Google’s latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.
Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.
“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews…
… “The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said…
You can’t say no to Google’s surveillance
Yes you can: https://grapheneos.org/
I will never understand buying a google phone just to deGoogle it. why would you give them money.
I’ve seen the reasoning, I just …
Because I want a secure phone with relatively good specs, relatively good design, battery life and camera quality. And because it is one of the very few devices with a user-unlockable and re-lockable bootloader.
@averyminya @Andromxda grapheneos is SOTA of android security, and it only supports pixels, thats why
Right, like I said I’ve seen the reasoning. It just seems like giving money to the very company you’re all trying to avoid, which in turn is just funding for Google to be more invasive.
@averyminya bought it secondhand, problem solved
Playing them for hardware only is different from paying for hardware and then providing all your personal information 24/7 to them.
GrapheneOS
Do they have passkeys yet
Edit: passkeys support. Last year when I checked they didn’t support pass keys yet.
What does that even mean? It’s not the function of an OS to have passkeys.
Grapheneos didn’t support pass keys last year when I checked, so you couldn’t use them at all. There was some APIs broken/missing between the OS to browser comms so you couldn’t use 3rd party apps for pass keys, like proton or bit warden. I have been actively experimenting and adopting passkeys and didn’t want to revert. It sounds like there is support now though, so I will give it a try soon.
I’m not sure because I’m on a OnePlus device running a lineage OS.
What’s surprising about their stock ROM having tracking and phoning home? Use Grapheneos.
You still have to trust their black box Titan security chip that’s only in Pixels, that they pinky promised to open source but never did.
You will have to inevitably trust someone somewhere for every phone, unfortunately. At least the Titan has been tested in the real world, and it’s not like it’s phoning home on it’s own or anything.
Who truly owns the device is a question that has been answered ever since Android came into being.
Ask yourself: do you have root access to YOUR phone? No you don’t: Google does.
It’s the so-called “Android security model”, which posits that the users are too dumb to take care of themselves, so Google unilaterally decides to administer their phone on their behalf without asking permission.
Which of course has nothing to do with saving the users from their own supposed stupidity and everything to do with controlling other people’s private property to exfiltrate and monetize their data.
How this is even legal has been beyond me for 15 years.
Weirdly, Pixels are actually the best Android phones for installing custom ROMs, at least out of the major manufacturers. So for me, there isn’t another choice, because I can finance a Pixel, and I can’t finance a Fairphone or something.
GrapheneOS is really the furthest away from Google you can get on an Android phone and it’s mainly developed for Pixel.
Please read the many write-ups by developers of well regarded privacy and security ROMs, such as grapheneOS and divestOS.
Who detail in great length why root access is a bad idea, and why many apps that require root access, are just poorly developed security nightmares.
That said, I agree that it should be an option, or at least a standardized means of enabling it. As well as all bootloaders should be unlockable. But phones are more personal devices than the PC ever was, and there are good reasons NOT to push for the proliferation of standardized root access.
These writeups never managed to to convince me me that I should not be able to modify any file on my device. If the system is not able to grant this access to me, and me only, while doing it securely, than it’s bad operating system, designed without my interests first on mind. I am absolutely sure that granting so-called “root access” can be done securely, as decades of almost-every-other-OS have shown.
Yes. It is the principle, everyone should be informed of the security risks, but not stripped of the root privileges they keep for themselves.
Yep, what radicalized me against Google was all the way back when they had bought Android and rolled out the Play Store for the first time.
I was on my first-ever phone, and yes, it did have rather limited internal storage, but then the Play Store got installed, taking up all the remaining space. I had literally around 500KB of free storage left afterwards, making it impossible to install new apps.
Couldn’t uninstall the Play Store, couldn’t move it to the SD-card and it didn’t even fucking do anything that the Android Market app didn’t do. It just took up 40MB more space for no good reason.
And this is different from Apple. Right? Right?
The only real difference is that Google pretends to be open and Apple pretends to be privacy-focused. It’s the illusion of choice. They’re both selling their users’ data to the same people.
Removed by mod
Yes. On a Pixel 9 Pro Fold.
Not if you run the stock OS you don’t.
