[Emaderton3]

What device do you use?

Posted via CB10

Sorry, I should have clarified--on my computer.

Posted via CB10

[Superdupont 2_0]

I get targeted ads regardless of what browser I use and if I'm logged in or not. It is pervasive and not limited to Google.

Posted via CB10

I sometimes get some ads, but certainly never targeted ads (on any device or computer).
Webfiltering isn't so hard.

- Block certain domains in a (free) OpenDNS account and the domain blacklist of my routers.
- Disable 3rd party cookies in browsers (if available) and use Adblock (preferably uBlock if available).
- Don't use Google accounts.

[markmall]

This raises a question I have. If we use a Gmail account on our bb10 device, does it take over and steal all of our data? This is not the same as if you were using an Android device, right?

I thought it just steals our email data on our Gmail account.

Posted via CB10

[Soulstream]

This raises a question I have. If we use a Gmail account on our bb10 device, does it take over and steal all of our data? This is not the same as if you were using an Android device, right?

I thought it just steals our email data on our Gmail account.

Posted via CB10

All apps can "steal" information you give them access to. That is true on all OSs (even BB10). An app that does not have access to contacts for example will not be able to use them in any way.

Now for some examples:
1. BBM on all platforms can have access to your photos/files in order to be able to send another user that photo/file. You have to trust that BBM will not mishandle or abuse that access and upload ALL your photos/files to some remote server.
2. On Android for example Google will NOT have direct access to your browsing history if you use another browser other than Chrome. Android apps are designed to not have access to data from other apps unless specifically shared to by the user. Of course, if you use Firefox for example you have to trust that they will not mishandle your browser history.

In short, for every app you use you must put some trust into the app developer that they will not misuse the permissions that you have given to their app.

[Sue-zz]

Android App security can be locked down with a couple of apps, NetGuard (Playstore) sinks data requests into a black-hole VPN on either Wifi or mobile data, or both.

NetGuard also has a log function which shows where data is going, and when. It makes for 'interesting' reading.

PrivacyGuard (CyanoGen Mod phones) limits app permissions, so you can restrict app permissions from accessing your location, contacts and SMS messages.

With both installed the phone can locked to the extent that nothing gets out unless permissions are granted. Blocking Play Services also prevents push services from Google, and limits the phone's usability.

Even with no Google account installed, Google is accessed from the phone up to 2000 times per hour, according to my logs.

'Signal Private Messenger' is the current hot-app for end-to-end encryption (PlayStore) but won't install on older versions of Android or Tablets. (yet)

Wifi always on in Android is another 'feature'. (On some phones.) Even when the phone is asleep it is still transferring data. It can be de-activated on some phones.

However, social networking and corporate moves to FaceBook/Whatsapp etc mean that work phones often can't be locked down.

There's a small 'resurgence' movement in the return to BBOs-7 and BIS, or a newer BB10 Bis-free device. I haven't tried the DTeks yet so can't comment.

[Soulstream]

Android App security can be locked down with a couple of apps, NetGuard (Playstore) sinks data requests into a black-hole VPN on either Wifi or mobile data, or both.

PrivacyGuard (CyanoGen Mod phones) limits app permissions, so you can restrict app permissions from accessing your location, contacts and SMS messages.

With both installed the phone can locked to the extent that nothing gets out unless permissions are granted. Blocking Play Services also prevents push services from Google, and limits the phone's usability.

'Signal Private Messenger' is the current hot-app for end-to-end encryption (PlayStore) but won't install on older versions of Android or Tablets. (yet)

Wifi always on in Android is another 'feature'. (On some phones.) Even when the phone is asleep it is still transferring data. It can be de-activated on some phones.

However, social networking and corporate moves to FaceBook/Whatsapp etc mean that work phones often can't be locked down.

There's a small 'resurgence' movement in the return to BBOs-7 and BIS, or a newer BB10 Bis-free device. I haven't tried the DTeks yet so can't comment.

Newer Android versions have granular permissions built-in so apps like PrivacyGuard will not be needed in the near future when most devices use these newer versions of Android.

About blocking apps from internet access, it all sound great in theory, but what do you do with apps that really do require internet access for them to be useful. A good example for this is Whatsapp or BBM (or any messenger for that matter); without a working internet connection these apps are pretty much useless. You still have to trust that the apps will not misuse the permissions you give them.

