Search Result: Android 12

phrase:
attribute:
attribute:
attribute:
order:
per page:
clip:
action:

Results of 1 - 1 of about 725 for Android 12 (1.998 sec.)

android (2801), 12 (27795)

/proprietary/malware-mobiles.html-diff: #score: 5143; @digest: e0d5be28b9041d3dc0a054a66e742e09; @id: 399308; @lang: en; @mdate: 2024-03-13T15:10:13Z; @size: 133859; @type: text/html; content-type: text/html; charset=utf-8; #keywords: mobiles (145536), workshop (102802), malware (40664), encoding (22277), small (21982), samsung (18607), copied (18594), phones (18580), mal (18220), rec (17745), apps (17114), theguardian (15891), android (14086), mobile (13882), facebook (13532), var (13323), https (11823), echo (11580), date (11256), li (9893), phone (9578), href (9557), edit (8906), surveillance (7348), app (7068), tracking (6857), none (6786), privacy (6568), proprietary (6460), tag (6441), malicious (6323), personal (6278);     <title>Malware in Mobile Devices - GNU Project - Free Software Foundation</title>  <link rel="stylesheet" type="text/css" href="/side-menu.css" media="screen,print" /> <style type="text/css" media="print,screen"> </style>  </style>  <div class="nav"> <a id="side-menu-button" class="switch" href="#navlinks"> <img id="side-menu-icon" height="32" src="/graphics/icons/side-menu.png" title="Section contents" alt=" [Section contents] " /> </a> <a href="/"><img src="/graphics/icons/home.png" height="24" alt="GNU Home" title="GNU Home" /></a> / <a href="/proprietary/proprietary.html">Malware</a> / By product / </div>   <div style="clear: both"></div> <div id="last-div" class="reduced-width"> <h2>Malware in Mobile Devices</h2> <a href="/proprietary/proprietary.html">Other examples of proprietary malware</a> <div class="highlight-para"> Malware means class="infobox"> <hr class="full-width" /> Nonfree (proprietary) software designed is very often malware (designed to function mistreat the user). Nonfree software is controlled by its developers, which puts them in ways a position of power over the users; <a href="/philosophy/free-software-even-more-important.html">that is the basic injustice</a>. The developers and manufacturers often exercise that mistreat or harm power to the user. (This does not include accidental errors.) Malware detriment of the users they ought to serve. This typically takes the form of malicious functionalities. <hr class="full-width" /> </div> <div class="article"> Nearly all mobile phones do two grievous wrongs to their users: tracking their movements, and nonfree listening to their conversations. This is why we call them “Stalin's dream”. Tracking users' location is a consequence of how the cellular network operates: it needs to know which cell towers the phone is near, so it can communicate with the phone via a nearby tower. That gives the network location data which it saves for months or years. See <a href="#phone-communications">below</a>. Listening to conversations works by means of a universal <a href="#universal-back-door-phone-modem">back door</a> in the software of the processor that communicates with the phone network. In addition, the nonfree operating systems for “smart” phones have specific malicious functionalities, described in <a href="/proprietary/malware-apple.html">Apple's Operating Systems are Malware</a> and <a href="/proprietary/malware-google.html">Google's Software Is Malware</a> respectively. Many phone apps are malicious, too. See <a href="#TOC">below</a>. <div class="important"> If you know of an example that ought to be in this page but isn't here, please write to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a> to inform us. Please include the URL of a trustworthy reference or two different issues. to serve as specific substantiation. </div> <div class="emph-box"> <h3 id="phone-communications">Network location tracking</h3> This section describes a malicious characteristic of mobile phone networks: location tracking. The difference between phone network <a href="/philosophy/free-sw.html">free software</a> and nonfree href="https://ssd.eff.org/playlist/privacy-breakdown-mobile-phones"> tracks the movements of each phone</a>. Strictly speaking, this tracking is not implemented by any specific software code; it is inherent in <a href="/philosophy/free-software-even-more-important.html"> whether the users cellular network technology. The network needs to know which cell towers the phone is near, so it can communicate with the phone via a nearby tower. There is no technical way to block or avoid the tracking and still have control of cellular communication with today's cellular networks. Networks do not limit themselves to using that data momentarily. Many countries (including the program US and the EU) require the network to store all location data for months or vice versa</a>. It's years, and while stored it is available for whatever use the network permits, or the State requires. This can put the user in great danger. <ul class="blurbs">  <li id="M202208290">  US states that ban abortion talk about making it a question crime to go to another state to get an abortion. They could <a href="https://www.cnn.com/2022/08/29/tech/wireless-carriers-locations-fcc/index.html"> use various forms of what location tracking, including the program does when it runs. However, in practice nonfree software is often malware, because network, to prosecute abortion-seekers</a>. The state could subpoena the developer's awareness data, so that the users network's “privacy” policy would be powerless to fix any malicious functionalities tempts irrelevant. That article explains why wireless networks collect location data, one unavoidable reason and one avoidable (emergency calls). It also explains some of the developer to impose some. </div> Here many ways the location data are examples used. Networks should never do localization for emergency calls except when you make an emergency call, or when there is a court order to do so. It should be illegal for a network to do precise localization (the kind needed for emergency calls) except to handle an emergency call, and if a network does so illegally, it should be required to inform the owner of malware the phone in mobile devices. See also writing on paper, with an apology. </li>  <li id="M202101130">  The authorities in Venice track the <a href="/proprietary/malware-apple.html">the Apple malware page</a> for malicious functionalities specific href="https://edition.cnn.com/travel/article/venice-control-room-tourism/index.html"> movements of all tourists</a> using their portable phones. The article says that at present the system is configured to report only aggregated information. But that could be changed. What will that system do 10 years from now? What will a similar system in another country do? Those are the Apple iThings. <div class="toc"> questions this raises. </li>  <li id="M202006110">  Network location tracking is used, among other techniques, for <a href="https://www.linkedin.com/pulse/location-based-advertising-has-starbucks-coupon-finally-john-craig"> targeted advertising</a>. </li> </ul> Designs for networks that wouldn't track phones have been developed, but using those methods would call for new networks as well as new phones. </div> <div class="malfunctions"> id="TOC" class="toc-inline"> <h3>Types of malware in mobiles</h3> <ul> <li>Type of malware</li> <li><a href="#addictions">Addictions</a></li> <li><a href="#back-doors">Back doors</a></li>  <li><a href="#deception">Deception</a></li> <li><a href="#drm">DRM</a></li> <li><a href="#insecurity">Insecurity</a></li>   <li><a href="#interference">Interference</a></li> <li><a href="#jails">Jails</a></li> <li><a href="#manipulation">Manipulation</a></li> <li><a href="#sabotage">Sabotage</a></li> <li><a href="#surveillance">Surveillance</a></li> <li><a href="#drm">Digital restrictions management</a> or “DRM” means functionalities designed href="#tyrants">Tyrants</a></li> </ul> </div> <h3 id="addictions">Addictions</h3> <ul class="blurbs">  <li id="M201604040">  Many popular mobile games include a random-reward system called <a href="/proprietary/proprietary-addictions.html#gacha"> gacha</a> which is especially effective on children. One variant of gacha was declared illegal in Japan in 2012, but the other variants are still <a href="https://www.forbes.com/sites/olliebarder/2016/04/04/japanese-mobile-gaming-still-cant-shake-off-the-spectre-of-exploitation/"> luring players into compulsively spending</a> inordinate amounts of money on virtual toys. </li> </ul> <h3 id="back-doors">Back Doors</h3> Almost every phone's communication processor has a universal back door which is <a href="https://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html"> often used to restrict what users can do make a phone transmit all conversations it hears</a>. The back door <a class="not-a-duplicate" href="https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/"> may take the form of bugs that have gone 20 years unfixed</a>. The choice to leave the security holes in place is morally equivalent to writing a back door. The back door is in the “modem processor”, whose job is to communicate with the data radio network. In most phones, the modem processor controls the microphone. In most phones it has the power to rewrite the software for the main processor too. A few phone models are specially designed so that the modem processor does not control the microphone, and so that it can't change the software in the main processor. They still have the back door, but at least it is unable to turn the phone unto a listening device. The universal back door is apparently also used to make phones <a href="http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html"> transmit even when they are turned off</a>. This means their computers.