My comment was generic. The vast majority of Android users don’t unlock their bootloader and install a custom ROM. The people who do that are fringe users.
My point was that when the normal state of affairs is Google controlling YOUR property that YOU paid with YOUR hard-earned, and you have to be technically competent and willing to risk bricking your device to regain control, that’s full-blown dystopia right there.
out of interest, what use cases do you have in mind that require root access?
I used to use a root based solution to block ads system wide via hosts but now I just use ublock origin in Firefox.
That only blocks for the browser. What about your apps? I never see add banners or popups in apps as i use adaway. Further, I can customize with well maintained blocklists that include other categories like malware and harvesting sites.
what use cases do you have in mind that require root access?
Ownership.
okay cool but what are you specifically using system or systemless root for now?
Nah. The only thing root does is massively decrease security. To actually own your phone, you need to install a proper, FOSS, private and secure OS in the first place. Pixels are great, because they support GrapheneOS.
I own my Pixel 8 Pro. No root. GrapheneOS. So, your logic is therefore flawed.
This doesn’t seem surprising at all. Isn’t that what Google Play Services is for? If you don’t want it, custom ROMs are easily installed.
I know this isn’t the topic here, but I really wish these researchers would unroll what all Apple harvests from Apple devices. It’s quite a lot as well. Could help pop that “we’re so private” myth.
deleted by creator
What is the advantage over Calyx/Lineage/iode OS on compatible devices? I just don’t want Google to have any of my money at all. Buying a privacy solution from them recoups their loss.
It’s my understanding that Graphene has security as its main goal, not privacy, though it’s also quite private.
Mainly the locked bootloader that GrapheneOS offers. It’s more secure, and GrapheneOS emphasizes security over all else, but privacy features are part of that security.
As well as all the other security features offered by Pixels, like the Titan M2 secure element, which securely stores encryption keys and makes brute-force attacks basically impossible.
deleted by creator
In my country, it’s the law that a cop is allowed to examine a phone during a traffic stop.
One underrated feature of the Graphene OS is that you can set a duress PIN that wipes your entire phone when entered.
deleted by creator
Oh, I was mostly leaving the comment for other people who might be interested in the feature.
the pin is written on a post-it in the case.
That’s not a bad idea. If someone steals the phone, they might inadvertently erase it for you if they find that post-it.
deleted by creator
Schools even have Cellebrite devices now, that is how prolific they have become. GrapheneOS has a duress password to wipe the phone and you can block all data or even power to the USB port while the phone is running. If you blocked all power to the USB port while the phone is on the only way to charge it is if it is fully turned off putting your encrypted data at rest. You can just disable data on the USB port options menu in GrapheneOS if you don’t want to completely turn off the whole port.
You probably already know this stuff I was just mentioning it for people reading this comment section. :)
deleted by creator
I like calyx, might try graphene some day. But I absolutely won’t run Google’s play services ala graphene. It’s sandboxed, supposedly, but why run it at all?
Calyx uses microG, a much smaller, fully open source emulator of Google’s services.
but why run it at all?
Because it is unfortunately required by some apps. microG is not a viable alternative, as it requires root access on the device, which drastically reduces the security. It also has worse compatibility than Sandboxed Play services, and doesn’t offer much of a benefit. It still downloads and executes proprietary Google blobs in the background in order to function. Apps that require Google services also include a proprietary Google library, making microG essentially useless. It’s an open source layer that sits between a proprietary library and a proprietary network service, using proprietary binaries and requiring root access. You gain absolutely nothing from using it, and significantly increases the attack surface of your device.
fully open source emulator
This is simply false, as I explained, only a tiny bit of what microG requires to function is open source
You’re far better off using Sandboxed Play services on GrapheneOS
Dude I’m looking at the source code, there’s only a binary downloaded for enabling Safety net. Why are you making false statements?
The legacy SafetyNet check bypass may not be around much longer especially because hardware based attestation will be gradually replacing it.
https://grapheneos.social/@GrapheneOS/111504057847795464
Below is a guide for app developers who want to support third party OSs in a way that does not rely on Google. Most apps work on GrapheneOS just fine already but there are some banking apps and NFC payment systems that do not.
https://grapheneos.org/articles/attestation-compatibility-guide
Sigh. It just doesn’t stop. But it’s ok, Pokemon go required attestation and so I simply stopped playing. Thanks for your links.
