Related
Hello,
I think about rooting my device.
However I also think about how secure the custom roms builds or rooting apps are.
E.g.
In the modaco forum there is a tool called Superboot r2 to root the motorola moto g device.
How can I know/trust that this tool doesn't contain any spyware/malware or other malicous code?
How do you guys look at the security of custom roms and other apps which root your device?
Customizing and rooting one's phone can be done very securely. Even more now than a few years ago. I would be wary about apps that can root your phone with a buttoon press. Unless, of course, there is a really long thread about it on xda. The same with apps not from the Google store. You should run a virus scan on any apks you get in general. They can contain malicious code that can mess up your device and steal your information.
Once you root your device, it's a good idea to look into the XPrivacy app. You can use it to control the individual permissions of all of your installed app. There are a lot of other security measure you can take too. Do research on what would be relevant to your device.
kbntk said:
Hello,
I think about rooting my device.
However I also think about how secure the custom roms builds or rooting apps are.
E.g.
In the modaco forum there is a tool called Superboot r2 to root the motorola moto g device.
How can I know/trust that this tool doesn't contain any spyware/malware or other malicous code?
How do you guys look at the security of custom roms and other apps which root your device?
Click to expand...
Click to collapse
Rooting a device greatly decreased the overall security of the device. You are breaking the basic security design of Android, you are incorporating new code (mods etc) from developers who may not be properly trained, many who jsut copy past code from elsewhere without understanding what exactly is going on. Potentially (almost certainly with most custom roms) introducing new vulnerabilities.
Elzbach said:
Customizing and rooting one's phone can be done very securely. Even more now than a few years ago. I would be wary about apps that can root your phone with a buttoon press. Unless, of course, there is a really long thread about it on xda. The same with apps not from the Google store. You should run a virus scan on any apks you get in general. They can contain malicious code that can mess up your device and steal your information.
Once you root your device, it's a good idea to look into the XPrivacy app. You can use it to control the individual permissions of all of your installed app. There are a lot of other security measure you can take too. Do research on what would be relevant to your device.
Click to expand...
Click to collapse
I'm going to have to flat out disagree. Once you have rooted your device, security has greatly been decreased. What would be a minor vulnerability in a normal app, can become a huge vulnerability in an application that has been granted permission to use root. Same goes for the Superuser control application.
Thank you for your replies guys.
jcase said:
Rooting a device greatly decreased the overall security of the device. You are breaking the basic security design of Android, you are incorporating new code (mods etc) from developers who may not be properly trained, many who jsut copy past code from elsewhere without understanding what exactly is going on. Potentially (almost certainly with most custom roms) introducing new vulnerabilities.
I'm going to have to flat out disagree. Once you have rooted your device, security has greatly been decreased. What would be a minor vulnerability in a normal app, can become a huge vulnerability in an application that has been granted permission to use root. Same goes for the Superuser control application.
Click to expand...
Click to collapse
I agree rooding the device decreases the overall secruity of the device.
On the other hand, rooting the device gives access to the apps that give you control over the system and data on it. For example as Elzbach wrote, with the app XPrivacy I can control what apps have access to my personal information.
Now - without root - when I instal a new keyboard or launcher with widgets, I'm warned that these apps can have access to my personal information and can use them malicously. For me that means, that even without root using normal apps I can get big security risk when using some apps from play store.
Do you build the custom android version by yourself from the source or use builds provided on this forum or modaco or use another way?
kbntk said:
Thank you for your replies guys.
I agree rooding the device decreases the overall secruity of the device.
On the other hand, rooting the device gives access to the apps that give you control over the system and data on it. For example as Elzbach wrote, with the app XPrivacy I can control what apps have access to my personal information.
Now - without root - when I instal a new keyboard or launcher with widgets, I'm warned that these apps can have access to my personal information and can use them malicously. For me that means, that even without root using normal apps I can get big security risk when using some apps from play store.
Do you build the custom android version by yourself from the source or use builds provided on this forum or modaco or use another way?
Click to expand...
Click to collapse
XPrivacy, and apps like them introduce additional security concerns of their own. Android is not designed to work the way they force it too, introducing many new unknowns.
New keyboard, launchers introduce an infinitely smaller risk than any root app, and unlike with root apps you are warned and privileges are handled by an established well tested permission system. Comparing the two is completely silly.
Any developer, in a matter of minutes, put together a root app requesting 0 permissions, that can gain permissions or otherwise use APIs requiring permissions at runtime without declaring them, and disable or work around any "security" any XPrivacy type app claims to provide. Once rooted, apps like XPrivacy provide a complete false sense of security. Given you need root to use them... they provide no real security at all.
A completely valid scenario (one we have seen in the wild): An app with 0 permissions, but the ability to use su could download and dynamically execute new code to perform the malicious activities. IE Google bouncer, and any anti virus software would be @#[email protected] out of luck on that one. All because a user decided to completely break the basic security model, by installing su.
The only customized version of Android I use, is a customized emulator I use for analysis, and that only used when I suspect something could damage an actual test device.
I do not mess with customized versions of Android on real hardware, I only build when testing patches I plan to push to the AOSP gerrit for review.
jcase said:
Rooting a device greatly decreased the overall security of the device. You are breaking the basic security design of Android, you are incorporating new code (mods etc) from developers who may not be properly trained, many who jsut copy past code from elsewhere without understanding what exactly is going on. Potentially (almost certainly with most custom roms) introducing new vulnerabilities.
I'm going to have to flat out disagree. Once you have rooted your device, security has greatly been decreased. What would be a minor vulnerability in a normal app, can become a huge vulnerability in an application that has been granted permission to use root. Same goes for the Superuser control application.