</li> <li><a href="#jails">Jails</a>—systems movements are tracked, and may also make the listening feature work. <ul class="blurbs">  <li id="M202001090">  Android phones subsidized by the US government come with <a href="https://arstechnica.com/information-technology/2020/01/us-government-funded-android-phones-come-preinstalled-with-unremovable-malware/"> preinstalled adware and a back door for forcing installation of apps</a>. The adware is in a modified version of an essential system configuration app. The back door is a surreptitious addition to a program whose stated purpose is to be a <a href="https://www.zdnet.com/article/unremovable-malware-found-preinstalled-on-low-end-smartphone-sold-in-the-us/"> universal back door for firmware</a>. In other words, a program whose raison d'être is malicious has a secret secondary malicious purpose. All this is in addition to the malware of Android itself. </li>  <li id="M201908270">  A very popular app found in the Google Play store contained a module that impose censorship was designed to <a href="https://arstechnica.com/information-technology/2019/08/google-play-app-with-100-million-downloads-executed-secret-payloads/">secretly install malware on application programs.</li> <li><a href="#tyrants">Tyrants</a>—systems that reject the user's computer</a>. The app developers regularly used it to make the computer download and execute any operating system code they wanted. This is a concrete example of what users are exposed to when they run nonfree apps. They can never be completely sure that a nonfree app is safe. </li>  <li id="M201609130">  Xiaomi phones come with <a href="https://web.archive.org/web/20190424082647/http://blog.thijsbroenink.com/2016/09/xiaomis-analytics-app-reverse-engineered/"> a universal back door in the manufacturer.</li> </ul> </div> </div> <h3 id="back-doors">Mobile Back Doors</h3> <ul> <li>The application processor, for Xiaomi's use</a>. This is separate from <a href="#universal-back-door-phone-modem">the universal back door in portable phones the modem processor that the local phone company can use</a>. </li>  <li id="M201511090">  Baidu's proprietary Android library, Moplus, has a back door that <a href="https://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html">is employed to listen through their microphones</a>. href="https://www.eff.org/deeplinks/2015/11/millions-android-devices-vulnerable-remote-hijacking-baidu-wrote-code-google-made"> can “upload files” as well as forcibly install apps</a>. It is used by 14,000 Android applications. </li> <li>Most  <li id="M201412180">  <a href="https://www.theguardian.com/technology/2014/dec/18/chinese-android-phones-coolpad-hacker-backdoor"> A Chinese version of Android has a universal back door</a>. Nearly all models of mobile phones have a <a href="#universal-back-door-phone-modem"> universal back door, which has been used door in the modem chip</a>. So why did Coolpad bother to <a href="http://www.slate.com/blogs/future_tense/2013/07/22/nsa_can_reportedly_track_cellphones_even_when_they_re_turned_off.html"> turn them malicious</a>. introduce another? Because this one is controlled by Coolpad. </li> <li><a  <li id="M201403120.1">  <a href="https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor"> Samsung Galaxy devices running proprietary Android versions come with a back door</a> that provides remote access to the data files stored on the device. </li> <li><a href="/proprietary/proprietary-back-doors.html#samsung"> Samsung's back door</a> provides </ul> <h3 id="deception">Deception</h3> <ul class="blurbs">  <li id="M202002020">  Many Android apps fool their users by asking them to decide what permissions to give the program, and then <a href="https://nakedsecurity.sophos.com/2019/07/10/android-apps-sidestepping-permissions-to-access-sensitive-data/"> bypassing these permissions</a>. The Android system is supposed to prevent data leaks by running apps in isolated sandboxes, but developers have found ways to access the data by other means, and there is nothing the user can do to any file on stop them from doing so, since both the system. system and the apps are nonfree. </li> <li> In Android, </ul> <h3 id="drm">DRM</h3> Digital restrictions management, or “DRM,” refers to functionalities designed to restrict what users can do with the data in their computers. <ul class="blurbs">  <li id="M201501030">  The Netflix Android app <a href="http://www.computerworld.com/article/2506557/security0/google-throws--kill-switch--on-android-phones.html"> href="https://torrentfreak.com/netflix-cracks-down-on-vpn-and-proxy-pirates-150103/"> forces the use of Google DNS</a>. This is one of the methods that Netflix uses to enforce the geolocation restrictions dictated by the movie studios. </li> </ul> <h3 id="insecurity">Insecurity</h3> These bugs are/were not intentional, so unlike the rest of the file they do not count as malware. We mention them to refute the supposition that prestigious proprietary software doesn't have grave bugs. <ul class="blurbs">  <li id="M202208240">  A security researcher found that the iOS in-app browser of TikTok <a href="https://www.theguardian.com/technology/2022/aug/24/tiktok-can-track-users-every-tap-as-they-visit-other-sites-through-ios-app-new-research-shows"> injects keylogger-like JavaScript code into outside web pages</a>. This code has a back the ability to track all users' activities, and to retrieve any personal data that is entered on the pages. We have no way of verifying TikTok's claim that the keylogger-like code only serves purely technical functions. Some of the accessed data could well be saved to the company's servers, and even sent to third parties. This would open the door to remotely delete apps.</a> (It extensive surveillance, including by the Chinese government (to which TikTok has indirect ties). There is in a program called GTalkService). Google can also <a href="https://web.archive.org/web/20150520235257/https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/" title="at a risk that the Wayback Machine (archived May 20, 2015)">forcibly data would be stolen by crackers, and remotely install apps</a> through GTalkService (which seems, since used to launch malware attacks. The iOS in-app browsers of Instagram and Facebook behave essentially the same way as TikTok's. The main difference is that article, Instagram and Facebook allow users to access third-party sites with their default browser, whereas <a href="https://web.archive.org/web/20221201065621/https://www.reddit.com/r/Tiktokhelp/comments/jlep5d/how_do_i_make_urls_open_in_my_browser_instead_of/"> TikTok makes it nearly impossible</a>. The researcher didn't study the Android versions of in-app browsers, but we have been merged into Google Play). This adds up no reason to assume they are safer than the iOS versions. Please note that the article wrongly refers to crackers as “hackers.” </li>  <li id="M201908020">  Out of 21 gratis Android antivirus apps that were tested by security researchers, eight <a href="https://www.comparitech.com/antivirus/android-antivirus-vulnerabilities/"> failed to detect a universal back door. Although Google's exercise test virus</a>. All of this power has not been malicious so far, them asked for dangerous permissions or contained advertising trackers, with seven being more risky than the point is average of the 100 most popular Android apps. (Note that nobody the article refers to these proprietary apps as “free”. It should have said “gratis” instead.) </li>  <li id="M201807100">  Siri, Alexa, and all the other voice-control systems can be <a href="https://www.fastcompany.com/90139019/a-simple-design-flaw-makes-it-astoundingly-easy-to-hack-siri-and-alexa"> hijacked by programs that play commands in ultrasound that humans can't hear</a>. </li>  <li id="M201807020">  Some Samsung phones randomly <a href="https://www.theverge.com/circuitbreaker/2018/7/2/17528076/samsung-phones-text-rcs-update-messages">send photos to people in the owner's contact list</a>. </li>  <li id="M201704050">  Many Android devices <a href="https://arstechnica.com/information-technology/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/"> can be hijacked through their Wi-Fi chips</a> because of a bug in Broadcom's nonfree firmware. </li>  <li id="M201703070">  The CIA exploited existing vulnerabilities in “smart” TVs and phones to design a malware that <a href="https://www.independent.co.uk/tech/wikileaks-vault-7-android-iphone-cia-phones-handsets-tv-smart-julian-assange-a7616651.html"> spies through their microphones and cameras while making them appear to be turned off</a>. Since the spyware sniffs signals, it bypasses encryption. </li>  <li id="M201702170">  The mobile apps for communicating <a href="https://www.bleepingcomputer.com/news/security/millions-of-smart-cars-vulnerable-due-to-insecure-android-apps/">with a smart but foolish car have very bad security</a>. This is in addition to the fact that the car contains a cellular modem that tells big brother all the time where it is. If you own such power, which could also a car, it would be used maliciously. You might well decide wise to let disconnect the modem so as to turn off the tracking. </li>  <li id="M201701270">  Samsung phones <a href="https://www.bleepingcomputer.com/news/security/sms-exploitable-bug-in-samsung-galaxy-phones-can-be-used-for-ransomware-attacks/">have a security service remotely deactivate programs hole that allows an SMS message to install ransomware</a>. </li>  <li id="M201701130">  WhatsApp has a feature that <a href="https://techcrunch.com/2017/01/13/encrypted-messaging-platform-whatsapp-denies-backdoor-claim/"> has been described as a “back door”</a> because it would enable governments to nullify its encryption. The developers say that it considers malicious. wasn't intended as a back door, and that may well be true. But there is no excuse for allowing that leaves the crucial question of whether it functions as one. Because the program is nonfree, we cannot check by studying it. </li>  <li id="M201612060.1">  The “smart” toys My Friend Cayla and i-Que can be <a href="https://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws/">remotely controlled with a mobile phone</a>; physical access is not necessary. This would enable crackers to delete listen in on a child's conversations, and even speak into the programs, toys themselves. This means a burglar could speak into the toys and you should have ask the right child to decide who (if anyone) unlock the front door while Mommy's not looking. </li>  <li id="M201607290">  <a href="https://techcrunch.com/2016/07/29/research-shows-deleted-whatsapp-messages-arent-actually-deleted/">“Deleted” WhatsApp messages are not entirely deleted</a>. They can be recovered in various ways. </li>  <li id="M201607280">  A half-blind security critique of a tracking app: it found that <a href="https://www.consumerreports.org/mobile-security-software/glow-pregnancy-app-exposed-women-to-privacy-threats-a1100919965/"> blatant flaws allowed anyone to trust snoop on a user's personal data</a>. The critique fails entirely to express concern that the app sends the personal data to a server, where the developer gets it all. This “service” is for suckers! The server surely has a “privacy policy,” and surely it is worthless since nearly all of them are. </li>  <li id="M201607190">  A bug in a proprietary ASN.1 library, used in cell phone towers as well as cell phones and routers, <a href="https://arstechnica.com/information-technology/2016/07/software-flaw-puts-mobile-phones-and-networks-at-risk-of-complete-takeover/">allows taking control of those systems</a>. </li>  <li id="M201605020">  Samsung's “Smart Home” has a big security hole; <a href="https://arstechnica.com/information-technology/2016/05/samsung-smart-home-flaws-lets-hackers-make-keys-to-front-door/"> unauthorized people can remotely control it</a>. Samsung claims that this way. is an “open” platform so the problem is partly the fault of app developers. That is clearly true if the apps are proprietary software. Anything whose name is “Smart” is most likely going to screw you. </li> </ul> <h3 id="insecurity">Mobile Insecurity</h3> <ul> <li>  <li id="M201603100">  Many proprietary payment apps <a href="http://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data"> transmit href="https://www.bloomberg.com/news/articles/2016-03-10/many-mobile-payments-startups-aren-t-properly-securing-user-data">transmit personal data in an insecure way</a>. However, the worse aspect of these apps is that <a href="/philosophy/surveillance-vs-democracy.html">payment is not anonymous</a>. anonymous</a>. </li>  <li id="M201505294">  <a href="https://phys.org/news/2015-05-app-vulnerability-threatens-millions-users.html"> Many smartphone apps use insecure authentication methods when storing your personal data on remote servers</a>. This leaves personal information like email addresses, passwords, and health information vulnerable. Because many of these apps are proprietary it makes it hard to impossible to know which apps are at risk. </li>  <li id="M201405190">  An app to prevent “identity theft” (access to personal data) by storing users' data on a special server <a href="https://arstechnica.com/tech-policy/2014/05/id-theft-protector-lifelock-deletes-user-data-over-concerns-that-app-isnt-safe/">was deactivated by its developer</a> which had discovered a security flaw. That developer seems to be conscientious about protecting personal data from third parties in general, but it can't protect that data from the state. Quite the contrary: confiding your data to someone else's server, if not first encrypted by you with free software, undermines your rights. </li> <li><a href="http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html">  <li id="M201402210">  The <a href="https://arstechnica.com/information-technology/2014/02/crypto-weaknesses-in-whatsapp-the-kind-of-stuff-the-nsa-would-love/">insecurity of WhatsApp</a> makes eavesdropping a snap. </li>  <li id="M201311120">  <a href="https://web.archive.org/web/20180816030205/http://www.spiegel.de/international/world/privacy-scandal-nsa-can-spy-on-smart-phone-data-a-920971.html"> The NSA can tap data in smart phones, including iPhones, Android, and BlackBerry</a>. While there is not much detail here, it seems that this does not operate via the universal back door that we know nearly all portable phones have. It may involve exploiting various bugs. There are <a href="http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone"> href="https://www.osnews.com/story/27416/the-second-operating-system-hiding-in-every-mobile-phone/"> lots of bugs in the phones' radio software</a>. </li> </ul> <h3 id="surveillance">Mobile Surveillance</h3> <ul> <li> id="interference">Interference</h3> This section gives examples of mobile apps harassing or annoying the user, or causing trouble for the user. These actions are like sabotage but the word “sabotage” is too strong for them. <ul class="blurbs">  <li id="M202311090">  <a href="https://web.archive.org/web/20231011121908/https://www.makeuseof.com/how-to-remove-ads-on-samsung/">Samsung's Push Service proprietary app</a> sends notifications to the user's phone about “updates” in Samsung apps, including the Gaming Hub, but these updates only sometimes have to do with a new version of the apps. Many times, the notifications from Gaming Hub are simply ads for games that they think the user should install based on the data collected from the user. Most importantly, <a href="https://getfastanswer.com/3486/how-to-remove-samsung-push-service-on-a-smartphone">it cannot be permanently disabled.