I’ve wanted to run graphene but absolutely do not want google code running on my system if I can avoid it. If only there were some way to run microG on graphene.
Sure you could root and install microG , don’t see why but you can do it. GOS sanboxed playatore is a better option.
@RubberElectrons @multi_regime_enjoyer its not actually fully open source, it uses a lot of closed-source libraries, and its not as battle-tested as google’s official one so there really isn’t a reason to use it
Just about all of your identifying data is stripped out by the framework before interacting with Google at all: https://github.com/microg/GmsCore/wiki/Google-Network-Connections
That alone makes it an important tool. I’m not too worried about memory exploits as I don’t really install apps, but it’s an important feature in graphene’s toolkit.
For most people who want an Android alternative that’s open source but don’t have time to fiddle with it, calyxOS seems like a good solution. It just works out of the box.
Just about all of your identifying data is stripped out by the framework before interacting with Google at all
For all of them, we strip device identifier (MAC addresses, IMEI, etc)
This is literally nothing special, as all user-installed apps are denied access to identifiers like the IMEI and MAC address since Android 10. Since GrapheneOS isolates Play services in the Android application sandbox, they don’t have access to any of these identifiers either.
I’m not too worried about memory exploits as I don’t really install apps
That’s not how memory corruption exploits work. These can occur anywhere in the system, and just need to be triggered by an attacker. This doesn’t require you to install an app, receiving a rogue message might for example be enough to exploit a memory vulnerability in the SMS app. Visiting a rogue website, which loads malicious JavaScript can be enough to trigger a memory corruption vulnerability in the Chromium WebView. That’s why GrapheneOS doesn’t just use hardened_malloc, but it also disables the JavaScript JIT compiler in Vanadium by default, and offers a toggle in the settings to disallow JavaScript JIT compilation in all apps making use of the system WebView component.
Very nice. Can I use the much smaller codebase of microG instead of Google’s? Even you do not know how Play Services actually works, and that’s a problem.
Further, a memory exploit that leads to compromise would need a chain of privilege escalation. There’s a lot in the way of making that trivial even on stock Android. And you know what helps reduce risk of exploit? Smaller codebases.
If you only care about security, you should keep Play Services isolated in a separate profile. That way, even if there happens to be a memory corruption vulnerability in Play services, which isn’t caught by hardened_malloc or the hardware MTE in newer devices with ARMv9 chips, the rest of your system would still be safe, since Play services aren’t running as root, and in order to compromise the entire system, there would need to be a privilege escalation vulnerability in all of Android, not just Play services.
And you know what helps reduce risk of exploit? Smaller codebases.
Why does CalyxOS include the F-Droid privileged extension then? It’s yet another component running with elevated permissions and unnecessarily increasing attack surface. Why does it include Google’s eUICC component with elevated privileges and no proper sandboxing?
So what phones do you all have?
Pixel 7 Pro with GrapheneOS
Fairphone 5
pixel 6a with graphene os
A couple of different ones. One kali nexus two graphene, one stock pixel
It’s so ironic that Pixels are the go to devices for privacy roms these days.
All this shit is probably happening at the hardware level too, with 100 different backdoors you can’t remove with your megamind plan of installing a custom rom.
The silicon probably has the ability to live stream all sensor data directly to the NSA using the fanciest ML compression technology lmao.
Citation needed. I get that it’s healthy not to trust anyone, but with the amount of security research that goes into these devices if something like that was happening then we would know about it.
- Applies to every phone, smart or simple, can be combatted with a £5 Faraday bag
- That is about monitoring by your network, nothing to do with the phone manufacturer really
- A ten year old article about Samsung phones
- An exploit affecting lots of phones that seems like it was fixed
So a few interesting points, but nothing even slightly like what OP was suggesting.
can be combatted with a £5 Faraday bag
I don’t consider that a reasonable solution for most people, and there are many posts claiming those almost never work well enough. You could also make the argument that it shouldn’t be necessary in the first place.
That is about monitoring by your network
I don’t think it matters to most people, as you are still tracked by having the phone physically with you, which is what people are against.
