Googleās latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.
Cybernews researchers analyzed the new Pixel 9 Pro XL smartphoneās web traffic, focusing on what a new smartphone sends to Google.
āEvery 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,ā said Aras Nazarovas, a security researcher at Cybernewsā¦
ā¦ āThe amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,ā Nazarovas saidā¦
@RubberElectrons @multi_regime_enjoyer its not actually fully open source, it uses a lot of closed-source libraries, and its not as battle-tested as googleās official one so there really isnāt a reason to use it
Just about all of your identifying data is stripped out by the framework before interacting with Google at all: https://github.com/microg/GmsCore/wiki/Google-Network-Connections
That alone makes it an important tool. Iām not too worried about memory exploits as I donāt really install apps, but itās an important feature in grapheneās toolkit.
For most people who want an Android alternative thatās open source but donāt have time to fiddle with it, calyxOS seems like a good solution. It just works out of the box.
Just about all of your identifying data is stripped out by the framework before interacting with Google at all
For all of them, we strip device identifier (MAC addresses, IMEI, etc)
This is literally nothing special, as all user-installed apps are denied access to identifiers like the IMEI and MAC address since Android 10. Since GrapheneOS isolates Play services in the Android application sandbox, they donāt have access to any of these identifiers either.
Iām not too worried about memory exploits as I donāt really install apps
Thatās not how memory corruption exploits work. These can occur anywhere in the system, and just need to be triggered by an attacker. This doesnāt require you to install an app, receiving a rogue message might for example be enough to exploit a memory vulnerability in the SMS app. Visiting a rogue website, which loads malicious JavaScript can be enough to trigger a memory corruption vulnerability in the Chromium WebView. Thatās why GrapheneOS doesnāt just use hardened_malloc, but it also disables the JavaScript JIT compiler in Vanadium by default, and offers a toggle in the settings to disallow JavaScript JIT compilation in all apps making use of the system WebView component.
Very nice. Can I use the much smaller codebase of microG instead of Googleās? Even you do not know how Play Services actually works, and thatās a problem.
Further, a memory exploit that leads to compromise would need a chain of privilege escalation. Thereās a lot in the way of making that trivial even on stock Android. And you know what helps reduce risk of exploit? Smaller codebases.