</a> </li>  <li id="M202104060">  The <a href="https://www.wired.com/story/weddings-social-media-apps-photos-memories-miscarriage-problem/">WeddingWire app saves people's wedding photos forever and hands over data to others</a>, giving users no control over their personal information/data. The app also sometimes shows old photos and memories to users, without giving them any control over this either. </li>  <li id="M201901110">  Samsung phones come preloaded with <a href="https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-a-shock-they-can-t-delete-facebook"> a version of the Facebook app that can't be deleted</a>. <a href="https://www.infopackets.com/news/10484/truth-behind-undeletable-facebook-app"> Facebook claims this is a stub</a> which doesn't do anything, but we have to take their word for it, and there is the permanent risk that the app will be activated by an automatic update. Preloading crapware along with a nonfree operating system is common practice, but by making the crapware undeletable, Facebook and Samsung (<a class="not-a-duplicate" href="https://www.bloomberg.com/news/articles/2019-01-08/samsung-phone-users-get-a-shock-they-can-t-delete-facebook">among others</a>) are going one step further in their hijacking of users' devices. </li> </ul> <h3 id="manipulation">Manipulation</h3> <ul class="blurbs">  <li id="M201905300">  The Femm “fertility” app is secretly a <a href="https://www.theguardian.com/world/2019/may/30/revealed-womens-fertility-app-is-funded-by-anti-abortion-campaigners"> tool for propaganda</a> by natalist Christians. It spreads distrust for contraception. It snoops on users, too, as you must expect from nonfree programs. </li> </ul> <h3 id="sabotage">Sabotage</h3> <ul class="blurbs">  <li id="M202311301">  <a href="https://web.archive.org/web/20231213150111/https://www.nytimes.com/2023/11/12/technology/iphone-repair-apple-control.html">To block non-Apple repairs, Apple encodes the iMonster serial number in the original parts</a>. This is called “parts pairing”. Swapping parts between working iMonsters of the same model causes malfunction or disabling of some functionalities. Part replacement may also trigger persistent alerts, unless it is done by an Apple store. </li>  <li id="M202011060">  A half-blind security critique new app published by Google <a href="https://www.xda-developers.com/google-device-lock-controller-banks-payments/">lets banks and creditors deactivate people's Android devices</a> if they fail to make payments. If someone's device gets deactivated, it will be limited to basic functionality, such as emergency calling and access to settings. </li>  <li id="M202010120">  Samsung is forcing its smartphone users in Hong Kong (and Macau) <a href="https://blog.headuck.com/2020/10/12/samsung-phones-force-mainland-china-dns-service-upon-hong-kong-wifi-users/">to use a public DNS in Mainland China</a>, using software update released in September 2020, which causes many unease and privacy concerns. </li>  <li id="M201902041">  Twenty nine “beauty camera” apps that used to be on Google Play had one or more malicious functionalities, such as stealing users' photos instead of “beautifying” them, <a href="https://www.androidpolice.com/2019/02/03/google-bans-29-beauty-camera-apps-from-the-play-store-that-steal-your-photos/"> pushing unwanted and often malicious ads on users, and redirecting them to phishing sites</a> that stole their credentials. Furthermore, the user interface of most of them was designed to make uninstallation difficult. Users should of course uninstall these dangerous apps if they haven't yet, but they should also stay away from nonfree apps in general. All nonfree apps carry a potential risk because there is no easy way of knowing what they really do. </li>  <li id="M201810240">  Apple and Samsung deliberately <a href="https://www.theguardian.com/technology/2018/oct/24/apple-samsung-fined-for-slowing-down-phones">degrade the performance of older phones to force users to buy their newer phones</a>. </li> </ul> <h3 id="surveillance">Surveillance</h3> See above for the general universal back door in essentially all mobile phones, which permits converting them into <a class="not-a-duplicate" href="#universal-back-door-phone-modem"> full-time listening devices</a>. <ul class="blurbs">  <li id="M202308080">  The Yandex company has started to <a href="https://meduza.io/en/feature/2023/08/08/user-x-with-driver-y-traveled-from-point-a-to-point-b"> give away Yango taxi ride data to Russia's Federal Security Service (FSB)</a>. The Russian government (and whoever else receives the the data) thus has access to a wealth of personal information, including who traveled where, when, and with which driver. Yandex <a href="https://yandex.ru/legal/confidential/?lang=en"> claims that it complies with European regulations</a> for data collected in the European Economic Area, Switzerland or Israel. But what about the rest of the world? </li>  <li id="M202304030">  The Pinduoduo app <a href="https://edition.cnn.com/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html"> snoops on other apps, and takes control of them</a>. It also installs additional malware that is hard to remove. </li>  <li id="M202206020">  Canada has fined the company Tim Hortons for making <a href="https://arstechnica.com/tech-policy/2022/06/tim-hortons-coffee-app-broke-law-by-constantly-recording-users-movements/"> an app that tracks people's movements</a> to learn things such as where they live, where they work, and when they visit competitors' stores. </li>  <li id="M202201270">  The data broker X-Mode <a href="https://themarkup.org/privacy/2022/01/27/gay-bi-dating-app-muslim-prayer-apps-sold-data-on-peoples-location-to-a-controversial-data-broker">bought location data about 20,000 people collected by around 100 different malicious apps</a>. </li>  <li id="M202106170">  <a href="https://www.theguardian.com/technology/2021/jun/17/nine-out-of-10-health-apps-harvest-user-data-global-study-shows">Almost all proprietary health apps harvest users' data</a>, including sensitive health information, tracking app: identifiers, and cookies to track user activities. Some of these applications are tracking users across different platforms. </li>  <li id="M202106030">  <a href="https://techcrunch.com/2021/06/03/tiktok-just-gave-itself-permission-to-collect-biometric-data-on-u-s-users-including-faceprints-and-voiceprints/">TikTok apps collect biometric identifiers and biometric information from users' smartphones</a>. The company behind it found does whatever it wants and collects whatever data it can. </li>  <li id="M202102010">  Many cr…apps, developed by various companies for various organizations, do <a href="https://www.expressvpn.com/digital-security-lab/investigation-xoth"> location tracking unknown to those companies and those organizations</a>. It's actually some widely used libraries that do the tracking. What's unusual here is that proprietary software developer A tricks proprietary software developers B1 … B50 into making platforms for A to mistreat the end user. </li>  <li id="M202012070">  Baidu apps were <a href="http://www.consumerreports.org/mobile-security-software/glow-pregnancy-app-exposed-women-to-privacy-threats/"> blatant flaws allowed anyone href="https://www.zdnet.com/article/baidus-android-apps-caught-collecting-sensitive-user-details/"> caught collecting sensitive personal data</a> that can be used for lifetime tracking of users, and putting them in danger. More than 1.4 billion people worldwide are affected by these proprietary apps, and users' privacy is jeopardized by this surveillance tool. Data collected by Baidu may be handed over to the Chinese government, possibly putting Chinese people in danger. </li>  <li id="M202006260">  Most apps are malware, but Trump's campaign app, like Modi's campaign app, is <a href="https://www.technologyreview.com/2020/06/21/1004228/trumps-data-hungry-invasive-app-is-a-voter-surveillance-tool-of-extraordinary-scope/"> especially nasty malware, helping companies snoop on users as well as snooping on them itself</a>. The article says that Biden's app has a less manipulative overall approach, but that does not tell us whether it has functionalities we consider malicious, such as sending data the user has not explicitly asked to send. </li>  <li id="M202004300">  Xiaomi phones <a href="https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/">report many actions the user takes</a>: starting an app, looking at a folder, visiting a website, listening to a song. They send device identifying information too. Other nonfree programs snoop too. For instance, Spotify and other streaming dis-services make a dossier about each user, and <a href="/malware/proprietary-surveillance.html#M201508210"> they make users identify themselves to pay</a>. Out, out, damned Spotify! Forbes exonerates the same wrongs when the culprits are not Chinese, but we condemn this no matter who does it. </li>  <li id="M202004131">  Google, Apple, and Microsoft (and probably some other companies) <a href="https://www.lifewire.com/wifi-positioning-system-1683343">are collecting people's access points