A ten year old article about Samsung phones
Are you suggesting Samsung phones should have ever been allowed to spy on people? Or that this doesn’t highlight a bigger issue? I don’t see why this should get a pass at all.
An exploit affecting lots of phones that seems like it was fixed
I think it’s very much a real threat, and leaked docs show world governments and bad actors actively use such exploits routinely for years, including keeping previously unknown exploits a secret to use for themselves.
I understand your desire to turn talking points into nothingburgers but I feel like this is not only disingenuous but against the entire principal of security and privacy. Of course we all have our own individual threat models, but to dismiss another person’s model because you think it shouldn’t matter to anyone, doesn’t seem like a good idea to me.
Look, I’m not trying to say there aren’t real security/privacy issues that aren’t being exploited right now, my citation needed was regarding this comment:
The silicon probably has the ability to live stream all sensor data directly to the NSA using the fanciest ML compression technology lmao.
The articles you linked are real issues that have been documented, OP was arguing that Google phones specifically are bad because of this statement they pulled out of their arse.
It’s so ironic that Pixels are the go to devices for privacy roms these days.
It’s so ironic it’s a show-stopper for me. I’m not paying fucking Google to escape the Google dystopia. Nosiree! That’s just too rich for me.
This is why I own a Fairphone running CalyxOS. Yes, I know GrapheneOS is supposedly more secure - I say supposedly because I think 95% of users don’t have a threat model that justifies the extra security really. But I don’t care: my number one priority is not giving Google a single cent. If it means running a less secure OS, I’m fine with that.
There’s no way on God’s green Earth I’m buying a Pixel phone to run a deGoogled OS. That’s such an insane proposition I don’t even know how anybody can twist their brain into believing this is a rational thing to do.
Wait for the 9 to hit refurb market, boom. Google phone without paying Google.
Google doesnt make the big bucks on phonesales. Even buying a new ( I refurbish mine myself) and putting GOS on it is worse for Google than buying anything else and run it with gapps.
That’s why I buy my phones used or refurbished. It’s also cheaper and more environmentally friendly.
I say supposedly because I think 95% of users don’t have a threat model that justifies the extra security really.
Does street cred with my Cybersecurity peers count as a threat model?
I’m definitely one of the users of GrapheneOS that you’re talking about. My threat model is “this is fucking cool!”
Also, the grass is always greener on the other side. I want a Fair phone.
I think some people buy used/refurbished.
What if you buy a used Pixel? Google was already getting that money, but you haven’t paid them…or would that just be a cop out?
I’ve been arguing this many times with many people, and everybody seems to adopt their own way of interpreting things to suit their preferences.
Here’s my line of thinking:
- If the first buyer buys a Google cellphone new for, say, $500 (no idea of the price, just making it up for the sake of explaining), this buyer gives $500 to Google
- If I then buy this cellphone second-hand for, say, $300, the original buyer gets $300 back, meaning Google now has $300 of my money.
That’s a hard no.
Of course, there’s the argument that Google got $500 no matter what and they don’t know who the money is from. But that’s besides the point: I know Google got my money. I most defintely parted with $300 to acquire a Google cellphome, meaning as far as I’m concerned, I indirectly gave Google $300 of my money. And I refuse to give Google any money, however indirect the transaction might be. The only way I could become the owner of a Google phone is if someone gave one to me, I found it in the trash or I stole it.
There’s also the argument that if I don’t buy the cellphone, it might end up in a landfill, so if I’m environmentally-minded, I should save it from the landfill. That’s true, but my counter-argument to this is that a healthy second-hand market for Google phones gives them more value, therefore makes them more appealing to potential buyers and ultimately supports Google’s business.
I don’t like serviceable stuff being landfilled for no good reason (otherwise I wouldn’t pay extra to buy a Fairphone) but in the case of Google hardware, I reckon it should end up at the landfill as often as possible to diminish its value and hurt Google. Of course, I’m only one meaningless guy, but I reckon boycotting Google is a moral duty for anybody who’s concerned about privacy and civil liberties.
And of course, I don’t want a Google product in my pocket because it would make me nauseous. But that’s entirely subjective.
