[HN Gopher] What happens when your phone is spying on you
___________________________________________________________________
What happens when your phone is spying on you
Author : sizzle
Score : 140 points
Date : 2023-03-15 15:35 UTC (7 hours ago)
(HTM) web link (today.ucsd.edu)
(TXT) w3m dump (today.ucsd.edu)
| blakesterz wrote:
| Maybe I missed it, but I didn't see a link to the actual paper, I
| think this is it from the conference site:
|
| https://petsymposium.org/popets/2023/popets-2023-0013.php
| sizzle wrote:
| Thanks for linking to the paper
| sizzle wrote:
| Some of these employee/child "monitoring" apps rival Remote
| Access Trojans (RATs) that used to wreak havoc in the early days
| of Windows, before Windows Defender and detailed permissions
| level access prompts were brought to the attention of the user
| (Windows UAC (User Account Control) prompts).
|
| I feel like mobile operating systems have been stuck in the early
| Windows "undetectable RAT era" for far too long, only recently
| getting basic UI prompts for oversight/control of OS-level
| permissions settings per app.
|
| I believe it was Apple that forced this privacy angle on the
| smartphone space and Android was forced to comply, since Android
| and Google's business model is to track, profile and harvest user
| generated data for targeted advertising. AdTech is too profitable
| and has perverse incentives to keep spying on users.
|
| With all that said, I really respect the approach the EU takes to
| safeguard privacy and enforce compliance from big corps.
| senthil_rajasek wrote:
| I found this article very shallow. It covers only spyware that
| is installed when a device is physically compromised.
|
| I was hoping it would cover spy/malware that install remotely
| through many more infection vectors like clicking text messages.
| I guess NSO/Pegasus malware has this capability.
|
| I barely use any apps and would gladly settle for a flip phone...
| I value privacy more than the ability to order food through my
| phone.
| TheRealDunkirk wrote:
| > I value privacy more than the ability to order food through
| my phone.
|
| I know you didn't mean it like this, but I find it funny that
| it _reads_ like we've abandoned the idea of calling a
| restaurant and just talking to a person to order takeaway.
| handedness wrote:
| Many restaurant managers already have: I'm increasingly
| finding places won't allow phone orders, at least during peak
| hours.
| SoftTalker wrote:
| So call the places that do. This is called free market
| competition.
| walterbell wrote:
| _> talking to a person to order takeaway_
|
| Also supports small business by saving them double-digit app
| fees!
| Jeremy1026 wrote:
| Not necessarily. The delivery apps set up proxy numbers to
| pass calls through, taking a lead fee. So you can't just
| search "sub shop near me" and call, as it might not be
| their actual phone number. Your best bet if you want to
| save the local place fees from the apps is walk in the
| first time, then call the number off the paper menu from
| then on.
| xeromal wrote:
| If they have a website, that's usually a good number too
| scarface74 wrote:
| I know a couple of small restaurant owners. Even ones that
| don't go through UberEats or GrubHub that use SaaS
| restaurant software that also come with a white labeled
| restaurant specific app that accepts Apple Pay (standard
| credit card fees - not 30%) and other payment methods. They
| actually prefer it.
| Schroedingersat wrote:
| Middleman feudal tax garbage always seems great at first.
|
| In an abusive relationship that part is called the
| honeymoon period. The goals, the mindset of the
| perpetrator, and the end results are the same.
| SoftTalker wrote:
| Weird. The small places here (I'm thinking Chinese take-
| out, for example) take cash only, order tickets are on
| paper, they don't deliver, and seem to be thriving. Have
| the Uber Eats and other tech middlemen started taking
| such a big slice of the profit that it's not worth it?
|
| Having worked in a restaurant, if someone took 30% of my
| gross it certainly would have been all of my profit and
| then some.
| walterbell wrote:
| NYC currently caps fees at 20%. Grubhub is lobbying for
| 30%.
|
| https://www.restaurantbusinessonline.com/technology/nyc-
| coul...
|
| _> New York, like many cities, put a limit on third-
| party delivery fees during the pandemic to help
| restaurants that had come to depend heavily on the
| service. Last August, it became one of the few
| jurisdictions to make the emergency measure permanent ...
| Last year, it passed a first-of-its kind law that would
| force delivery providers to share more customer data with
| restaurants._
| scarface74 wrote:
| I just said the opposite. Restaurant apps _do not_ pay
| 30% even when going through the App Store. It's a
| physical good and even if they do accept Apple Pay, they
| get charged standard credit card processing fees - $0.25
| + 2-3% of the amount.
|
| I said they do _not_ use GrubHub. They have their own
| system run as SaaS. The company they use takes care of
| the POS system, merchant accounts, and a white labeled
| app just for their store.
| walterbell wrote:
| Are customers willing to download a new app for each
| restaurant?
|
| Does the SaaS/POS company let customers use one app and
| "install/subscribe" to each restaurant as needed?
| scarface74 wrote:
| They also offer a white labeled website. Once you have a
| website, creating an "app" that's just a web view that
| provides notifications for delivery and or when your
| table is ready is relatively easy. Of course it's more
| about branding than anything else. They can also just
| send text messages
| A4ET8a8uTh0 wrote:
| << just talking to a person to order takeaway.
|
| The sad thing is that even if you do that, the restaurants
| are now almost guaranteed to use your phone as unique
| identifier and use that data for, hopefully, their own
| purposes ( hopefully, because the lure of selling data might
| be too much ).
| KingLancelot wrote:
| [dead]
| moremetadata wrote:
| [dead]
| AtlasBarfed wrote:
| Oh here, let me run it down real quick. You don't even need to
| be an expert.
|
| Tracking cookies, browser fingerprinting, and ISP-level
| monitoring logs everything you do.
|
| Various consumer database warehouses hoover up the data for
| resale/targeting by ad companies
|
| Hint: once a business has it, at a minimum the
| FBI/CIA/Government has it. Likely, they've been hacked by China
| and Russia too.
|
| In addition, the CIA/FBI run ISP-level and DC-level
| monitoring/hoovering.
|
| Finally, there is no oversight. Either the FBI will cookie
| cutter whatever request they need after the fact to the rubber-
| stamp-anyway kangaroo oversight "Court", or they won't even
| bother. The CIA doesn't even need to care. The only limitation
| of widespread abuse is some sense of patriotism in the CIA/FBI,
| and of course that is pretty simple to frame/justify as needed.
|
| The bottom line is that there is a 100% turnkey total
| information awareness infrastructure for any authoritarian
| regime that takes over the US government (see: Iraq war, false
| flag attacks, McCarthyism, etc). They know everyone you
| communicate with, your political views, your buying habits, and
| they will soon have AI software to maximize utilization of the
| firehose for profiling, reeducation camps / gulags, and the
| like. The US government can deny you civil rights by declaring
| a US citizen an enemy combatant, and are more than willing to
| setup concentration camps for immigrants, and therefore
| "terrorists".
| BenFranklin100 wrote:
| Exactly three years ago I would have laughed at you, but
| three years of COVID has taught me that the powers that be in
| our society -- which include journalists, academics and
| moderators of online forums -- will happily help tear down
| essential liberties for perceived, small, and temporary
| safeties.
|
| The abuses stemming from a lack of privacy have not been
| realized because of political convictions, but because of
| technical limitations. The advent of advanced AI models will
| remove many of these technical limitations and allow
| corporations and governments to quickly build detailed
| profiles of every citizen that touches the internet.
| barrysteve wrote:
| God's all-seeing presence is a preservative against sin and a
| means to make you watchful over all your ways and actions. -
| Thomas Gouge
|
| It was always the intent to make sight of citizens completely
| transparent.
| tptacek wrote:
| This is a standard university press-release style article about
| a paper accepted at PETS:
|
| https://www.sysnet.ucsd.edu/~voelker/pubs/spyware-pets23.pdf
|
| It's academic research, so this thread here expressing
| disappointment about the article is weird. We should probably
| just replace the press release with a link to the study itself.
|
| From the abstract:
|
| _In this work, we perform an in-depth technical analysis of
| 14 distinct leading mobile spyware apps targeting Android
| phones. We document the range of mechanisms used to monitor
| user activity of various kinds (e.g., photos, text messages,
| live microphone access) -- primarily through the creative abuse
| of Android APIs. We also discover previously undocumented
| methods these apps use to hide from detection and to achieve
| persistence._
| sizzle wrote:
| You can read the whole paper shared by another HN user here:
|
| https://petsymposium.org/popets/2023/popets-2023-0013.php
|
| PDF Paper:
| https://petsymposium.org/popets/2023/popets-2023-0013.pdf
| 1vuio0pswjnm7 wrote:
| Flip phones are available. SBF has been issued with one under
| his latest conditions of release.
|
| Remember though, privacy comes at a cost. Thousands of
| parasitic "startups" that live off of VC, produce nothing for
| sale, have no profits and rely on surveillance to demonstrate
| speculative "value" might suffer or even "go out of business",
| "Big Tech" might not rake in billions per quarter for selling
| ad services, "tech jobs" might be lost. It could be
| catastrophic. The entire economy could crash. It could put an
| AI-driven utopian future at risk. All because of the desire to
| maintain privacy. This is not just another HN comment
| containing only FUD or hype-based predictions with zero factual
| support. "We take privacy seriously." It's a threat to what we
| do. As an "industry" it's vital that we maintain peoples' trust
| while we surveil them. /s
| teddyh wrote:
| Your quoting of certain words seems odd.
|
| https://prestersperspective.blogspot.com/p/schizophrenia-
| ran...
| mjfl wrote:
| It's because he was using sarcasm, which you failed to
| detect.
| teddyh wrote:
| I probably failed because the quoted words _were not
| actually quotes_. I could understand a word like "value"
| being quoted sarcastically without a specific quote in
| mind, but the quoting of many other words and phrases
| were mystifying.
| salawat wrote:
| > As an "industry" it's vital that we maintain peoples' trust
| while we surveil them.
|
| Thanks. I puked a bit. Put a damn /s on that thing.
|
| If it was not in jest, seek help. You aren't thinking
| properly.
| chaxor wrote:
| Most spyware is installed by the user themselves. It's
| typically called "security software" from your company, or the
| VPN they provide (which also includes additional software that
| backdoors your entire device).
| humanistbot wrote:
| A university PR office puts out a press release that is a shallow
| version of the actual paper? Why I never....
| Liquix wrote:
| I was hoping it would raise the alarm regarding Google and
| Apple's overreaching, always-on data collection practices. 99%
| of people don't need to worry about an attacker gaining
| physical access to their unlocked device and installing an
| application. We as a society _do_ need to worry about tech
| giants amassing enough data on us to gain an insurmountable AI-
| training-data advantage which makes them too useful as tools of
| the state to be regulated by said state.
|
| The irony of pointing out how to spot a "spyware" app disguised
| as a WiFi icon when the dozen Big G apps pictured alongside are
| collecting the same data...
| fsflover wrote:
| > I was hoping it would raise the alarm regarding Google and
| Apple's overreaching, always-on data collection practices
|
| It seems this is the article you were expecting:
| https://news.ycombinator.com/item?id=26639261.
| YeahNO wrote:
| You would think the panic over TikTok spying would illuminate
| the problem with apps having carte-blanche access to your
| personal data 24/7. There is nothing that the TikTok app does
| that any other app cannot also do. It seems nobody wants to
| make that connection.
|
| There should be real protections for consumers to prevent ANY
| application from slurping up this data, and I don't mean just
| a disclosure or system setting to hamstring the application
| into uselessness. I mean, there should be regulations
| preventing the collection of this data in the first place,
| with hefty fines and punitive damages.
| eternityforest wrote:
| Most privacy advocates probably do plenty of things I would
| be perfectly happy to see made illegal, but we don't just
| ban them because we don't want a complete dictatorship of
| one segment of the population over everyone else, and
| because it seems the people realize it would cause problems
| for some people, and we need to be careful to find suitable
| replacements before we ban things.
|
| A lot of the tech I imagine you are referring to has been
| life changing for me, and if it cost normal SASS prices
| would not be affordable.
|
| Regulations and disclosures are good, but a straight ban
| would (depending on how it was written) quite likely affect
| services that inherently require mass data collection, like
| Tile trackers, and might make other services have to do
| subscriptions and become unaffordable for many.
|
| If there was a state sponsored Pine64 style company that
| could do all of what Google does for the same price without
| spying, it would be great. But at the moment, the FOSS
| community does not have true equivalents, or the budget or
| interest to do so, nor the marketing power to do the stuff
| that only works if everyone else uses it, and the non-spy
| commercial solutions have many of the same issues and cost
| too much for low income people.
| nichohel wrote:
| What do you mean by "Most privacy advocates probably do
| plenty of things I would be perfectly happy to see made
| illegal"? Can you give some examples of what you mean by
| things you want to see made illegal?
| 867-5309 wrote:
| eating meat, burning coal, owning pets, paying taxes,
| cycling, sunbathing, crochet, wearing crocks with socks,
| shitposting..
| [deleted]
| hb0ss wrote:
| Cycling... says the corn syrup addicted American
| JohnFen wrote:
| Most privacy advocates I know revolve around the concept
| of "informed consent". The idea isn't to ban technologies
| because they can be abused, it's to stop the abuse.
|
| The guiding principle for when that line is crossed is
| whether or not the affected person was completely and
| accurately informed about what is going to happen, and
| that they have affirmatively given their consent for it
| to happen.
| eternityforest wrote:
| The GDPR goes a little farther than that though, because
| it makes consent revokable even after the fact, and
| disallows consent as a requirement to access a service,
| and some privacy advocates seem to think that's still not
| enough.
| JohnFen wrote:
| The ability to revoke consent is an essential part of
| consent, in my view.
|
| > some privacy advocates seem to think that's still not
| enough.
|
| I am one of them. I think the GDPR is inadequate in many
| ways, but it's certainly a huge improvement over the
| nothing that existed prior, and it's much better than
| anything we have here in the US.
|
| But the things I think are inadequate about the GDPR
| still revolve around consent. I will admit that "consent"
| is a very broad term, though, and includes a whole lot of
| intricacies and nuances. It's a bit like "freedom" in
| that sense.
| A4ET8a8uTh0 wrote:
| << A lot of the tech I imagine you are referring to has
| been life changing for me, and if it cost normal SASS
| prices would not be affordable.
|
| I think part of the issue is that it is too affordable.
| The whole free content, free email, free infrastructure
| got us into current mess to begin with and since
| advertising was the only place that paid, now it is a
| part of the landscape. But on that front, pendulum may be
| swinging the other way.
|
| And privacy itself is one of those terms that can easily
| lead into a very broad discussion unless it is not clearly
| defined from the outset.
|
| << we need to be careful to find suitable replacements
| before we ban things.
|
| Nah, as a society we were very permissive for the past
| two decades at least. It is time for tech to grow up and
| join the rest of the mature industries.
|
| << But at the moment, the FOSS community does not have
| true equivalents,
|
| Sadly true. I am currently on Pine ( postmarketos ) since
| my main phone died. I absolutely love the idea and I keep
| trying to support it when I have a chance, but it is
| still not ready for prime time ( and I am not good enough
| to contribute in code ).
|
| << and the non-spy commercial solutions have many of the
| same issues and cost too much for low income people.
|
| And this is why spying - ekh, totally voluntary data
| collection - should just be verboten. We have seen where
| this road leads and it is not fun long term.
| eternityforest wrote:
| Well, I sure don't ever want to be losing half my day to
| forgetting things, being constantly lost, and losing my
| keys and wallet constantly.
|
| As far as effects on me, getting rid of modern tech would
| already _be_ getting close to the authoritarian nightmare
| they talk about, far more than basically any of the laws
| other people complain about.
|
| If the effects are harmful enough to regulate, it's the
| same kind of conversation as cigarettes and gas engines
| and a million other things that we put varying levels of
| restrictions on but don't ban.
|
| Going after spy tech with more force than we go after
| everything else just seems like government enforced
| luddism.
| fossuser wrote:
| Apple has "Advanced Data Protection" that you can enable
|
| This was built after the NSO group hacks to lock down the
| device to be resilient to nation state attacks.
|
| It limits some of the attack vectors you're talking about (with
| a tradeoff of also limiting some features).
|
| Apple also enabled true e2ee in the cloud where only you retain
| the keys.
| irobeth wrote:
| > Apple also enabled true e2ee in the cloud where only you
| retain the keys.
|
| Is there a procedure to realistically verify that your
| communications are e2e and not e2mitm2e ?
| lisasays wrote:
| So what do people recommend for malware detection (at whatever
| degree of efficacy) on Androids these days?
|
| Yes I know what search engines are, but I'd appreciate curated /
| personal recommendations, please.
| kramerger wrote:
| Nothing.
|
| Anyone recommending antivirus apps for your android is clueless
| and/or after your money.
| mikece wrote:
| "When your phone is spying on you"???
|
| The title makes it sound like this isn't a 24x7x365 concern when
| it very much is!
| victor106 wrote:
| The title needs to be updated to say "Android"
| photochemsyn wrote:
| This quote in the article seems overly optimistic:
|
| > "While Google does not permit the sale of such apps on its
| Google Play app store, Android phones commonly allow such
| invasive apps to be downloaded separately via the Web. The
| iPhone, in comparison, does not allow such "side loading" and
| thus consumer spyware apps on this platform tend to be far more
| limited and less invasive in capabilities."
|
| Recommended:
|
| https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents...
|
| > "After confirming forensic traces of Pegasus on Nour's
| iPhone, we identified the presence of additional spyware, which
| we attribute with high confidence to Cytrox. We further
| conclude with high confidence that it is unrelated to Pegasus
| spyware."
| CharlesW wrote:
| Once an iPhone is jailbroken, yes -- anything goes. The paper
| describes an Android attack that just requires an app install
| that "[does] not require specialized technical know-how to
| deploy or operate".
| paulmd wrote:
| or more generally when you're going up against nation-state
| level actors, such as in your link. In that case yeah all
| bets are off, NSA and Mossad (and places commercializing
| technology developed for them) are gonna get in your phone
| if they want to.
|
| But this is still qualitatively different from android
| where the threat model is "connect USB cable and run ADB
| command", if even that much.
| hot_gril wrote:
| At the end of the day, tech-illiterate people are gonna
| get spyware onto their Android phones much more easily.
| If a website tells them to download some app directly and
| ignore any warnings about it being untrusted, they'll do
| it.
| sizzle wrote:
| There are surreptitious ways of achieving covert monitoring on
| iOS. To say this applies to Android only is simply untrue.
|
| You can do things via MDM on iOS for example and install
| spyware "monitoring" apps/set OS level permissions that are
| invisible to non-tech-savvy users.
|
| Also if you have access to the device and the iCloud
| password/device pin (e.g. abusive partner scenario, etc.) then
| non-tech-savvy people don't stand a chance against being
| secretly monitored.
| bartvk wrote:
| > You can do things via MDM on iOS for example and install
| spyware "monitoring" apps
|
| Can you name one?
| CharlesW wrote:
| > _To say this applies to Android only is simply untrue._
|
| To be fair, this particular issue -- the creative abuse of
| Android APIs by "stalkerware" apps -- applies to Android
| only.
|
| Also, MDMs on iPhones can't do the kinds of covert monitoring
| that this paper discusses. They can't access texts, emails,
| photos or other personal messages or data within apps on a
| device.
| sizzle wrote:
| honestly all they need to monitor people is built into
| Apple products out of the box. Sync a dummy iCloud enabled
| AppleID, and clear all the prompts and emails that the
| device was added to the account.
|
| You now have access to everything via iCloud and FindMy app
| for location tracking. You can even sign into another
| device and have real-time iMessage and other private data
| without installing any spyware apps. I will admit this is
| outside the scope of the paper, but arguably harder to
| mitigate if you are not ever checking your iCloud settings.
| paulmd wrote:
| well, thanks to the EU, it's going to apply to Apple real
| soon too. This is one of the things app store review and
| fully enforceable permissioning prevents (prevented).
|
| https://9to5mac.com/2022/12/13/apple-alternative-app-
| stores-...
|
| So much for the "app store is like 1984" marketing spin
| that Epic put out lol. Now you have the freedom to have
| spyware installed on your phone... which is what I and many
| others have been saying all along. Not just abusive spouses
| but Facebook and others will be all over this.
|
| https://www.youtube.com/watch?v=euiSHuaw6Q4
|
| As I said previously... Facebook and others already have
| this sort of spyware ready to go, _because they were
| already using their developer credentials to get users to
| sideload it for data mining_. Now it won't be
| optional/"we'll give you a gift card", it'll just be
| mandatory if you want to use Facebook on an iOS device.
| Sorry this device is not supported via web, please install
| the native app.
|
| https://arstechnica.com/gadgets/2019/01/facebook-and-
| google-...
| cyberbanjo wrote:
| TFA: We focus on Android-based spyware because most of the
| mobile spyware market appears to be focused there. Since
| curated app stores like Google Play do not permit the sale of
| such apps, in practice they must be side-loaded off-store, a
| process that Apple does not support. As a result, consumer
| mobile spyware only operates on "rooted" iPhones. Rooting an
| iPhone can be a technically involved operation (one popular
| guide to jailbreaking the iPhone involves 41 distinct steps
| [17]) and one that can take significant time to complete --
| both requirements at odds with the broad, non-technical
| customer base such apps are marketed to. We also focus on
| leading spyware apps as they are the apps that more people
| are exposed to and they are more likely to be innovative (new
| features could potentially bring them more customers).
| scarface74 wrote:
| And you think the Google Play Store (or the App Store) for
| that matter could even know what apps are doing? With iOS,
| the protection comes from its tighter permissions model and
| sandboxing
| kramerger wrote:
| Are those two really significantly different in
| sandboxing and permission model?
|
| Should also point out that neither app store is perfect
| and both have let malicious apps slip through. Thanks to
| the Epic lawsuit we also know that they have tried to
| hide major incidents (as in 500M installs of potential
| malware) from consumers.
| scarface74 wrote:
| Even with someone's iCloud password and physical access to
| your phone, a normal app can't access your phone logs, your
| camera while running in the background, record your screen
| etc, even with an MDM.
| baxtr wrote:
| I don't think it's black and white.
|
| But the two systems are pretty much on opposite ends of the
| spectrum.
| zw123456 wrote:
| Something happened to me the other day, I started drafting a text
| using the regular text messaging app on my android phone, I was
| sending it to a friend, but I got distracted by a call and never
| sent the text. Later I went to finish it and send it but he had
| gone in and put some smart-alec comment in the text of the
| message I was drafting. I was shocked. He refuses to tell me how
| he did it. I went through all the settings, scans, permissions and
| so on. He says he can't do it now but still refuses to tell me
| how he did it. Scary. I wish I could find out what it was he did.
| Any HN'ers have any ideas?
| px43 wrote:
| Option 1:
|
| Sounds to me like physical access is most likely. Your friend,
| or someone who knows them saw the message on your phone because
| you left it unlocked somewhere, and added it that way.
|
| Option 2:
|
| Autocomplete randomly added some weird stuff to your message
| without you noticing it, and your friend took credit for it,
| because that's the kind of friend they are.
|
| Option 3:
|
| Your draft got synced to some other phone or computer that you
| were logged in to that your friend had access to. Maybe you
| logged in on a device that they own or something, or maybe you
| aren't using any sort of MFA and they just guessed your
| password.
|
| Option 4:
|
| Carbon monoxide poisoning :
| https://www.reddit.com/r/legaladvice/comments/34l7vo/ma_post...
|
| If you're interested in narrowing things down a bit, you could
| give more information about exactly which model of phone you
| have, what level of jailbreak that it's in, exactly which
| Android flavor you're running, the patch level of the OS, and
| exactly which text messaging app you're using (different
| carriers and manufacturers ship different default SMS apps).
| Also relevant would be the message you were trying to send, and
| exactly what got injected.
| zw123456 wrote:
| I have a Galaxy S21 5G with Android 13
|
| I also changed my pin because I suspect he saw me entering
| it, but when this occurred he was at the other end of town so
| it would have had to have been some sort of remote access. I
| am thinking maybe phone link, which I had been using with my
| laptop, I disabled that.
|
| It was definitely not autocomplete because he said something
| that only he would have known regarding the message I was
| typing.
|
| He is being kind of a dick about it but I think will probably
| tell me if I push it but I guess part of it is I don't want
| to appear as stupid as I guess I am and want to at least get
| an idea of what it was.
|
| I also turned on face recognition so that people will not see
| me putting in my pin.
|
| I do not think he went through my laptop because it was
| turned off at the time.
|
| It has been making me crazy. I will probably have to buy him
| a bottle of wine or something to get him to confess :)
|
| UI Version 5.1 Android Version 13 Kernel 5.4.219 Android
| Security patch level March 1, 2023
|
| The app is called Messages, it's the default app and it's
| version 14.1.30.19
|
| It was a half typed message, something like this:
|
| I put in: "Hey Dan, are you going to the comedy club Friday "
| but was going to put night and is anyone else going. but took
| a call. then he somehow put in the text area where i was
| typing "yeah, Jan and Steve are going too but you are buying
| me drinks if you want to know how I did this."
|
| So I knew it was him, I never hit send. So, he was in my
| phone I think.
| the_pwner224 wrote:
| Wow, that's very interesting. Please post an update once
| you find out what the attack vector was.
| zw123456 wrote:
| I will, assuming I buy him enough drinks, I am sure I
| will wriggle it out of him. That little F---er.
| enneff wrote:
| You should not buy him anything. You should cut him out of
| your life entirely. This is an egregious trust violation.
| I'd forgive a teenager of such thoughtlessness but if
| they're an adult then they're going to abuse you in other
| ways. They don't care about you.
| zw123456 wrote:
| Good points. Maybe time to say goodbye.
| tcbawo wrote:
| Have you ever logged into messages.google.com?
| zw123456 wrote:
| No, never. HN is pretty much the only social media I use,
| the rest of it is not really my thing.
| tcbawo wrote:
| Maybe this isn't what happened. But I was specifically
| referring to the ability to pair a computer with your
| Android device to send/receive messages without your
| phone: https://messages.google.com/web/authentication
| It's actually quite handy.
| zw123456 wrote:
| Maybe too handy.
| sizzle wrote:
| love this list, especially Option #4 that is not on
| everyone's radar but a very real issue clouding people's
| judgement.
| zw123456 wrote:
| I am pretty sure I would not have written "Hey buy me
| drinks to see how I did this." even if I was CO
| intoxicated, that seems pretty unlikely.
| teekert wrote:
| First: What is smart-Alec? Second: Does not sound like a friend
| to me.
| zw123456 wrote:
| smart-alec is a smart ass, I was trying to keep it clean.
|
| agree, he is being a dick.
| asciii wrote:
| I would just avoid charging your phone at your friend's place
| or clicking his links.
| robin_reala wrote:
| Hate to say it, but he doesn't sound like much of a friend if
| he's owned your phone and refuses to elaborate on how.
| zw123456 wrote:
| I think he will fess up eventually, but is sort of being a
| dick about it for sure.
|
| I was hoping HN could give me ideas, but now he will probably
| read this on HN and then really give me a hard time about it.
| BiteCode_dev wrote:
| Instead of freaking out about it, it would be more fun to
| do a similar joke to him. What's fair is fair.
| zw123456 wrote:
| Yeah, I sure want to, especially on April 1st. Maybe I
| should do an Ask HN, how do I get back at my dickhead
| friend on April fools day :)
| BiteCode_dev wrote:
| Sounds like a good joke to be on either side of to me. No
| harm done.
| jabroni_salad wrote:
| to me this is an unacceptable boundary to cross. I would
| never be able to trust someone that does that.
| zw123456 wrote:
| Yeah, I sort of feel that way too but maybe it's also a
| good lesson learned.
| enneff wrote:
| What's the lesson here? That software is insecure? Or
| that you shouldn't trust your friends? Sad.
| zw123456 wrote:
| All of the above, plus, maybe, don't let people see you
| put in your pin. Don't take security for granted. Be
| careful. I guess the lesson I learned is you need to pay
| attention to security.
| BiteCode_dev wrote:
| Is it because the phone is very intimate to you, or
| because of the implications?
| sizzle wrote:
| Because they could be viewing all their private
| communication/media on their device and that causes a lot
| of anxiety because they won't confirm or deny if they have
| access.
| zw123456 wrote:
| Ugh, yeah, if this was not someone I know, the pictures,
| yikes!
| amelius wrote:
| It's basically the equivalent of someone in the 80s
| tapping your phone line.
| BiteCode_dev wrote:
| Rather someone in the 80s changing the numbers in your
| phone book so that you dial a wrong number.
| f0e4c2f7 wrote:
| Type the message you sent again into a random text message
| window and see if it changes to the smart alec comment again.
|
| My guess is that at an earlier time he had access to your phone
| unlocked (when you stepped away perhaps) and changed the
| autocorrect for a common word or phrase to be something else as
| a prank.
| NextHendrix wrote:
| He might've paired a Bluetooth keyboard to your phone at some
| point.
| zw123456 wrote:
| Hmmm, could be, but at the time it happened he was on the
| other end of town. But I wonder if, while we were in close
| proximity, he could have connected a BT device somehow and
| planted something.
| davchana wrote:
| Do you mean your friend edited your draft SMS? Did he have
| physical access to your phone? Are you using the stock Android app
| or anything special? What make and model is your phone?
|
| By definition he should not see "your" draft on "his" phone.
| zw123456 wrote:
| I have a Galaxy S21 5G with Android 13
| [deleted]
| jtbayly wrote:
| Were the two of you ever in physical proximity?
| zw123456 wrote:
| Yeah, I replied in the thread earlier, I suspect he saw me
| put my pin in. But at the time it happened he was on the
| other side of town.
| sasas wrote:
| TLDR; purchase a device that pairs with your phone, follow a
| hunch that it's doing a lot more than what it advertises it does.
|
| A week ago I purchased a Bluetooth device that takes some
| measurements. You require an Android or iOS application. The
| first thing the iOS app did was request permission for your
| location. Immediately fired up MITMproxy [1] running in transparent
| `--mode wireguard` and installed its certificate in the iOS
| trust store. It was sending a whole bunch of data to China and
| HK. Since I don't have a jailbroken iPhone, it's off to Android.
|
| For BLE scanning, Android does require permissions for location,
| but this application is using a Chinese branded tracking SDK and
| sending encrypted blobs (within already encrypted TLS). So it's
| time to start reversing and instrumenting the runtime.
|
| Well - not so easy, they used a commercial packer that encrypts
| their compiled bytecode and decrypts and I think executes it
| within a C++ library that might be an actual interpreter. I managed
| to pull the Dalvik bytecode out of memory using Frida [2] after
| the packer had decrypted the base application and converted it to
| Java bytecode with dex2jar [3] then into decompiled Java with jadx
| [4].
|
| Since the developer relied on the packer to hide/obfuscate their
| software, it's quite easy to follow the deobfuscated code. The
| libraries that do the location tracking on the other hand are
| obfuscated so now I'm at the stage of identifying where to hook
| before the encrypted blobs are sent to servers in China.
|
| Here it would be nice to have a call flow graph generated based
| on the static decompiled Java code - can anyone recommend
| anything?
|
| I've sunk about 8 hours into this so far. The message here is
| that to understand what some applications on your phone do you
| need to really invest time and effort. The developers increase
| the cost to the consumer to know what their application is doing
| by obfuscation, encryption and packing. It's asymmetric. Also
| note: the Play Store and Apple store state the app does not send
| data, which is demonstrably false.
|
| I can also see that the tracking SDK has what looks like
| functionality to dynamically invoke code - which would break the
| terms and conditions of the app stores.
|
| At some point I will reimplement its primary BLE functionality
| and release it as open source to the public and perhaps write a
| blog post.
|
| [1] https://mitmproxy.org/posts/wireguard-mode/
|
| [2] https://frida.re/docs/android/
|
| [3] https://github.com/pxb1988/dex2jar
|
| [4] https://github.com/skylot/jadx
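
Added example (not part of sasas's post, and not code from Frida, dex2jar or jadx): once a region of process memory has been dumped to a file, unpacked DEX images can be located by their header and sanity-checked before being handed to a decompiler. It assumes the classic 0x70-byte DEX header (format versions 035 to 039); the function names and the sample dump are constructed for illustration.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70            # classic header size (assumption: versions 035-039)
ENDIAN_CONSTANT = 0x12345678  # little-endian tag stored at header offset 40


def build_sample_dex(payload: bytes) -> bytes:
    """Constructed test input: a minimal image with consistent size and checksums."""
    file_size = HEADER_SIZE + len(payload)
    tail = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\x00" * (HEADER_SIZE - 32 - len(tail)) + payload
    signature = hashlib.sha1(tail).digest()    # SHA-1 covers offset 32..end
    checksum = zlib.adler32(signature + tail)  # Adler-32 covers offset 12..end
    return DEX_MAGIC + b"035\x00" + struct.pack("<I", checksum) + signature + tail


def carve_dex(dump: bytes):
    """Return (offset, image, checksum_ok) for every plausible DEX header in dump."""
    found, pos = [], dump.find(DEX_MAGIC)
    while pos != -1:
        header = dump[pos:pos + HEADER_SIZE]
        if len(header) == HEADER_SIZE and header[4:7].isdigit() and header[7] == 0:
            checksum, = struct.unpack_from("<I", header, 8)
            file_size, header_size, endian = struct.unpack_from("<III", header, 32)
            in_bounds = HEADER_SIZE <= file_size <= len(dump) - pos
            if header_size == HEADER_SIZE and endian == ENDIAN_CONSTANT and in_bounds:
                image = dump[pos:pos + file_size]
                ok = zlib.adler32(image[12:]) == checksum  # False if bytes were altered
                found.append((pos, image, ok))
        pos = dump.find(DEX_MAGIC, pos + 1)
    return found


# Constructed sample "memory dump": junk, a valid image, a decoy magic, a tampered image.
_good = build_sample_dex(b"constructed-payload-A")
_bad = bytearray(build_sample_dex(b"constructed-payload-B"))
_bad[-1] ^= 0xFF
SAMPLE_DUMP = b"\x00" * 37 + _good + b"dex\n035\x00" + b"\xff" * 120 + bytes(_bad) + b"tail"

if __name__ == "__main__":
    for offset, image, ok in carve_dex(SAMPLE_DUMP):
        print(f"offset={offset:#x} size={len(image)} adler32_ok={ok}")
```

A failed checksum does not mean the image is useless: it shows the bytes in memory differ from what the header describes, which is worth noting before trusting the decompiled output.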
| gabanutrition wrote:
| This topic is intriguing. Could you please provide more
| information about the device and application? I'd appreciate
| the opportunity to examine them more thoroughly.
| sasas wrote:
| Sure! feel free to reach out direct; contact details in my
| profile.
| charcircuit wrote:
| >They collect a range of sensitive information such as location,
| texts and calls, as well as audio and video.
|
| This sentence ruins the credibility of the article because
| Android doesn't let you do this. The camera, microphone, can only
| be used when an app is in the foreground. For location data being
| tracked in the background it will have a persistent notification
| telling the user that an app has your location. For an app to
| read your call log or SMSs it has to be set as the phone's
| default phone or SMS app.
|
| This combined with Android's reminders to review the permissions
| for apps that have dangerous permissions and Play Protect which
| can detect and remove spyware, this article is giving Android much
| less credit than it deserves.
| sdiq wrote:
| For one to use WhatsApp to make calls, for example, one would
| need to provide it with permission to view the call logs
| without making WhatsApp the default app for calling.
| tptacek wrote:
| There's a whole section in the paper (3.3) about how they
| accomplished this.
|
| For example, with respect to the camera, they documented a
| "standard" way to abuse Android APIs to do it (create a
| Preview, which unlocks the camera, but hide it in a 1x1 or
| transparent element), and two "new" ones --- raw frame access
| with `SurfaceTexture`, and creating a 1x1 WebView.
|
| When you see articles like these at university sites, they're
| virtually always announcing a paper that got accepted
| somewhere, and you need to read the paper and ignore the press
| release.
| bbarnett wrote:
| Doesn't overlay do the same?
| charcircuit wrote:
| Do you mean having a persistent notification? Yes, it does.
| uoaei wrote:
| > The camera, microphone, can only be used when an app is in
| the foreground.
|
| This is not true. This may be partially true on the latest
| Android, but you can still set permissions to use e.g. GPS all
| the time, for things like weather or GPX recording apps.
|
| But it's also important to remember that the vast majority
| (easily 90%) of devices out there are running EoL'd Android
| versions, never mind Android 12 and 13.
| charcircuit wrote:
| >you can still set permissions to use e.g. GPS all the time
|
| It requires you to manually go into the settings to grant
| this permission. And as I mentioned it has a persistent
| notification. This is a part of Android 11.
|
| >But it's also important to remember that the vast majority
| (easily 90%) of devices out there are running EoL'd Android
| versions
|
| This is unfortunate. If you want to have a secure device it's
| important to be using one which is still supported and is
| getting security updates. Else if a vulnerability exists an
| attacker can install spyware by using the vulnerability
| despite Android's security model.
| uoaei wrote:
| For many it is not a choice. See: large swaths of Asia and
| Africa, who largely only have access to second-hand or
| scrapped phones.
|
| All I'm saying really is, please try to know more about the
| world outside of your immediate experience.
| mcsniff wrote:
| Ctrl-F "Graphene". Nobody has mentioned GrapheneOS.
|
| GrapheneOS and a Pixel phone are about as private and secure as
| you can get whilst maintaining good usability of a smartphone in
| 2023.
|
| Highly recommended, no affiliation.
| okamiueru wrote:
| How does it compare to CalyxOS?
___________________________________________________________________
(page generated 2023-03-15 23:01 UTC)