can check because
| everything is closed source. So you have to just trust them.
|
| "But apple doesn't have an ad business"
|
| Oh but they do. And they don't have to play by their own rules
| in the app store, and have the right to track users, gather
| device information, location, etc. Fun thing is, they start
| the list of information they collect
| (https://www.apple.com/legal/privacy/data/en/apple-advertisin...)
| by stating "Apple-delivered advertising helps
| people discover apps, products, and services while respecting
| user privacy".
|
| I don't think they are any better, just different. And better
| at PR.
| EastOfTruth wrote:
| > They were part of PRISM.
|
| Isn't that still a thing?
| chuckee wrote:
| > The question is whether regular people really care about
| privacy more than they do about the price of a phone. And so
| far it seems that the lower priced phones are winning.
|
| To find that out, the privacy intrusions would have to be
| advertised as prominently as the price.
| micah94 wrote:
| So is the data collected by Google from Huawei phones a function
| of their OS based on Android 10? I thought Huawei was prevented
| from talking to Google.
| aritmo wrote:
| Android takes snapshots (screenshots) of apps as soon as you
| switch to another app. When you view the app list, it already has
| the last view of each app.
|
| But that the Xiaomi/MIUI Android sends those screenshots back to
| the company is new information.
| WarOnPrivacy wrote:
| > Android takes snapshots (screenshots) of apps as soon as you
| switch to another app.
|
| For the interested, here's info on where those are stored:
| https://android.stackexchange.com/questions/172913/where-doe...
| AuthorizedCust wrote:
| I had a Pixel. That it took a screenshot when I switched apps
| makes sense. It allows the task switcher to open immediately
| and show the most recent state of all my apps. A screenshot of
| some sort is mandatory for the OCR functionality that allowed
| me to select text from these tiles in the task switcher (super
| handy!).
|
| I'm now on iOS 15 on an iPhone 12 Pro Max. I _think_ I've seen
| movement on the tiles in its task switcher, so I'm not clear if
| it takes screenshots. But the fact that the task switcher opens
| with no delay suggests that screenshots might be used?
|
| I'm only defending taking screenshots. Transmitting them to
| other parties is problematic.
| rootusrootus wrote:
| > I think I've seen movement on the tiles in its task
| switcher, so I'm not clear if it takes screenshots.
|
| In my experience, it seems like only the app you were in when
| you brought up the task switcher continues to update the
| screen. If you go somewhere else, like just back to the home
| screen, it goes static like all the rest.
| marcellus23 wrote:
| This is correct. iOS snapshots the app as soon as it's
| moved into the background, and that snapshot is what you
| see. When you bring up the switcher, the foreground app
| isn't backgrounded yet -- that only happens if you go to
| the home screen or actually switch apps.
| interpol_p wrote:
| If the app is using the Background App Refresh
| entitlements [1] (Background fetch / background
| processing) then it is possible for iOS to update the
| screenshot for the app switcher periodically even when
| the app is in the background
|
| Messages does this, as you will notice that an active
| conversation tends to be up-to-date in the app switcher
|
| [1] https://developer.apple.com/documentation/uikit/app_and_envi...
| numair wrote:
| As I understand it, each iOS application is sort of like its
| own 3D plane within a larger environment, hence why the
| launcher shows up without any lag.
|
| I hope someone can do the work of pasting the original Aqua
| framework overview that's probably still hiding somewhere on
| the Apple website. The manner in which the combination of
| OpenGL (Metal?) and PDF work to render UI and elements on OS
| X and iOS is really quite remarkable. I think even now, 20
| years later, there isn't anything comparable being done by
| Android/Linux or Windows. I would love to be proven wrong,
| however (I haven't followed this closely for the past few
| years).
| kitsunesoba wrote:
| Yeah the iOS multitasking view tracks all the way back to
| windows in OS X 10.5 Expose being actual windows instead of
| snapshots, and the parlor trick of QuickTime player windows
| continuing to play video when minimized to the dock all the
| way back in 10.0 (and perhaps the 10.0 public beta, I
| forget). It's the kind of thing that family of operating
| systems has handled well for a long time.
| nitrogen wrote:
| Compiz and all subsequent compositing managers do the same
| thing for Linux (each app has its own surface in the GPU
| and can be composited in 3D), and I believe the compositing
| in Windows Vista and later is similar.
| FreezingKeeper wrote:
| https://developer.apple.com/library/archive/documentation/Co...
| might be what you're after?
| extr wrote:
| How have you found the transition to iOS? For me, the task
| switcher OCR feature is absolutely killer, one of the main
| things still keeping me on Android. Does iOS have anything
| similar?
| AuthorizedCust wrote:
| I find the Pixel experience to be superior. But I took each
| of the areas where Pixel is better, item by item, and
| scored their value, and came out with a score recommending
| I keep the iPhone:
| https://www.arencambre.com/iphones-are-inferior-to-android-p...
|
| Context: I made that right after I got an iPhone 12 Pro
| Max. It was running iOS 14. iOS 15 may bias the score
| towards Apple even more with the current phone, and iPhone
| 13 biases it a bit more.
|
| I still like Android better.
| marcellus23 wrote:
| iOS 15 now OCRs text across the OS, including screenshots.
| So you can take a screenshot and get OCR'd text from there.
| AuthorizedCust wrote:
| That's more of a process than simply selecting text on
| the task manager tile.
| marcellus23 wrote:
| I guess. You have to hit the screenshot combo and then
| tap the screenshot, versus hitting the app-switcher
| button. Are you doing this often enough for that 1 extra
| step to be a big deal?
| extr wrote:
| For me, yeah this would be a much different experience. I
| use this feature all the time, to select anything from
| the title of a song on Spotify to a phone number embedded
| in an image on the web.
| marcellus23 wrote:
| In the latter case, you could just select the text in the
| image directly. How often do you use this feature per
| day?
| AuthorizedCust wrote:
| I'm increasingly finding great value in reducing
| complexity of simple tasks. I thought the push button
| rear door closer on my minivan was silly, but it came
| with it, so (shrug). I've grown to like it!
|
| Reducing from a few steps plus a major context switch to
| just one step is valuable.
| marcellus23 wrote:
| Where's the context switch?
| aero-glide2 wrote:
| The article doesn't mention screenshots at all.
| jand wrote:
| > System apps on several handsets upload details of user
| interactions with the apps on the handset (what apps are used
| and when, what app screens are viewed, when and for how
| long).
|
| I am too far away from Android development to make any claim
| about what "app screens" are. Is that android-lingo? Could
| someone please clarify?
| Arnt wrote:
| Sounds like an attempt at phrasing for the general public.
|
| Android apps have zero or more activities, each of which
| may be thought of as a single screen and a single Intent,
| which is a bit like a URL (and sometimes very much like a
| URL). A messenger or email app will typically have a main
| activity, an activity to view a single message, an activity
| to view a conversation with someone, perhaps an activity to
| view a single attached image, probably an activity to view
| and edit the application's settings, and so on.
|
| What is sent is perhaps the app's name and a class name
| within the app for each activity that's started.
| dr_kiszonka wrote:
| Exactly right. And you don't have to be a system app to
| access this information. Any app with sufficient
| permissions granted explicitly by a user can access these
| data (no root needed), and it may have legitimate reasons
| for doing it.
| alickz wrote:
| It sounds a lot like the screen events Firebase reports (a
| library by Google for analytics, among other things)
|
| It allows you to know which screens a user views, but not
| the data on the screen. A pseudo-example would be like
| "User opened LoginScreen/LoginActivity at yyyy-mm-dd and
| stayed on that screen for X seconds"
|
| Not an actual screenshot of said screen
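The comments above describe the telemetry as a package name plus an activity class name per screen, with timestamps. As an added example (not from the paper or from any vendor's telemetry), this Python code turns such events into "which screen, when, and for how long" records and contrasts them with a coarsened form. The events, package names and class names are constructed, and the two event codes assume records shaped like Android's `UsageEvents.Event` `ACTIVITY_RESUMED` (1) and `ACTIVITY_PAUSED` (2).

```python
from collections import defaultdict, namedtuple

ACTIVITY_RESUMED = 1   # assumed to mirror UsageEvents.Event.ACTIVITY_RESUMED
ACTIVITY_PAUSED = 2    # assumed to mirror UsageEvents.Event.ACTIVITY_PAUSED

Session = namedtuple("Session", "package activity start_ms seconds")

# Constructed events: (timestamp in ms since epoch, event type, package, activity class)
EVENTS = [
    (1633971600000, 1, "com.example.bank", "com.example.bank.LoginActivity"),
    (1633971612000, 2, "com.example.bank", "com.example.bank.LoginActivity"),
    (1633971612000, 1, "com.example.bank", "com.example.bank.OverdraftWarningActivity"),
    (1633971657000, 2, "com.example.bank", "com.example.bank.OverdraftWarningActivity"),
    (1633971660000, 1, "com.example.health", "com.example.health.SymptomCheckerActivity"),
    (1633971900000, 2, "com.example.health", "com.example.health.SymptomCheckerActivity"),
    # Log ends before the matching pause arrives.
    (1633972000000, 1, "com.example.bank", "com.example.bank.LoginActivity"),
]


def screen_sessions(events):
    """Pair resume/pause events per (package, activity) into timed sessions."""
    open_at = {}
    sessions = []
    for ts, etype, pkg, cls in sorted(events, key=lambda e: e[0]):
        key = (pkg, cls)
        if etype == ACTIVITY_RESUMED:
            if key in open_at:
                # Two resumes in a row: the first one's duration is unknown.
                sessions.append(Session(pkg, cls, open_at[key], None))
            open_at[key] = ts
        elif etype == ACTIVITY_PAUSED:
            start = open_at.pop(key, None)
            if start is None:
                continue  # pause without a resume: the log started mid-session
            sessions.append(Session(pkg, cls, start, (ts - start) / 1000.0))
    # Screens still open when the log ends have no known duration.
    for (pkg, cls), start in open_at.items():
        sessions.append(Session(pkg, cls, start, None))
    return sorted(sessions, key=lambda s: s.start_ms)


def dwell_by_screen(sessions):
    """Total seconds per (package, activity), ignoring sessions of unknown length."""
    totals = defaultdict(float)
    for s in sessions:
        if s.seconds is not None:
            totals[(s.package, s.activity)] += s.seconds
    return dict(totals)


def coarsen(events, bucket_ms=3600 * 1000):
    """A less revealing record: package only, timestamp rounded down to the hour."""
    return {(ts - ts % bucket_ms, pkg) for ts, _etype, pkg, _cls in events}


if __name__ == "__main__":
    for (pkg, cls), secs in dwell_by_screen(screen_sessions(EVENTS)).items():
        print(f"{cls.rsplit('.', 1)[-1]:28s} {secs:6.0f} s")
    print(sorted(coarsen(EVENTS)))
```

No screen contents are involved, yet the class names and durations alone show a 45-second overdraft warning and a four-minute symptom check; the coarsened form keeps only which two apps were used in that hour.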
| scns wrote:
| The /e/ foundation has a visualization here [0]. Better viewed in
| landscape on mobile. Even iPhone users should take a look at it
| IMO.
|
| [0] https://e.foundation/about-e/#why-/e/
| jpm_sd wrote:
| What is the actual value of all this privacy invasion? Is the
| data even useful to anyone? Or is it just getting collected
| endlessly for no reason?
| dylan604 wrote:
| To the people collecting the data that can sell it, it is
| useful only in that someone will buy it. Once it is sold, they
| don't care one bit about how/where/why it is used.
| criddell wrote:
| Where can you buy it?
| jpm_sd wrote:
| But are the third parties buying the data actually getting
| anything useful out of it?
| dylan604 wrote:
| I'm not sure why you'd think it's not useful to someone
| somewhere.
|
| Game devs see how much time you play games, what type of
| games, if you purchase IAPs, etc. News feed apps sell what
| kind of news stories you read/follow/subscribe. Commerce
| apps sell what kind of things you buy, the prices you pay,
| the items you look at but don't buy etc.
|
| From all of that "metadata", one can build up a profile
| about you that's pretty accurate. If you can't imagine why
| that is useful to someone, then I'd posit you're not trying
| hard enough.
| streamofdigits wrote:
| How far are we from a phone that: ships fully formed - no
| flashing and stuff, has reliable supply chain and production, is
| open source only, usable on a daily basis (stable, normal battery
| life, all basic apps, easy upgrades) and ideally repairable /
| recyclable as much as possible?
|
| I would leave "high-end" specs and price constraints out of scope
| to make this a reality sooner than later.
|
| There are several contenders and combos /e/, lineageOS,
| pinephone, fairphone etc and I wish them all godspeed (also other
| small efforts out there I am not aware of), but it's not clear
| which one is ready for just the simple, honest, society and
| environment friendly mobile computing that we should have had all
| along and it is really a crime that we don't.
| jmnicolas wrote:
| Far in never. There's no (real) money to be made, manufacturers
| don't care.
|
| I use GrapheneOS. It's rough but at least it gives me peace of
| mind.
| streamofdigits wrote:
| Why is there no money to be made? I would at least pay to buy
| the hardware and possibly for ongoing software support as
| well (depending on how they structure such support or any
| other "soft" features). E.g. I think it's a jolly good idea if
| somebody really checked for a living all those open source
| apps.
|
| In any case if there is really no viable business model for
| private mainstream mobile computing we have been duped big
| time: This is not a consumer device, it is track-and-trace
| machinery.
| xondono wrote:
| > Why is there no money to be made?
|
| Because we don't really know how much hardware costs
| anymore. Most hardware you buy is subsidized in one way or
| another through data collection, from phones to TVs.
| Building stuff is very capital intensive, and the world
| changes very rapidly. And most people don't really care
| about data collection because they don't understand the
| consequences, or they don't care at all (which I find
| baffling). This means you'll be always facing cheaper
| competition. It's very hard to keep a company like that
| afloat.
| streamofdigits wrote:
| this is plausible (and very worrisome if really true). We
| are not talking about an aspirational consumer device, it
| is already the case that you are being cutoff from
| regular life / the economy without one.
|
| Incidentally, I don't buy the "people don't care"
| argument. First of all, people _do_ care. There is
| massive legislation in the EU (which represents half a
| billion people) towards data privacy. They are not freaks
| - well informed people obviously care about privacy. This
| touches also companies / commercial privacy and states
| (data sovereignty etc). But it is true that large numbers
| around the world are dazed and confused ("don't care") as
| nobody credible (and holding a large mouthpiece) is
| actually warning them.
|
| But if you are right and it's not viable (e.g why did
| blackberry not survive given companies at least should
| appreciate privacy) it is a baffling state to have
| degenerated into.
| xondono wrote:
| > I don't buy the "people don't care" argument.
|
| A lot of very informed people do really _sincerely_ not
| care. A coworker of mine (IT professional) literally told
| me that the fact that his phone is constantly tracking
| him and that he could show me his whereabouts during the
| last week/month on google maps was _a feature_.
|
| A lot of people really, truly don't care. It is as baffling
| to me as it is to you.
| techrat wrote:
| > Why is there no money to be made?
|
| Not enough people care to use cut rate hardware that
| actually conforms to the 'wholly open' philosophy. Even
| Stallman couldn't maintain using fully open hardware. He
| had to switch to a Thinkpad with Coreboot.
|
| People have expectations when using devices as complex as a
| phone or laptop to where, compared to even a desktop with
| Linux, having a smartphone that is fully open comes with
| serious drawbacks.
|
| You could always get a LibrePhone or a Pinephone but you
| probably won't enjoy the experience.
| streamofdigits wrote:
| well, "fully open" is just an ideal. I think I could live
| with proprietary bits that are not involved in the
| private data trade.
|
| it doesn't have to be "cut rate". I left the specs/price
| point open for that reason. But indeed thinking of it as
| a tool, not as a trend-following gadget with 12 cameras
| and the screen size of a laptop.
|
| Just interested to see whether this approach is viable.
| techrat wrote:
| > Just interested to see whether this approach is viable.
|
| Spoiler alert: It's not. The better SOCs end up becoming
| more proprietary because it's the companies' own
| implementations that make them perform better. That leads
| to proprietary drivers/software.
| PeterisP wrote:
| In order to have a reasonable, stable supply chain at all,
| you need quite large scale; and even then your phone would
| have much smaller scale than the mainstream competitors and
| so would be significantly more expensive than their
| models with similar hardware, both because it's targeting a
| niche and also because all this tracking&targeting does
| result in some revenue stream for the manufacturers.
|
| It indeed is a jolly good idea if somebody really checked
| for a living all those open source apps, however the math
| works out only if you allocate the salary of those people
| over a million phones, not if you have only 10000
| customers.
|
| Perhaps _you_ would actually be willing to pay a large
| premium for that, but the vast majority people are not.
| Perhaps a meaningful number of people would be willing to
| pay a _small_ premium like 10-20%? But that's not what's
| reasonably achievable, the differences are much larger as
| soon as you go off mass market production or start needing
| software modifications which are a large fixed cost that is
| cost-effective only if you're distributing it over very
| many phones.
|
| There have been many companies in the past which have found
| out the hard way that few people really care about privacy
| _that_ much (or they care but can't really afford much,
| which has the same effect), but for a recent example, you
| can look at the troubles of Librem 5; IMHO it's trying to
| do similar things, but its price/performance is suffering
| because of that and you be the judge whether their business
| model looks viable. And if you want a _trustworthy_ supply
| chain, then your (already high) costs literally double,
| again, Librem 5 "USA" model is an example of that - a $2k
| phone where the _core_ functionality (excluding the
| privacy) is essentially the same or worse as a $200 phone
| from a Chinese brand.
| streamofdigits wrote:
| you sketch a good frame to help think about this
| challenge holistically. the list of failed initiatives is
| by now so large it almost gives you a statistical sample
| of factors to take into account (I contributed a data
| point once - one of the <10K firefox-os/zte users :-(
|
| but somehow the numbers could/should add up at some
| point. If you think (ballpark) a billion devices in
| circulation and assume that 1-in-1000 people has a
| combination of awareness and ability to afford a private
| / open source device, that is your 1M right there.
|
| this should be a very conservative estimate. it assumes
| that people (more precisely those who claim to represent
| their best interests) will continue with the inexcusable
| practice of governments "not interfering" with the
| "market" (in quotes because it is not a real market when you
| have two options). While some governments slowly take
| legislative steps in the data privacy space, I have never
| seen any actual _warning_ from official lips about
| privacy (the way they warn about assuming financial risk,
| being overweight, drunk driving, not getting vaccinated
| etc).
|
| maybe the current business model only stands due to the
| "subsidy through silence"?
| thrtewgg66 wrote:
| there was a mass market sailfish phone in India but it was a
| flop. of course it has Android emulator that used to send just
| as much crap out as the original... but at least you could stop
| that.
| pjmlp wrote:
| Nothing that appeals to general public, OpenMoko was released
| in 2006.
| COGlory wrote:
| This has been my experience with e os. Everything just works
| joemazerino wrote:
| Always mind blowing. I recall a video from Copperhead showing the
| difference between a gApps enabled phone vs no-gApps.
|
| https://m.youtube.com/watch?v=zemRALtU4OY
| dont__panic wrote:
| Does anybody know if alternatives like GrapheneOS + microG
| mitigate these issues? Or should I just switch back to a 2005
| flip phone at this point?
| bennettnate5 wrote:
| It definitely helps--the vast majority of snooping comes from
| Google Play Services, so options like GrapheneOS + microG or
| CalyxOS resolve that issue quite nicely. They also have app-
| specific firewall abilities, so you can disable background or
| foreground network connectivity on any app you're suspicious
| of.
| dont__panic wrote:
| Thanks! I'm still using an old iPhone SE (2016) as my daily
| driver, but sooner or later iOS support is going to drop and
| I'll have to find a decent upgrade path. Considering my size,
| headphone jack, and fingerprint reader preferences, I think
| the Pixel 4a is the only device that seems viable to me on
| the market today... hopefully I'll still be able to pick one
| up in a year or two and slap GrapheneOS on it.
| deathjester wrote:
| I think it's a bit misleading to say Lineage OS sends data,
| because it doesn't. It's just the GApps installed with Lineage OS
| that sends data to Google. But you don't need to install GApps,
| then it doesn't send anything just like /e/OS does...
| thastings wrote:
| This is the exact thing I was wondering about. As far as I
| understood, they flashed GApps, even though GApps is not part
| of the default installation. I wonder what the findings
| would've been like on LineageOS without the GApps.
| salusinarduis wrote:
| I use GrapheneOS and LineageOS without Google Play Services. They
| are great and are suitable replacements for Apple and Google.
|
| - Osmand(FOSS) for maps (supports being fully offline!)
|
| - Signal and Discord for messaging (Discord is sandboxed)
|
| - Newpipe(FOSS) for Youtube
|
| - F-droid(FOSS) for my FOSS appstore
|
| - APKmirror for the few non-free apps I need
|
| - Libretorrent(FOSS) and VLC(FOSS) for watching movies
|
| - Firefox(FOSS) and Vanadium(FOSS) for browser
|
| - K9 Mail(FOSS) for email
|
| - Infinity(FOSS) for Reddit
|
| - Secur(FOSS) for 2FA
|
| - Taskkeeper(FOSS) for reminders
|
| Almost everything you need is in the F-droid FOSS app repository.
| It all works, and it works well. You can buy a used Pixel 3a for
| around $80 on Ebay and have a better experience in every category
| than iOS, hardware and software.
| [deleted]
| [deleted]
| websap wrote:
| I hope you have recurring donations set up for all these FOSS
| apps. FOSS still means that developers need to eat.
| websap wrote:
| It's unbelievable that I'm getting downvoted for asking
| people to pay for software on a platform where a large % of
| users are involved with technology. No wonder open source
| based businesses are dissatisfied with how they are treated.
| Throwaway808808 wrote:
| Seconded. The downvote button is for comments that detract
| from the conversation, not because somebody disagrees. This
| place is turning into another Reddit.
| _V_ wrote:
| How does "I hope you at least pay for these apps" add
| anything even remotely relevant to the thread about what
| apps someone uses as part of their de-googled phone?
|
| Yeah, developers do need to eat, but this (IMO) snarky
| comment is hardly relevant to the OP.
| websap wrote:
| The way I read this submission is:
|
| 1. Google is tracking you. They track you because they
| need this data to target better ads, this is how they
| make money.
|
| 2. The OP for this comment, says they use FOSS apps to
| get around Google's tracking.
|
| My comment is about - if you are against the idea of
| being tracked from profit, it would be a good idea to
| vote with your wallet to help open source developers get
| paid and to show that there is a viable business model
| for other individual developers.
| krageon wrote:
| At a guess, it may have something to do with how rude the
| original comment was and how you doubled down on that
| rudeness with this one. If you toned it down a little and
| actually spoke to other people as human beings it might
| help you with this problem.
| zibzab wrote:
| I'm going to set up a Liberapay account exactly for this
| purpose
|
| https://en.m.wikipedia.org/wiki/Liberapay
| CountDrewku wrote:
| Just bought a pixel to test lineageOS out. Worth mentioning
| that if you want less Google and still want to use normal
| Android services in the OS you need to install the MicroG
| lineageOS ROM. Otherwise, you're still sending Google a lot of
| info through Gapps or MindTheGapps.
|
| Graphene or lineage without any of those is also an option but
| you'll be missing a lot of the normal everyday apps you use.
| IMO if you're going that far though you might as well just go
| back to a flip phone.
| salusinarduis wrote:
| I don't agree regarding your flip phone comment, that's
| silly. I don't use any form of Google Play Services (No
| OpenGapps or MicroG even) and my phone works completely fine.
|
| The only thing that doesn't work is push notifications, which
| isn't a problem because FOSS apps like Signal bundle their
| own notification system that does not use Google Play
| Services. Discord however, does not get push notifications
| (which I wouldn't want anyway)
| CountDrewku wrote:
| Regardless of what software you put on the phone it is a
| tracking device. It has gps, audio, cameras, and web
| browsers that are all vulnerable to being hacked or used
| for tracking. I signed into gmail via the Bromite browser
| on my Pixel 3a. I immediately received an email from google
| about my new Pixel device. They now know what device I use,
| what browser etc.
|
| I don't care how locked down and FOSS you make your smart
| phone it's not going to be as secure as a dumb phone.
| There's a reason criminals don't use smart phones.
| salusinarduis wrote:
| GrapheneOS constantly spoofs the device's MAC so that
| argument is not valid (I also don't know how a website
| based email client is getting your MAC). It's also
| extremely easy to spoof the device's name. The way they
| are getting that is simply your browser's User Agent, or
| if it's an app, your phone's root properties. There may be
| some other identifying properties about the device they
| can collect though, I agree with you on that.
|
| Also, I agree with your argument about phones being
| tracking devices. Anything with a radio that connects to
| cell towers is going to be logged and tracked in perfect
| detail.
| CountDrewku wrote:
| You're correct about the MAC address. However, the rest
| of the information collected is plenty to build a profile
| of any person.
| snypher wrote:
| If you think Google is adversarial then don't use Gmail;
| It seems strange to avoid using their 'apps' but
| continuing to use their products? I think you just handed
| them that information when you logged into their website.
| CountDrewku wrote:
| >I think you just handed them that information when you
| logged into their website.
|
| Obviously and that's my point. You are not going to avoid
| Google if you use the web. The best you can do is limit
| exposure.
|
| >Google is adversarial then don't use Gmail
|
| This is ignorant and unhelpful. Do you think I just
| decided not to consider that option? I don't have an
| option. I have to use it for work. This is the problem
| with the "don't use it" crowd. Most people are not going
| to get away from the major email provider options. The
| best I can do is sign in via browser or a 3rd party app.
| pessimizer wrote:
| > Obviously and that's my point. You are not going to
| avoid Google if you use the web. The best you can do is
| limit exposure.
|
| That couldn't have been your point. It's very easy to
| avoid having a gmail account.
|
| > This is ignorant and unhelpful.
|
| People here don't know you personally, or your needs.
| Most people don't need gmail for work. If your job
| requires you to use google products, it's going to be
| difficult for you to avoid google. But, again, your
| situation is not representative of the vast majority of
| people.
| CountDrewku wrote:
| >That couldn't have been your point. It's very easy to
| avoid having a gmail account.
|
| Did you miss the part where I told you we have Google
| Workspace (GSuite) and I have to use it for work? What
| part of getting rid of that is easy? I cannot stop using
| it end of story.
|
| >People here don't know you personally, or your needs.
| Most people don't need gmail for work.
|
| I feel like you're not aware of the fact that Gmail is
| used in corporate environments through Google Workspace.
| You need to research before spouting off stuff that's
| obviously misinformed. It's a direct competitor to Office
| 365 and MS Outlook servers.
|
| https://www.cnbc.com/2020/04/07/google-g-suite-
| passes-6-mill...
| fomine3 wrote:
| Do those companies accept login G Suite account on custom
| ROM?
| snypher wrote:
| I don't think it's fair to say I was ignorant when you
| only now mention you need it for work. You could use a second
| handset, or try asking your employer to move away from
| Google products, or even find a new employer. There's
| plenty of options here.
|
| If you say that the best you can do is limit exposure,
| then do that!
| dont__panic wrote:
| Consider Fennec instead of Firefox -- I just switched
| yesterday, and I _think_ the only difference is that Fennec is
| usually a couple of versions behind because it removes some
| Mozilla crapware.
| colordrops wrote:
| What about Firefox Focus? It's private by default and VERY
| unbloated. The ephemeral nature of sessions also forces me to
| not leave a hundred tabs open.
| salusinarduis wrote:
| Does it support extensions? I can't go anywhere without
| uBlock Origin :D
| COGlory wrote:
| It does
| dont__panic wrote:
| There's a workaround to support pretty much any FF
| extension at this point -- but you have to create a
| "collection" with your firefox account and then point your
| Android FF install at that collection. Not too hard, but a
| little bit of a PITA. If you're like me and maintain the
| same couple dozen extensions on every FF install, though,
| it actually works pretty well.
| aqfamnzc wrote:
| FWIW, Mozilla has worked with devs of some popular
| extensions to get them working on "new" mobile FF,
| including uBo.
| commoner wrote:
| Nowadays, Fennec F-Droid is usually on the same version as
| the release channel of Firefox, or at most a version behind
| for a week or so.
|
| https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/
|
| Fennec also lets you install any add-on from
| addons.mozilla.org through a tedious process,* which is still
| an improvement over Firefox release/beta on Android. The only
| channel of Firefox that supports this process on Android is
| the nightly channel.
|
| * https://blog.mozilla.org/addons/2020/09/29/expanded-
| extensio...
| _V_ wrote:
| What do you use as Dialer/SMS/Contact app?
|
| I tried to switch myself from iPhone and almost everything was
| OK but these were the worst to get right... I ended up using
| suite from Tibor Kaputa (Simple Dialer etc) but I ran into some
| rather annoying issues.
|
| Also, do you use phone recording? This was actually my breaking
| point, because I have an iPhone w/ jailbreak that enables me to
| record phone conversations (for my use only, not trying to get
| into the legal discussion). I did not find _anything_ for
| GrapheneOS (or Android in general) - just some info that I need
| to root my phone to get this working and with that I just
| reverted to my jailbroken iPhone.
| commoner wrote:
| The only functional FOSS call recording app for Android that
| I'm aware of is the Call Recorder app on F-Droid:
|
| - Call Recorder: https://f-droid.org/en/packages/com.github.a
| xet.callrecorder...
|
| To use this app, you'll need to root your phone using
| Magisk[1] and then install the Magisk module for Axet's Call
| Recorder.[2] Then, upgrade the Call Recorder app to the
| latest version in F-Droid. Note: do not enable "System Mixer
| Incall Recording" in Call Recorder, since it is not needed
| and may cause issues with recording.
|
| [1] https://github.com/topjohnwu/Magisk
|
| [2] https://github.com/Magisk-Modules-Repo/callrecorder-axet
|
| The default dialer and contact apps are both FOSS and
| functional, so I never felt the need to replace them. Signal
| can take over as the default SMS/MMS app, and there are
| alternatives with more features such as QKSMS:
|
| - QKSMS: https://f-droid.org/en/packages/com.moez.QKSMS/
| doc_gunthrop wrote:
| FairEmail is also a nice open-source, privacy-focused email
| client available on F-droid.
|
| https://f-droid.org/en/packages/eu.faircode.email/
| commoner wrote:
| FairEmail is really great, almost as fully featured as
| Thunderbird with the best support for multiple
| accounts/identities that I've seen on Android so far. The
| developer asks for a small donation to unlock a few advanced
| features,* which I recommend doing.
|
| * https://email.faircode.eu/donate/
| jonstaab wrote:
| Feeling quite smug about switching to CalyxOS earlier this week.
| ruph123 wrote:
| Same. It feels like the "have the cake and eat it" situation
| for me who switched over from iOS.
|
| I was worried that some apps might not work but that is not the
| case. Everything from banking apps to password managers just
| works fine with the only exception being NPR One (which is
| hilarious).
|
| They are really doing an outstanding job and I do not miss
| anything on here besides an Apple/Google Pay NFC solution. But
| that is quite ok.
| bennettnate5 wrote:
| Definitely on this boat. CalyxOS feels like it strikes a good
| balance between security/privacy and practical usability--the
| locked bootloader and app-specific firewall options are a huge
| plus, while MicroG ensures that I can still use every app I
| used to with the old Pixel-specific OS without ceding all of my
| data to Google Play Services.
|
| Invariably people bring up the signature spoofing needed for
| MicroG as some huge security hole, but from what I've seen it's
| really a non-issue--CalyxOS has tight restrictions to
| specifically allow only MicroG to use this, it's disabled for
| any other app.
| markenqualitaet wrote:
| Can I expect CalyxOS to support the Pixel 6 rather soon? Is
| e.g. camera performance dependent on closed source Google
| code/firmware? What are the limitations there?
|
| I was going for GrapheneOS, but tbh seeing that one main
| developer's personality issues turned me off big time. I don't
| care about technical advantages, if I have to trust in that
| guy's impulse control. Too small a project for that.
| xanaxagoras wrote:
| You can expect a dedicated team to start working on it once
| they're able to get their hands on some Pixel 6 devices. They
| don't get them early from Google you know, there's no
| cooperation there. They buy them when they're released just
| like we do, and it hasn't been released yet so work hasn't
| started.
|
| The general attitude towards GCam seems to be... Calyx isn't
| going to ship it but it's generally understood most people
| will be using it. The recommendation I got when I switched
| was to install the apk and disable all network access via
| Datura before I launched it for the first time. That works
| well, the pictures look great too. A recommendation I heard
| after I did that which I will be following next time is to
| extract the gcam apk from your new phone before you flash
| calyx and install that one (to avoid apkmirror or whatever).
| kaba0 wrote:
| GrapheneOS's main dev can come across as paranoid, but it is
| sort of understandable given the history of the project.
| Nonetheless, they are doing a spectacular job and I think
| using GCam with properly set permissions is the best of both
| worlds.
| summm wrote:
| Paranoia is not the problem. The problem is general
| hostility and not being open to other viewpoints and ideas.
| Also I feel some kind of power hunger, which makes me feel
| really uncomfortable surrendering basically full control
| over my phone to these people.
| kaba0 wrote:
| From what I've seen, he gets summoned, and angry when
| things like "Calyx pays great attention to usability,
| while GrapheneOS gives more focus to security at the
| price of usability" gets mentioned, which is just false.
|
| Also, do note that it is indeed a dangerous business --
| false sense of security is the worst. And there are
| plenty of companies taking advantage of people wanting
| something "privacy-oriented".
| markenqualitaet wrote:
| Nah, it's not about having strong options. I've been
| around nerds forever, that doesn't bother me. Yours might
| be the impression on recent HN, but if you look around he
| is all over the place, attacking people on various
| platforms, while promoting some conspiracy narrative;
| derailing, gaslighting and manipulation. Whatever is
| going on with that guy, something is definitely going on.
| He doesn't inspire trust, he probably needs therapy.
| markenqualitaet wrote:
| *opinions. Sorry can't edit.
| Darmody wrote:
| I can't recommend Blokada enough.
|
| It won't solve your privacy problems but sure will block a lot of
| apps from sending info to their masters.
| afrcnc wrote:
| "significant amount of user data" = telemetry to catch and fix
| bugs
|
| something the study doesn't tell you
| kop316 wrote:
| Skimming through the article, they compare a few ROMs from
| significant phone manufacturers, LineageOS with Google Play, /e/,
| and Stock Android.
|
| It seems that LineageOS has GApps installed and /e/ does not
| (presumably since they use MicroG?), so it is looking like for
| LineageOS, it's really Google Play leaking this data.
| jeroenhd wrote:
| > It seems that LineageOS has GApps installed
|
| It doesn't come with GApps installed, you need to flash those
| packages manually. That said, LOS also comes without an app
| store whereas /e/ has a custom F-Droid-compatible store pre-
| installed.
|
| Combining LineageOS and MicroG is kind of hard (relatively),
| because LineageOS enforces signature validation, which MicroG
| needs disabled to properly fake the proper Google APIs. There
| are non-enforcing builds and build instructions available, but
| that's not the default. /e/ seems to have the necessary patches
| enabled by default, which makes using popular apps without
| flashing GApps a lot easier.
| Guest42 wrote:
| Can you recommend a couple phones that are compatible with
| LOS + microg? I looked on their sites and it wasn't quite
| clear
| commoner wrote:
| LineageOS for microG supports all phones that LineageOS
| does. Here's a spreadsheet of the full list along with the
| specs of each device:
|
| https://docs.google.com/spreadsheets/d/1bx6RvTCEGn5zA06lW_u
| Z...
|
| If you want a more specific recommendation, could you
| provide your budget and your requirements?
| Guest42 wrote:
| No budget restrictions although I'd like the ability for
| Bluetooth to run in the background and not go to sleep,
| and ideally ip67 or ip68 water protection.
| commoner wrote:
| All of the LineageOS phones I've ever used have been able
| to maintain a Bluetooth connection in the background.
|
| If you're fine with a used phone, the OnePlus 8 has a
| high-end Snapdragon 865 processor and 8 GB RAM.[1] The
| carrier models have IP68, and unlocked models are
| manufactured similarly but don't have an official IP
| rating.[2] If you're getting the T-Mobile carrier model
| (which may be carrier unlocked at sale), you'll need to
| request a code and wait a week to unlock the bootloader
| before you can flash LineageOS.[3] Used models go for
| $200-300 on eBay depending on condition, and a new
| factory unlocked model is $399.
|
| If you're looking for a new phone, you may want to
| consider the Pixel 5a which manages to have both IP67 and
| a headphone jack for $449 new, but uses a mid-level
| Snapdragon 765G processor paired with 6 GB RAM.[4] The
| OnePlus 9 Pro is also available with a high-end
| Snapdragon 888 processor, 12 GB RAM, and IP68 for $969
| new or about $600-800 used.[5]
|
| [1] https://www.oneplus.com/8
|
| [2]
| https://9to5google.com/2020/04/14/oneplus-8-ip68-water-
| resis...
|
| [3] https://www.oneplus.com/support/answer/detail/op588
|
| [4] https://store.google.com/us/product/pixel_5a_5g
|
| [5] https://www.oneplus.com/9-pro
| Guest42 wrote:
| Appreciate it very much.
|
| To check, do you know whether the bootloader can be
| unlocked without a SIM card with these phones?
|
| I am thinking that the oneplus 8 has plenty of
| horsepower.
| commoner wrote:
| Unlocking a phone is a pain* (at least in the US), so I
| recommend buying one that is already unlocked. For
| example, a listing that says both "T-Mobile" and
| "unlocked" is for a phone that was originally locked by
| T-Mobile when it was sold as a new phone, but was then
| unlocked by T-Mobile before it was listed for sale as a
| used phone. For this type of phone (carrier unlocked),
| you'll just need to request a bootloader unlock code from
| OnePlus, which takes a week.
|
| (Not all manufacturers require a bootloader unlock code,
| but having this option is still better than not being
| able to unlock the bootloader at all.)
|
| And yes, the OnePlus 8 is faster than any Pixel phone
| released so far. It's only a year old after all.
|
| * https://www.digitaltrends.com/mobile/how-to-unlock-a-
| phone-o...
| toastal wrote:
| The irony of this being in a Google Spreadsheet
| dron57 wrote:
| I've been using the Pixel 4a 5G for about 6 months with
| MicroG and Lineage. Works really well. Other than Whatsapp
| and Google Maps I don't miss anything, but those apps have
| alternatives too.
| Guest42 wrote:
| Fantastic!!!!
| commoner wrote:
| If you're trying to combine LineageOS with microG, the most
| straightforward solution is "LineageOS for microG" which has
| everything set up for you:
|
| https://lineage.microg.org
|
| I know of two other Android flavors that have microG
| integrated. /e/ is one of them and CalyxOS is the other.
| rcMgD2BwE72F wrote:
| I've made a complaint to the police and my local privacy
| regulator (in France) more than a year ago, regarding blatant and
| widespread illegal data collection by Google on probably most
| Android devices on Earth. I have not yet heard back from them and
| I doubt they'll even consider this report. Here it is in a
| nutshell.
|
| 1. set up a brand new phone (Pixel, OnePlus or else)
|
| 2. do not connect to a Google account at first or if it is
| required, log out and remove the account as soon as possible
|
| 3. create a contact on your phone with any Contact application
| (with a name, email address and phone number). Do not enable sync
| for this application.
|
| 4. open the Play Store to download any application (e.g one from
| your government). You'll be asked to connect to a Google account
| at this stage, of course
|
| 5. now, try to log into your Google account to download the
| application but *not have Google automatically collect all your
| contacts' details* (stored locally).
|
| You can't!
|
| This is not possible because:
|
| 1. by default, adding the Google account will enable the
| automatic synchronization for all Google-related apps and
| services (incl. Contacts). You can disable this _before_ login.
|
| 2. You cannot stop the sync of these Contacts while connecting
| Google Play to your account. It is done in the background and by
| the time you switch from Google Play (or the login page) to the
| Settings menu of your device, the sync will have started (if not
| completed already).
|
| 3. You cannot do all this in airplane mode obviously, as it's
| impossible to log into a Google account without an Internet
| connection.
|
| This is illegal per GDPR, because at no point you consent to have
| your data collected by Google. Also, Android does not inform you
| of this collection so it's up to you to discover this by browsing
| your device's settings, down a a sub-levels.
|
| It is a massive collection (and fraud) because most people have
| probably a hundred contacts or more on their mobile device. Most
| mobile devices run Android. Google Play is almost impossible to
| avoid nowadays (Twitter, Facebook, Youtube, Whatsapp, Signal,
| Firefox, your bank's app, your employers' apps... they all
| require Google Play and Services to work correctly). Worst, your
| contacts' information isn't yours, but your contacts' too. Google
| simply helps themselves.
|
| With 73% of mobile OS market share, around 99% of Android users
| being probably logged in just to access the Play Store, Google
| probably has collected the names, email addresses, phone numbers
| and lots of private information (birthday dates, home and work
| addresses, employers' names, job titles, digicodes, etc) of every
| person on Earth, and probably more than once. Without asking for
| permission.
|
| This is easy to reproduce, 100% illegal (at least per GDPR),
| everyone is affected and yet, _crickets_.
|
| If you're in the US and believe this is illegal there too, please
| contact a privacy organization or any entity that might do
| something about it, at least if you don't like having all your
| contact details collected by Google without consent.
| Tepix wrote:
| I'm wondering if Nokia phones with Android One are not snitching
| on their users like the others are.
| durnygbur wrote:
| Nokia licensed their mobile brand and now it's some Chinese
| producer slapping the logo on the devices. Probably on par
| with Xiaomi and Huawei.
| summm wrote:
| probably below Xiaomi even: they promised an open bootloader
| once, but broke that promise and every bootloader after that
| was fully locked up.
| commoner wrote:
| I don't think this is accurate. Microsoft acquired Nokia in
| 2014, but then spun off the brand to HMD Global (a new
| Finnish company) in 2017. HMD and Foxconn have a partnership
| in which both companies co-design the Nokia phones that are
| then manufactured by Foxconn in Taiwan.
|
| https://www.anandtech.com/show/10879/hmd-closes-nokia-
| brand-...
| uhtred wrote:
| I use /e/os and have found it to be a great experience.
| https://e.foundation/
| snvzz wrote:
| Companies like Google hold a lot of power over their users.
|
| It's all-or-nothing, and not being part of the Google ecosystem
| is extremely inconvenient as more and more services depend on it.
|
| Only legislation can give power back to the users. It shouldn't
| be necessary to put up with this level of surveillance by big
| corps in order to function in society.
| cute_boi wrote:
| you mean the legislation that forced banks to use google safety
| nets create hindrance in rooting the phone? I really find
| myself in hopeless position these days when Google can do
| anything freely because they have enough cash to lobby
| anything.
| snvzz wrote:
| >the legislation that forced banks to use google safety nets
| create hindrance in rooting the phone?
|
| You're saying some legislation made SafetyNet a legal
| requirement?!
|
| You should try and elaborate on that.
| winternett wrote:
| >Only legislation can give power back to the users. It
| shouldn't be necessary to put up with this level of
| surveillance by big corps in order to function in society.
|
| Don't worry, after about 7 years there will be a low key class
| action suit and we'll miss the $7 payout and lawyers will
| collect the leftover millions for the sake of symbolic justice.
| Then perhaps big industry won't ever learn its lesson again.
|
| Congress has already proven that they're the Rip Van Winkle of
| IT awareness unless it pertains to boosting their personal
| investments.
| codefeenix wrote:
| Copperhead advert?
| salusinarduis wrote:
| I use GrapheneOS and LineageOS without Google Play Services. They
| are great and are suitable replacements for Apple and Google.
|
| - Osmand(FOSS) for maps (supports being fully offline!)
|
| - Signal and Discord for messaging (Discord is sandboxed)
|
| - Newpipe(FOSS) for Youtube
|
| - F-droid(FOSS) for my FOSS appstore
|
| - APKmirror for the few non-free apps I need
|
| - Libretorrent(FOSS) and VLC(FOSS) for watching movies
|
| - Firefox(FOSS) and Vanadium(FOSS) for browser
|
| - K9 Mail(FOSS) for email
|
| - Infinity(FOSS) for Reddit
|
| - Secur(FOSS) for 2FA
|
| - Taskkeeper(FOSS) for reminders
|
| Almost everything you need is in the F-droid FOSS app repository.
| It all works, and it works well. You can buy a used Pixel 3a for
| around $80 on Ebay and have a better experience in every category
| than iOS, hardware and software.
|
| The only limitation is push notifications, which isn't a problem
| because FOSS apps like Signal bundle their own notification
| system that does not use Google Play Services. Discord however,
| does not get push notifications (which I wouldn't want anyway)
| gnull wrote:
| I just reinstalled my FP2 with LineageOS and microG after
| reading your post.
| daneel_w wrote:
| _> ...and have a better experience in every category than iOS,
| hardware and software._
|
| Really? I tried GrapheneOS on a Pixel 4A, and without
| exaggerating or trying to come off sensationalist the
| experience was _really tepid_ compared to iOS, and even
| "normal" Android. Stuttering and jerky UI (which often also
| wanted to take a brief nap), very poor GPU hardware
| acceleration support, notably worse battery life, loads of
| things that just didn't work well (or at all) without Gapps,
| and trying to get Play Services shoe-horned into GrapheneOS was
| still quite the bug-ridden hassle. Additionally, the Open
| Camera app produced rubbish results compared to Google's native
| Android camera app, which matters a lot to me.
| busterarm wrote:
| I run GrapheneOS on a 4A with TMobile and the frequent
| reports of people trying to call me telling me my line is out
| of service and days where calls won't initiate from my phone
| at all makes me want to run back to my iPhone.
|
| The tethering seems to be pretty flakey as well with me often
| having to reboot the phone.
| margalabargala wrote:
| I've been using GrapheneOS on a 4A with TMobile as my daily
| driver for over a year and have had none of these issues.
| Never had an out-of-service notice from someone calling me,
| never had a call not initiate, and tethering works great.
|
| Maybe it's something to do with OpenGapps? I never
| installed it or microG, I'm perfectly happy with just
| Fdroid.
| louloulou wrote:
| I'm running GrapheneOS on a 4a right now and it's smooth like
| butter - maybe you needed to wait for a few updates. The
| camera has improved a lot as well but is still not close to
| the stock google camera.
|
| It seems like what you're looking for is CalyxOS + microG.
| commoner wrote:
| The mid-level processor on the Pixel 4a may just not be
| performing to your expectations. A phone with a high-end
| processor would perform better. For GrapheneOS, the fastest
| compatible phone available (used/refurbished) right now is
| the Pixel 4 (or Pixel 4 XL).
|
| Also, if you are using a Pixel phone with a non-default
| flavor of Android, the Google Camera app still works if you
| download it manually. APKMirror is a trustworthy app source
| run by Android Police:
|
| https://www.apkmirror.com/apk/google-inc/camera/
|
| (For Pixel phones using an older Android version, you may
| have to use an older version of Google Camera if the current
| version does not work.)
| n8cpdx wrote:
| Pixel 4 running graphene. I'm sure it's fine by android
| standards, but if you're used to iOS, it is unbearable.
|
| Going back to iPhone as soon as I've got some free time to
| get everything set up again.
|
| Unrelated, but I'm still very surprised there's no standard
| way of doing live photos on Android. They really do add a
| lot to the experience of reviewing old memories and Google
| has had at least 5 years to catch up.
| daneel_w wrote:
| It performs worse than my 10 year old iPhone 4S. It really
| shouldn't have to.
| walteweiss wrote:
| On my Nexus 6P I use GCam v. 5.2.019.188906351 and it
| performs really great! It is quite slow with HDR+ (but
| usable), and almost on par with the default camera
| without HDR+ (still producing great camera quality). I am
| curious whether the experience is similar on a Pixel
| line, with Lineage OS (or any other custom ROM).
| bubblethink wrote:
| >very poor GPU hardware acceleration support
|
| Pretty sure GrapheneOS doesn't do anything to change GPU h/w
| acceleration.
| salusinarduis wrote:
| I'm surprised to hear you say that. I've played the most
| demanding Android games on the Pixel 3a with no issues. I've
| never experienced anything but a butter smooth UI on Graphene
| or Lineage to be honest. The battery life has been all day
| for me even when using GBA emulators for multiple hours a
| day.
|
| I agree the default camera app of Graphene isn't great, but
| its picture quality is better than the iPhone I came from
| (iPhone SE gen1)
| walteweiss wrote:
| Can you install GCam as apk from somewhere? Will it work? I
| use GCam on the default Android (8) on my Nexus 6P and it
| works well. I am thinking of upgrading to Pixel 2XL or 3A
| and install Lineage OS with GCam, so I believe it would be
| a much better experience than the default ROM on a Pixel.
| But I have no idea whether GCam would work in LOS.
| ptidhomme wrote:
| Same here. I can also recommend:
|
| - Organic Maps which is cleaner than Osmand
|
| - KeepassDX for password management
|
| - AntennaPod for podcasts
|
| - I have a Tutanota email address. Their app is fully open
| source, downloadable on FDroid's main repos.
| 1vuio0pswjnm7 wrote:
| You mentioned Signal and Discord for "messaging". Can you or
| someone else confirm that _video calls_ work with GrapheneOS or
| LineageOS. I am getting ready to try these but I am still not
| sure video calling works. When reading about them I cannot find
| much discussion of this particular application.
| commoner wrote:
| I can confirm that video calls work in Signal on Android
| flavors that don't use Google Play Services, including both
| GrapheneOS and LineageOS.
| 1vuio0pswjnm7 wrote:
| Thank you. Much appreciated. :)
|
| (Perhaps WhatsApp might work as well, since, IME, it can be
| sideloaded and will work without a functional Google Play
| Services.)
| salusinarduis wrote:
| Signal is specifically designed to work without Google
| Play Services, so expect a 1:1 experience when using it
| with these privacy conscious distros.
|
| I'm confident Whatsapp will work, but I have not tried.
| Push notifications will not work without Google Play
| Services.
| commoner wrote:
| According to Plexus, WhatsApp works perfectly on Android
| without Google Play Services, whether or not you have
| microG installed.[1] I think they implement their own
| push notification system if you download directly from
| them,[2] though I haven't confirmed this.
|
| Discord works perfectly with microG, and has a 3/4 rating
| without it since notifications will only work if you have
| microG.
|
| [1] https://plexus.techlore.tech/applications/whats-app
|
| [2] https://www.whatsapp.com/android/
|
| [3] https://plexus.techlore.tech/applications/discord
| 1vuio0pswjnm7 wrote:
| IME, the notifications do work. I downloaded .apk
| directly from WhatsApp.
| krageon wrote:
| > expect a 1:1 experience
|
| Push notifications are bad and it drains significantly
| more battery.
| tgsovlerkhgsel wrote:
| I've tried Osmand and found it way too slow/janky for everyday
| use (since it has to render the tiles locally and doesn't seem
| to pre-render for scrolling).
|
| Newpipe loads videos much slower than the official app and
| occasionally fails completely (likely because YouTube changed
| something).
|
| F-droid (regular, non-root install) shows me notifications to
| update apps, then when I tap them, I get a "there was a problem
| parsing the package" - this is a bug that has remained unfixed
| for over 5 years
| (https://gitlab.com/fdroid/fdroidclient/-/issues/669).
|
| It's not _impossible_ to use a FOSS phone, but it's truly
| painful.
| dr_hooo wrote:
| As mentioned elsewhere, Organic Maps provides a much smoother
| OSM experience (fork of older maps.me version)
| salusinarduis wrote:
| If you don't like Newpipe you can use Youtube Vanced which is
| basically a pwned version of the native Youtube app. I've had
| some stutters with Newpipe but overall I like it.
|
| Osmand really isn't bad, sure it's a little bit slower to
| render but we're talking maybe 500-1000ms on a Pixel 3a.
|
| Regarding F-Droid you're right it is quite buggy, but
| thankfully once you've got the apps you want you don't really
| need to use it except to update.
| hkt wrote:
| Skytube is also a good YT client available on F-Droid
| dgan wrote:
| Do banking applications work? I mean as in "I buy X online. It
| requires me to login to my bank application and press
| 'confirm'. I perform this sequence, and online purchase is
| completed. "?
| thaumasiotes wrote:
| > I mean as in "I buy X online. It requires me to login to my
| bank application and press 'confirm'. I perform this
| sequence, and online purchase is completed. "
|
| Huh? This is not a real thing.
| krageon wrote:
| It is real and absolutely routine.
| nicbou wrote:
| Bog standard in Germany
| salusinarduis wrote:
| Some will, however I have heard some of these apps have janky
| hooks into Android's trust system which will break them on
| non-google distros.
|
| Personally I wouldn't suggest having banking apps on a phone.
|
| You can always use the web browser if you absolutely must
| access those accounts.
| soylentnewsorg wrote:
| The number one reason to use a banking app on your phone is
| to deposit a paper check by taking a photo of it. I am not
| aware of a bank that lets you do that from a webpage.
|
| Vanguard works on my completely google-free phone, although
| I had to change the OS language to English because w/
| Android set to French their app would force the use of
| commas as the cents separator, then complain that commas
| are not a valid character. Another fun thing was it uses
| its own internal camera app, which would focus the preview,
| then completely ignore the focus setting and take a blurry
| photo of the check. Eventually I figured out the camera's
| default focus length and take the photo from that distance.
| dgan wrote:
| I will try to do so with web account, however I doubt it
| will work..
| Kubuxu wrote:
| Most banks in EU require phone app based confirmations for
| transfers and other operations (according to PSD2
| directive).
|
| Visa and Mastercard also introduced 3DSecure system which
| piggybacks on the same system of confirmations. Vendors are
| incentivised to adopt it by lower rates.
|
| In essence when paying with card or making a wire transfer
| (or using some instant transfer method, for example Blik in
| Poland), you get notification on your phone asking you to
| confirm operation, even if you initiate it from your
| account in the browser.
|
| In essence Bank apps became 2FA devices. The only way to
| avoid it is to opt-out of the App 2FA and use paper one-
| time code pad. You regularly then get sent a list of codes
| by snail mail, which you have to type to confirm
| operations.
| gpvos wrote:
| It depends per bank; mine discontinued the paper OTP pad
| as well as the SMS codes, and gave me a separate 2FA
| device when I didn't want to use their app. I don't think
| banks can force you to have a smartphone yet.
| bubblethink wrote:
| Does nobody in the EU do computers ? How do they pass
| asinine laws like this ? I mean, from the outside, it
| always appears as though the EU is much better than the
| US when it comes to consumer rights, but it always feels
| like they don't have a very good grip on technology.
| gpvos wrote:
| I don't think this was driven by law, but by an
| appropriate wish to increase transaction security (you
| really shouldn't use SMS for this anymore).
|
| There are some rules here that are nonsense, such as
| know-your-customer laws that force me to enter my home
| address even when the product or service (say, a concert
| or train ticket) is delivered to me entirely
| electronically.
|
| Most of the move to purely electronic payment is driven
| by the market and the large banks; e.g. in the
| Netherlands we actually never had laws that force shops
| to accept cash as payment.
| bubblethink wrote:
| I agree that you shouldn't use SMS. My point was that
| unless the law (if there is one), requires that 2FA be
| enabled in an accessible way, the banks will do their own
| thing with the phone push notification system. The 2FA
| situation is quite bad in the US too, but a small no. of
| banks do offer TOTP.
| toastal wrote:
| This whole situation caused me to throw up my hands in
| Thailand and now I pay for most everything in cash since
| it's still a cash-friendly nation.
| inside_out_life wrote:
| It's hard to explain but Poland got hooked on mobile
| payments/banking, the adoption is very high and one of
| the major players is home grown.
| mateuszf wrote:
| Btw, I live in Poland, and I use my banking app for
| internet payments and NFC payments using Pixel with
| CalyxOS.
|
| So it's possible to do that with some of the banking
| apps.
| krageon wrote:
| > I don't think banks can force you
|
| They can and do. There are a number of banks where you
| have absolutely no choice.
| jiggunjer wrote:
| you have a choice to not be their customer.
| krageon wrote:
| unless of course they are all equally bad :)
| robocat wrote:
| > separate 2FA device
|
| FYI in New Zealand a few banks can provide a device (e.g.
| RSA SecurID) for proper non-bank 2 factor auth with
| consumer accounts. However some major banks only use
| phones for 2FA (app or SMS).
|
| The norms seem to vary considerably depending on country.
| PostOnce wrote:
| Which banks provide a device?
| robocat wrote:
| I have had SecurID tokens for ASB and SBS accounts. I
| have been told Westpac does not provide secure 2FA. I am
| not sure about other banks.
| TeMPOraL wrote:
| Didn't know this was driven by PSD2. As much as I
| appreciate the convenience, I still find the whole drive
| fucking annoying - especially that, with all the talk
| about data portability, I _still_ can't get a simple API
| endpoint I could point a script at to fetch me my
| account's balance.
|
| Yes, I'm bitter. If there's ever a bank that puts end-
| user automation first, I'll switch in a second.
| selfhoster11 wrote:
| If you are in the UK, Starling offers a relatively simple
| API.
| [deleted]
| andrepd wrote:
| My bank uses SMS. It's simple and platform agnostic: even
| a Nokia 3310 is compatible x)
| 5etho wrote:
| also not very safe. Attacker can duplicate your sim. This
| way he can call the bank and use the mobile number to
| restore bank account details. At least in Poland
| hkt wrote:
| On /e/OS with microG, I successfully use the apps for
| Starling Bank and Hargreaves Lansdown. Nationwide and Nivo
| also both work. (these are all UK services, not sure how far
| they are known elsewhere)
| sorry_outta_gas wrote:
| I just use the website
| dylan604 wrote:
| What kind of purchase/checkout system works like this? I have
| never seen one, but if I had, I would not complete the
| transaction.
| Daniel_sk wrote:
| Most in EU do this or will do - it's part of EU bank
| regulation (PSD2). SMS isn't considered safe anymore and
| debit/credit card payments are confirmed through banking
| apps (you get a push and confirm).
| GoblinSlayer wrote:
| Wait, but smartphones are less safe than SMS. The attack
| surface of SMS is your surroundings, the attack surface of
| a smartphone is entire world, and virus infections happen
| much more regularly than sim copies.
| soylentnewsorg wrote:
| That's not the issue though. I can log in to my cell
| account and see the content of every sms i send and
| receive. an app establishes an encrypted connection
| between your phone and the bank. sms is open to the
| public.
|
| in addition, you don't need to copy a sim. you can copy a
| cell tower. which the authorities do all the time,
| without any warrants, and capture data en-masse. The fake
| cell tower fits in a backpack.
|
| But it's not just the cops capturing your cell data. It's
| anyone, they've been doing it for over a decade, and it's
| cheap and easily accessible.
|
| https://www.vice.com/en/article/vv7zn9/surprise-scans-
| sugges...
| thirdsun wrote:
| Reading the comment I was confused as well - it sounds as
| if the user provides his banking login to the merchant as
| part of the checkout process. However they mean that the
| transaction has to be approved via banking app, not unlike
| a 2FA authenticator app.
| dgan wrote:
| amazon paysend many others do too. bank is Boursorama
| dylan604 wrote:
| Is this something more popular outside of the US where
| credit/debit cards are not as ubiquitous?
| Yizahi wrote:
| I think it's called 3D-Secure for debit/credit cards. In
| Ukraine for example it is pretty much a normal path for
| online payments. Also our "credit" cards aren't the same as
| your "credit" cards. Ours are basically the same as debit
| cards but with added overdraft amount and different
| service fees. They are created by the same banks as debit
| cards, not by separate corporations.
| dgan wrote:
| Maybe. I never owned a credit card, however I also
| basically didn't use cash for years, only debit card
| kevin_thibedeau wrote:
| I've had a US debit card where 3D secure was triggered.
| joshuaissac wrote:
| It usually happens when someone pays with a credit or
| debit card. If the confirmation is not given in the app
| within a certain time limit, the bank rejects the card
| transaction.
|
| Edit: to clarify, my comment is about the UK, and it does
| not happen with most card transactions; "usually" here
| refers instead to card transactions being the usual
| trigger (in my experience) for this app-based
| authentication flow.
| dylan604 wrote:
| "Usually" is a bit of sticky word here. Your usual is not
| my usual, hence my questioning of it. My experience is US
| centric, so I'm assuming non-US but non-US is a really
| big place.
| nicoburns wrote:
| Online purchases with UK bank accounts often require this.
| Some banks use an OAuth-style redirect instead. I think the
| merchants get lower rates if they enable this feature
| (called "3D secure") because it lowers the risk of fraud.
|
| It's basically 2FA for online transactions, which seems
| very sensible to me.
| slock83 wrote:
| I switched to /e/ rather recently, and it also just happens
| that I am in the process of switching banks, which means I
| currently have two banking apps on my phone.
|
| Both are rather strict on having a clean, non rooted, non
| modified phone. Currently, they both work without any
| caveats, but I had to install magisk, add them to magisk
| hide, and use the magisk renaming feature to have them work.
| toastal wrote:
| I recently had a bank detect Magisk Hide. Since on
| principle, I don't think it's their business what I do with
| my phone, especially once added Magisk Hide, I went into my
| branch, told them just that and asked for everything in
| cash to move to a different bank. These are the same banks
| that only have SMS for 2FA and it's required.
| krageon wrote:
| OSMAnd is visually difficult to parse (especially at a glance)
| and fairly complicated to use. It is not a good map app.
| phh wrote:
| Fun, I guess this is just a question of habit. Nowadays I use
| OSMAnd mostly, and when I have to use Google's Maps (OSMAnd's
| search isn't great, and public transportation isn't there),
| I'm lost, and the app never shows the information I want.
|
| It's happened to me a lot of times with Google's Maps (with
| regard to how frequent I use Google's Maps) that I'm looking
| for something, I KNOW it's there, I'm searching for it (like
| "groceries" for a grocery store), and the only way Google's
| Maps would ever show it to me is by zooming it until the ONLY
| thing on screen is building, and then it does display it.
| ptidhomme wrote:
| I had the same feeling. I now use Organic Maps which I find
| much better.
| thastings wrote:
| I use the exact same setup, works like a charm. I can
| definitely recommend it for anyone concerned with the privacy
| issues of current mobile OSes. Furthermore, it never feels
| limited after getting used to this suite of apps, which may take
| up to a week at most.
| EVa5I7bHFq9mnYK wrote:
| Almost all of these just need a browser, without any apps. I
| personally don't need any notifications, but I'm retired so
| it's easier.
| Scramblejams wrote:
| What do you use for photo management?
| commoner wrote:
| The default Gallery app is functional, and there are other
| FOSS options such as LeafPic and Simple Gallery.
|
| - LeafPic Revived: https://f-droid.org/en/packages/com.alienp
| ants.leafpicrevive...
|
| - Simple Gallery Pro: https://f-droid.org/en/packages/com.sim
| plemobiletools.galler...
|
| If you are looking for a hosted service to back up your
| photos, Stingle is an end-to-end encrypted photo hosting
| service. Alternatively, you can use Nextcloud to self-host.
| Both are FOSS on the client side, and Nextcloud is also FOSS
| on the server side.
|
| - Stingle: https://stingle.org
|
| - Les Pas gallery app for Nextcloud:
| https://github.com/scubajeff/lespas
| mattl wrote:
| If you wanted to install something like WhatsApp or Lyft would
| it work?
| salusinarduis wrote:
| Yes they will work, however to get notifications when the
| apps are closed you would need to have some form of Google
| Play Services. I suggest MicroG if you are intending to do
| this since it seems to be the least invasive.
|
| In my personal case though, I would still not use MicroG, and
| would just leave the app open until I am done using it. This
| is easier on Android because apps are not suspended in the
| same manner iOS apps are.
| dylan604 wrote:
| What about when the phone locks? My phone is set to
| autolock after 1 minute. Leaving an app open just to
| receive notifications seems like a waste of battery.
| uhtred wrote:
| I use /e/os. It is based on LineageOS, is completely de-
| googled and has MicroG integrated. MicroG means push
| notifications with apps like WhatsApp will work.
| https://e.foundation/
| salusinarduis wrote:
| If your phone is locked you will most likely not get the
| notifications, it just depends on the app. I do agree it
| can waste battery.
|
| It's important to remember this is only a concern on non-
| free apps. The FOSS apps have very low power background
| services that check for notifications without the app
| running.
| xzjis wrote:
| I prefer FairEmail (FOSS) over K9 Mail because it's more
| modern.
|
| I also recommend CutTheCord as a Discord client. It's not FOSS
| because it's based on the official client but it's privacy
| oriented.
|
| https://gitdab.com/distok/cutthecord
| technerder wrote:
| Could you elaborate on what you mean by "Discord is sandboxed"?
| Are you using an app to sandbox it?
| Steltek wrote:
| Could be using [Shelter](https://github.com/PeterCxy/Shelter)
| to isolate apps. I don't know how effective it really is.
| commoner wrote:
| Insular is another app that activates the Android work
| profile: https://secure-system.gitlab.io/Insular/
|
| Both Shelter and Insular are effective for isolating your
| files, contacts, and phone logs in each profile. If you are
| using a VPN, it is limited to the profile that the VPN app
| is installed on, and you need to install and run it again
| on the other profile to cover the apps in that profile.
| deft wrote:
| There's an app available on f-droid called Aurora Store that
| lets you download apks from the Play Store directly, avoiding
| the need for stuff like APKMirror (where you don't know where
| or what happens to the apk you're downloading). On desktop you
| can use the program Raccoon for the same.
| salusinarduis wrote:
| Thanks for the suggestion!
| porjo wrote:
| Thanks for the list!
|
| > You can buy a used Pixel 3a for around $80 on Ebay
|
| It's worth noting that GrapheneOS recommend Pixel 4a or newer
| for best support:
| https://grapheneos.org/faq#recommended-devices
| noja wrote:
| Please, technical people of HN, install NetGuard on your Android
| phone. You will be shocked where your data goes. GDPR? Ha!
| Graffur wrote:
| Based on your comment I have installed it and enabled
| notifications.. immediately it told me that Facebook attempted
| internet access. I have 432 other apps so it will be
| interesting to see what else is phoning home.
| aboringusername wrote:
| > immediately it told me that Facebook attempted internet
| access.
|
| I am not sure how that information is useful to you or anyone
| else, not trying to be snarky, but an internet app wanting
| internet access...is the expected behavior?
|
| Most apps and operating systems communicate over the internet
| for any number of reasons, heck, apps can even check if you
| _have_ internet access or not (and respond accordingly, such
| as caching content to send later on).
|
| Doesn't make it weird or suspicious...
| larrik wrote:
| Doesn't sound like he was in the Facebook app at the time,
| though.
| Graffur wrote:
| I have the FB app but rarely use it. Why would it be
| phoning home when I don't have it open?
| kaba0 wrote:
| To check for notifications? I'm fairly sure they haven't
| implemented a complex AI model to determine that "you are
| using it rarely", so the check it out each n minutes is a
| constant thing.
| KennyBlanken wrote:
| On Android, most notifications are handled by Google
| Cloud Messaging. The app/site developer pushes a
| notification to GCM, which then puts up the notification
| on your device.
|
| The ugly white elephant in the room is that Google sees
| the text of the notification; it's not e2ee'd. Some more
| privacy-oriented apps implement GCM such that it just
| "pokes" the app on your phone to say "hey, check in with
| us" and the app then fetches the notification text etc.
| directly. But Google still knows that you got an event
| from what app.
| ignoramous wrote:
| See also: https://github.com/offa/android-foss#-firewall (In
| particular, AfWall+ for _root_ed device is quite powerful)
| aboringusername wrote:
| I was wondering if you could expand on your comment because I
| am confused. How is seeing what IP addresses an app
| communicates with a violation of GDPR? If I can't see the
| _content_ of the data it's sending but just _where_ it's
| going, that is not exactly a violation.
|
| It's not illegal to communicate with an IP address, there could
| be many reasons $app sends a request via a US server.
|
| Like a postman with an address and an envelope isn't enough to
| just assume a crime has been committed it works the same
| digitally...
| noja wrote:
| Install the app. You'll see that it sends personally
| identifiable information (your ip address) to facebook,
| before you have opted in.
|
| 99% of apps also send usage stats and/or crash information to
| mixpanel, etc. also without opt-in.
| drclau wrote:
| Similarly, for iOS you can use the new "Record App Activity"
| functionality.
|
| See:
|
| https://news.ycombinator.com/item?id=28804174
|
| https://news.ycombinator.com/item?id=28838394
| silicon2401 wrote:
| Giving this a try based on your glowing recommendation. Thanks
| for suggesting it! I'm always interested in improving my
| privacy measures
| Factorium wrote:
| Your opt-out is to buy an iPhone.
| Gunax wrote:
| But I also don't approve of apple's control over what I install
| and I think its stance on browsers is anti-competitive.
|
| Now I feel stuck.
| dlevine wrote:
| In the book Post Corona, Scott Galloway talks about red vs blue
| companies. Blue companies (e.g. Apple) charge a premium for their
| product and offer you some level of privacy, while red companies
| give you their product (the Android OS and Google Apps) for
| "free" and then collect lots of data on you (and use that to make
| money). Amazon is clearly going this route too with the
| ridiculous number of ads they have started putting on their Echo
| Speakers.
|
| He predicts that over time there will be paid versions of a lot
| more products for people who want (and can afford) privacy. I
| know there is a lot of hate for Galloway, and I take everything
| he says with a grain of salt, but this struck me as pretty
| astute.
| raffraffraff wrote:
| TL;DR: They track long-lived phone identifiers and some send
| usage data like:
|
| > Xiaomi telemetry logs the user interaction with the dialer app
| when receiving a phone call, including the start and end times of
| the call
|
| ...and Microsoft SwiftKey logs the apps you open, how many
| characters you typed (with timestamps), and sends crash dumps
| that contain who-knows-what.
___________________________________________________________________
(page generated 2021-10-13 23:01 UTC)