Click to expand...
Click to collapse
jcase said:
XPrivacy, and apps like them introduce additional security concerns of their own. Android is not designed to work the way they force it too, introducing many new unknowns.
New keyboard, launchers introduce an infinitely smaller risk than any root app, and unlike with root apps you are warned and privileges are handled by an established well tested permission system. Comparing the two is completely silly.
Any developer, in a matter of minutes, put together a root app requesting 0 permissions, that can gain permissions or otherwise use APIs requiring permissions at runtime without declaring them, and disable or work around any "security" any XPrivacy type app claims to provide. Once rooted, apps like XPrivacy provide a complete false sense of security. Given you need root to use them... they provide no real security at all.
A completely valid scenario (one we have seen in the wild): An app with 0 permissions, but the ability to use su could download and dynamically execute new code to perform the malicious activities. IE Google bouncer, and any anti virus software would be @#[email protected] out of luck on that one. All because a user decided to completely break the basic security model, by installing su.
The only customized version of Android I use, is a customized emulator I use for analysis, and that only used when I suspect something could damage an actual test device.
I do not mess with customized versions of Android on real hardware, I only build when testing patches I plan to push to the AOSP gerrit for review.
Click to expand...
Click to collapse
Well I stand corrected.
Apologize if I'm resurrecting an oldie but this is a topic I've been contemplating for a while now. I used to root, looking back to my old OG Droid days. But I find newer devices sufficient as to not root anymore (mostly). I'm currently debating rooting a Samsung Tab S 8.4 to remove Touchwiz and hopefully speed some things up and maybe further control the CPU.
If the user is rooted and they only install apps from the marketplace that are known to be safe (I assume)- i.e.- not downloaded from some misc internet site and from "non-trusted sources," would this still be able to happen?
- "Any developer, in a matter of minutes, put together a root app requesting 0 permissions, that can gain permissions or otherwise use APIs requiring permissions at runtime without declaring them, and disable or work around any "security" any XPrivacy type app claims to provide. Once rooted, apps like XPrivacy provide a complete false sense of security. Given you need root to use them... they provide no real security at all."
I guess I'm just not sure how google approved apps, or if they even do. And what's the process of showing app permissions in the Play Store these days, since permissions are front and center when you download an app. Do dev's just flag permissions on their own will or is it built into the Android code? I would ASSUME the android code when posting to Play Store decides permissions for the dev. I would be horrified if Android relied on good will for people to post permissions solely from the dev's input.
I could be completely wrong
But as I understand dev a pick the permissions they need for the app to work correctly. They declare the permissions they need to the Android system. And then they can only use those permissions and no others. However they don't need to use all of the permissions but they can if they want to.
Btw apps from google play are in no way safe.it has no bearing if you do or don't have apps from unknown sources on your device. fact is google in no way checks the source code of apps on the play store.now maybe the run a virus checks but honestly that means nothing as moron could code in malicious code that would not trigger a scanner (and Trojans are far more prevalent for Android than viruses). If the source code is not available then no one knows what an app could be doing.
90% of my apps come from fdroid, who builds everything from source.
In the discussion above I should also note (but could be wrong about this completely) that system apps (the ones that come with your phone) all have root(administrator) permissions by virtue of being system components.
So rooting may decrease your security but personally I think factory roms are far too unsecure to start with and will never have a device that is not rooted. The benefits far out weight the risks for the careful user. Until such time as the source code is released.
Unless you trust google, face book, Samsung, Twitter, and a host of other baked in developers who get to put apps on your phone at the factory.
Or Apple who has their own way of making money off your every move, or microsoft with win 10 that also sells your habits.
jcase said:
Rooting a device greatly decreased the overall security of the device. You are breaking the basic security design of Android, you are incorporating new code (mods etc) from developers who may not be properly trained, many who jsut copy past code from elsewhere without understanding what exactly is going on. Potentially (almost certainly with most custom roms) introducing new vulnerabilities.
I'm going to have to flat out disagree. Once you have rooted your device, security has greatly been decreased. What would be a minor vulnerability in a normal app, can become a huge vulnerability in an application that has been granted permission to use root. Same goes for the Superuser control application.
Click to expand...
Click to collapse
This alone is enough for me to stay away from root and its capability to make things worse in my end. Thank you for the professional input on this.
Without root you can't add any security to Android. Which has very little security to start with. Permissions are vague and can't be denied on a per app basis short of not installing the app.
System apps have no way of being removed without root unless you do it before flashing, and without root you can't do a complete backup of your system.
Even if you don't root a device yourself Trojans can gain root with many of the same exploits, root themselves and cause whatever havoc they desire.
An app only gets root if you allow it even after rooting your device. It will pop up and ask you if you want to allow or deny or always allow or deny. a Trojan that can create root will do can do it regardless if you root your device yourself, I have no idea if such a Trojan tried to get root if supersu, or superuser will pop up and ask.
A firewall requires root and that alone is worth rooting for me.
But then I have very few apps that I allow online.
Can root cause serious damage to your device? Yes
Can you administrator your device without root? No
Every Linux has root capabilities,
if you own it you should be able to administer it to the best of your abilities and to do that you need root.
Custom Roms are updated far more often that oem roms and as such generally have the newest fixes and updates for security.come that to factory roms that may update once or twice in their expected lifetime, regardless of how many security holes are found in the rom.older devices(read older as a synonym for 2 years old) may never get another update and the only way to protect yourself with out a custom Rom is to buy a new device.
For example Android 5.01 has a major memory leak.and even with that and other bugs and security issues Samsung had not updated the north American galaxy s5 (just over a year old,) above 5.01 yet and may not until marshmallow comes out (Which will mean almost a year after the security and memory leak were found). And until then you walk around using a device with major security issues and a major memory leak.
