*700 million android devices at risk*

[SolApathy]

A disturbing look into the future as tech takes over our lives. We are trusting that manufacturers and software vendors have our best interests in mind... All too often that is not the case.

Remember the old saying - Trust but verify. We will update this post as needed.

More than 700 million devices at risk..What exactly are they doing with our text messages?


Here is ADUPS reply "assuring " us all is well, pay no attention to the man behind the curtain....

 

[codesplice]

More details straight from the horse's mouth:
http://www.kryptowire.com/adups_security_analysis.html

Important take-aways:
• The only affected devices in the US are from BLU, and BLU has already proactively disabled the data collection/reporting "features" that were bundled with their updating framework.
• All you really need to do if you're concerned is look for system apps with "adups" in the package name ("com.adups.fota.sysoper" and "com.adups.fota" per the Kryptowire report).

It's hella sketchy, sure, but given BLU's market share in the US I don't think it's something to panic over.

 

[SolApathy]

It's other devices that have the code as well, not just phones... And if you think that is the only hidden software... I think this will become more and more common unfortunately.

There need to be serious criminal consequences for this type of stuff. Right now most of it's limited to bad PR (which their PR firms spin into some innocent data mining) that was in no way intentional...Mhm.... Our laws are in serious need of updating, especially on the digital front. It is becoming harder and harder to protect "personal" data.

There is absolutely no excuse for any company to have access to my texts, photos, call information, contacts, etc without my express permission. While "legitimate" apps ask for these permissions it is all too often that pre installed apps have permissions granted before we even have our devices in hand. This needs to change.


Companies keep saying it's for a "better experience" - I call (insert special comment here) on any company that uses that tag line as reasoning to invade our privacy without our express knowledge. I could go on and on about this, but the bottom line is that our privacy is under full attack under the guise of "better social integration".


We need to fight back before we start texting our wives -Hey can you get some milk and a pop-in message say -Hey there is a special buy 1 get one free deal at Kroger.... <--While that sounds cool, it will be just the beginning...

 

[codesplice]

Taylor Wimberly shared a post last night about how this is in fact a systemic issue with low-margin unlocked devices:
https://medium.com/@wimbet/no-one-c...nlocked-android-phone-cd8ad4aae4c5#.k1zd8a8cw

In short, companies are able to sell millions of devices without "wasting" money on doing security checks or even issuing regular updates, so there's no real incentive for them to do so - particularly when they may sell devices for extremely low profit margins.

It kind of goes back to a topic we've discussed before...

 

[El Presidente]

Taylor Wimberly shared a post last night about how this is in fact a systemic issue with low-margin unlocked devices:
https://medium.com/@wimbet/no-one-c...nlocked-android-phone-cd8ad4aae4c5#.k1zd8a8cw

From the article -

To put it simply, Google’s CTS can’t detect vulnerabilities it doesn’t know about. Apparently Mediatek is a repeat offender when it comes to evading Google’s CTS tests, and some in the computer security industry have called them the worst chipset vendor when it comes to security measures.

Pretty much why, no matter how fast or power efficient they get, I will never buy a device with a mediatek chipset

 

[AZgl1500]

hmmm, something to keep in the memory banks for the next purchase.

Just did a Google search on 3 words, mediatek chipset security

the results that came back are scary...

 

[SolApathy]

Like I said, unless there is potential criminal liability they will just keep doing it.

 

[zuben el genub]

Blu does put out some very good-looking cell phones which can also be bought unlocked.
Amazon is full of them. Best Buy has them. TMO might have one.

They were the only company I saw mentioned.

Alcatel is another supplier of budget phones - what do they use?

How about the companies that supply the pay as you go crowd like Go Phone? Some phones from major makers are low cost. What chipset do they use?

 

[El Presidente]

https://www.xda-developers.com/report-android-phones-transmit-data-to-adups-a-chinese-firm/

It was never on any ZTE device sold in the US apparently...

 

[Thom]

It seems to me that BLU should be held accountable for this one.

There is an even bigger problem. Software developers are creating apps that extract private information. The app comes with a privacy statement that you must agree to before using the app. Almost none reads it.

Play Store ought to have a category of "Use At Your Own Risk". Apps like Clean Master (and everything else form Cheetah Mobile) would be listed there due to their data sharing issues.

A developer would have to include their app in this group when they submitted it to Play Store.

If it was later found that a developer did not identify the risk in this way then they would be barred from Play Store.

So ... you want to use Clean Master ... go right ahead ... and you ignore the flag showing the risk ... what the hell ... it's your foot ... pull the trigger.

... Thom

 

[AZgl1500]

Here is another release on the subject:

good to note which phones to never buy again.

http://arstechnica.com/security/201...und-preinstalled-on-3-million-android-phones/