DroidActivator - the Open Source anti-piracy system - Android Apps and Games

Hi,
We have developed a new, effective licensing control system for Android called DroidActivator.
It's intended to block piracy and also gives you some interesting opportunities, such as licensing your app with an annual renewal fee, applying a subscription model to sell features or content, protecting your app outside Google Play, acquiring device data, tracking custom events and more.
It is an Open Source project licensed under LGPL.
You can take a look at the Google Code Project Page (code.google.com/p/droidactivator) and at the project web site ([www].droidactivator.org).
Hope it can help the community!
Have a nice day,
The DroidActivator developers team.

Not quite sure what the point of an open source anti-piracy app is. It just allows people to tinker with it and thus bypass it.

A protection system should not rely on hiding its code to be effective.
Any protection can be defeated by a determined pirate.
It's just a matter of making life harder.

algos-dev said:
A protection system should not rely on hiding its code to be effective.
Any protection can be defeated by a determined pirate.
It's just a matter of making life harder.
Isn't open source making it easier?

This is an interesting topic.
You are right, lambstone: looking at the source can help you crack the code.
But in my opinion, the point is in the targeted audience.
An open source protection would not be suited for the new angry-birds-whatever but it would be for your medium/high-priced business app.
We have just no technology to avoid piracy. If the app is interesting enough, the pirate will decompile the app, remove the protection, repackage it and share it on the web. In this scenario, if the pirate got helped by looking at the code or struggled a bit more on the binaries doesn't matter so much.
We are not willing to fight this kind of piracy. We just wanted to build a tool to help small software houses fight "casual" piracy (folks who won't search for and use the crack, but won't hesitate to violate the EULA in the absence of a technical license protection mechanism), which represents the vast majority of piracy.

lambstone said:
Isn't open source making it easier?
It cuts both ways: more people reviewing the code means that it can be made harder to crack.
Security through obscurity

DroidActivator anti-piracy system updated
DroidActivator, the Open Source anti-piracy system for Android, has been updated.
The backend now features searching in activations and events and generates activation codes automatically. The GUI has also been restyled using CSS.
If you are interested, have a look at the Google Code project page [code.google.com/p/droidactivator] or at DroidActivator's web site [3w.droidactivator.org]
Thank You,
DroidActivator's development team