XPrivacy is not about Security. "Security" is never linked to Xprivacy on Github. "XPrivacy can prevent applications from leaking privacy-sensitive data". Saying the opposite is a lie.
Whether you have root access or not you can almost do nothing against serious attacks BUT having root access allows you to control some things like Internet connection, restricted access,...
Finally do not confuse Custom ROMs and Root. You can run a custom rom without root and vice versa. As explained above custom ROMs are more updated so you can enjoy more patches and new security features like SElinux.
Kayak83 said:
Apologize if I'm resurrecting an oldie but this is a topic I've been contemplating for a while now. I used to root, looking back to my old OG Droid days. But I find newer devices sufficient as to not root anymore (mostly). I'm currently debating rooting a Samsung Tab S 8.4 to remove Touchwiz and hopefully speed some things up and maybe further control the CPU.
If the user is rooted and they only install apps from the marketplace that are known to be safe (I assume)- i.e.- not downloaded from some misc internet site and from "non-trusted sources," would this still be able to happen?
- "Any developer, in a matter of minutes, put together a root app requesting 0 permissions, that can gain permissions or otherwise use APIs requiring permissions at runtime without declaring them, and disable or work around any "security" any XPrivacy type app claims to provide. Once rooted, apps like XPrivacy provide a complete false sense of security. Given you need root to use them... they provide no real security at all."
I guess I'm just not sure how google approved apps, or if they even do. And what's the process of showing app permissions in the Play Store these days, since permissions are front and center when you download an app. Do dev's just flag permissions on their own will or is it built into the Android code? I would ASSUME the android code when posting to Play Store decides permissions for the dev. I would be horrified if Android relied on good will for people to post permissions solely from the dev's input.
Click to expand...
Click to collapse
Go to F-Droid or fossdroid instead of Google Play to avoid crappy apps and unwanted connections. Apps on F-Droid are safer. Google has an automatic system to scan apks when they are uploaded but it doesn't detect everything... Be sure that if you didn't update the version number of your apk you will be blocked though lol
Permissions are stored in the AndroidManifest.xml. If the developer doesn't want to state the permissions he needs then nothing will be shown into the Manifest. That's why it's important to use 3rd party apps to control what apps really do.
Would never use my phone without a firewall installed. I want to have control over what apps can access the net and which cannot.
So rooting is a must for me.
Have no gapps installed and privacy is important to me.
Semseddin said:
This alone is enough for me to stay away from root and its capability to make things worse in my end. Thank you for the professional input on this.
Click to expand...
Click to collapse
And you'll be 100% wrong. You are getting a bad advice from someone who sounds like he works for Google. He is wrong and he knows it...
Your system apps have root whether you like it or not. So, they can do whatever Google wants them to do. And they can do it silently. So, the question is are you going to have control over your device or google? Without root you can't; with root you can if you know what you are doing. Your main security threat comes from Gapps and the infamous google services framework, which spies on you and regularly transmits home (google servers) your every activity. That has to go and for that you need root. Custom rom vs stock. Custom roms don't have Gapps and gsf, so that puts them on pedestal, as compared to stock. Stock rom is android plus manufacturer's bloat which also spies on you and wastes battery. Custom roms don't have gapps and they are open source (like Linux). Have you ever heard about viruses on Linux? Maybe 2 or 3, but thousands in other OSs. As another user noted, linux (on which android is based) has root. So is any major OS. Root is just a key to control your device. It can be set up to restrict everything, even system apps, so the point that having root reduces security is invalid except for one situation, when you don't know what you are doing. Do you want incompetent and malicious evil Google to own your phone? If you do, stay away from root.
optimumpro said:
And you'll be 100% wrong. You are getting a bad advice from someone who sounds like he works for Google. He is wrong and he probably knows it...
Your system apps have root whether you like it or not. So, they can do whatever Google wants them to do with your device. And they can do it silently. So, the question is are you going to have control over your device or google? Without root you can't; with root you can if you know what you are doing. Your main security threat comes from Gapps and the infamous google services framework, which spies on you and regularly tramsmits home (google servers) your every activity. That has to go and for that you need root. Custom rom vs stock. Custom roms don't have Gapps and gsf, so that puts them on pedestal, as compared to stock. Stock rom is android plus manufacturer's bloat which also spies on you and wastes battery. Custom roms don't have gapps and they are open source (like Linux). Have you ever heard about viruses on Linux? Maybe 2 or 3, but thousands in other OSs. As another user noted, linux (on which android is based) has root. So is any major OS. Root is just a key to control your device. It can be set up to restrict everything, even system apps, so the point that having root reduces security is invalid except for one situation, when you don't know what you are doing. Do you want incompetent and malicious evil Google to own your phone? If you do, stay away from root.
Click to expand...
Click to collapse
Thank you for your detailed answer but if i am not mistaken, are you suggesting that a custom rom made by a 3rd party hobbiest developer is more secure than oem's firmware ? If so, i will continue to be mistaken.
Semseddin said:
Thank you for your detailed answer but if i am not mistaken, are you suggesting that a custom rom made by a 3rd party hobbiest developer is more secure than oem's firmware ? If so, i will continue to be mistaken.
Click to expand...
Click to collapse
Most of the time the answer is yes. Also, you could be a developer yourself meaning you can compile your rom from sources with your own modifications. OEMs have user's security on the back burner. Their goal is to monetize the user and in case of mobile devices, there is no way to monetize the user without compromising security. The beauty of a published source code is that anyone could examine it and they do (even if it is not you yourself). Look at businesses: the majority of them use neither windows nor apple. They use Linux, because linux does not monetize the user and it is open sources and by the way, it is maintained by "hobbiest" developers. And naturally, because of this Linux has a vastly superior security and virtually no viruses.
