Google’s latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews…

… “The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said…

You are viewing a single thread.
View all comments View context
8 points

I like calyx, might try graphene some day. But I absolutely won’t run Google’s play services ala graphene. It’s sandboxed, supposedly, but why run it at all?

Calyx uses microG, a much smaller, fully open source emulator of Google’s services.

permalink
report
parent
reply

but why run it at all?

Because it is unfortunately required by some apps. microG is not a viable alternative, as it requires root access on the device, which drastically reduces the security. It also has worse compatibility than Sandboxed Play services, and doesn’t offer much of a benefit. It still downloads and executes proprietary Google blobs in the background in order to function. Apps that require Google services also include a proprietary Google library, making microG essentially useless. It’s an open source layer that sits between a proprietary library and a proprietary network service, using proprietary binaries and requiring root access. You gain absolutely nothing from using it, and significantly increases the attack surface of your device.

fully open source emulator

This is simply false, as I explained, only a tiny bit of what microG requires to function is open source

You’re far better off using Sandboxed Play services on GrapheneOS

permalink
report
parent
reply
1 point

Dude I’m looking at the source code, there’s only a binary downloaded for enabling Safety net. Why are you making false statements?

permalink
report
parent
reply
4 points

@RubberElectrons @multi_regime_enjoyer its not actually fully open source, it uses a lot of closed-source libraries, and its not as battle-tested as google’s official one so there really isn’t a reason to use it

permalink
report
parent
reply
4 points
*

Just about all of your identifying data is stripped out by the framework before interacting with Google at all: https://github.com/microg/GmsCore/wiki/Google-Network-Connections

That alone makes it an important tool. I’m not too worried about memory exploits as I don’t really install apps, but it’s an important feature in graphene’s toolkit.

For most people who want an Android alternative that’s open source but don’t have time to fiddle with it, calyxOS seems like a good solution. It just works out of the box.

permalink
report
parent
reply

Just about all of your identifying data is stripped out by the framework before interacting with Google at all

For all of them, we strip device identifier (MAC addresses, IMEI, etc)

This is literally nothing special, as all user-installed apps are denied access to identifiers like the IMEI and MAC address since Android 10. Since GrapheneOS isolates Play services in the Android application sandbox, they don’t have access to any of these identifiers either.

I’m not too worried about memory exploits as I don’t really install apps

That’s not how memory corruption exploits work. These can occur anywhere in the system, and just need to be triggered by an attacker. This doesn’t require you to install an app, receiving a rogue message might for example be enough to exploit a memory vulnerability in the SMS app. Visiting a rogue website, which loads malicious JavaScript can be enough to trigger a memory corruption vulnerability in the Chromium WebView. That’s why GrapheneOS doesn’t just use hardened_malloc, but it also disables the JavaScript JIT compiler in Vanadium by default, and offers a toggle in the settings to disallow JavaScript JIT compilation in all apps making use of the system WebView component.

permalink
report
parent
reply

DeGoogle Yourself

!degoogle@lemmy.ml

Create post

A community for those that would like to get away from Google.

Here you may post anything related to DeGoogling, why we should do it or good software alternatives!

Rules

  1. Be respectful even in disagreement

  2. No advertising unless it is very relevent and justified. Do not do this excessively.

  3. No low value posts / memes. We or you need to learn, or discuss something.

Related communities

!privacyguides@lemmy.one !privacy@lemmy.ml !privatelife@lemmy.ml !linuxphones@lemmy.ml !fossdroid@social.fossware.space !fdroid@lemmy.ml

Community stats

  • 377

    Monthly active users

  • 153

    Posts

  • 1.3K

    Comments