Related

READ ME: Clearing Misconceptions About CyanogenMod C&D

Lately a lot of threads have been popping up on this subforum and others with regard to the CyanogenMod C&D. A lot of these long threads seem to just be giant echo chambers filled with uninformed or ignorant end-users who don't understand the true nature of the situation. I am creating this thread to help clear up the misconceptions surrounding CyanogenMod, the AOSP, and Google's position in this matter.
Here are some common misconceptions and their clarifications:
"We should petition to keep Android open source!"
Google acquired Android, Inc. in 2005 and began investing time and manpower to develop the Android operating system into a fully fledged mobile operating system. The entire project was open sourced in October 2008 to coincide with the first public availability of the Dream hardware. Since then, the Android Open Source Project (which consists of all the source code required to build a working Android environment) has been completely open source. Period.
On top of the completely open source operating system, Google also bundled several useful applications into many stock builds of Android. These builds are commonly referred to as "Google Experience" builds, and the apps include things like the Market, GMail, Youtube, etc. These are NOT a part of the Android Open Source Project, they NEVER WERE a part, and it is unlikely that they ever will be. Many end users seem to have the misconception that these apps are and/or should be a part of the AOSP. They are not. Period.
"Google is trying to keep me from installing other ROMs [sic]!"
The C&D letter to Cyanogen was not meant to suppress users from using non-official builds ("ROMs"). The purpose of the cease and desist letter was to stop Cyanogen from continuing to redistribute without permission the proprietary Google-specific apps described above. This is completely within Google's right to do so.
Now to be fair, the work done on xda has often skirted the matter of unauthorized redistribution. In fact, without unauthorized redistribution, it would be difficult (but not impossible) to "cook ROMs". However, unauthorized redistribution has generally been viewed as an unspoken, ungranted privilege. If the company holding the rights to the related software issues a cease and desist letter, the community must respect that choice. To fail to do so would only serve to delegitimize what we do here and risk the survival of the os hacking community as a whole. Users with an overinflated sense of entitlement, you are not welcome here!
"I bought the phone, I should have a right to use the proprietary Google software however I like."
Generally, being legally licensed to run a software package does still impose limitations on your usage of it (e.g. you cannot make unauthorized copies or disassemble it). However, in this case, the violation is not in the end-user act of installing CyanogenMod, it is with Cyanogen distributing it. And by no means is this singling out Cyanogen; any "ROM cooker" that includes copyrighted proprietary software in the updater (which at this point is the majority of them) is potentially risking a legal letter.
"Google should not have waited until Cyanogen had worked so much to shut him down!"
As in #2, I have to emphasize that unauthorized redistribution is something of an unspoken tacit permission. "ROM cookers" therefore need to exercise good judgement. Back when builds were simply slightly modified versions of stock update.zip files, it was easy for Google to turn a blind eye. The latest CyanogenMod installer included a leaked pre-release version of the Android Market software. Now, I hope it's plainly obvious for even the most oblivious reader, but if you leak a company's unreleased proprietary software before their official release, chances are you will piss them off. Leaks like this have several potentially negative consequences for companies: 1) decreased perceived quality because the program had not been fully debugged, 2) ruining planned launch timelines, 3) causing server backend issues due to unrecognized clients logging in.
Bottom line is this: if you are a "ROM cooker" and you absolutely have to include proprietary copyrighted software in your build, DO NOT INCLUDE ANY UNRELEASED SOFTWARE. You will very likely get C&D'd.
"Google should appreciate Cyanogen's hard work!"
From the time you boot up your phone to when you run that first app, probably somewhere like only 1% of the code is written by the "ROM cook". The process of "cooking a ROM" is not, for the most part, programming.
If you want to give credit where credit is due, for the most part you would be thanking Linus Torvalds and the contributors of the Linux kernel, the Android Open Source Project team, and the folks who really did the groundbreaking work establishing root access on the Dream.
good post!
Agreed, very good post..
Maybe someone can clear something up for me (it's been bugging me a little).
If I compile from source I need to add files that are pulled from my phone.
Does this mean that ALL ROMs are technically illegal, even if they don't include the Google closed source programs?
Or are we OK to include these files as they are needed for the phone to work, so considered closed source but part of AOSP?
I have not seen this addressed and I am curious what the state of play is with these files.
Agreed ........ !
Thank you for taking the time to clear things up. Hopefully this will help folks gain some perspective and move toward productive directions.
If I compile from source I need to add files that are pulled from my phone.
Does this mean that ALL ROMs are technically illegal, even if they don't include the Google closed source programs?
Or are we OK to include these files as they are needed for the phone to work, so considered closed source but part of AOSP?
Good question. It certainly means the ROM is not purely open-source, at the least.
My sense is that those files are the property of HTC and we don't have a license to redistribute them.
Now I don't really expect HTC to serve anyone with a C&D anytime soon, for various reasons, but until a ROM cook gets a written license to redistribute those files from HTC, or until a fully open-source rewrite of those files is done, it's a gray area at the very least.
vixsandlee said:
Does this mean that ALL ROMs are technically illegal, even if they don't include the Google closed source programs?
Speaking very technically: yes, because you do not have the express right to redistribute the binary drivers for things like the wifi module or the radio. In reality, these pieces of code are so tightly tied to the hardware that it is unlikely you will get a c&d for redistributing them. However, in the hardcore open source community, even these drivers will be left out, requiring the user to fetch them for him/herself. That would be the 100% license-compliant way.
I'm pleased to say though, there are already many people working on semi and full license compliance methods and "ROMs". Just take a look at the first two pages of this subforum.
vixsandlee said:
If I compile from source I need to add files that are pulled from my phone.
Does this mean that ALL ROMs are technically illegal, even if they don't include the Google closed source programs?
Or are we OK to include these files as they are needed for the phone to work, so considered closed source but part of AOSP?
Read the post again. It's illegal to even copy the Google APK files out of an original installation and import them into a custom ROM. The major issue was that all ROM creators were importing the Google Apps which are "closed-source" into their own legal open-source code.
I guess now, it'll be down to the individual to decide whether they want the Google Apps in their phone. That's why scripts have been created to give the user a choice on whether to do the illegal act of placing the Google Apps onto their phone.
Google are unlikely going to chase you the individual down rather than the ROM creator (like in Cyanogen's case with the C&D letter).
Hope this helps.
OK, so then all this is not because of the Google proprietary crap, but because he released the Market early, so Google just USED this BS reason to stop that? In other words, had he not released it early, nothing would have happened?
If that's the case, I don't blame Cyanogen, but I blame ALL those GREEDY users that MUST have EVERYTHING before everyone else because they feel they need to be the best. You greedy punks almost ruined it for everyone. From what I see Cyanogen usually tries his best to do what the people want; had the people not wanted the Market so early (it's not even that great, just new colors "ooohhh wooow I've never seen colors before I must have that! and now!".. ridiculous) then this wouldn't happen.
Now from what I see the latest and "greatest" usually comes in the experimental releases. I think Cyanogen should shut down the experimental releases, or only release them to certain people.. or make it a lot LESS public.. that way he can keep testing the stuff till it's good and then release it as stable when he sees fit. I mean come on, 4.0.4 is already awesome!! I love it! Been using since forever. Why couldn't everyone else just be happy with 4.0.4?
And like the post said, don't be stupid and release some leaked program, 'cause it doesn't just shut you down, it's gonna shut everyone down. Unfortunately I see that soon some noob working on Hero ROMs is gonna release something, and then HTC will be here next.
Oh, and add this in there:
My guess is that Google has known for some time what was going on, but probably thought 'best not to upset the apple cart' while Android was in its infancy, with only one or two devices from a single manufacturer available on a single carrier. Now that we are on the verge of Android devices being shipped from at least five hardware vendors with over half a dozen carriers, Google probably felt that they needed to get a handle on this. I sense they feared things getting out of control with modders doing willy-nilly ports of innovations from one vendor/carrier to another—e.g., Motoblur on HTC devices and HTC Sense on Motorola devices. I think Google's legal team had a strong part in what took place, and forced action.
And I just saw a ROM that got some of the Motoblur stuff mixed with Hero and for the G1. How long do you think till Motorola and HTC are here complaining about software on the G1 that isn't supposed to be?
Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.
TunsterX2 said:
I guess now, it'll be down to the individual to decide whether they want the Google Apps in their phone. That's why scripts have been created to give the user a choice on whether to do the illegal act of placing the Google Apps onto their phone.
If a user downloads a "ROM" without Google apps on it, downloads an official update.zip from google.com, and then copies the Google apps from the official update into the cooked "ROM", that completely mitigates the problem of unauthorized distribution and only leaves the much less sticky issue of unauthorized usage. Unauthorized usage is typically a lot less offensive to the interested companies and definitely a lot less enforceable. There are likely some EULAs somewhere governing the usage of the Google apps (GMail, Market, etc) and except for Market I would be surprised if they explicitly required the app to run on authorized distributions only. But again like I said, it would be difficult to detect, let alone enforce.
peshkata said:
Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.
That's a very good question, and one I sure would like the Android team at Google to answer. The only app I see being a problem would be Market, since it requires a secured app-private to function properly (which would not be guaranteed on a non-GE phone).
Your post nicely presents the legal aspects and rights of Google but IMHO misses the larger point. The open source community was believing in the ideals of open source and looking the other way at the control Google has over this platform. The pieces that Google controls are not easily (if ever practically) replaceable.
Google actions show that they are not that much different than Apple in trying to control the platform and the user experience. Don't be surprised to see Google behave more and more like Apple as the platform gets stronger and Google's need of an open community weakens.
The only bright spot is one that Google may have missed - that is their existing fight with Apple and AT&T regarding GoogleVoice. Their actions against Cyanogen give Apple and AT&T ammunition in their arguments with the FCC, which is the last thing Google wants.
This is the only lever this community has over Google. Bring up the FCC and Google Voice case, and Google may back off.
For those who pray for Cyanogen to be hired by Google -- that is the last thing you want. We do not need Google having more control over him, but less.
For those who think that creating bypasses with clean roms and user-initiated backups will solve these problem -- these are short-term technical workarounds which Google could close too.
So with it being technically illegal it's pointless (IMHO) being open source.
It's fine with taking from the community, but Google seem unwilling to give anything back.
Roll on when full open source ROMs appear. It would be like a Linux distro coming with everything but keyboard and mouse drivers.
This is all legally correct. But it misses the point of the uproar.
We did not expect Android to devolve into a squabble over closed source bits when the whole premise is open source. Goog has disappointed, plain and simple. Your sticky is an apologist's point of view since it doesn't address that fundamental issue.
edit: btw, if Goog was upset about the new Market app specifically, they could have blocked its access to the market using a client-check.
rbrahmson said:
This is the only lever this community has over Google. Bring up the FCC and Google Voice case, and Google may back off.
Well, think about it. Where would Google make more money: in allowing the deals it made with HTC and Motorola and stuff to fall apart because they allow non-licensed people to distribute their apps, but keeping the community with them, and winning with Google Voice... OR in screwing the community, keeping the deals on good grounds, and losing the Google Voice fight? Seeing how Apple is STILL WAY ahead of Android in terms of users, it's tough. Because it's basically, either Google kills its own OS for phones, or starts letting go of the iPhone ideas by starting with screwing the Google Voice. Honestly, from what I can see, Google is gonna come out losing either way lol
Then again it is GOOGLE. They never lose anything =/ Though with that BING thing growing.. the giant may go down some day. It's getting attacked on all sides.
vixsandlee said:
So with it being technically illegal it's pointless (IMHO) being open source.
That depends on what your objective is. Open source has many benefits, and many of those are retained even if your distribution contains some closed-source elements. Another important aspect to remember is that while x86 PCs have had three decades to mature, smartphones have not had that same luxury. Given enough time, even hw drivers will become open sourced. So "pointless" is a bit hyperbolic.
It's fine with taking from the community, but Google seem unwilling to give anything back.
The spirit of open source is the spirit of giving. In that vein, Google has invested considerable time building parts of the AOSP from scratch. To say that they are "unwilling to give anything back" is just a plain falsehood.
Roll on when full open source ROMs appear. It would be like a Linux distro coming with everything but keyboard and mouse drivers.
Good luck finding an open source 3G radio driver.
If anyone has read any of the dialog between Steve (cyanogen) and some other Google employees about this issue (most notably JBQ), you would realize that the Google employees are trying to work with Steve.
There is dialog about making the AOSP able to be built and fully functional and distributable without infringing on anyone's rights. This includes investigating other avenues for users to acquire and legally install the Google applications.
The current belief is that Google's legal team sent the C&D letter to Steve, and that it was not done so at the request of the Android developers. They most likely would have liked to work with him quietly and amicably.
Also, please remember that the Market application is not a part of AOSP. The Market application is Google's proprietary code; it is not part of the Android base. Not all Android devices have Google's Market—that is why there are other markets and means of installing software.
I have no doubt that this "controversy" will ultimately be for the best. I believe that Steve, JBQ and the rest of Google/Android will find a middle ground that will work best for everyone. (JBQ has an excellent history of working with other developers and finding good solutions for all—I remember back when he was working at Be and how helpful he was to all of those writing applications for BeOS.)
ytj87 said:
We did not expect Android to devolve into a squabble over closed source bits when the whole premise is open source.
So what you're saying is you expected everything included in a Google Experience phone to be open source? I think the problem here is you (and the people you lump into "we") don't understand that Android isn't just built for users, it's also built for handset manufacturers. Quote from the OHA website:
Why did you pick the Apache v2 open source license?
Apache is a commercial-friendly open source license. The Apache license allows manufacturers and mobile operators to innovate using the platform without the requirement to contribute those innovations back to the open source community. Because these innovations and differentiated features can be kept proprietary, manufacturers and mobile operators are protected from the "viral infection" problem often associated with other licenses.
In light of that, I don't feel it's necessary to dignify the rest of your post with a response.
peshkata said:
Why don't Google offer these closed-source apps like they do for Google Maps? They could only benefit from more users having the 'Google Experience', even though their phones don't have them pre-installed.
Because they charge companies like T-Mobile to offer the phone "With Google". If Google put them on the market, then, according to Google, any Android device would be able to get these applications. So why would T-Mobile pay to have them included? This is how Google makes money off of Android; this is why they bought it in the first place. They didn't develop Android for the open source community. They are a publicly traded company; all their shareholders want to know is "How is this going to make us money?". But it is great that the platform is open.
But that brings up Google's "response" where they state any android device can get applications via the Android Market. How can ANY android device get these applications from the market, if only "With Google" devices ship with the market...