and GPS coordinates (which can identify people's precise location) even if their GPS is turned off</a>, without the person's consent, using proprietary software implemented in person's smartphone. Though merely asking for permission would not necessarily legitimize this. </li>  <li id="M202003010">  The Alipay Health Code app estimates whether the user has Covid-19 and <a href="https://www.nytimes.com/2020/03/01/business/china-coronavirus-surveillance.html"> tells the cops directly</a>. </li>  <li id="M201912220">  The ToToc messaging app seems to be a <a href="https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html"> spying tool for the government of the United Arab Emirates</a>. Any nonfree program could be doing this, and that is a good reason to use free software instead. Note: this article uses the word “free” in the sense of “gratis.” </li>  <li id="M201912090">  iMonsters and Android phones, when used for work, give employers powerful <a href="https://www.fastcompany.com/90440073/if-you-use-your-personal-phone-for-work-say-goodbye-to-your-privacy"> snooping and sabotage capabilities</a> if they install their own software on the device. Many employers demand to do this. For the employee, this is simply nonfree software, as fundamentally unjust and as dangerous as any other nonfree software. </li>  <li id="M201909091">  The Facebook app <a href="https://eu.usatoday.com/story/tech/talkingtech/2019/09/09/facebook-app-social-network-tracking-your-every-move/2270305001/"> tracks users even when it is turned off</a>, after tricking them into giving the app broad permissions in order to use one of its functionalities. </li>  <li id="M201909090">  Some nonfree period-tracking apps including MIA Fem and Maya <a href="https://www.buzzfeednews.com/article/meghara/period-tracker-apps-facebook-maya-mia-fem"> send intimate details of users' lives to Facebook</a>. </li>  <li id="M201909060">  Keeping track of who downloads a proprietary program is a form of surveillance. There is a proprietary program for adjusting a certain telescopic rifle sight. <a href="https://www.forbes.com/sites/thomasbrewster/2019/09/06/exclusive-feds-demand-apple-and-google-hand-over-names-of-10000-users-of-a-gun-scope-app/"> A US prosecutor has demanded the list of all the 10,000 or more people who have installed it</a>. With a free program there would not be a list of who has installed it. </li>  <li id="M201907081">  Many unscrupulous mobile-app developers keep finding ways to <a href="https://www.cnet.com/tech/mobile/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/"> bypass user's settings</a>, regulations, and privacy-enhancing features of the operating system, in order to gather as much private data as they possibly can. Thus, we can't trust rules against spying. What we can trust is having control over the software we run. </li>  <li id="M201907080">  Many Android apps can track users' movements even when the user says <a href="https://www.theverge.com/2019/7/8/20686514/android-covert-channel-permissions-data-collection-imei-ssid-location"> not to allow them access to locations</a>. This involves an apparently unintentional weakness in Android, exploited intentionally by malicious apps. </li>  <li id="M201905280">  In spite of Apple's supposed commitment to privacy, iPhone apps contain trackers that are busy at night <a href="https://www.oregonlive.com/opinion/2019/05/its-3-am-do-you-know-who-your-iphone-is-talking-to.html"> sending users' personal data</a>. information to third parties</a>. The article mentions specific examples: Microsoft OneDrive, Intuit's Mint, Nike, Spotify, The critique fails entirely Washington Post, The Weather Channel (owned by IBM), the crime-alert service Citizen, Yelp and DoorDash. But it is likely that most nonfree apps contain trackers. Some of these send personally identifying data such as phone fingerprint, exact location, email address, phone number or even delivery address (in the case of DoorDash). Once this information is collected by the company, there is no telling what it will be used for. </li>  <li id="M201905060">  BlizzCon 2019 imposed a <a href="https://arstechnica.com/gaming/2019/05/blizzcon-2019-tickets-revolve-around-invasive-poorly-reviewed-smartphone-app/"> requirement to express concern run a proprietary phone app</a> to be allowed into the event. This app is a spyware that can snoop on a lot of sensitive data, including user's location and contact list, and has <a href="https://web.archive.org/web/20220321042716/https://old.reddit.com/r/wow/comments/bkd5ew/you_need_to_have_a_phone_to_attend_blizzcon_this/emg38xv/"> near-complete control</a> over the phone. </li>  <li id="M201904131">  Data collected by menstrual and pregnancy monitoring apps is often <a href="https://www.theguardian.com/world/2019/apr/13/theres-a-dark-side-to-womens-health-apps-menstrual-surveillance"> available to employers and insurance companies</a>. Even though the data is “anonymized and aggregated,” it can easily be traced back to the woman who uses the app. This has harmful implications for women's rights to equal employment and freedom to make their own pregnancy choices. Don't use these apps, even if someone offers you a reward to do so. A free-software app sends that does more or less the same thing without spying on you is available from <a href="https://search.f-droid.org/?q=menstr">F-Droid</a>, and <a href="https://dcs.megaphone.fm/BLM6228935164.mp3?key=7e4b8f7018d13cdc2b5ea6e5772b6b8f"> a new one is being developed</a>. </li>  <li id="M201903251">  Many Android phones come with a huge number of <a href="https://web.archive.org/web/20190326145122/https://elpais.com/elpais/2019/03/22/inenglish/1553244778_819882.html"> preinstalled nonfree apps that have access to sensitive data without users' knowledge</a>. These hidden apps may either call home with the data, or pass it on to user-installed apps that have access to the network but no direct access to the data. This results in massive surveillance on which the user has absolutely no control. </li>  <li id="M201903211">  The MoviePass dis-service <a href="https://www.cnet.com/culture/entertainment/moviepass-founder-wants-to-use-facial-recognition-to-score-you-free-movies/"> is planning to use face recognition to track people's eyes</a> to make sure they won't put their phones down or look away during ads—and trackers. </li>  <li id="M201903201">  A study of 24 “health” apps found that 19 of them <a href="https://www.vice.com/en/article/pan9e8/health-apps-can-share-your-data-everywhere-new-study-shows"> send sensitive personal data to third parties</a>, which can use it for invasive advertising or discriminating against people in poor medical condition. Whenever user “consent” is sought, it is buried in lengthy terms of service that are difficult to understand. In any case, “consent” is not sufficient to legitimize snooping. </li>  <li id="M201902230">  Facebook offered a convenient proprietary library for building mobile apps, which also <a href="https://boingboing.net/2019/02/23/surveillance-zucksterism.html"> sent personal data to Facebook</a>. Lots of companies built apps that way and released them, apparently not realizing that all the personal data they collected would go to Facebook as well. It shows that no one can trust a server, where nonfree program, not even the developer developers of other nonfree programs. </li>  <li id="M201902140">  The AppCensus database gives information on <a href="https://www.appcensus.io/"> how Android apps use and misuse users' personal data</a>. As of March 2019, nearly 78,000 have been analyzed, of which 24,000 (31%) transmit the <a href="/proprietary/proprietary-surveillance.html#M201812290"> Advertising ID</a> to other companies, and <a href="https://blog.appcensus.io/2019/02/14/ad-ids-behaving-badly/"> 18,000 (23% of the total) link this ID to hardware identifiers</a>, so that users cannot escape tracking by resetting it. Collecting hardware identifiers is in apparent violation of Google's policies. But it seems that Google wasn't aware of it, and, once informed, was in no hurry to take action. This proves that the policies of a development platform are ineffective at preventing nonfree software developers from including malware in their programs. </li>  <li id="M201902060">  Many nonfree apps have a surveillance feature for <a href="https://techcrunch.com/2019/02/06/iphone-session-replay-screenshots/"> recording all the users' actions</a> in interacting with the app. </li>  <li id="M201902010">  An investigation of the 150 most popular gratis VPN apps in Google Play found that <a