Google is malicious and incompetent, but luckily, Android is based on linux and most of the code there is from linux.
This is of course a separate from root issue, which remains simply an issue of control: whether you want to be in control of your device or not. You can't name any OS that does not provide root to the user out of the box... Just because some (or most) smart phone dumb users don't know what they are doing does not mean that everyone should be denied root on their devices... And by the way, most Google engineers also don't know what they are doing and had it not been for Linux and the community at large, google wouldn't be able to produce anything that moves...
As title suggests, coming from a so called "clean" iOS environment to Android, my main concern how susceptible is my data to being stolen. I have no (current) plans to root my next phone and will be used mainly from business, but from what I have read in the past even google play store apps have been to known to have malicious content. Am I worrying too much ? I do carry sensitive work data on my iPhone.
applefag said:
As title suggests, coming from a so called "clean" iOS environment to Android, my main concern how susceptible is my data to being stolen. I have no (current) plans to root my next phone and will be used mainly from business, but from what I have read in the past even google play store apps have been to known to have malicious content. Am I worrying too much ? I do carry sensitive work data on my iPhone.
Click to expand...
Click to collapse
As long as the apps you install are from known sources (i.e. Play Store) you don't need to worry. Also every time you download an app check the permissions. If you think that the app shouldn't have those permissions then don't download it. Finally for safety reasons never install any apps from unknown sources (i.e. outside of Play Store) unless you trust the developer.
If you still find yourself worrying read this.
applefag said:
Am I worrying too much ?
Click to expand...
Click to collapse
Yep
I think you won't install any app outside Google Play so install apps that you know and you won't need to worry. FYI http://en.wikipedia.org/wiki/Security-Enhanced_Linux
kalpetros said:
Also every time you download an app check the permissions. If you think that the app shouldn't have those permissions then don't download it.
Click to expand...
Click to collapse
Well only if you are sure. Sometimes apps need permissions that aren't justified for some people.
for the open nature of the android ecosystem, it is somewhat normal that you will have to be careful though there are several different techniques, i use this the most.
Root your phone, install xposed framework and install xprivacy. here is a review of what it does http://www.xda-developers.com/android/manage-individual-app-permissions-with-xprivacy/ . I know the installation pprocess may seem daunting, but it is easier than you think this module wil allow you to block apps of certain permission. IE. you can block location service for all the apps on your phone so that no app can get your location. There are bunch of other permissions that you can block like access to contact, gallery etc
My question to others is : Is antivirus application on android worth it? I mean can it protect me from real time attaks and malwares??
SaffatBokul said:
My question to others is : Is antivirus application on android worth it? I mean can it protect me from real time attaks and malwares??
Click to expand...
Click to collapse
Not useful IMO. FYI I remember this article.
User sensibility is your best defense. Don't install apps not from the market. Only install apps with a lot of positive comments.
I would advise again rooting your phone. It's true that there are ways to block apps from accessing your private data on a rooted phone, but the additional vulnerability from unlocking your bootloader and rooting is not worth it. Just stick to apps from major developers.
snapper.fishes said:
User sensibility is your best defense. Don't install apps not from the market. Only install apps with a lot of positive comments.
I would advise again rooting your phone. It's true that there are ways to block apps from accessing your private data on a rooted phone, but the additional vulnerability from unlocking your bootloader and rooting is not worth it. Just stick to apps from major developers.
Click to expand...
Click to collapse
I agree, rooting your phone comprimises your security even if you do it to install security apps.
Primokorn said:
Yep
I think you won't install any app outside Google Play so install apps that you know and you won't need to worry.
Click to expand...
Click to collapse
Unfortunately, new apps in Google Play are rarely verified by Google staff, so there is still always a possibility of trojan or other malware.
Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
Moscow Desire said:
Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
Click to expand...
Click to collapse
Im runnin lineage on mine and doesnt even have it on there.
I would freeze it. Make sure your downloads and such still work ok.
Give it a few days if good then remove.
TheMadScientist said:
Im runnin lineage on mine and doesnt even have it on there.
I would freeze it. Make sure your downloads and such still work ok.
Give it a few days if good then remove.
Click to expand...
Click to collapse
Thanks, I deleted the culprit. No issues so far.
LOL...after 3 or 4 days the lovely File Manager App magically installed itself. Looks like a more indepth investigation is forthcoming.
Obviously there is another app that re-installs it.
Stinkin thing.
I switched over to the xperia rom on idol 3 And it got rid of a load of crap, Bunch of xposed is working.
I just dont care for the stock rom on this thing at all, Even debloated it runs like crap,
Ive had this device now over a week and cant find any sort of setup I like, I am used to lgs UI.
Even tried t get touchwiz ui and grace to run but nogo.
Did you remove the system update apps too by chance?
TheMadScientist said:
Stinkin thing.
I switched over to the xperia rom on idol 3 And it got rid of a load of crap, Bunch of xposed is working.
I just dont care for the stock rom on this thing at all, Even debloated it runs like crap,
Ive had this device now over a week and cant find any sort of setup I like, I am used to lgs UI.
Even tried t get touchwiz ui and grace to run but nogo.
Did you remove the system update apps too by chance?
Click to expand...
Click to collapse
Haven't really had a chance to look deep into it yet. I've disabled auto updates, so pretty sure it's not getting it from the netz.
Funny thing, I tried running a 100mb system update and i failed to completely install. Havent thot about it much since then, But I suspect it was in that update somewhere, as I had never seen nor had an issue with it before.
