by codedokode 3498 days ago
I have a Chinese Android phone. Instead of connecting it to the Internet I connected it to my computer over Bluetooth and started monitoring the traffic it tried to send. There were attempts to connect to Google servers and the Chinese manufacturer's servers. The data sent to China was supposed to contain sensitive information like phone number or SIM card identifier.

It also has an auto-update (read: backdoor) feature that cannot be disabled.

I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.

As a consumer I am very disappointed and feel being deceived by Google. I know about "you are the product" saying but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that a smartphone is going to spy on me.

We need a law against this.

7 comments

"And I can use it only at home."

In other words you can use it only on a network you control.

In other words, at home you can use your own router; you can set the gateway as a computer that you control.

Correct?

What if you had a portable gateway, one that could travel with you?

We now have Apple devices, Google/Android devices, Microsoft devices, and the majority of apps all phoning home. It is routine. No one cares. Right.

We may not be able to run the latest device purchased from major retail sources using open source, user-installed OS (UNIX).

But what we can do with UNIX is build our own routers from inexpensive hardware, including older hardware, and use these as our gateways.

To do this, no one needs Apple, Google or Microsoft's assistance. We have what we need.

It is easy to do at home, but what I would like to see is more travel-sized routers which can be driven by user chosen and user installed bootloader and user chosen UNIX-like kernel.

The aim with these efforts is control, not impressive hardware specs.

Proprietary hardware and locked bootloaders will always have the most impressive hardware specs on their side.

But to get those things, the user has to sacrifice some control.

> In other words, at home you can use your own router; you can set the gateway as a computer that you control.

Yes.

> What if you had a portable gateway, one that could travel with you?

I can rent a VPS and connect through it using "Always-on VPN" option (I did it once and it worked). But then I have to pay for a server monthly in addition to the mobile plan. It is not that expensive but I would prefer just having access to iptables and being able to install my firewall on a phone.

I might be wrong but on Windows you can at least install a firewall. At least you could on earlier versions.

> I can rent a VPS and connect through it using "Always-on VPN" option...

Still though, you have to worry that the hosting provider is taking adequate measures to protect your data, as well as also not secretly spying on you. I've worked with enough hosting sysops making trivial errors with their OVZ/KVM setups to realize that some VPS providers are about as secure and resilient as a power grid made from discarded toasters with forks shoved in them.

The OP, instead of doing all these, could get another phone supported by AOSP or CyanogenMod ROMs.

> As a consumer I am very disappointed and feel being deceived by Google.

Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?

And Google advertises Android as free, open source, Linux-based OS. "open" is supposed to mean I can do whatever I want with it but in fact I cannot even access the iptables.
Jailbreak a phone and you can surely do whatever you want on it. Other than that it's not Google's fault how a manufacturer customizes the software.
If it is an Android phone with Google Play store then it is definitely Google's fault. Maybe Google should stop manufacturers from installing Android on their phones when they are doing things like this.

You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible and in return they get more advertising dollars.

The phone has Google Services including Play Store (which I never used because it needs a Google Account, so I download software either from F-droid or from apkpure). But I don't know if it is licensed. It is a noname Chinese manufacturer that probably doesn't care much about American copyright (and GPL too because I could not find any links to Linux kernel source code at their website).

> You want me to tell you why Google won't do anything, because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible

Google could allow controlling firewall on Android (and getting root access). The only reason they don't do it is because then users will be able to block tracking and advertisement.

> If it is an Android phone with Google Play store then it is definitely Google's fault. Maybe Google should stop manufacturers from installing Android on their phones when they are doing things like this.

If it's GMS Certified, sure.

It's possible (common even) for some shady OEMs to install Google Play Store, despite not being GMS certified. Asking them to prevent that is a lot like demanding a stop to all software piracy.

> because Google doesn't give a crap about what manufacturers do as long as they keep installing Android on as many phones as possible and in return they get more advertising dollars.

And why exactly is that bad?

Because Google has no incentive to fix the issue.
"Open" means the re-distributor can do whatever they want with it, as long as they pass along the source under the same license. Software licenses with strings attached like "you must let end-users access the iptables" are emphatically nonfree.
Actually, licenses like the GPLv3 have been actively trying to prevent this in certain cases [1]

[1]: https://en.wikipedia.org/wiki/Tivoization

Upvoting because you are absolutely 100% correct (and because I'm trying to help prevent HN from becoming more like Reddit where everyone "downvotes to oblivion" statements they don't like).
Google could provide easy ways to control Internet traffic and to gain root access. For example, they could grant access to builtin Linux iptables which doesn't cost anything to implement. And Google is easier to influence than a noname Chinese company.

Or they could not sell Android licenses to companies not respecting consumers' privacy.

Even if I got refunded, what would I buy instead? Free market doesn't work here and all major manufacturers have some form of tracking and preinstalled software built in. It looks like the only way is to buy a backdoored proprietary device and replace a ROM (and then solve all kinds of problems with hardware not working properly or battery getting drained).

> Google could provide easy ways to control Internet traffic and to gain root access. For example, they could grant access to builtin linux iptables which doesn't cost anything to implement. And Google is easier to influence than noname chinese company.

And the manufacturer could simply unroot the phone and lock its bootloader. At the end of the day it's the phone manufacturer that controls the product, even if Google tries to prohibit such practices in its contracts.

My phone has an option to unlock a bootloader. But it would take time to find or build a custom ROM and install it and solve all kinds of problems with drivers and hardware.

And generally it is a pretty decent model. It sends some data home but at least it doesn't have preinstalled adware like another Chinese tablet I saw (that displays an ad over browser window and tries to disguise it as a part of a web page).

Then do not buy such hardware. Do your homework or search or ask xda before buying a phone/tablet. Or just get a Nexus or see CopperheadOS.

> Instead of connecting it to the Internet I connected it to my computer over Bluetooth and started monitoring the traffic it tried to send

How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).

Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.

> I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.

A VPN with a firewall might be easier.

I imagine you just turn cellular off and only use Wi-Fi or LTE. A lot of these backdoors are poorly constructed and wouldn't check to see if they're on a cellular connection.
I used a Windows laptop with Bluetooth and a Linux machine in VirtualBox (that also provides a virtual internal network). I physically disconnected the laptop from the Internet and used the standard Windows "share Internet connection" feature to "share" the virtual network via Bluetooth. So Windows thought that the Linux VM is an Internet gateway and provided DHCP service to the Bluetooth network. The phone connected via Bluetooth, got an IP address and all its traffic was redirected to the virtual machine by Windows. Once you get traffic to go to a Linux machine everything gets easy (if your host OS is Linux you could skip some steps and obviously you don't need VirtualBox).

I used Wireshark on Windows to check that everything is set up correctly and to see what kind of requests the phone makes.

You can use WiFi instead of Bluetooth the same way. You only need to use the "hotspot" option and provide DHCP to the phone and set your Linux machine as a gateway. Probably you can do that with a router too, for example if you connect its WAN port to your Linux machine or set up traffic redirection.

On Linux I redirected traffic from the phone to localhost with ports 53 (DNS), 80/443 (HTTP) and rejected any other traffic (there were some requests to time servers, that were sent by the DRM component of Android). I also ran a DNS server (dnsmasq) and Squid HTTP proxy that can process redirected traffic (Squid can also generate certificates to decrypt HTTPS traffic which was very useful though it took some time to find correct settings). I set up dnsmasq and Squid to serve requests based on white and black lists.

After I did some tests I found another, easier way to capture traffic from an Android phone. Android has a useful "Always-on VPN" feature that sends all traffic through a specified host (and doesn't allow any network access until the VPN connection is set up). You only need to set up IPsec on a Linux box (I used strongSwan). I used the "Always-on VPN" feature to redirect traffic to my VPS while using a mobile internet connection.

> Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage?

I physically disconnected the laptop from the Internet and monitored the traffic on the Bluetooth interface with Wireshark. The phone did not have a SIM card inside so it could not connect to a mobile network.

> For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.

This can be detected using my setup. But if software is programmed to send some data only via mobile network and not via WiFi/Bluetooth then it is more difficult to detect. You would need to set up a fake BTS (using OpenBTS for example) to capture that traffic. You would need special (not very expensive) SDR hardware in this case.

> A VPN with a firewall might be easier.

I ended up with the same idea. I even wrote a simple PHP app to manage black and white lists and view logs.
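
The gateway filtering described in the comment above (redirect DNS and HTTP/HTTPS from the phone to local services, reject everything else, resolve only allowlisted names), as an added example that is not part of the original thread or the commenter's own configuration. The interface name, proxy ports, upstream resolver address and host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): prints an iptables-restore ruleset and a
# dnsmasq allowlist for a gateway that a phone is attached to. Nothing is applied.
# Assumed values: interface name, proxy ports, resolver address, host names.
PHONE_IF="${PHONE_IF:-bnep0}"   # interface facing the phone (assumed name)
HTTP_PROXY_PORT=3129            # local intercepting proxy for HTTP (assumed)
HTTPS_PROXY_PORT=3130           # local intercepting proxy for HTTPS (assumed)

# Redirect DNS/HTTP/HTTPS arriving from the phone to local services and reject
# the rest. Loading this with iptables-restore replaces the nat and filter tables.
gen_iptables() {
    ifc="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $ifc -p udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $ifc -p tcp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i $ifc -p tcp --dport 80 -j REDIRECT --to-ports $HTTP_PROXY_PORT
-A PREROUTING -i $ifc -p tcp --dport 443 -j REDIRECT --to-ports $HTTPS_PROXY_PORT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i $ifc -p udp --dport 53 -j ACCEPT
-A INPUT -i $ifc -p tcp -m multiport --dports 53,$HTTP_PROXY_PORT,$HTTPS_PROXY_PORT -j ACCEPT
-A INPUT -i $ifc -j REJECT
-A FORWARD -i $ifc -j REJECT
COMMIT
EOF
}

# dnsmasq allowlist: with no-resolv, only names covered by a server= line have
# an upstream; every other query is refused and appears in the query log.
gen_dnsmasq() {
    upstream="$1"; shift
    printf 'no-resolv\nlog-queries\n'
    for host in "$@"; do
        printf 'server=/%s/%s\n' "$host" "$upstream"
    done
}

# Review the output first; to apply as root: gen_iptables "$PHONE_IF" | iptables-restore
gen_iptables "$PHONE_IF"
gen_dnsmasq 192.0.2.53 f-droid.org example.org   # constructed sample allowlist
```

If the Linux box itself hands out DHCP leases to the phone, an extra INPUT rule for UDP port 67 is needed before the REJECT line; in the setup described above Windows provided DHCP.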

Thanks for such a helpful and detailed response; I really appreciate it and I bet I'm not the only one.
Where did you buy that phone from and what brand was it?

I was under the impression that the US does not allow selling of Android phones from most Chinese brands due to the reasons you mentioned, and for those that are allowed, they have strict vetting procedures to prevent phones with such capabilities from reaching the US market?

The manufacturer's name is Shenzhen Huafurui Technology if it tells you anything. The brand name is Cubot. I do not live in US but one can buy such kind of phone on Amazon (if you search manufacturer's name there you can find it is even cheaper now).

It is good to hear that in some countries importing such phones is not allowed.

Is there any real difference between buying on Amazon with a non-major brand and buying at Alibaba?

Seems like for items that involve things you care about (kids, your personal data), you take your chances buying from a vendor who might be a fly-by-night and in a jurisdiction that doesn't care about your local country's laws.

Did you search the web to see if there is a clean AOSP or CyanogenMod recompilable ROM before buying?
Sorry to hear your experience. Next time you'd be better off buying from a more established brand if you are going to buy a phone of a Chinese brand. Chances are, if they are officially selling outside China, they would have met some of the requirements from the respective countries. I know Europe and the US have strict privacy laws and that's why you can't buy such phones through official channels.
Unless you've purchased phones from all the "more established" brands and verified whether they're sending data, this is hardly sound advice.

"More established" brands have a history of leaving secret backdoors and phoning home just the same as the Chinese devices.

One was discovered in a range of Samsung devices just a couple years ago. Lenovo, same story, spyware and garbage hidden deep within their gadgets.

The only solution is to take a chance, buy a device, test it. If it's backdoored, return it if you can, and call them out on HN/Amazon reviews, etc.

That seems rather pessimistic. If you really don't trust any brands, what's wrong with directly buying from the tech companies instead of the manufacturers? Like Google Nexus (Pixel), Microsoft Windows Phone and iPhone. They are supposed to be the industrial standards for how to do privacy correctly.
When a simple Google search reveals the exact pattern mentioned occurring again and again, not just with phones but with networking gear, laptops, TV's, IoT devices, CDs (Sony rootkit anyone?), and websites loaded to the max with trackers and secret downloads onto people's machines, it moves from pessimism to "this is just how it works."

The price of freedom is eternal vigilance. You want crap free gadgets, make them sell crap free gadgets by ratting them out when they sell gadgets loaded with crap.

What standards are you talking about? I don't know of any. AFAIK, the standard is to monitor users and collect as much data on them as possible. The whole Internet runs on that model.
Even if I bought a Samsung (that is established brand, isn't it) or Apple phone I still would have to trust the manufacturer that it would not spy on me even if requested by NSA. I know that Samsung adds additional software into Android, they might have some kind of analytics too.
Have you not heard of OnePlus?
Yes, I know. I mean most brands, notably ZTE and Huawei. I am sure OnePlus is an exception here and does not fall into the category of phones with such capabilities otherwise it would have faced similar destinies as ZTE and Huawei. Anyway, I edited my comment to reflect that.
Is OnePlus a good phone? Been wanting an Android phone but can't seem to settle on one
Yes. I replaced my Nexus6 with a OnePlus3 ($400) because paying the Pixel's price ($950) would have made me feel like a sucker. The screen is excellent, and there is a wide variety of ROMs to choose from.
Where on earth did you get that impression?
Are there any consumer protection laws that would help here, for example, to obtain a full refund if it is proven that a manufacturer and retailer sold you a product full of spyware?
I am not a lawyer. Usually consumer protection laws protect only from not providing advertised features. There might be something related to privacy laws but I am not sure how they work internationally.
I'm not sure what device you have, but there is a better than even chance that simply changing your rom will remove the spyware.
I am considering this but it would take time to find and configure all necessary drivers and build the ROM.
You feel deceived by Google for buying a cheap Chinese made phone? What other things do you feel deceived by Google? Buying a car from Ford that always breaks down?
Google is developing software for cars so maybe soon it will be inside Ford cars too. Of course with Google Analytics preinstalled.