href="https://www.top10vpn.com/research/free-vpn-investigations/risk-index/"> 25% fail to protect their users' privacy</a> due to DNS leaks. In addition, 85% feature intrusive permissions or functions in their source code—often used for invasive advertising—that could potentially also be used to spy on users. Other technical flaws were found as well. Moreover, a previous investigation had found that <a href="https://www.top10vpn.com/research/free-vpn-investigations/ownership/">half of the top 10 gratis VPN apps have lousy privacy policies</a>. (It is unfortunate that these articles talk about “free apps.” These apps are gratis, but they are not <a href="/philosophy/free-sw.html">free software</a>.) </li>  <li id="M201901050">  The Weather Channel app <a href="https://www.theguardian.com/technology/2019/jan/04/weather-channel-app-lawsuit-location-data-selling"> stored users' locations to the company's server</a>. The company is being sued, demanding that it notify the users of what it will do with the data. We think that lawsuit is about a side issue. What the company does with the data is a secondary issue. The principal wrong here is that the company gets that data at all. <a href="https://www.vice.com/en/article/gy77wy/stop-using-third-party-weather-apps"> Other weather apps</a>, including Accuweather and WeatherBug, are tracking people's locations. </li>  <li id="M201812290">  Around 40% of gratis Android apps <a href="https://privacyinternational.org/report/2647/how-apps-android-share-data-facebook-report"> report on the user's actions to Facebook</a>. Often they send the machine's “advertising ID,” so that Facebook can correlate the data it all. obtains from the same machine via various apps. Some of them send Facebook detailed information about the user's activities in the app; others only say that the user is using that app, but that alone is often quite informative. This spying occurs regardless of whether the user has a Facebook account. </li>  <li id="M201812060">  Facebook's app got “consent” to <a href="https://www.theguardian.com/technology/2018/dec/06/facebook-emails-reveal-discussions-over-call-log-consent"> upload call logs automatically from Android phones</a> while disguising what the “consent” was for. </li>  <li id="M201810244">  Some Android apps <a href="https://web.archive.org/web/20210418052600/https://www.androidauthority.com/apps-uninstall-trackers-917539/amp/"> track the phones of users that have deleted them</a>. </li>  <li id="M201806110">  The Spanish football streaming app <a href="https://boingboing.net/2018/06/11/spanish-football-app-turns-use.html">tracks the user's movements and listens through the microphone</a>. This makes them act as spies for licensing enforcement. We expect it implements DRM, too—that there is no way to save a recording. But we can't be sure from the article. If you learn to care much less about sports, you will benefit in many ways. This “service” is one more. </li>  <li id="M201804160">  More than <a href="https://www.theguardian.com/technology/2018/apr/16/child-apps-games-android-us-google-play-store-data-sharing-law-privacy">50% of the 5,855 Android apps studied by researchers were found to snoop and collect information about its users</a>. 40% of the apps were found to insecurely snitch on its users. Furthermore, they could detect only some methods of snooping, in these proprietary apps whose source code they cannot look at. The other apps might be snooping in other ways. This is evidence that proprietary apps generally work against their users. To protect their privacy and freedom, Android users need to get rid of the proprietary software—both proprietary Android by <a href="https://replicant.us">switching to Replicant</a>, and the proprietary apps by getting apps from the free software only <a href="https://f-droid.org/">F-Droid store</a> that <a href="https://f-droid.org/docs/Anti-Features/"> prominently warns the user if an app contains anti-features</a>. </li>  <li id="M201804020">  Grindr collects information about <a href="https://www.commondreams.org/news/2018/04/02/egregious-breach-privacy-popular-app-grindr-supplies-third-parties-users-hiv-status"> which users are HIV-positive, then provides the information to companies</a>. Grindr should not have so much information about its users. It could be designed so that users communicate such info to each other but not to the server's database. </li>  <li id="M201803050">  The moviepass app and dis-service spy on users even more than users expected. It <a href="https://techcrunch.com/2018/03/05/moviepass-ceo-proudly-says-the-app-tracks-your-location-before-and-after-movies/">records where they travel before and after going to a movie</a>. Don't be tracked—pay cash! </li>  <li id="M201711240">  Tracking software in popular Android apps is pervasive and sometimes very clever. Some trackers can <a href="https://theintercept.com/2017/11/24/staggering-variety-of-clandestine-trackers-found-in-popular-android-apps/"> follow a user's movements around a physical store by noticing WiFi networks</a>. </li>  <li id="M201711230">  AI-powered driving apps can <a href="https://www.vice.com/en/article/43nz9p/ai-powered-driving-apps-can-track-your-every-move"> track your every move</a>. </li>  <li id="M201708270">  The Sarahah app <a href="https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/"> uploads all phone numbers and email addresses</a> in user's address book to developer's server. (Note that this article misuses the words “<a href="/philosophy/free-sw.html">free software</a>” referring to zero price.) </li>  <li id="M201707270">  20 dishonest Android apps recorded <a href="https://arstechnica.com/information-technology/2017/07/stealthy-google-play-apps-recorded-calls-and-stole-e-mails-and-texts/">phone calls and sent them and text messages and emails to snoopers</a>. Google did not intend to make these apps spy; on the contrary, it worked in various ways to prevent that, and deleted these apps after discovering what they did. So we cannot blame Google specifically for suckers! the snooping of these apps. On the other hand, Google redistributes nonfree Android apps, and therefore shares in the responsibility for the injustice of their being nonfree. It also distributes its own nonfree apps, such as Google Play, <a href="/philosophy/free-software-even-more-important.html">which are malicious</a>. Could Google have done a better job of preventing apps from cheating? There is no systematic way for Google, or Android users, to inspect executable proprietary apps to see what they do. Google could demand the source code for these apps, and study the source code somehow to determine whether they mistreat users in various ways. If it did a good job of this, it could more or less prevent such snooping, except when the app developers are clever enough to outsmart the checking. But since Google itself develops malicious apps, we cannot trust Google to protect us. We must demand release of source code to the public, so we can depend on each other. </li>  <li id="M201705230">  Apps for BART <a href="https://web.archive.org/web/20171124190046/https://consumerist.com/2017/05/23/passengers-say-commuter-rail-app-illegally-collects-personal-user-data/"> snoop on users</a>. With free software apps, users could make sure that they don't snoop. With proprietary apps, one can only hope that they don't. </li>  <li id="M201705040">  A study found 234 Android apps that track users by <a href="https://www.bleepingcomputer.com/news/security/234-android-applications-are-currently-using-ultrasonic-beacons-to-track-users/">listening to ultrasound from beacons placed in stores or played by TV programs</a>. </li>  <li id="M201704260">  Faceapp appears to do lots of surveillance, judging by <a href="https://web.archive.org/web/20170426191242/https://www.washingtonpost.com/news/the-intersect/wp/2017/04/26/everything-thats-wrong-with-faceapp-the-latest-creepy-photo-app-for-your-face/"> how much access it demands to personal data in the device</a>. </li>  <li id="M201704190">  Users are suing Bose for <a href="https://web.archive.org/web/20170423010030/https://www.washingtonpost.com/news/the-switch/wp/2017/04/19/bose-headphones-have-been-spying-on-their-customers-lawsuit-claims/"> distributing a spyware app for its headphones</a>. Specifically, the app would record the names of the audio files users listen to along with the headphone's unique serial number. The server surely suit accuses that this was done without the users' consent. If the fine print of the app said that users gave consent for this, would that make it acceptable? No way! It should be flat out <a