Introduction
I have not seen much talk about security in XDA, and not at all on Neo Section.
So here's just one informative link about using and developing apps and the security risks involved:
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, or get your credit card info (should you do such things on your phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made in XDA without worrying if there could be that kind of bug in your made or used ROM.
You don't need a malicious app to have risks. Most people use Windows, so they should know that it is operating system bugs and vulnerabilities that allow unwanted access to your files, data, etc.
Android itself has a very non-foolproof security system. All apps on an unrooted phone are in a sandbox. That's no security measure at all. It doesn't limit an app from stealing your private info at all, it only can't delete the whole ROM. That's just an idiotic security system, for it is the only thing besides encrypting a shut-off phone on 3.0 and 4.0. So that means Android on its own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software ofc.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. Same is with Google and its Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on net, you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. Same is true for Android.
Say your Phone Explorer has root access; that means it has root access to the whole of Android. To remove unnecessary risks, this app's root access should be limited to only the most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is AppArmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is an obvious vulnerability, but it is at least a known one. Let's look at the possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On Market it does not list the permission for "Unique Device ID" (IMEI for GSM and MEID; ESN for CDMA) for the free nor for the paid version.
That means the author of BB has left the code from the free version in the paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the ad and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's latent code, with no benefit to the user, and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on the net and also where you are physically. GPS is just one way to find you; police for example have scanners to locate your device's physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risk of your home being marked as the next dungeon to be looted by some raiders, I mean criminals (or perhaps WoW players sleepwalking and sleepraiding?) or getting your ID and bank details stolen by a trojan/hacker is random. Yet the threat would not exist without apps having such flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in an aquarium or hamsters in a cage ("Look at that dork!", "You're one ugly m...f...er", "ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?", "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by a hacker in the background and take a snapshot of you.
On top of this little needless permission it has the following hidden permissions:
1. Unique IMSI, read about it here: http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Device ID
4. Cell Tower Name.
That's a lot of needless permissions for a flashlight; these are there just to track you, the app user, and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux to have such security holes, then why do you want your Android to have them?! You don't want that, that's the point, and these apps would not be so popular if people really knew and cared about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
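The first post's point about apps carrying permissions their function does not need can be checked against the APK itself rather than the store listing. The following is an added example, not part of the original thread: it parses the output of aapt dump permissions and reports what lies outside a reviewer-chosen baseline. The sample output, the package name com.example.flashlight, the baseline set and the permission-to-data table are all constructed for illustration and reflect Android releases of the thread's era.

```python
import re

# What each permission exposes on Android releases of this thread's era.
# Constructed table for this example; extend it for a real review.
EXPOSES = {
    "android.permission.READ_PHONE_STATE": "device ID (IMEI/MEID/ESN) and IMSI",
    "android.permission.ACCESS_COARSE_LOCATION": "cell tower / approximate location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.CAMERA": "pictures and video",
    "android.permission.INTERNET": "network access (needed to send data off the device)",
}

# Permissions that can identify or locate the user.
IDENTIFYING = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

INTERNET = "android.permission.INTERNET"

# aapt prints either "uses-permission: android.permission.X" (older builds)
# or "uses-permission: name='android.permission.X'" (newer builds).
PKG_RE = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")


def parse_aapt_permissions(text):
    """Return (package, set_of_declared_permissions) from aapt output."""
    package, perms = None, set()
    for line in text.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            perms.add(m.group(1))
    return package, perms


def audit(aapt_output, baseline):
    """Compare declared permissions with the baseline the reviewer accepts."""
    package, declared = parse_aapt_permissions(aapt_output)
    extras = sorted(declared - set(baseline))
    findings = [(p, EXPOSES.get(p, "not in this example's table")) for p in extras]
    # Identifying data is only a tracking risk if it can leave the device.
    identifying = [p for p in extras if p in IDENTIFYING]
    tracking = bool(identifying) and INTERNET in declared
    return {"package": package, "extras": findings, "tracking_capable": tracking}


# Constructed sample of `aapt dump permissions app.apk` output.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: android.permission.WAKE_LOCK
"""

# Reviewer's baseline for this app (an assumption of the example): what is
# accepted as needed to drive the LED and keep the screen on.
FLASHLIGHT_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.WAKE_LOCK",
}

if __name__ == "__main__":
    report = audit(SAMPLE_AAPT_OUTPUT, FLASHLIGHT_BASELINE)
    print("Package:", report["package"])
    for perm, exposes in report["extras"]:
        print("  beyond baseline: %s -> %s" % (perm, exposes))
    print("Can identify the user and send it out:", report["tracking_capable"])
```
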
The most important thing is to read the permissions before installing.
If you had read the article I linked. Those permissions don't matter anything really if stuff developers use doesn't reveal what it does, or developer itself doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use the Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which the Cyanogenmod permission manager shows. And I've sanitized all my apps, still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found snapshots from the front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype (the phone app has a fake IP of Holland but the actual connection goes to Moscow... oh come on, what is this? Why such hiding? Like anyone would trust their phone's Skype connection streaming through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brightest Flashlight, some photo editors, and a slew of other garbage I've already forgotten about cause I don't use any of it anymore.
First post updated
How about the new 4.3 update... it includes some security and privacy control... will this prevent the things you had mentioned?
Is there any way to reactivate this post? Maybe start working on a security enhanced Android ROM? I agree, security does matter!
I don't own a smartphone yet, but I'm thinking about getting an Android phone soon. It will be my first smartphone. I’m also new to XDA-Developers. Please help me, as I have questions about Android security and though I’ve posted this message to several other web sites--android.stackexchange.com, Quora.com, and Reddit--no one has answered all of my questions completely and thoroughly. I’ve only gotten short responses that are a few sentences long and only talk about one or two things. I really need more help than that, and I’m hoping that I can get it here!
I know that this message is long, but please, if anyone can read through it and then try to answer all of my questions, I would REALLY appreciate it!
Here are my questions.
1. Is Android’s stock browser updated directly by Google, or do updates to it have to go through phone manufacturers (Samsung, HTC, etc)?
2. If I buy a phone that runs a manufacturer-customized version of Android, such as the TouchWiz version of the S4 or the Note II, will keeping Android’s stock web browser--as well as any other browser I choose to use--up to date keep me safe from web-based exploits, even if that phone’s manufacturer is slow to deliver updates? (Edit: I want to add that I'm interested in technical details.) By “updates” I mean updates to everything provided by or customized by the phone’s OEM: the customized version of Android, the manufacturer’s pre-installed apps, etc. (Edit: what I'm asking here is whether the OS needs to be kept up to date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date, whatever web browser it is).
3. I have read that OEMs are often slow to update their devices, and because of that I have limited myself to only looking at Nexus devices and Google Play Edition devices. But I really need to know if I SHOULD limit myself to Nexus and GPE devices for the sake of web security. (Again, I'm interested in technical details.) I don't want to buy a phone from a manufacturer that takes months to release security updates, leaving me vulnerable to web browser exploits and malware in the interim. But if I am wrong about ANY of this, please tell me so, because I would like to be able to consider devices that run manufacturer-customized versions of Android, such as the Touchwiz version of the S4 or the Note II (or maybe the future Note III).
(Edit: the answer to question #3 would depend on the answer to question #2; if the answer to #2 is ‘no, the underlying OS does not need to be kept up-to-date to protect you from web browser exploits’, then I guess the answer to #3 would be that I can consider buying a device that runs a manufacturer-customized version of Android that won’t receive OS updates as quickly as a Nexus does. If, on the other hand, the answer to #2 is ‘yes, to protect yourself from web browser exploits you need to keep both your browser AND your OS up-to-date’, then I guess for maximum web security I’d need to buy either a Nexus or a Google Play Edition device.)
4. I’ve read that in-app advertising can be a security risk. I’m really hoping that someone here will explain this to me. (Edit: again, I'm interested in the technical details, but keep in mind that I'm new when it comes to smartphones.)
I’d like to add a few comments:
1. I will only get my apps from the official app store--Google Play--or maybe Amazon.com’s Appstore for Android.
2. I'm concerned about web security and in-app advertising.
3. I don't plan on rooting my phone. I'm not saying I won't, I'm just saying that I don't plan on it.
1. Only Nexus devices are updated directly by Google. Even the HTC One Google Edition will be updated by HTC, and so will the browser since it's a part of the software.
2. Manufacturer updates are slower than Google. Most of the good apps available should receive updates and solve security issues.
3. If you want to disable advertising then use AdAway; notice that you will need root.
1. The stock browser I believe does get updated when the OS is updated. I've read about people getting OS updates to find the stock browser is then faltering and assume this then gets updated. The update of the OS is usually done by the device manufacturer unless you are using a custom ROM. Whoever creates the ROM used on the device is responsible for the internal updates for it, to whatever level they wish to support it. I have read that Google don't mainstream care about the stock browser as they are pushing Chrome for the win and a separate team deals with the stock browser.
2. The world and his hedgehog are not safe from hack exploits. The quality of protection out there in any sense is mirrored by the quality of hacker. If you have a crap security level, any old hacker can exploit it. If you have the world's most renowned security, then the best hackers will break in at some stage while the wannabe hackers struggle to threaten their way out of a paper bag. However with some people, they need gold bullion and jail style security while others wonder why they need it. People can recommend you do this or do that, and some recs are excellent while others are not quite but almost hilarious, but at the end of the day, if a child can hack into high security places, our devices are not so hard to get into. That said... we can run paranoid while there may be no threat at all. If you are concerned, just be careful of what you do with your device. Myself, I use it for every day communication and have not yet used a credit card on it with no real need to.
3. Even the greatest have not updated their OS. The Motorola Xoom promised one from purchase yet people were moaning long after the stock sold out that it never came. Granted it surely must be true that certain companies are quicker to advocate update releases than others. But the higher paying vs the cheap low end thing isn't something to run with either. I have a very cheap quad core tablet and that has just had a firmware update from last week and as far as I can see, it's an almost brand new device, market wise, so it seems the update from them was fluid. Again, that said, the updates seem to be more about the OS running well with the hardware and app capabilities than security, although I dare say there are some inevitable security fixes in there too. My quad tablet was sluggish to some extent and a bit crashy but so far, it is fine after the update although I have only done it a few hours ago... everything me and the kids have tried has either worked better or been flawless. No sign of lag yet anyway.
4. In-app advertising can be dangerous for a few reasons I guess, but the reality again is I think any file can have dangerous code attached and configured in a way that the OS or security cannot smell it. Of course there is the ability of spam links to scam sites. There are also false flag things that are or maybe are possible too. For example, using x file with y file and requesting a cup of tea from z file can make a security team think your couch is about to disappear and your granny is about to land bump on the floor, when indeed an app just wanted to execute a command using an ancient method of pressing Q. This is something I learned in Windows based operating systems, where using certain dll files with certain other files can trigger an alarm, as innocent as the intentions were. I built a website not so long ago and called some iFrames in that had no < head > or < body > tags. The pages worked perfectly but some Chinese company employed to protect a British ISP flagged the site as a security risk and blocked any visitors from viewing it. Thankfully, long gone are the days that visiting a website would fry your motherboard.
On your remaining comments.. seems like wise advice as of course there are scammers out there who will give your granny that bumpy ride off the disappearing couch onto the floor or steal your account and all those types of greed based madness which is a shame because it ruins the experience of say if a friend is trying to build an app and they ask you to give it a go, you are somewhat rightfully not willing to play ball.
FYI I have been around computers for a long time but am by no stretch of the imagination an Android expert at all. I hope what I have written above is helpful and not by any means wrong. I have not long posed the question about rooting and security as I do not qualify understanding the realm at all. I dare say it is a huge question, to some extent.
Also, security risk aside as no smartphone, tablet or computer escapes that realm, Android for me is the best device, then iPhone, then Windows Phones, then Crapberry. I would never purchase the latter three.
Hi codQuore,
Thank you for your responses to my questions. I need to clarify two of my questions in my original post. (I have edited my original post to include these clarifications.) In question #2, I was attempting to ask whether the OS needs to be kept up to date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date (whatever web browser it is). In question #3 I asked whether I should only look at Nexus and Google Play Edition devices for the sake of web security, and the answer to that would depend on the answer to question #2; if the answer to #2 is ‘no, the underlying OS does not need to be kept up-to-date to protect you from web browser exploits’, then I guess the answer to #3 would be that I can consider buying a device that runs a manufacturer-customized version of Android that won’t receive OS updates as quickly as a Nexus does. If, on the other hand, the answer to #2 is ‘yes, to protect yourself from web browser exploits you need to keep both your browser AND your OS up-to-date’, then I guess for maximum web security I’d need to buy either a Nexus or a Google Play Edition device.
What are your answers to those two questions?
Truth_Seeker1 said:
What are your answers to those two questions?
At a guess I would say, for browsers that are built in to the OS, there will be two ways this can update, via the OS update and independently. The OS update would be a total OS replacement that is not automated and you would need to use a built in checking feature (if available) or manually check yourself periodically. Browsers that you add yourself will be offered updates from notification unless the ability to auto update is allowed then it should happen seamlessly of course letting you know. Google "android chrome update" to see something along the lines of what the update history shows.
Yes, you would want to update but I would recommend having a read first as on any computer device, an update can be flawed or give more problems than it's worth. Although more often than not, an update should be an improvement on performance and stability and of course for security.
If you are working blind, then do an update and assume security improvements are happening and go for it. If not, then you will know what is happening. I have never gone to the lengths of checking an update list before updating for android, but with pcs I do depending on what is updating, check what the update is worth and how people are getting on with the update. I did beta testing for years (hence the knowledge of flawed updates and reluctance to do the updates) so for me it's one of those do you risk it scenarios.
Sadly as I said above, we are never safe from hacks but with some hindsight and genuine attempt to protect, we are safe from the majority. For me it's 90% "what are you worried about?" and 10% "I don't blame you for being paranoid!"
As for the preference of buying Google branded devices, the foundation of an Android release is surely never set for these devices "out of the box" so to speak. I would assume that the team who look after these devices have the same process of having to streamline the OS thereafter before they can release it for their device update. This is somewhat proven by people wanting to put a custom ROM on their Nexus and such. For some reason, people aren't happy with the normal ROM and want or need to replace it. Naturally, it is easy to think a Nexus device for example, is closer to home and should by rights get updated a bit quicker than my Ampe tablet but in some respects I think this could be a bit of swings and roundabouts, again depending on the company and their apportioned team force to output the update. Yes you should be better off with a more directly linked device, to Google, but in my opinion, the concern is not a great one. You would be better off thinking about your budget, what you can save and ultimately do with the extra cash alongside the knowledge of which devices and companies actually do spend an effort on looking after them.
I'm in no position to afford these devices and if I were, I would rather throw my money in the bin (or spend it on my loved ones) than give it to the highest bidder.
So in the end, yes updates are 99/100 important and should be done. Be careful of what you browse and do all secure data passing before you go out on the internet highway and risk getting robbed. It is probably safer to "remember my password" to avoid future keysniffers than worry about in-depth data mining. Of course, anyone can give you a sniffer but data mining is more clinical, I would say.
Finally, I wouldn't worry about these things too much but as concerned as you are, do some research. But do remember that on one hand, the UK government said "the internet isn't safe so we don't use it" yet on the other, the majority of secure usage is 'watched' by paid professionals for banking and such and is a lot safer than you may think, as well as protection for credit card fraud and such.
Thanks again codQuore. I understand your point that there is no such thing as 100% bullet-proof security, but I still need to know whether both the OS and the browser need to be kept up-to-date to protect against web-based exploits, or is that accomplished solely by keeping the web browser up-to-date (whatever web browser it is).
You are most welcome, TS. I would say generally yes, to both, to be on the safe side. I'd like to guarantee the OS update will update the browser if it has been updated in the update and that the browser can be updated on its own. However, I think I am right in saying you have to check for OS updates yourself and the same for certain apps whilst some apps will auto offer the update. You may be able to force this auto update for all apps, but how this is done per different version of Android escapes me. I do remember seeing the option come up after a factory reset or buying a new device and running the first time setup of Play Store and such. There's an option for it somewhere, but I don't think the OS itself offers an auto update, it has to be checked for, in my experience. I have just done my tablet and it required installing some software on my PC from the tablet manufacturer and getting that to update the firmware/OS. It was a 525MB download and everything was in Chinese lol. I managed it with the help of Google Translate but it also helped that I had previously done the same thing on a T-Mobile Vivacity for my daughter after her OS died and got stuck at the rotating T-Mobile logo on first boot.
It is essential to update but across the board it's not majorly important to check every minute, so to speak. You'll be fine. For the record though, my quad core tablet cost £70 from Singapore and I knew I was taking a bit of a gamble but was protected by returns if all went wrong and get my money back. A similar tablet is something like £120. I plan on doing the same thing for my next phone upgrade too... but I don't have a contract phone running, I am on pay as you go and all I use is internet, no calls. Incidentally, I pay £20 for 6 months' net from T-Mobile and the only limit is 1GB per month on video. When that expires, YouTube and such stops working, some video sites carry on and everything else, FB, mail, tethering, FTP via PC and stuff, all still works. I have even streamed radio from my Android phone, flawlessly.
codQuore said:
I'd like to guarantee the OS update will update the browser if it has been updated in the update and that the browser can be updated on its own.
LOL, I had to read that sentence several times in order to process it because you used the word "update" so many times :laugh:
If I remember what you said earlier, I think you said that the stock browser doesn't get updated on its own, but only as part of big OS updates? So it won't receive security patches as vulnerabilities are discovered, and won't be updated until the next version of Android arrives?
If this is true, then I'll use a different browser. But even if I use a different browser, is code from the stock browser used in other things, meaning that it is STILL a security risk if it isn't kept up-to-date?
It also occurred to me that if an OEM is slow to release OS updates for its phones, will it be just as bad at keeping its pre-installed apps up-to-date, and if so, does that pose a security risk.
Haha, looking back I can't believe I wrote that and am wondering if it's a valid statement. I'll leave it for someone else to contradict lmao.
The core of the OS and apps that run built in are updated I guess separately and together. E.g., say the browser gets an update to 1.1, the next update of the OS will most likely carry that updated version but if it doesn't it should still offer an update after you hit the Play Store setup. Naturally, these apps use core parts of the OS and I think some updates for apps will carry their own additional bypass of outdated OS core, where applicable. That said, the bypass could be more secure in one sense and less secure in another. I'm guessing this is even possible. One thing I am yet to see, knowing how Windows and Linux work a little, is Android having to update x- because something app wise has been installed that requires it. A lot of software on Windows requires things like framework to be added, Linux is or can be the same.
The chances are you will be 99% secure in any event. The core defence for mobile phones is the phone companies themselves as that is in the realms of trillions of dollars at risk. They've been cracked before and they know it, so there is some possible reassurance for the devices, from that angle.
A few weeks ago, I posted a very unfortunate Google+ post of the creator of Focal and why it was removed from the CM codebase. It was a depressing story and it really started to make you wonder about where CM is going.
This time, after reading an extremely well-written article, I've come to a similarly depressing conclusion: Android by Google is slowly becoming as locked down as iOS, but not in the sense that you think; it's not about what apps let you do what, it's the developers.
We've finally arrived at a critical flaw with the way Android is developed and these days, I can no longer claim that Android (by Google) is "open" anymore.
Feel free to give this a read (Disclaimer: I am not affiliated with Ars Technica in any way).
http://arstechnica.com/gadgets/2013...ntrolling-open-source-by-any-means-necessary/
It's not just about Amazon's version of Android; CyanogenMod is for all intents and purposes a "fork" of Android. It is designed to work without Google Apps and as we all know, we flash those separately. But that's the problem, the answer isn't just "Well, I'll just flash the Gapps and it will work like it should". What will happen if new Play Store apps start referring to features in the framework that don't exist in a form that we can flash? What if the license to flash the Gapps gets revoked?
How will CyanogenMod start adding features to apps that were originally AOSP but are now closed source? What will happen when the open source Messaging app is abandoned and turns into a Hangouts feature? How can CM stay on top of that?
It's not as simple as "take the source we currently have and work with it", because what will happen when Google adds a killer feature to an app that depends on some API that is no longer open source?
These are some rather frightening questions to deal with. I don't know where Android is going, but I'm certainly starting to wonder what's going to happen to it.
I'd appreciate any and all input on this.
Not very continuous, but here's my thoughts about the article:
The Gapps license is meant to lock the makers of Android phones into Google, so users get locked within Google and Google can gain revenue from the users. After going to that extent to make sure Google gets to keep the device's user, what's to gain if Google users of the device who flash CM to be locked out of the system instead of keeping them "trapped" with the Google ecosystem even with a non Google ROM? Doesn't make any sense does it?
I suppose we will still have to flash them like we flash the Play Store now. Unlike Amazon, CM (for now) actually still relies on Google and doesn't "divert" revenue to another company and therefore Google would be more than happy to let their apps be used. But if CM does start going the Amazon way, I believe Google may lock CM out.
Those APIs take time to develop, take the Maps API for example - you think they spent millions, if not billions mapping the entire world and even roaming every street just to make sure you can find your way around for free? They'll need to recoup their costs somehow.
While Android is open source and contributed by Google for free, don't forget Google is a company, not a charity. They have to make money or their shareholders won't be happy. Even if their shareholders are massive fans of open source they also have thousands of employees to pay, and all that costs money. And don't forget, when a company is providing free stuff for you to use, you are not their customer - you are their product. Android will change in ways that will keep Google profitable and keep competitors unprofitable, while keeping the users as comfortable as possible so they will continue to be their product.
cccy said:
Not very continuous, but here's my thoughts about the article:
The Gapps license is meant to lock the makers of Android phones into Google, so users get locked within Google and Google can gain revenue from the users. After going to that extent to make sure Google gets to keep the device's user, what's to gain if Google users of the device who flash CM to be locked out of the system instead of keeping them "trapped" with the Google ecosystem even with a non Google ROM? Doesn't make any sense does it?
I suppose we will still have to flash them like we flash the Play Store now. Unlike Amazon, CM (for now) actually still relies on Google and doesn't "divert" revenue to another company and therefore Google would be more than happy to let their apps be used. But if CM does start going the Amazon way, I believe Google may lock CM out.
Those APIs take time to develop, take the Maps API for example - you think they spent millions, if not billions mapping the entire world and even roaming every street just to make sure you can find your way around for free? They'll need to recoup their costs somehow.
While Android is open source and contributed by Google for free, don't forget Google is a company, not a charity. They have to make money or their shareholders won't be happy. Even if their shareholders are massive fans of open source they also have thousands of employees to pay, and all that costs money. And don't forget, when a company is providing free stuff for you to use, you are not their customer - you are their product. Android will change in ways that will keep Google profitable and keep competitors unprofitable, while keeping the users as comfortable as possible so they will continue to be their product.
First, I appreciate the input! I was looking forward to intelligent discussion and it's great that the first reply is just that.
I would like to clarify though; my concern is not so much about Google making money; they are a business and deserve to make money in whatever way they see fit. We have something they want (ad clicks and search history) and as long as they provide an experience worth using, I don't mind that transaction at all.
My worries start with what the custom development scene will look like one or two years from now if the base apps that make Android useful on its own (and by extension, useful to custom developers) have been molded into Google Play apps or frameworks or APIs.
In parallel, it's also starting to make sense why Cyanogen continues to put effort into alternate applications such as Apollo and Focal; they saw this coming way before we did.
I believe the custom development scene wouldn't get affected much. After all, remember the old XDA-Developers? Windows was all locked down, but the cooks still managed to make customized ROMs. What's more, Google wouldn't want to lose their "products" - Google wants us to continue to use their services so they can earn money, they wouldn't lock us out.
What competitors lack is the capability to access Google's services (Frameworks, APIs, etc) as Google has ways to block them (which is why we had circumventions like device spoofing). If you had a device designed for Google's version of Android, I am sure Google would still enable access if you use a custom ROM. The point of locking those competitors out is to force them to embrace Google's version of Android and not use their own forks which would keep Google out of certain aspects of the user's phone, decreasing revenue. Therefore, if you could roll your own custom ROM, it makes sense for Google to continue supporting you so you still completely rely on them instead of "outsourcing" to other competitors.
CM puts effort into alternate applications because as you can see right now, CM's starting to roll their own commercial forked devices - what happens after that? If you have seen the ways of other commercial versions of Android (Amazon, China brands, etc), they start replacing certain revenue generating aspects of the phone to use their own service instead of Google's. Certainly not what Google wants.
In short, I would say, if you are a small custom ROM user, Google isn't going to come after you, they want you to use their services! But if you are a competing company, expect your devices to be locked out from Google in the hopes that they eventually force you to bow to them and convert all your users completely to Google's "products".
Help guys, I think we should make a petition to stop carrier bloatware. I need help, idk how to make one.
Since smartphones need to run as efficiently as possible in a small memory space, the issue of Bloatware has become more of an issue. Is anyone doing anything about it?
What is Bloatware
The term Bloatware is used in many ways. As used here it refers to the inclusion of software into a device (smartphone, pad, PC, Smart TV, …) that the user did not request, cannot be used without extra fees or privacy compromises, cannot be removed, and that use up storage and/or processing resources. Not sure, but this may be primarily an American consumer issue. The EU may have more laws regarding this.
Why Bloatware
Let's give the manufacturers and sellers some slack and say that they have perfectly good reasons for the use of Bloatware. There must be some remuneration involved, and this ultimately brings down the final price the user pays. There are also various non-directly financial reasons, like Zawinski’s law of software envelopment. Thus, we have systems with eye-tracking that can’t see, gesture recognition that ignores, and bells and whistles that only hum.
Removing Bloatware
If you search, you’ll find many sites giving info on how to remove this software. Unfortunately, these approaches are not very practical. Only a small subset of users would wipe a PC or install a custom ROM in their smartphone by Rooting to get rid of junk. In fact, I’m sure many consumers don’t really have a concept of Bloatware. Regarding rooting a phone, see The Pros and Cons of Rooting Your Phone.
Issues with Bloatware
They take up space. One article says up to 45% on some devices
Sometimes cannot be removed or disabled
May be trialware
Could be compromised since will not be updated by user
May be secretly active
May be sending usage and other information
Can pull in unwanted supporting libraries or programs
A source of advertising
Are just fronts for paid services, sometimes with free trial periods
Unused and unwanted
Adware and Snoopware
This situation is even worse than it appears. Two other issues are making things even worse: Adware and Snoopware. Adware is also running amok in the industry. Everything and anything is a vector for targeted ads and upselling. This adware also takes up bandwidth and processing resources. The other, Snoopware, is the bandwidth being used to invade privacy and security. This is being done by the large social media and search giants but also by the small players. Snoopware is also used by the law enforcement agencies and is also a bandwidth and processing drain.
Thus, Bloatware, Adware, Snoopware, are reducing the frictionless use of what we are paying for.
Apple and Bloatware
Not being a fan boy, I’m not up on the Apple side of the house. Since Apple products are in a sense a ‘walled garden’, one could say they are the bloat. The premium pricing is payment for not getting other people’s bloat.
What could be done
Make this a more visible issue
Start a petition to make Bloatware illegal
Disclosure: System vendors must supply a truth in packaging document listing the Bloatware. They don’t have to use the term “Bloatware”, just list which software or devices are ‘extras’ supplied by 3rd parties and are not required to use the system, and what the true costs of using these extras are. This will provide info so concerned consumers can make a better buying decision. Of course, this will do nothing; who reads the EULA?
A default opt-out of the use of any Bloatware must be in effect. This is critical if said software will eventually require a fee for its use. Navigation and communication apps are a prime example.
Models of the system must be made available that have no extras installed.
Must provide ability to not only disable but also remove any Bloatware.
Congressional bills (or whatever in your country) to put some rational guidelines on this. (yes, rational and politics are contradictory).
Boycott devices that contain Bloatware
Create a non-carrier carrier
Bypass commercial carriers using a dynamically allocated peer mesh network
Really guys, no one wants to stop bloatware
I'll sign your petition! Although all my stuff is rooted already because of things like bloatware, it really makes sense for those who want to free up that space for more useful things!
Bloatware sucks!
About root and privacy
Introduction:
Nowadays Android phones are much more controllable without root access, and bloatware can be deleted or disabled without root permissions by using Android's Settings app, or through the developers' ADB shell. Even firewalls like "Netguard" don't need root access nowadays in order to control the network, and there are so many other open-source apps like "Blokada" and "ublock" that don't require root anymore in order to block ads, YouTube Vanced to watch videos without ads... All of this was impossible to perform three or four years ago, so why still bother with rooting?
About root:
Root is gaining super user permissions in Linux, or being an administrator. You don't need me to mention how many years this super user wasted in order to be able to understand and to become an administrator, or super user.
What I'm trying to say is, if you don't know what you're doing while acquiring "Root" privileges on your phone, don't do it just for fun.
Root exposes the user to some higher risks even from the trusted Play Store apps.
"With great powers comes great responsibilities": if you can't assume total control of every aspect of your rooted phone (thousands of files) then don't root it.
And I'm not saying you should leave everything to Google or even trust Google's software; in fact I created a thread especially to limit their disrespectful or exaggerated behaviors by debloating and using firewalls.
Real hackers or developers who understand how a mobile operating system works, and how hacking works, can hack a rooted phone much more easily than a non-rooted phone.
Speaking for myself, I can't fully control a rooted smartphone because there are thousands of files, which are written in different development languages, do different tasks, and have different dependencies.
And contrary to what some people think, using strong long passwords sometimes can't help, and installing real-time antivirus protection sometimes can't detect a hacker intrusion (when your phone is being truly exploited and completely controlled by strangers).
I'm not only saying don't root if you aren't an Android developer, but you should limit Google's and your installed apps' behaviors as well.
Nothing is unbreakable, and backdoors exist within the Google OS and within Google or manufacturer apps or elsewhere, but a firewall can limit some of their behaviors.
A word of truth:
Very few people can actually be a super user of a complicated mobile operating system such as Android, but if you're one of them, then you already know more than all of this.
I hope this can help anyone. Feel free to copy, paste, modify and share on your website.
And feel free to comment, debate, say thanks, or provide some more information.
I just wanted to share this for anyone who is concerned by root's real life review, from a privacy oriented point of view.
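The root-free ADB route mentioned in the post above, as an added example that is not part of the original post: a dry-run planner that turns `pm list packages` output into `pm disable-user` commands, skipping anything that is not preinstalled or is already disabled. The listings are constructed and the `com.example.*` package names and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Sample listings are constructed; package names are hypothetical.
SAMPLE_SYSTEM='package:com.android.settings
package:com.example.carrier.trialgame
package:com.example.vendor.newsfeed'
SAMPLE_DISABLED='package:com.example.vendor.newsfeed'

# Reduce `pm list packages` output to bare package names. Anything after the
# name (such as the trailing CR some adb versions emit) is dropped.
pkg_names() {
    sed -n 's/^package:\([A-Za-z0-9._][A-Za-z0-9._]*\).*$/\1/p' | sort -u
}

# plan_debloat SYSTEM_LIST DISABLED_LIST UNWANTED...
#   SYSTEM_LIST   : output of `adb shell pm list packages -s` (preinstalled)
#   DISABLED_LIST : output of `adb shell pm list packages -d` (already off)
# Dry run: prints one command per unwanted package that is preinstalled and
# still enabled, and explains every skip on stderr. Nothing is executed.
# Undo a disable later with: adb shell pm enable <package>
plan_debloat() {
    system=$(printf '%s\n' "$1" | pkg_names)
    disabled=$(printf '%s\n' "$2" | pkg_names)
    shift 2
    for pkg in "$@"; do
        case "$pkg" in
            ''|*[!A-Za-z0-9._]*)
                echo "skip (not a valid package name): $pkg" >&2
                continue ;;
        esac
        if ! printf '%s\n' "$system" | grep -qxF "$pkg"; then
            echo "skip (not a preinstalled package): $pkg" >&2
        elif printf '%s\n' "$disabled" | grep -qxF "$pkg"; then
            echo "skip (already disabled): $pkg" >&2
        else
            echo "adb shell pm disable-user --user 0 $pkg"
        fi
    done
}

# Demo on the constructed listings above.
plan_debloat "$SAMPLE_SYSTEM" "$SAMPLE_DISABLED" \
    com.example.carrier.trialgame com.example.vendor.newsfeed com.example.absent
```

Reviewing the printed plan before running it matters because disabling a package the system depends on can leave the phone unusable until it is re-enabled.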
....or another point of view is that unaccountable multinationals like Alphabet who own Google and companies like Samsung and Apple have no moral or ethical compass and are building up a long track record of trust-breaking behaviour that is only accelerating. Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
jajk said:
..... Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
Thanks for your reply. Well, I think telemetry services are linked to the 'Google Play services', and if we don't use any Google accounts and disable and block the Google Play services from sending usage data to Amazon and Google servers by using a non-root firewall like 'netguard' (like I specified in this thread) then they can get nothing, or too little, from us. I have set up the firewall to block everything except my open source browser (see attachment).