[JSmith422]

Android App security can be locked down with a couple of apps, NetGuard (Playstore) sinks data requests into a black-hole VPN on either Wifi or mobile data, or both.

NetGuard also has a log function which shows where data is going, and when. It makes for 'interesting' reading.

PrivacyGuard (CyanoGen Mod phones) limits app permissions, so you can restrict app permissions from accessing your location, contacts and SMS messages.

With both installed the phone can locked to the extent that nothing gets out unless permissions are granted. Blocking Play Services also prevents push services from Google, and limits the phone's usability.

Even with no Google account installed, Google is accessed from the phone up to 2000 times per hour, according to my logs.

'Signal Private Messenger' is the current hot-app for end-to-end encryption (PlayStore) but won't install on older versions of Android or Tablets. (yet)

Wifi always on in Android is another 'feature'. (On some phones.) Even when the phone is asleep it is still transferring data. It can be de-activated on some phones.

However, social networking and corporate moves to FaceBook/Whatsapp etc mean that work phones often can't be locked down.

There's a small 'resurgence' movement in the return to BBOs-7 and BIS, or a newer BB10 Bis-free device. I haven't tried the DTeks yet so can't comment.

OK, your post really intrigued me.

So if I'm understanding correctly, if you're not on WiFi, then Google is "phoning home" 2000 times per hour and using your mobile data? Or is only on WiFi?

1.) do you know what they're sending?

2.) is there a way to stop it and only give intermittent permission, so that only information you allow leaves the device? With bb10, I have all permissions shut off, and if an app needs something, the phone usually pops up with a message "xyz app is trying to access your (insert data here, location, files, etc) would you like to give it access (or something to that effect). And then I can either cancel it if I don't want to, or say yes and it will take me right to the app permission.

3.) does this "phoning home" still happen if you remove Google play?

With NetGuard, when you say "sinks data requests into a black hole VPN," do you mean that the request is rerouted through the VPN, therefore gives you privacy? I'm not sure I'm completely following what it does, but I'm intrigued. Can you tell us more?



Posted via CB10

[markmall]

This is big. Microsoft is reversing course (maybe) on Windows 10 data collection. Maybe we will get a good Surface phone that respects our privacy. Forbes Welcome

[Dr_BlackBerry]

This is a great thread! Appreciate all your input on this important subject which I believe should be of interest to all phone users, although sadly I know we are in the minority.

My take is that there are two separate and very different issues for Internet connected users:

1. Security
- we would all seek to have personal/sensitive data protected from malicious threats which could lead to such adverse consequences as identity or financial theft.

- my impression (and it's only that, for I'm know expert) is that MS, Apple, Google and BlackBerry all do a good job in protecting our data (although of course there have been some notable breeches of cloud stored material)

- We too have some responsibility with regards to our own data. Facebook being an excellent example. Never ceases to amaze me how much sensitive information people put out there about themselves.

2. Privacy
- the 'trickier' of the two. As a number of you have eluded to, if you've been connected to the Internet then some of your data, activity has been recorded/harvested - end of story!

- I think what's important here is transparency and control. Both of which have been lacking and hopefully is improving

- it's quite clear the more you lock down your personal data the less functionality you will obtain from your device and vice versa. That classic example of BBM and its request to access your contacts - deny it and BBM is useless.

I have been such a happy BB10 user for a number of years now but with its inevitable demise I've had to start to have a look around:

Google/Android - the obvious choice would seem a shift to BlackBerry Android, however I cannot in all conscience stomach a shift to Google on privacy grounds - will never forget the targeted ads I received based on the CONTENT of some of my old Gmail emails - not happy

Apple/iOS. Cannot handle being locked into the Apple software/hardware ecosystem

Microsoft - this leaves me with Windows 10 Mobile. Although one could understandably regard this as a dying platform I am one of those people that believe MS will not give up on the mobile platform and their goal to unify through the Surface phone.

- I also appreciate some of the steps they have now taken in terms of privacy transparency and user control - interesting article from Forbes Markmall, thanks for that.

Anyway look forward to some more input from the great CB community :-)


Posted via CB10

[Richard Buckley]

I get targeted ads regardless of what browser I use and if I'm logged in or not. It is pervasive and not limited to Google.