href="/philosophy/surveillance-vs-democracy.html"> illegal to design the app to snoop at all</a>. </li>  <li id="M201704074">  Pairs of Android apps can collude to transmit users' personal data to servers. <a href="https://www.theatlantic.com/technology/archive/2017/04/when-apps-collude-to-steal-your-data/522177/">A study found tens of thousands of pairs that collude</a>. </li>  <li id="M201703300">  Verizon <a href="https://yro.slashdot.org/story/17/03/30/0112259/verizon-to-force-appflash-spyware-on-android-phones"> announced an opt-in proprietary search app that it will</a> pre-install on some of its phones. The app will give Verizon the same information about the users' searches that Google normally gets when they use its search engine. Currently, the app is <a href="https://www.eff.org/deeplinks/2017/04/update-verizons-appflash-pre-installed-spyware-still-spyware"> being pre-installed on only one phone</a>, and the user must explicitly opt-in before the app takes effect. However, the app remains spyware—an “optional” piece of spyware is still spyware. </li>  <li id="M201703140">  A computerized vibrator <a href="https://www.theguardian.com/technology/2016/aug/10/vibrator-phone-app-we-vibe-4-plus-bluetooth-hack"> was snooping on its users through the proprietary control app</a>. The app was reporting the temperature of the vibrator minute by minute (thus, indirectly, whether it was surrounded by a person's body), as well as the vibration frequency. Note the totally inadequate proposed response: a labeling standard with which manufacturers would make statements about their products, rather than free software which users could have checked and changed. The company that made the vibrator <a href="https://www.theguardian.com/us-news/2016/sep/14/wevibe-sex-toy-data-collection-chicago-lawsuit"> was sued for collecting lots of personal information about how people used it</a>. The company's statement that it was anonymizing the data may be true, but it doesn't really matter. If it had sold the data to a data broker, the data broker would have been able to figure out who the user was. Following this lawsuit, <a href="https://www.theguardian.com/technology/2017/mar/14/we-vibe-vibrator-tracking-users-sexual-habits"> the company has been ordered to pay a “privacy policy,” total of C$4m</a> to its customers. </li>  <li id="M201701210">  The Meitu photo-editing app <a href="https://theintercept.com/2017/01/21/popular-selfie-app-sending-user-data-to-china-researchers-say/">sends user data to a Chinese company</a>. </li>  <li id="M201611280">  The Uber app tracks <a href="https://techcrunch.com/2016/11/28/uber-background-location-data-collection/">clients' movements before and surely after the ride</a>. This example illustrates how “getting the user's consent” for surveillance is inadequate as a protection against massive surveillance. </li>  <li id="M201611160">  A <a href="https://research.csiro.au/isp/wp-content/uploads/sites/106/2016/08/paper-1.pdf"> research paper</a> that investigated the privacy and security of 283 Android VPN apps concluded that “in spite of the promises for privacy, security, and anonymity given by the majority of VPN apps—millions of users may be unawarely subject to poor security guarantees and abusive practices inflicted by VPN apps.” Following is a non-exhaustive list, taken from the research paper, of some proprietary VPN apps that track users and infringe their privacy: <dl class="compact"> <dt>SurfEasy</dt> <dd>Includes tracking libraries such as NativeX and Appflood, meant to track users and show them targeted ads.</dd> <dt>sFly Network Booster</dt> <dd>Requests the <code>READ_SMS</code> and <code>SEND_SMS</code> permissions upon installation, meaning it has full access to users' text messages.</dd> <dt>DroidVPN and TigerVPN</dt> <dd>Requests the <code>READ_LOGS</code> permission to read logs for other apps and also core system logs. TigerVPN developers have confirmed this.</dd> <dt>HideMyAss</dt> <dd>Sends traffic to LinkedIn. Also, it stores detailed logs and may turn them over to the UK government if requested.</dd> <dt>VPN Services HotspotShield</dt> <dd>Injects JavaScript code into the HTML pages returned to the users. The stated purpose of the JS injection is worthless since nearly to display ads. Uses roughly five tracking libraries. Also, it redirects the user's traffic through valueclick.com (an advertising website).</dd> <dt>WiFi Protector VPN</dt> <dd>Injects JavaScript code into HTML pages, and also uses roughly five tracking libraries. Developers of this app have confirmed that the non-premium version of the app does JavaScript injection for tracking the user and displaying ads.</dd> </dl> </li>  <li id="M201611150">  Some portable phones <a href="https://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html">are sold with spyware sending lots of data to China</a>. </li>  <li id="M201606050">  Facebook's new Magic Photo app <a href="https://www.theregister.com/2015/11/10/facebook_scans_camera_for_your_friends/"> scans your mobile phone's photo collections for known faces</a>, and suggests you circulate the picture you take according to who is in the frame. This spyware feature seems to require online access to some known-faces database, which means the pictures are likely to be sent across the wire to Facebook's servers and face-recognition algorithms. If so, none of Facebook users' pictures are private anymore, even if the user didn't “upload” them to the service. </li>  <li id="M201605310">  Facebook's app listens all the time, <a href="https://www.independent.co.uk/tech/facebook-using-people-s-phones-to-listen-in-on-what-they-re-saying-claims-professor-a7057526.html">to snoop on what people are listening to or watching</a>. In addition, it may be analyzing people's conversations to serve them with targeted advertisements. </li>  <li id="M201604250">  A pregnancy test controller application not only can <a href="https://www.theverge.com/2016/4/25/11503718/first-response-pregnancy-pro-test-bluetooth-app-security"> spy on many sorts of data in the phone, and in server accounts, it can alter them are. too</a>. </li> <li>Apps  <li id="M201601130">  Apps that include <a href="http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/"> href="https://web.archive.org/web/20180913014551/http://techaeris.com/2016/01/13/symphony-advanced-media-software-tracks-your-digital-life-through-your-smartphone-mic/"> Symphony surveillance software snoop on what radio and TV programs are playing nearby</a>. Also on what users post on various sites such as Facebook, Google+ and Twitter. </li> <li>More than 73% and 47% of mobile applications, both  <li id="M201601110">  The natural extension of their users with third parties. monitoring people through “their” phones is <a href="https://news.northwestern.edu/stories/2016/01/fool-activity-tracker"> proprietary software to make sure they can't “fool” the monitoring</a>. </li> <li>“Cryptic  <li id="M201511190">  “Cryptic communication,” unrelated to the app's functionality, was <a href="http://news.mit.edu/2015/data-transferred-android-apps-hiding-1119"> href="https://news.mit.edu/2015/data-transferred-android-apps-hiding-1119"> found in the 500 most popular gratis Android apps</a>. The article should not have described these apps as “free”—they are not free software. The clear way to say “zero price” is “gratis.” The article takes for granted that the usual analytics tools are legitimate, but is that valid? Software developers have no right to analyze what users are doing or how. “Analytics” tools that snoop are just as wrong as any other snooping. </li> <li>Many proprietary apps for  <li id="M201510300">  More than 73% and 47% of mobile devices report which other apps the user has installed. applications, for Android and iOS respectively <a href="http://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter is doing this in a way that at least is visible href="https://techscience.org/a/2015103001/">hand over personal, behavioral and optional</a>. Not as bad as what the others do. location information</a> of their users to third parties. </li> <li>Portable  <li id="M201510050">  According to Edward Snowden, <a href="https://www.bbc.com/news/uk-34444233">agencies can take over smartphones</a> by sending hidden text messages which enable them to turn the phones with GPS will send their GPS on and off, listen to the microphone, retrieve geo-location data from the GPS, take photographs, read text messages, read call, location and web browsing history, and read the contact list. This malware is designed to disguise itself from investigation. </li>  <li id="M201508210">  Like most “music screaming” disservices, Spotify is based on remote command proprietary malware (DRM and users cannot stop them: snooping). In August 2015 it <a href="http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers"> http://www.aclu.org/government-location-tracking-cell-phones-gps-devices-and-license-plate-readers</a>. (The US says href="https://www.theguardian.com/technology/2015/aug/21/spotify-faces-user-backlash-over-new-privacy-policy"> demanded users submit to increased snooping</a>, and some are starting to realize that it will eventually require all new portable phones is nasty. This article shows the <a href="https://www.theregister.com/2015/08/21/spotify_worse_than_the_nsa/"> twisted ways that they present snooping as a way to “serve” users better</a>—never mind whether they want that. This is a typical example of the attitude of the proprietary software industry towards those they have GPS.) subjugated. Out, out, damned Spotify! </li> <li>Spyware in Cisco TNP IP phones: <a href="http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html"> http://boingboing.net/2012/12/29/your-cisco-phone-is-listening.html</a>.