Can someone explain Sun's licensing issues?

OK, so I'm trying to understand why Google developed and used Dalvik in Android instead of Java ME, apart from the fact that Dalvik is much better suited for resource-limited devices. I've read in several places that Google did it partially to avoid licensing issues with Sun (now Oracle).
Here it's claimed, amongst other things, the following:
Sun released their “free java” source code under the GPLv2 to both win the free software crowd and capture peripheral innovation and bug fixing from the community. For the java standard edition (aka “the cat is out of the bag”) there is an exception to the GPLv2 that makes it “reciprocal” only for the Java platform code itself but not for the user code running on it (or most people wouldn’t even dare touching it with a pole).
But such exception to the GPLv2 is not there for the mobile edition (aka “where the money is”).
But I can't see how that would affect Google? Unless you implement the Java ME platform and make changes to it, you're not affected by GPL at all, and even if you did, Android is open source, so.. I'm confused..
My understanding is that Oracle/Sun's lawsuit is based on patent claims, not copyright. The license that J2SE was released under really doesn't matter. For two reasons, none of this is J2SE and Google went out of their way to avoid using Oracle/Sun's code.
So, there is no claim that Google is violating any license associated with J2SE, or even J2ME. The claim is that the Dalvik VM implementation violates patents that Sun invented/filed while creating J2ME.
I haven't looked into things far enough to address whether Dalvik violates any of the patent claims in question or whether the claims are bogus in the original patent.
BTW, IANAL nor an embedded systems developer. I am however a moderately well-informed technologist and experienced professional applications developer.

[APP] TaintDroid - Realtime Privacy Monitoring

Just read this article via Gizmodo and this is definitely a must-have for some of us who are paranoid, which is just about everyone.
Overview
A joint study by Intel Labs, Penn State, and Duke University has identified that publicly available cell-phone applications from application markets are releasing consumers' private information to online advertisers. Researchers at the participating institutions have developed a realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications "downloaded" to consumer phones. In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers.
Source: http://www.appanalysis.org/
It's not released yet. Are there any other similar monitoring apps out there? This was something I've been thinking / worrying about since getting my sgs 3 weeks ago...
Near enough every app you install requires / wants at least full internet access. Not sure what private data is accessible, but this is a great source for profiling and could of course be used maliciously.
markwil said:
It's not released yet. Are there any other similar monitoring apps out there? This was something I've been thinking / worrying about since getting my sgs 3 weeks ago...
Near enough every app you install requires / wants at least full internet access. Not sure what private data is accessible, but this is a great source for profiling and could of course be used maliciously.
It looks like it will be soon.
Where can I get TaintDroid?
We will be making TaintDroid open source. Information to obtain the TaintDroid source code will be posted to this page.
Won't be an APK though; they have updated to say it needs to be built into the ROM. Source should be released, and there's nothing stopping the modders from adding it to their ROMs.
Update for those interested in installing TaintDroid: Tracking how apps use sensitive information required integrating our software into the Android platform at a low level. As a result, it was not possible to implement TaintDroid as a stand-alone app. Instead, to use TaintDroid you must flash a custom-built firmware to your device, similar to a number of popular community-supported Android ROMs. In the coming days we will open-source our code through a publicly-accessible repository. Please send an email to [email protected] if you are interested in receiving a notification when the source code is available. Thank you for your interest in TaintDroid!
That works for most of us here who are rooted.
Sounds interesting, but I have to laugh at the use of the word 'taint'. Was DurfDroid taken?
The source code and instructions for compiling into kernel (Nexus One) are now given at the site:
http://appanalysis.org/download.html
This cannot be installed as an app (.apk); it's a compile-into-your-own-kernel effort at this stage.