Posted via CB10

This just means you are leaking personal data the way you are using the browser. For example:

If you ever see a "like us on Facebook" button active on a website that is because the way you are using the browser lets Facebook track your movements on the web.

If you are able to use the check box "I am not a robot" captcha the you are similarly leaking data to Google the same way.

There are many other "web bugs" around the Internet that do similar things, most of which will result in targeted adds. The very biggest of these is probably OAuth (login with Facebook, Google, etc). Browsers are written to make these easy for companies to use, and difficult for users to avoid.

LeapSTR100-2/10.3.3.2163

[Asuhmiaseh]

What VPN service do you use?

Posted via CB10

I use PureVPN which supports the IKEV2 protocol useable by BB10 devices.

Fwiw, Torbrowser is also an option for reducing the data collection from your browsing (on PC/laptop).

Posted via CB10

[Sue-zz]

OK, your post really intrigued me.

So if I'm understanding correctly, if you're not on WiFi, then Google is "phoning home" 2000 times per hour and using your mobile data? Or is only on WiFi?

1.) do you know what they're sending?

2.) is there a way to stop it and only give intermittent permission, so that only information you allow leaves the device? With bb10, I have all permissions shut off, and if an app needs something, the phone usually pops up with a message "xyz app is trying to access your (insert data here, location, files, etc) would you like to give it access (or something to that effect). And then I can either cancel it if I don't want to, or say yes and it will take me right to the app permission.

3.) does this "phoning home" still happen if you remove Google play?

With NetGuard, when you say "sinks data requests into a black hole VPN," do you mean that the request is rerouted through the VPN, therefore gives you privacy? I'm not sure I'm completely following what it does, but I'm intrigued. Can you tell us more?


Posted via CB10

The test phone was a 2016 WileyFox Swift with CyanogenMod (Dec 1st 2016 security upgrade) installed. It loads from a cold start with PrivacyGuard installed. I added NetGuard, (in the PlayStore) enabled the advanced features and logged all the connection requests. The phone was left logging with the Google account deleted and no sim installed, but connected to wifi.

Google Play services was the main culprit, making a request every three seconds when blocked. (Wifi) The YouTube app also tried to connect repeatedly. There were three other persistent Google services making requests, but I'm away from the logs at the moment.

The attempts to connect are hardly surprising, but the 24 hour time period involved 28,800 attempts. This may not be typical. Data collected would include location, adjacent wifi networks, contacts, MAC addresses, email account and calendar data, handset type and OS, SMS messages, and installed apps, app usage. Etc Etc.

Disabling various Google services like Play store stopped all of the data exiting, but it will also prevent many apps from working. If G.P. services are re-enabled, the phone will re-enable those other Google services the user has disabled in the System Apps prefs.

There are enhanced versions of NetGuard available outside the Play store, you can read an version of its capabilities here: https://github.com/M66B/NetGuard/blo...er/FAQ.md#FAQ1

I'm not affiliated with NetGuard in any way. :-)

As to later versions of Android providing 'granular' permissions, this true to some extent, but there are around 20 Android vulnerability paths, the user being at least two of them. Also app developers tend to take a too-broad approach to what permissions are required to enable an app, so the tendency of the user to accept them all, just to get the app working.

The attempts by Here maps to read user's contacts is one example, the uploading of contact phone numbers to TrueCaller is another. If one of your friends has TrueCaller installed, your phone number and name is already logged and stored. This doesn't matter to some, but my phone number is one of the security log-ins for a number of accounts, including Google and Amazon, with 2 stage verification, and it's easy to twin it with brute-force passwords on sites which use it as a login.

Another 'foible' with Google Play Store is that apps which block advertising are banned from it. This might explain why users are complaining that the Android Play Store version of BBM pops up ads. A second is the re-enabling of disabled Play Store services when Play Services auto-updates.

My review was on the basis of an experiment to see if Android (Marshmallow) on a budget phone could provide true security; defined as no covert data exiting the phone without the user's permission. It can but dependent apps won't work and GP services makes every attempt to re-enable (bypass) Google blocking permissions set by the user.

It's an easy shot to define security conscious users as 'Tin-Foil hatters' but there are reasons in the corporate world for retaining commercially sensitive data in the handset while retaining some 'smartphone' functionality. The Boing Black is an example of a firewalled phone, there are others. I haven't analysed a Dtek.