Will strip down that update and see when I get a chance.
It comes pre installed as 'files' app, auto updates to "file manager" to then run this 'boost' branded adware. I call it adware because it does not adhere to the android force stop, disable peeking or any other android OS settings and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privelage that renders the OS setting useless, bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do what ever it wants being rewarded with ad revenue.
Thanks Google for allowing me to purchase hardware pre loaded with junk ads by default with no way of opting out, it's not only a privacy and security concern, it's a consumer complaint.
adware/spyware
Not happy said:
It comes pre installed as 'files' app, auto updates to "file manager" to then run this 'boost' branded adware. I call it adware because it does not adhere to the android force stop, disable peeking or any other android OS settings and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privelage that renders the OS setting useless, bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do what ever it wants being rewarded with ad revenue.
Thanks Google for allowing me to purchase hardware pre loaded with junk ads by default with no way of opting out, it's not only a privacy and security concern, it's a consumer complaint.
Click to expand...
Click to collapse
Yes , this lovely new addition to the file manager is actually the "Hawk Super Cleaner/ antivirus" seen here: https://play.google.com/store/apps/details?id=com.apps.go.clean.boost.master&hl=en
You can see my complaint(s) here: https://forum.xda-developers.com/idol-3/help/joy-launcher-joy-t3628670
I just installed TWRP and SuperSU on the stock Marshmallow following this guide:https://forum.xda-developers.com/idol-3/general/twrp-custom-recovery-idol3-6045-t3162608 and will be removing this cancer for good!
Cheers, I might have a look at rooting (pain seeing I bought 4 of these for myself and fam). I have reported the appin the playstore for being installed with root permissions bypassing the expected android user settings and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge an innocent bloatware provider app would turn rouge with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false positive downloads in the playstore from me.
Had 3 myself
Not happy said:
Cheers, I might have a look at rooting (pain seeing I bought 4 of these for myself and fam). I have reported the appin the playstore for being installed with root permissions bypassing the expected android user settings and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge an innocent bloatware provider app would turn rouge with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false positive downloads in the playstore from me.
Click to expand...
Click to collapse
I hear ya, I bought 3 of these.
I am very careful what I install on my device and read the manifest files on EVERYTHING so you can imagine how angry I was when my own phone manufacturer pushed unwanted adware/possible-probable spyware on to my device with no warnings or asking my permission.
Another odd thing is that after I uninstalled the Facebook app I had 2 apps appear (or were left over?) com.facebook.appmanager.apk and com.facebook.system.apk that were using up data and could not be removed until tonight after rooting.
Interesting article here: https://forum.xda-developers.com/tmobile-lg-v10/help/suspicious-apps-apps-section-facebook-t3415876
I have been studying computer and mobile security as a hobby for some time and have found that these "antivirus" and 'cleaner" apps on Android are the worst offenders of privacy of them all.
Scanning all your files, installed apps, contacts etc etc and sending all that data back to God knows where!
I have found that almost every single app that I have downloaded from the Play Store has some form of data mining and/or analytics.
Unfortunately, it's a catch 22 in Android..rooting your device breaks what little security is built into the system but it's the only way to remove pre-installed crapware.
---------- Post added at 06:02 AM ---------- Previous post was at 05:53 AM ----------
Also, good luck trying to get anything done with Google or Alcatel.
I battled with Google for almost 8 months straight trying to stop an unscrupulous advertiser that was using FAKE virus warnings to trick users into installing an "antivirus" app on the Play store and just got sent around in circles.
Google is complicit!
I was finally successful in stopping the fraudulent activity after I contacted the Federal Trade Commission.
http://smisecurity.altervista.org/DFNDR.html
Data mining is a given these days which is why I have Pi-hole for my home dns and ubuntu for my home box, gotta do what you can. As for this phone I wouldn't do much on it unless I re flash it which is why I am angry with it.
As for Android taking the normal software stance of do nothing unless legally required, this time is interesting to me because they are effectively allowing the bypassing of the playstore agree feature to Install an app, being side loaded from Alcatel like this one would think breaks the playstore terms so knowledge should be enough for action in this case from the android or playstore devs. Doubt it but.
Also apon sale did not mention android as being adapted software that over rides expected android and playstore behaviour but did advertise android and use their logo so most likely a trademark vialation also.
The problem is Alcatel are adapting android and side loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result, android and the playstore can bury their heads in the sand all they want but they have been made aware of the risks.
Went over it again for peace of mind (sorry) but I wish you the best in your education as we need more people shinning the light on privacy simply because we are in the rise of the machines, not long before people worldwide ask what happened to all the jobs and when did the need for conventional ID actually dissapear.
Not happy said:
The problem is Alcatel are adapting android and side loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result, android and the playstore can bury their heads in the sand all they want but they have been made aware of the risks.
.
Click to expand...
Click to collapse
Very well said!
The supervisor I spoke to at Alcatel tried to say that I/we agreed to the terms by using their devices which allowed them to push this on to our phones but I disagreed with him.
At one point I even thought of ditching my phone and getting an iPhone or an Android device that is compatible with the Replicant OS https://www.replicant.us/
I have a few Raspberry PI's laying around but never used one as an access point. (I'm assuming that's what your doing?)
I just sent a very nasty email to the developer "[email protected]" and referenced this thread.
Keep us updated if you get anywhere and I will be fighting this from my end and posting any updates as well.
Will do, I don't plan on not continuing with this one because my hardware and android do not operate as advertised.
The day I can rely on Linux for a phone OS is the day android gets ditched but will definatly check out your link also.