How to pick an open source license

You've made the decision to release your code as "open source". Ok, what does that mean, what is an open source license, and how do you pick the right one? This question comes up all the time so I thought I'd write up a simple decision tree to try to explain the choices. Many people use GPL without realizing the implications or understanding the other options. This isn't legal advice, and I'm not a lawyer, and I'm probably over-simplifying some of the points, but I hope you find it helpful.
First of all, if you write some code, it's your code and you get to decide how other people can use it. Period. Nobody but you can say how your code can be used, either by putting restrictions on it or taking them off, without your permission. That's a very important point to keep in mind while reading this article.
The second point to keep in mind is that nobody but you can even use your code unless you explicitly give them permission. Another way of saying this is that all source code is closed and proprietary and off limits until you, the author, open it.
Note: The text of all the licenses mentioned here can be found at opensource.org.
Decision 1: Do you want to relinquish any control over how your code is used and distributed?
If yes, then don't copyright it, and don't license it. Put it in the public domain, and you're done. This is a good choice for examples, templates, and other illustrative code where the whole point is that you want everybody to feel free to use what you've written. [Alert readers pointed out that "public domain" is not a good choice because in many jurisdictions you can't give up your copyright. Use a liberal license like MIT/BSD instead. -22jun/ebb] Example: code listings in a book or article.
If no, then Copyright the code (paste copyright notices all over it) and continue with decision 2.
Hint: Just to make sure your intent is clear, either put in explicit copyright notices, or put in explicit notices that the code is in the public domain. Copyright is how you retain control. Without a copyright, there is no control. [Technically the notices might not be necessary but they don't hurt and are still recommended. -22jun/ebb]
Decision 2: Do you want to allow people to use your code in non open-source programs?
If yes, then continue to decision 3.
If no, then release your code under the GPL, a restrictive "free (libre) software" license that actively promotes user choice at the expense of direct commercial interests. For the most part, GPL'd code can only be used with other GPL'd code, and in fact if you start using [and distributing -22jun/ebb] some GPL code in a program you wrote then you either have to release your program under GPL as well or quit using that code. This is why GPL is sometimes described as "viral". Examples: Emacs, Linux kernel.
Hint: Don't take this choice unless you really mean it. Many people use GPL without realizing the implications or understanding the other options, and thus lock the code away from a whole segment of potential users, so please read the rest of the choices first.
Decision 3: If somebody uses your code in their program and sells their program for money, do you want some of that money?
If yes, then you have two choices. The first choice (3a) is not to release it as open source at all, i.e., use closed source and you're done. This would preclude anyone from using your code in free (no cost) packages. And it would only allow people to use your code in commercial programs if they came to you first and worked out a deal for a commercial license. Note that even if the source is "closed" you can give permission if you like for certain people to have access to the source and use it in limited ways. Example: Microsoft Windows, Sun Java (sort of).
The second choice (3b) is dual license. I'll talk about licenses more in a moment, but dual license just means you give permission for people to use your code under two or more licenses. You pick one license (probably GPL) for free (no cost) programs, and one for commercial ($$$) programs. This is a good choice if you're trying to make a living off licensing fees for the code itself. Examples: MySQL, JBoss, SleepyCat. Continue to decision 4.
If no, then give permission for others to use your code under one or more "commercial friendly" licenses. This is a good choice if you want your code to get into as many hands as possible and either you don't care about the money or you plan to make money in other ways, for example by selling your own programs that use the code or from consulting or support. Examples: Apache HTTPD, Eclipse, Firefox. Continue to decision 4.
Decision 4: If somebody uses [and distributes -22jun/ebb] your code and improves it (fixes bugs or adds features) do you want to make them give you the improvements back so you can use them too?
If yes, then use a "reciprocal" license. Any modifications to your code need to be made available under the same licensing terms as your original code. This is useful if you're worried somebody will take your code and go off on their own private "fork". Examples: Eclipse (EPL), Solaris (CDDL), and Firefox (MPL). Done.
If no, then use a non-reciprocal license. Often times the people using your code will send back improvements anyway, especially if you have a history of frequent releases and they get tired of having to re-merge in their changes every time. This is the most wide open type of license so it will get you the most exposure and users, but it can also relegate the original writer(s) to the sidelines. Example: FreeBSD (BSD). Done.
In a follow-up article I'll explain how the most commonly used open source licenses fall in the categories like "commercial friendly" and "reciprocal", and address any concerns raised by commenters. So whether you agree or disagree with my points above please give me some feedback in the talkback section.

Are PRIVACY concerns overrated?