</li> <li>Spyware in Android phones (and Windows? laptops): The Wall Street Journal (in an article blocked  <li id="M201507281">  Many retail businesses publish cr…apps that ask to <a href="http://www.theverge.com/2013/8/1/4580718/fbi-can-remotely-activate-android-and-laptop-microphones-reports-wsj"> the FBI can remotely activate href="https://www.delish.com/kitchen-tools/a43252/how-food-apps-use-data/"> spy on the GPS and microphone user's own data</a>—often many kinds. Those companies know that snoop-phone usage trains people to say yes to almost any snooping. </li>  <li id="M201507030">  Samsung phones come with <a href="https://arstechnica.com/gadgets/2015/07/samsung-sued-for-loading-devices-with-unremovable-crapware-in-china/">apps that users can't delete</a>, and laptops</a>. (I suspect this means Windows laptops.) Here they send so much data that their transmission is a substantial expense for users. Said transmission, not wanted or requested by the user, clearly must constitute spying of some kind. </li>  <li id="M201506264">  <a href="https://www.cl.cam.ac.uk/~arb33/papers/FerreiraEtAl-Securacy-WiSec2015.pdf"> A study in 2015</a> found that 90% of the top-ranked gratis proprietary Android apps contained recognizable tracking libraries. For the paid proprietary apps, it was only 60%. The article confusingly describes gratis apps as “free”, but most of them are not in fact <a href="http://cryptome.org/2013/08/fbi-hackers.htm">more info</a>. href="/philosophy/free-sw.html">free software</a>. It also uses the ugly word “monetize”. A good replacement for that word is “exploit”; nearly always that will fit perfectly. </li> <li>Some Motorola phones modify  <li id="M201505060">  Gratis Android to apps (but not <a href="http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html"> send personal data href="/philosophy/free-sw.html">free software</a>) connect to Motorola.</a> </li> <li>Some manufacturers add a 100 <a href="http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/"> hidden general surveillance package such as Carrier IQ.</a> href="https://www.theguardian.com/technology/2015/may/06/free-android-apps-connect-tracking-advertising-websites">tracking and advertising</a> URLs, on the average. </li> <li>Widely  <li id="M201504060">  Widely used <a href="https://freedom-to-tinker.com/blog/kollarssmith/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary href="https://freedom-to-tinker.com/2015/04/06/scan-this-or-scan-me-user-privacy-barcode-scanning-applications/">proprietary QR-code scanner apps snoop on the user</a>. This is in addition to the snooping done by the phone company, and perhaps by the OS in the phone. Don't be distracted by the question of whether the app developers get users to say “I agree”. That is no excuse for malware. </li> </ul> <h3 id="drm">Mobile DRM</h3> <ul> <li>Android  <li id="M201411260">  Many proprietary apps for mobile devices report which other apps the user has installed. <a href="https://developer.android.com/reference/android/drm/package-summary.html">contains facilities specifically href="https://techcrunch.com/2014/11/26/twitter-app-graph/">Twitter is doing this in a way that at least is visible and optional</a>. Not as bad as what the others do. </li>  <li id="M201403120">  <a href="/proprietary/proprietary-back-doors.html#samsung"> Samsung's back door</a> provides access to support DRM</a>. any file on the system. </li>  <li id="M201401150.1">  The Simeji keyboard is a smartphone version of Baidu's <a href="/proprietary/proprietary-surveillance.html#baidu-ime">spying <abbr title="Input Method Editor">IME</abbr></a>. </li>  <li id="M201312270">  The nonfree Snapchat app's principal purpose is to restrict the use of data on the user's computer, but it does surveillance too: <a href="https://www.theguardian.com/media/2013/dec/27/snapchat-may-be-exposed-hackers"> it tries to get the user's list of other people's phone numbers</a>. </li>  <li id="M201312060">  The Brightest Flashlight app <a href="https://www.theguardian.com/technology/2013/dec/06/android-app-50m-downloads-sent-data-advertisers"> sends user data, including geolocation, for use by companies</a>. The FTC criticized this app because it asked the user to approve sending personal data to the app developer but did not ask about sending it to other companies. This shows the weakness of the reject-it-if-you-dislike-snooping “solution” to surveillance: why should a flashlight app send any information to anyone? A free software flashlight app would not. </li>  <li id="M201307000">  Portable phones with GPS <a href="https://www.aclu.org/issues/privacy-technology/location-tracking/you-are-being-tracked"> will send their GPS location on remote command, and users cannot stop them</a>. (The US says it will eventually require all new portable phones to have GPS.) </li>  <li id="M201212100">  FTC says most mobile apps for children don't respect privacy: <a href="https://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/"> https://arstechnica.com/information-technology/2012/12/ftc-disclosures-severely-lacking-in-kids-mobile-appsand-its-getting-worse/</a>. </li>  <li id="M201111170">  Some manufacturers add a <a href="https://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/"> hidden general surveillance package such as Carrier IQ</a>. </li> </ul> <h3 id="jails">Mobile Jails</h3> <ul> <li><a href="https://fsf.org/campaigns/secure-boot-vs-restricted-boot/">Mobile devices id="jails">Jails</h3> Jails are systems that come with impose censorship on application programs. <ul class="blurbs">  <li id="M201210080">  <a href="https://web.archive.org/web/20190917162027/https://www.itworld.com/article/2832657/microsoft-metro-app-store-lock-down.html"> Windows 8 are tyrants</a>. <a href="http://www.itworld.com/article/2832657/operating-systems/microsoft-metro-app-store-lock-down.html">Windows 8 on “mobile devices” is (now defunct) was a jail.</a> jail</a>. </li> </ul> <h3 id="tyrants">Mobile Tyrants</h3> <ul> <li><a href="http://blog.azimuthsecurity.com/2013/04/unlocking-motorola-bootloader.html"> Some Android phones id="tyrants">Tyrants</h3> Tyrants are tyrants</a> (though someone found a way to crack systems that reject any operating system not “authorized” by the restriction). Fortunately, most Android manufacturer. <ul class="blurbs">  <li id="M201110110">  <a href="https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/"> Mobile devices that come with Windows 8 are not tyrants. tyrants</a>. </li> </ul> </div>  <div id="footer"> id="footer" role="contentinfo"> <div class="unprintable"> Please send general FSF & GNU inquiries to <a href="mailto:gnu@gnu.org"><gnu@gnu.org></a>. There are also <a href="/contact/">other ways to contact</a> the FSF. Broken links and other corrections or suggestions can be sent to <a href="mailto:webmasters@gnu.org"><webmasters@gnu.org></a>.  Please see the <a href="/server/standards/README.translations.html">Translations README</a> for information on coordinating and submitting contributing translations of this article. </div>  Copyright © 2014, 2015, 2016 2014-2024 Free Software Foundation, Inc. This page is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nd/4.0/">Creative href="http://creativecommons.org/licenses/by/4.0/">Creative Commons Attribution-NoDerivatives Attribution 4.0 International License</a>.  Updated:  $Date: 2024/03/13 15:09:59 $  </div> </div> </div> </body> </html> ...; http://www.gnu.org/proprietary/po/malware-mobiles.ja-diff.html - [detail] - [similar]

PREV NEXT