Pi-hole is basically a collection of hosts files that block ads and known bad domains on the DNS level, point the home router to it and bam the whole household gets an adblocker by default. Runs smooth but added a few commands to auto upgrade the lists with a Cron job.
Not happy said:
Pi-hole is basically a collection of hosts files that block ads and known bad domains on the DNS level, point the home router to it and bam the whole household gets an adblocker by default. Runs smooth but added a few commands to auto upgrade the lists with a Cron job.
Click to expand...
Click to collapse
Very cool!
I'll have to check that out.
I altered the hosts file on both my laptop and my other rooted phone to block ads and apps I used to have.
This is a small sample of IP's I blocked in the hosts file after running NETSTAT scans, there are a TON more that I added from MVP hosts (it is against MVP's EULA to post their blocked IP's)
http://winhelp2002.mvps.org/hosts.htm
127.0.0.1 localhost
127.0.0.1 search.vip.gq1.yahoo.com
127.0.0.1 a96-6-122-162.deploy.akamaitechnologies.com
127.0.0.1 a-0001.a-msedge.net
127.0.0.1 yahoo.com
127.0.0.1 rtr3.l7.search.vip.gq1.yahoo.com
127.0.0.1 c.amazon-adsystem.com
127.0.0.1 yandex.st
127.0.0.1 mc.yandex.ru
127.0.0.1 c1.popads.net
127.0.0.1 c1.popads.net/pop.js
127.0.0.1 google-analytics.com
127.0.0.1 google-analytics.com/analytics.js
::1 localhost #[IPv6]
---------- Post added at 01:40 PM ---------- Previous post was at 12:54 PM ----------
Wow! that PI-hole block list on Git Hub is a LOT larger than the one I was using!
Him guys and thanks again for the thread. Anyone found a solution? This app is wasting 20 percent of my battery, which does not last me a whole day anymore, it's outrageous. I also sent a report to Google and the app developers.
Cheers
Guys, I found someone with a solution, just see this post: https://forum.xda-developers.com/showpost.php?p=73642381&postcount=4
Cheers
That is not much of a solution unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware infested Alcatel phone and flash to a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
sloshnmosh said:
That is not much of a solution unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware infested Alcatel phone and flash to a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
Click to expand...
Click to collapse
It solved my problems
It's easy to solve the problem. Just go to applications. Select file manager uninstall upgrades, it will revert it back to factory version, no more spam !
I was getting really annoyed by the app that stealthily installed itself and called itself File Manager for my Alcatel POP 4. It constantly wanted to clean, boost, virus-protect, be a flashlight and camera app with it’s own toolbar and playing an ad whenever you asked any of those actions to be performed. The beauty of it was that it could not be disabled or uninstalled. I was desperately looking for a way to get rid of it without drastic measures, like a full factory reset or rooting my device. I found a suggestion on the net to install AppMgrIII from the Play Store. I did it as I was determined to try anything at that point. It offered me to replace the app with a “factory version”. I accepted that and sure enough, a normal-looking File Manager with no ads or toolbars appeared, all the rockets, boosts, virus-protection, cleaning brushes gone! I hope it won’t reinstall itself magically. In a perfect world I would prefer to have no file manager on my machine at all and a choice of installing one that I prefer but at least the nightmare of this intrusive monster seems to be over. I hope it stays that way.
Update: reverting back to factory version stopped the spam but it all came back with the next update. Now I reverted it back again and stopped automatic updates on Google Play for all apps. I will pick apps to be updated manually.
My banking app stopped working 30mins ago and after I nuked the data/cache and got it working again. I caught the app asking for new permissions that I don't believe it asked for before
telephoneManager/getSimOperatorName - in my case o2
settings.Secure.getstring/android_id - same as asking for the serial, why does my bank need this.
PackageManager.getindstalledPackages - wtf does it need to know what apps are on my personal phone?
NetworkInfo.getextrainfo - why does it need to know who my data provider is?
AdvertisingClient$Info.getid - why the actual f*** does a banking app or my bank need my advertising id.
TelephonyManager/getNetworkOperatorName - asking who my operator again, why.
Fabric.with/Kits - not quite sure what this is, cant find anything beyond its something to do with android SDK.
I am emailing my bank app support to see if I can get some straight answers, but in the meantime can someone tell me what "Fabric.with/Kits" is and why the app would be asking for this permission?
b1k3rdude said:
My banking app stopped working 30mins ago and after I nuked the data/cache and got it working again. I caught the app asking for new permissions that I don't believe it asked for before
telephoneManager/getSimOperatorName - in my case o2
settings.Secure.getstring/android_id - same as asking for the serial, why does my bank need this.
PackageManager.getindstalledPackages - wtf does it need to know what apps are on my personal phone?
NetworkInfo.getextrainfo - why does it need to know who my data provider is?
AdvertisingClient$Info.getid - why the actual f*** does a banking app or my bank need my advertising id.
TelephonyManager/getNetworkOperatorName - asking who my operator again, why.
Fabric.with/Kits - not quite sure what this is, cant find anything beyond its something to do with android SDK.
I am emailing my bank app support to see if I can get some straight answers, but in the meantime can someone tell me what "Fabric.with/Kits" is and why the app would be asking for this permission?
Click to expand...
Click to collapse
Yes, seems like a lot of unnecessary permissions, I'd be suspicions also. Though they might be using those permissions to increase security by "fingerprinting" your phone, thus making it harder for someone to impersonate you, though you can change your advertisers ID on newer Android versions, so maybe not! Or app legitimately need that info for some other reason. Also app permission fall into 2 categories "normal" & "dangerous" you are not asked to approve normal ones only dangerous ones eg access to contacts, network access etc. I'm not a dev so not sure if they have been moved to a new category now & that is why you are seeing them now. Maybe permissions added by bank legitimately but on other hand seem excessive to me.