The single most important, most debated subject of being online - privacy and security.
While security is undisputed, privacy aspect is.
So what exactly is the concern? As normal people in normal professions (which is easily more than 90% of the population), is there a need for worry?
For a long time since I started using smartphones, I had a natural inclination towards remaining anonymous and private online. I would always use incognito browsing for everything I do online, never create an account with a service as much as possible (e.g. I would watch YouTube videos without signing in), etc.
With time, I began realizing that I am actually missing out on so many interesting things that matter to me, and much of the content that would interest me would be made available to me without much effort using machine learning and artificial intelligence, an area where huge investments are being made.
So slowly I started accessing content and using services with my Google account. Over time, everything from Google feed to YouTube videos were showing me content that I am interested in, and sometimes they were so intelligent that I have been amazed with the whole technology that is at work. Surely, you cannot expect a doctor to give you the right prescription without giving him complete details about your problems. You can't talk privacy there. So unless the system learns what you like and what you don't, there is no way it will present stuff (including ads) that will be interesting to you.
With that said, why are we overemphasizing this aspect of our lives? Is the privacy lobby inflating the privacy problem more than is necessary? Especially since much of what Google learns (according to them) about you is private, and only you can access/ control it, and also because the open-source alternatives are overrated. I say overrated because there are no audit reports (from trustworthy audit entities) available. Their codes may be available for audit, but is there a trustworthy source that is actually auditing them? Are the platforms where they are available being audited? So the issue of privacy and security applies to these platforms too, and more so because they aren't scrutinized as heavily as Google products and services.
As far as more personal info is concerned, like location, age, gender, searches I perform, accounts, mobile number, etc - Google already has all those because I provided them with much of that info when I created my account. Sure, one can always provide fake info for some of them. But if you use 'Find my Device', you are pretty much giving away your location to Google REAL-TIME. While this can potentially be misused, how else is Google supposed to help you if you were to lose your device? Mobile numbers and email addresses are necessarily required to be correct because they are needed when you are locked out of your account. They are the only means to get your account back.
While I am a strong proponent of privacy, I also feel that too much is made out about a lot of stuff that isn't really something to worry about. That stuff is essential to get the service we expect in return, in other words, putting technology to use.
That said, it is still important not to give anyone a free hand over data, and there has to be several layers of checks and balances, and accountability for safeguarding and using them.
All that said, my current position is this. Make best use of the technology at hand, because if you don't provide the necessary inputs, there cannot be a proper output.
As with some things that we do online which we might want to keep completely private, use a non-google browser (like Firefox Focus or Duck Duck Go) in incognito mode with Duck Duck Go search engine.
For everything else, use GOOGLE (assuming there is accountability and severe penalties for violations).
Reserved for additional info.
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. Maybe you or others could answer them. I'll compile them and post these later.
Sridhar Ananthanarayanan said:
@Ultramanoid
We may continue the discussion here.
I have a few specific questions for which I haven't found answers. Maybe you or others could answer them. I'll compile them and post these later.
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
 
Ultramanoid said:
I have a hard time understanding how you can say you're a strong proponent of privacy, while at the same time justifying how you exchange yours for convenient services.
I can't justify that exchange, and yet use, work in, and develop in an IT field. No Google account here. So it'd be difficult to discuss the issue when our basic premises and understanding of the situation are completely opposed.
I want a good mail service, so I PAY for it, with MONEY, and I assure you it beats all the tech prowess and illusions of magic that GMail and its indecent, immoral, and insulting data mining and tracking provide. Same for everything else.
The aberration that is 'service' ( lower quality feature set, no support, security issues, client is the product ) for information, which, as mentioned in MiX's thread, also has the tremendously damaging side effect of reducing to zero the value of good honest developer work. 'Google gives it for free' -- No, it doesn't, and no, it's not free.
Edit : And by the way, giving your data away not only puts you at risk, it puts others at risk as well. Unacceptable.
 
You spoke of making 'reasonable compromises' on the MiX thread.
I have only elaborated the same. How does it matter if Google learns what I like to search on the internet? I am willing to give them that information so that they can provide me with content I am interested in, so that my news feed is mostly content I like to read/ watch, and little garbage. In the process, if they are showing me ads relevant to me, what is wrong with it?
My view is based only on this premise that this is how my data is being used. I have never had a financial security issue (like money being stolen from my account) because of what Google learns about my internet activity.
Also, I am assuming that Google won't learn anything about the searches I may do in incognito mode. They are supposed to respect the privacy. I'm aware they have been sued for not adhering to it strictly.
So assuming that they stick with usage of data as per their declared privacy policies and in accordance with laws, what is the problem?
Sridhar Ananthanarayanan said:
You spoke of making 'reasonable compromises' on the MiX thread.
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
 
my view on this is:
i agree, you should protect privacy as much as you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldn't go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government conspiracy evangelist), but i wouldn't rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google goes down or misuses my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i don't like any manufacturer stock ROM, i want just their hardware, and software i want to be my choice.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow government to extract data (like edward snowden said), so anyone from government can access it or even misuse it, but if you don't store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckduckgo, and also incognito doesn't respect any privacy, it just makes the browser not store history, everything else is visible to them, unless you use firefox and duckduckgo.
and also many say vpn secure you (ones you buy), but i wouldn't trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server doesn't care what you store on server (because you pay for it) and if government comes to there he won't be able to provide anything.
but still even with all said, i don't advocate on trusting government as they don't care about freedom or rights, they care just about power, so protect privacy as much as you are able to, but don't go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day don't forget that all intel, arm, amd chips (hardware) are hackable and exploitable to surveillance if they want to
EDIT: and also always remember, if you are censored for your rights, you have full right to protect your right, but i didn't get censored for searching for something on google. maybe google censored it to control media, but everyone does it, even media is manipulating you with fake news.
like if i am in china and i can't open news that reveal china government because china censored that source "for greater good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long as you don't face censorship for your rights it's still okay to use those services, but if someone censorship for your rights, then it's time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
Ultramanoid said:
As to security. As long as you rely on someone else's software, some company's cables and infrastructure, there's no other way.
No reasonable compromise on privacy in the "service x information" business model. It needs to die.
Edit : Have a look at this; https://privacytools.io ( "Privacy? I don't have anything to hide." )
 
