Everyone knows all the apps on your phone

Posted by gniting 6 days ago

Everyone knows all the apps on your phone(peabee.substack.com)

1192 points | 478 commentspage 4

HackerThemAll 5 days ago|

Thank you Google's "top talent" Android devs for this permission system full of loopholes.

OutOfHere 6 days ago||

If Google truly cared about privacy, each app would run in its own strict jail, and permissions would be faked by default. Also, easy malware by Israel or anyone else would not be a thing. As it stands, apps know everything I am doing, and I get targeted spam email rather immediately.

JumpCrisscross 6 days ago||

> If Google truly cared about privacy

Have they even been pretending on this front?

Speedy218 6 days ago||

They put in a lot of work to make it seem like they do believe it or not, I'm not sure how well it is working out for them though.

brunoqc 6 days ago||

> apps know everything I am doing

I think I call bullshit on this.

But I agree that they could do way more and that they don't seem to care.

bloomingeek 5 days ago||

Perhaps crazy question: is it a good idea to have two phones now? One for making calls only, with as many apps as possible removed. And another phone for email, web surfing, photos, etc...?

edit: Oops, I left out texting. Which phone for that?

subscribed 5 days ago||

If you don't need ANY apps on your main number, good dual-Sim feature phone (but be extremely picky, some are utter trash).

The for all the smart stuff, Pixel 6 with GrapheneOS. You can confine various "classes" off apps to dedicated profiles, so they'll never know of each other, and you get a vastly improved security (multiple releases in the month) and significantly improved privacy.

bloomingeek 5 days ago||

Excellent, thank you.

dvrj101 5 days ago|||

phones had/some still have user profile/account option so you can do this on a single phone

Explore4526 4 days ago||

Why is that feature removed by companies? It still exists in vanilla Android, but for some reason the phones sold don't have it.

monsieurbanana 5 days ago||

You still make calls with your phone?

bloomingeek 5 days ago||

Of course, amazingly that's one of it's best features, enabling you to actually speak to a real person. (it's a type of personal connection that fleshy robots have, for some reason, derided.)

But I digress, excusing your bad form of answering a question with a question, I am interested in your opinion of the possible conundrum of the two phone idea.

monsieurbanana 4 days ago||

My bad, I didn't knew you wanted a serious answer, I should have known that some people would seriously consider having three separate phones for texting, calling and everything else.

For a serious answer then: Rather than segregating phone calling vs the rest, if you want to go to the hassle of maintaining multiple phones, I would put sensitive apps (i.e. bank apps) separated from the rest.

But ultimately it depends on which threat model you are trying to mitigate. Most people would worry about protecting their financial information. If you are worried about possible backslash from a fascist state, you shouldn't use normal phone calls at all and switch to a privacy app.

OTOH, a dedicated phone just to make phone calls makes sense if your threat model is your significant other.

nickvec 6 days ago||

Just curious, why was this targeted specifically at Indian apps?

wcfields 6 days ago||

The author is probably Indian based upon the blogs subtitle of “ tales from indian web rabbit holes. “

epistasis 6 days ago|||

The tag line for the blog is "tales from indian web rabbit holes."

gopkarthik 6 days ago||

Because the substack's author focuses on Indian web. From their description: "tales from indian web rabbit holes."

aussieguy1234 5 days ago||

If I have Uber, but multiple competing apps on my phone and I grant Uber permissions to see that, will I get cheaper rides?

dTal 6 days ago||

Another fantastic reason to strictly only install apps from F-Droid.

JohnFen 6 days ago||

How does that address the problem? Does F-Droid do some sort of additional screening to keep out apps that do this?

marcodiego 6 days ago|||

First, f-droid only accepts OSS apps, so the incentives for spyware is simply not there. Second, anti-features are explicitly marked on f-droid. Third, f-droid apps are curated like a very rigorous linux repo.

JohnFen 6 days ago||

Being an OSS app is not sufficient protection. Most OSS apps aren't terribly misbehaved, but some are. Being OSS in and of itself is not anything like a guarantee with this sort of thing.

> Third, f-droid apps are curated like a very rigorous linux repo.

Yes, I know. My question is is this one of the things they're screening for?

johntitorjr 6 days ago||

[dead]

dandersch 6 days ago|||

packages on f-droid list all required permissions explicitly, and the mentioned permission seems to be listed as "query all packages: Allows an app to see all installed packages.". It doesn't mark the app as having "anti-features", but you can at least make a more informed decision this way.

JohnFen 6 days ago|||

That's pretty cool, but the article says that most apps that are doing this sort of thing aren't using the query all packages permission and instead are using the facility to provide a specific list of apps they're checking for, which is not permission-gated.

wkat4242 6 days ago||

It is. It specifically says that the apps must be declared in the manifest like other permissions. So it's a specific permission for each app really. F-Droid could query that if it wants to (not sure if it does)

throwaway290 6 days ago||

Did you stop reading before the post got to the MAIN loophole that doesn't require the list of apps in the manifest? How does F-droid describe MAIN?

wkat4242 5 days ago||

Yeah I did as the article was a bit long. But I'm sure this is detectable too as it must be in the manifest.

throwaway290 5 days ago||

The article already showed it is detectable. But it is not detected by Google and I am unclear if F-Droid detects it either...

duskwuff 6 days ago|||

> It doesn't mark the app as having "anti-features"

I suppose they must be too busy ticking off "anti-features" like "can communicate with non-Free services" to notice that sort of thing.

(No, really. F-Droid will tag applications like a Mastodon client as having "anti-feature: Non-Free Network Services", presumably because it can be configured to connect to servers running non-free software?)

hnburnsy 6 days ago||

My daily driver has minimal apps, most from F-Droid. An old iPad on my IOT network has any other apps needed.

marcodiego 6 days ago||

Well, things are particularly more complicated on my case: I don't use google services and only install apps from f-droid.

anonym29 5 days ago||

You don't have to sacrifice your privacy to use Android. GrapheneOS is a tremendous alternative, and even if you still need some Play Store applications, you can install a GMS compatibility layer and Play Store in either a secondary profile (recommended) or your main profile (not recommended) without granting Google unfettered control over your entire operating system. This compatibility layer offers a better reduction in attack surface and stronger hardening than microG.

Alternatively, you can continue with the standard setup, accepting that you’re willingly providing companies with an unprecedented level of access to your personal data. It’s puzzling that many seem more concerned about breaking a familiar routine than about the risks associated with sharing every detail of their lives with companies that, in turn, share that data with one (or more) hostile government(s).

There is certainly a lot of justified concern about government overreach and abuse of power on HN. It remains difficult to understand why many with these warranted concerns do nothing to adopt a more coherent and rational approach — such as merely attempting to protect their personal data by not deliberately and voluntarily feeding it entirely to companies that are secretly coordinating with the very same hostile governments these people claim to seriously fear and detest.

Explore4526 4 days ago|

The problem is GrapheneOS is Pixel only. They are prohibitively expensive, especially in India where the mobile market is very crowded and you get Snapdragon 8s gen 3 for ₹25k.

smallnix 6 days ago||

Nice analysis. Google should take notice. Do worldwide used apps do this too?

einszwei 6 days ago|

From the article - Facebook, Instagram, Snapchat, Subway Surfers, and Truecaller use this too

More comments...