The Fabric one might be OK as fabric is a module framework that uses kits & is used by some developers to implement crashlytics etc, but guess some kits could be used maliciously. (Google are pushing devs form Fabric to Firebase)
But if suspicions give that app a scan with a good security app (not that this proves app is safe!) Try the Sophos security app, its free, might identify if malicious but also gives a nice summary of permissions granted to all your apps.
I am a brand new owner of a OP 8. First thing I did was flash it to OOS 11, then installed Magisk. The phone is now up and running and rooted.
I am coming from a galaxy S5 that I have owned and used for more than 7 years, and for most of that time it has been running Lineage OS. I am used to the control that Lineage gives me, and I would expect that I could exercise the same degree of control with a rooted OOS.
But, this appears to not be true.
On the S5, I had 3C System Tuner Pro which is now an obsolete app, so I have replaced it with the current variant; 3C All-In-One toolbox. This package should allow me to control which apps start at boot, but it seems I cannot turn any of the apps off; when I uncheck them, the app fails to actually remove them from the startup list.
Also, I expect the 3C tool to allow me to uninstall pretty much any app, but there are a lot of google apps that I just can't remove.
I also use greenify (the paid version) and mostly it seems to be working OK, except that I cannot seem to access system apps from it, which makes it very hard for me to shut down things that I don't want running.
I also use afwall (the paid version) and it seems to work as expected. Which is good.
My focus is security and privacy, and my mantra is: "on android, the app that is not running is the app that is not spying". Thus, I want everything that is not needed to satisfy my purposes to not be running, and I only want apps running when *I* say that they can run.
Now, my S5 was running Lineage 17.1 which is android 9. I did not update it past that. And now I am running android 11, and I note that there is a lot of new hardware-based validation in android 11. So possibly I can't remove some things without disabling this validation (which I would prefer not to do). But even if I can't remove, I can disable (which, fortunately, I AM able to do). But I should be able to remove things from the startup list so they don't get started automatically at boot time. Right now, the way it works is they all start, then greenify shuts them down (and that isn't always completely reliable). I need more to make this phone genuinely secure and private.
So.
Does anyone here know how I could gain the capability to remove apps (including system apps) from the startup list and have it stick? Does anyone know what I need to do to get greenify to recognize system apps so I can shut them down when they are not needed, or failing that, can anyone steer me to a different app than greenify that will do that?
Perhaps I would gain by adding the xposed framework? I have not used it in a very long time (since I move to lineage) and I recall it being a bit of a pain.
I suppose I could move to Lineage from OOS, but I would prefer to not do that because of the camera software. This device seems to have a fine camera and not a lot of bloatware, so I would much prefer to stay with OOS for as long as the device is supported by the manufacturer.
But I do insist on being able to completely control it, and disabling apps that I can't stop from running is a much bigger hammer than I would like to use; some of those apps I might actually want to use from time to time.
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
jiml8 said:
OK, after some work I have successfully taken full control of the OnePlus 8 and have been able to configure startups as I want them. I installed xposed through Magisk.
I also installed the latest greenify (3.7.8) and afwall, and have those set up too. Since I did purchase greenify, I am able to greenify system apps as well. So, generally, I have full control over the device.
But there remains a problem.
I have disabled wifi and data connections in settings for all apps that I don't want to have accessing a network. I have also blocked those apps in afwall. And yet, my pihole DNS server that services my LAN shows me some of my apps are trying to call home, even when their capability to talk on the internet is denied.
Specifically, greenify is denied network access and is firewalled off, yet there is an attempt to connect to oasisfeng.com.
Also, I use an old version of ES File Explorer (from before it was sold and turned into something very like malware) and it is allowed LAN access but denied any access beyond the LAN...and I see it trying to call its old home domain (estrongs.com).
Similarly, I use an old version of UB Reader (later versions again approach malware status), and it is completely denied network access. But, I see a connection to mobisystems.com.
This clearly indicates that there is a proxy in use somewhere in the system, that is allowing these guys past my blocks. I am using adaway to block these specific domains, but it would be far better to just block that proxy.
However, I don't know where the proxy is and what it is called. Can someone here tell me?
If not, it will be trial and error, which is painful because functionality will break when I turn something off to see if this is it.
Click to expand...
Click to collapse
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
optimumpro said:
If you are concerned about security, you should stay away from Xposed.
First of all, Xposed requires disabling Selinux, otherwise, it won't work. So during the installation, your Selinux status is turned to 'permissive'. That, coupled with the fact that almost every custom rom sets 'ro.secure to Zero', exposes your System partition to third party apps. So, basically, anything can exploit your phone.
Second, Greenify, with all due respect to its great developer, is not needed anymore, since Android 10, because now we have builtin sleep mode that does the same thing as Greenify.
Third, even if Xposed didn't require disabling Selinux, it is still an exploit that creates a back door to your system.
Click to expand...
Click to collapse
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
jiml8 said:
Device security is only one aspect of security, and I handle that mostly through device configuration and usage policy anyway.
Overall security involves many other factors, which include maintaining full privacy and control over all data that gets out of the device and goes...elsewhere. To maintain this level of privacy requires reconfiguring any android device to prevent the release of that information. If this requires setting Selinux to permissive, then that tradeoff is quite acceptable. I might prefer it not be the case, but so long as all android devices sold into the marketplace represent the interests of google, the manufacturer, and any third-party that pays the manufacturer ahead of my interests then I will make that tradeoff.