I think the moment you are online, you are presenting yourself to be tracked. No matter what tools you use to safeguard your privacy, a country's intelligence has an upper hand because they have the resources and much more advanced technology that is not commercially available.
They can also set up something like the link you shared as just another means to track you (by misleading you into believing that you are remaining private and anonymous).
I think one can truly stay private only by staying away from technology. Otherwise, you are just opening yourself up for tracking.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, doesn't matter, but they are released, you just need to look it up
indestructible master said:
nope, check here
XDAevDB Information
[ROM][UNOFFICIAL][10.0.0][raphael] LineageOS 17.1, ROM for the Redmi K20 Pro
Source Code: http://bigota.d.miui.com/V11.0.1.0....NGlobal_V11.0.1.0.QFKINXM_5e75bba584_10.0.zip
this is source code for ROM, they are always released somewhere, github, doesn't matter, but they are released, you just need to look it up
This is not a source code ... Just because it says source code, it doesn't mean it's a source code. That's a zip file containing the OEM firmware from Xiaomi.
indestructible master said:
my view on this is:
i agree, you should protect privacy as much as you're able to, but if you need some services and you need "to give up privacy" for acquiring that service you need, then for me it's legit.
i wouldn't go all crazy on privacy as many go (to completely ditch google, windows, and become open source - privacy - government conspiracy evangelist), but i wouldn't rely on them for my whole life.
yes, i use google calendar and notes and all my data is on google, and if google goes down or misuses my data, maybe i will lose that data but still i can easily use on another platform one stop working or is not trustworthy (publicly misuses data)
i love to use custom ROMs not to ditch google or become privacy conscious (using f-droid and living under rock without google services) but to ditch stock ROM from manufacturer as i don't like any manufacturer stock ROM, i want just their hardware, and software i want to be my choice.
for normal people storing something on google, microsoft, apple is not at all bad idea, when you store not that important or sensitive data on google. but i would never upload any top secret, sensitive data on any those services, as they WILL allow government to extract data (like edward snowden said), so anyone from government can access it or even misuse it, but if you don't store top secret sensitive info on those services you are fine.
if you want to store top secret sensitive data you would make it and encrypt it and store local copies.
and for google search, same applies, you will be fine with normal use, use firefox and duckduckgo, and also incognito doesn't respect any privacy, it just makes the browser not store history, everything else is visible to them, unless you use firefox and duckduckgo.
and also many say vpn secure you (ones you buy), but i wouldn't trust not even them (even if you pay), if you want to have encrypted connection you better MAKE your own VPN server (you can buy remote linux server online and make it as VPN), carrier to whom you pay for server doesn't care what you store on server (because you pay for it) and if government comes to there he won't be able to provide anything.
but still even with all said, i don't advocate on trusting government as they don't care about freedom or rights, they care just about power, so protect privacy as much as you are able to, but don't go all crazy on it, because best way to be secure on internet is not to use it at all, as at the end of the day don't forget that all intel, arm, amd chips (hardware) are hackable and exploitable to surveillance if they want to
EDIT: and also always remember, if you are censored for your rights, you have full right to protect your right, but i didn't get censored for searching for something on google. maybe google censored it to control media, but everyone does it, even media is manipulating you with fake news.
like if i am in china and i can't open news that reveal china government because china censored that source "for greater good", i would use linux, tor and vpn so i can bypass censorship to know what's right. as long as you don't face censorship for your rights it's still okay to use those services, but if someone censorship for your rights, then it's time to act and stand up for yourself, and not accept anyone's "censorship for greater good".
As I said, we are overemphasizing on many of the things and linking them to privacy. Much of the seemingly private things have no bearing in real life, even when made public. Because, no matter where you are, you have to adhere to the local laws and your internet activity isn't important (unless one is into prohibited activities).
It is a very niche segment of people (like those working for intelligence, journalists, etc.) that must pay special attention. For most others, there isn't too much to worry about, as long as the companies providing services adhere to data regulations and act with responsibility.
atttoush said:
You know what's funny, people talking about privacy (intrinsically security also), yet many (and by many I mean the majority) of ROMs released on XDA are released without source code. Devs link to some other sources other than the source to be able to build the project. Here is an example. So while privacy is important, security is highly problematic with this modding model we all follow. Not to mention flashing different unchecked Magisk modules.
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
It's not the case with few established ROMs. Lineage OS comes to mind. As they encourage people to build ROMs from source. But device support is problematic. That's why I turn to custom ROMs. It's a great idea, but I thought XDA ROMs guaranteed security with the GPL and Open source philosophy. But it's being violated all over the place.
Sridhar Ananthanarayanan said:
Few months back, I made a decision to stop using custom ROMs. This decision is made easier by OEMs promising 3 to 4 years of software/ security updates.
OEM ROMs are largely scrutinized. Custom ROMs are not. You never know what they bake into their codes. There is absolutely no assurance on them respecting your privacy or security.
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
 
Ultramanoid said:
Which OEMs are these ? Please mention one and point to where and how their code can be reviewed. Almost none provide support for a device after 2 or 3 years. Almost none are scrutinized because their additions to Android are proprietary and closed source, they barely release kernel changes and those only because they are legally obliged, sometimes even after the device which uses that kernel is not even on sale anymore.
Partial exception for SONY, that provides repositories for AOSP support for many of their devices, and sometimes have released blobs ( not code ) for their drivers and cameras. This is the rare exception, not the rule.
Almost no OEMs provide timely security updates incorporating Google's monthly patches for critical vulnerabilities. Some pile them up in batches, leaving devices vulnerable for months and even years. Stagefright, bluetooth, Qualcomm ... They don't give a crap.
Get the facts straight.
Lineage, in contrast, is developed in plain sight by hundreds of developers revising the code every single day, include Google's vulnerability patches religiously every month and have provided fixes time and again for things Google and OEMs don't bother to fix. They also support devices securely years after OEMs have completely abandoned them.
LineageOS
A free and open-source operating system for various devices, based on the Android mobile platform. This is a mirror of https://review.lineageos.org/ - LineageOS
github.com
Edit : Remember that this is a developers' forum, by developers for developers. Checking and editing code daily is what we do.
Edit 2 : Can't comment as to other 'custom ROMs', from which it may very well be better to stay away.
 
I didn't say that OEMs make their source codes available. I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition. There are a lot of benefits by doing so because OEMs can use this as an opportunity to push sales of their own devices. Example is the clipboard scandal of OnePlus, as well as others.
Compare that to custom ROMs. There are so many custom ROMs available for popular devices. Official builds, unofficial builds, nightlies, etc. etc. The ROMs are available for free. Who cares to audit/ scrutinize these? No one cares because there is nothing to gain. This is also because a very minute % of Android users actually install custom ROMs. So no one cares.
Just like root, the need for custom ROMs is decreasing by the day. OEMs are now promising up to 3 years of Android upgrades and 4 years of security updates, at least for their flagship devices. And now the Google-Qualcomm partnership that is making these upgrades easier and faster. Unlike in the past, OEMs are much faster in releasing security updates today.
Lineage official builds, in my experience, isn't feature rich like some other custom ROMs or unofficial forks of Lineage. People may opt for Lineage official builds primarily for two reasons:
1. Debloat their OEM software like those from Xiaomi, Huawei, even Samsung.
2. OEM has stopped providing official support (this is now changing because 3 to 4 years of official support is synonymous to life of the device because a large % of people usually buy a new device every 3 or 4 years).
Some of the developers of custom ROMs are arrogant arses. That's another reason to tell them to eff-off.
Sridhar Ananthanarayanan said:
I said they are scrutinized. Scrutinized by security researchers around the world, who may or may not be funded by competition.
OEMs are now promising up to 3 years of Android upgrades and 4 years of security updates, at least for their flagship devices.
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
One thing is to express an opinion, another to give facts.
 
Ultramanoid said:
1. Which security experts ? We have some in XDA whose daily job is precisely that, have you spoken to them ? I don't know of a single audit of any OEM's version of Android. Please mention or link at least one if you think they exist.
2. Which OEMs ? I don't know of a single OEM providing support of any kind for any of their devices ( maybe OnePlus barely reaches 3 for some of theirs, again, a very rare exception ) beyond 3 years, much less 4.
Provide real data points or stop speculating on vague promises and supposed security experts somewhere. When I say LineageOS is available, you can see it is. You can also build SONY's AOSP from their code. ( Edit : https://developer.sony.com/develop/open-devices/ )
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
That's just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. That's also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Ultramanoid said:
One thing is to express an opinion, another to give facts.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
Sridhar Ananthanarayanan said:
Fact 1: OnePlus is collecting your private data without permission
Fact 2: Engineer Mode
Fact 3: Clipboard Scandal
Fact 4: Shot on OnePlus
Fact 5: MiUI stealthily sending user data back to China
Fact 6: Xiaomi Recording Millions Of People’s ‘Private’ Web And Phone Use
...
That's just some of them. If you search, you will find more.
In most of these cases, it is some security researcher somewhere in the world who found a questionable activity that goes against acceptable privacy and security standards. In other cases, it was some random user who found a vulnerability or some unacceptable practice.
The point? Number of users of stock ROMs are way way higher than those that use custom ROMs, and as a result someone somewhere might find something either accidentally, or as part of security research work (paid by competition or otherwise).
OEMs will be careful when they make their ROMs. They are not only under scrutiny, but also need to ensure they stick with doing the right things because they have a business to run. The same isn't true for custom ROMs that some nobody will make and act like trash when questioned. That's also because the product is free (or may not be depending on what is baked into the codes) and so the developer may think he isn't answerable.
Now you may point out the opinions. All the above are actually facts, that support my previous comment.
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
 
Ultramanoid said:
What all that proves is that OEMs are pure solid garbage, thank you for agreeing. Rest the case already. ^_^
Sorry to hear you still prefer to stand by out of date systems, unsecured protocols, and shady immoral companies. It is useless to discuss when you keep insisting on sustaining your biased opinion against hard evidence -- that YOU yourself provided.
Cheers !
 
You are simply exaggerating it.
Like the saying goes, better to trust the known devil than the unknown angel.
Cheers!