As for Greenify, I have not found the sleep mode that is available in Android 11 to be adequate because it does not allow me to control system apps. You can take it as a maxim that the only android app that does not spy is the android app that is not running - and this includes lots of system apps that I might not want to delete or disable but also don't want running unless I say so, and then only while I am satisfying MY purpose for them.
As for the problem I was asking about, I added the specific URIs to the adaware blocklist and that suppressed them. Prior to that, I was seeing the DNS requests on my LAN DNS. I suspect the network utility I am using to monitor the phone's traffic is reporting requests ahead of the iptables FILTER table, and the packets were being suppressed prior to leaving the device, but I am not certain of that. The only way I could tell would be to monitor the device traffic as it went through the upstream VPN gateway on my LAN, and I did not do that.
Adaware works adequately for this, and I am not seeing any other unexpected/unacceptable traffic from my phone. The one remaining thing I need to check for will involve monitoring from the VPN gateway, as I look for any DoH or DoTLS traffic. I hope I don't find any; that will be a ***** to block. I do block it on the IOT VLAN on my network, but it requires a separate device running a script I wrote. To block DoH/DoTLS on my phone, while allowing appropriate DNS will be...fun.
Edit: And, actually, I just took a quick look. The sestatus command returns that my selinux status is "enforcing". The xposed framework I installed, actually, is lsposed, which is a systemless install using magisk. It implements the xposed framework but in a systemless way; I was just lazy when I wrote about it in my previous post.
Click to expand...
Click to collapse
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
optimumpro said:
I have been building Android roms for multiple devices for 9 years. When I started, I also gave a significant positive weight to Xposed, etc... . But the more I learned Android code, the more I became convinced that all those 'privacy' layers are mostly useless and even harmful, because they create a false sense of security.
Vanilla Android roms, actually, contain very little advertising/spying, and it makes a perfect sense: why would Google open-source their spying/advertising machine?
The only thing that might be considered spying (in vanilla Android) is captive portal detection that checks the internet connection and a few other network tools/tests that periodically connect to the internet, but not necessarily with nefarious purposes. But even these could be disabled or changed to other servers.
Android becomes an advertising tool only when you install Google Apps/Google Services Framework, register a Google account, etc. Once you have that, and 100% of stock roms do, no amount of tweaking can prevent spying, because these Google 'structures' sit lower than any systemless layer. In other words, they can go around Magisk/Xposed tricks. Moreover, on devices with stock roms, one doesn't even need encryption and the use of apps like Signal/Telegram/Silence etc.. Google Services Framework can see your outgoing messages before they are encrypted, and incoming messages after decryption. In other words, they can see what your eyes see on the screen.
So, the only way to prevent Google interests from taking over your phone is never install Google 'things', which is the case with my rom and my phone.
Click to expand...
Click to collapse
I don't really program Android, though I am a kernel developer in both Linux and Freebsd. I also am one of the principal architects of a network infrastructure appliance that is getting a lot of attention in the industry.
So, while I do not know android in detail at a low level, I know linux thoroughly and I am fully equipped to completely monitor and control what access that android (or any other computer) has to any network. And that has been my dilemma; I can see what my device is doing and I am determined to stop it.
I agree with you about vanilla Android, absent all the google stuff. It is just linux with a different desktop on it, and the connections it makes to google are just for network management functions; the network device I have built also contacts google (and a few others) for network maintenance only and not any information transfer.
Unfortunately, the google apps infrastructure is required for some things that I use the phone for. Google maps is required by both Uber and Lyft; without Maps, I can't use those apps - and there are times when I am traveling where I really need to be able to use those apps.
Also, unfortunately, the company I am contracted to (where I am part-owner) for which I have built this network appliance makes heavy use of google tools. I have not been able to convince my partners to move away from google, and they can outvote me.
I have to allow Meet, and Chat to run on my device; I don't have a practical alternative. So I have spent a lot of time determining exactly which google components are the minimum required to allow those apps to run, and I have disabled or blocked or restricted permissions for all other google components - and both greenify and afwall play key roles in this activity.
With my old Galaxy S5, I just would install the smallest google package that supported Maps onto my Lineage OS on that device, but on this OnePlus 8, I have elected to stick with OOS for as long as it receives updates. So, tying google's hands is a lot more work.
My monitoring tells me I have it now as good as it will be. There are a few connections to google, as expected, but the frequency of those connections is not high and very little data is being transferred in either direction. I believe most of the traffic is administrative. The only thing I have not yet checked is whether there is any DoH or DoTLS traffic. My IOT VLAN watches for and blocks such traffic (my IOT VLAN exists to isolate and completely control my Android TV), and I have connected the phone to the IOT VLAN for a short while to see if any DoH/DoTLS was detected and none was - but I really need to connect it to that VLAN for an extended period.
I do root around in the phone's databases (which reveals what Google is doing, and Google can't stop that...) and the result is that I know Google is not doing much.
So, it isn't perfect. I would be much happier if the company would move away from google. But it is as good as its going to get, and I don't believe google is sneaking anything by me; I would have detected it. I do block a LOT of google URIs.
Also, as far as google open-sourcing their spying machine...that, quite explicitly, is the purpose of Android. It is open-sourced spyware for google.
They open-sourced it partly because they had to (the gnu licensing ties their hands) and partly to gain acceptance; its open source nature is why it is now the dominant architecture. It greatly reduces development costs for device manufacturers while providing a standardized framework upon which they can build.
Those of us who put in the effort to exploit that open-source nature to stop the spying are a small fraction of the total marketplace, and google can easily tolerate us.
Android has increased google's reach and ability to collect data about individuals to an enormous extent. From the standpoint of knowing everything about everybody (which is google's explicit goal) it is an enormous win for them.