'Security' has different meanings for different users; most smartphone users cheerfully accept that Google/Microsoft/Apple/Blackberry mines their data in exchange for enhanced functionality. It's also easy to trot out the mantra that 'Privacy is dead' but of course, in the commercial, research, academic and political world, privacy of data is paramount.

Developments like Samsung Knox, and other handset encryption and containerisation within Android are becoming common, so clearly, the demand is there. NIAP certification is in place for BBos 7 & 10, but only with an IT policy on the handset, which implies BES. Windows Lumia 635 is also NIAP certified, similarly.

This is in no way a scientific or exhaustive 'controlled' test, but the amount of access attempts is revealing, especially if those also occur over mobile data, even at lower frequency.

It is possible to lock down an Android phone and produce a 'secure' version, using techniques like containerisation and virtual machine sandboxing, with some effort and loss of functionality; there's a very full taxonomy of those here:

http://oar.a-star.edu.sg/jspui/bitst...ndroid-OAR.pdf

[JSmith422]

The test phone was a 2016 WileyFox Swift with CyanogenMod (Dec 1st 2016 security upgrade) installed. It loads from a cold start with PrivacyGuard installed. I added NetGuard, (in the PlayStore) enabled the advanced features and logged all the connection requests. The phone was left logging with the Google account deleted and no sim installed, but connected to wifi.

Google Play services was the main culprit, making a request every three seconds when blocked. (Wifi) The YouTube app also tried to connect repeatedly. There were three other persistent Google services making requests, but I'm away from the logs at the moment.

The attempts to connect are hardly surprising, but the 24 hour time period involved 28,800 attempts. This may not be typical. Data collected would include location, adjacent wifi networks, contacts, MAC addresses, email account and calendar data, handset type and OS, SMS messages, and installed apps, app usage. Etc Etc.

Disabling various Google services like Play store stopped all of the data exiting, but it will also prevent many apps from working. If G.P. services are re-enabled, the phone will re-enable those other Google services the user has disabled in the System Apps prefs.

There are enhanced versions of NetGuard available outside the Play store, you can read an version of its capabilities here: https://github.com/M66B/NetGuard/blo...er/FAQ.md#FAQ1

I'm not affiliated with NetGuard in any way. :-)

As to later versions of Android providing 'granular' permissions, this true to some extent, but there are around 20 Android vulnerability paths, the user being at least two of them. Also app developers tend to take a too-broad approach to what permissions are required to enable an app, so the tendency of the user to accept them all, just to get the app working.

The attempts by Here maps to read user's contacts is one example, the uploading of contact phone numbers to TrueCaller is another. If one of your friends has TrueCaller installed, your phone number and name is already logged and stored. This doesn't matter to some, but my phone number is one of the security log-ins for a number of accounts, including Google and Amazon, with 2 stage verification, and it's easy to twin it with brute-force passwords on sites which use it as a login.

Another 'foible' with Google Play Store is that apps which block advertising are banned from it. This might explain why users are complaining that the Android Play Store version of BBM pops up ads. A second is the re-enabling of disabled Play Store services when Play Services auto-updates.

My review was on the basis of an experiment to see if Android (Marshmallow) on a budget phone could provide true security; defined as no covert data exiting the phone without the user's permission. It can but dependent apps won't work and GP services makes every attempt to re-enable (bypass) Google blocking permissions set by the user.

It's an easy shot to define security conscious users as 'Tin-Foil hatters' but there are reasons in the corporate world for retaining commercially sensitive data in the handset while retaining some 'smartphone' functionality. The Boing Black is an example of a firewalled phone, there are others. I haven't analysed a Dtek.

'Security' has different meanings for different users; most smartphone users cheerfully accept that Google/Microsoft/Apple/Blackberry mines their data in exchange for enhanced functionality. It's also easy to trot out the mantra that 'Privacy is dead' but of course, in the commercial, research, academic and political world, privacy of data is paramount.

Developments like Samsung Knox, and other handset encryption and containerisation within Android are becoming common, so clearly, the demand is there. NIAP certification is in place for BBos 7 & 10, but only with an IT policy on the handset, which implies BES. Windows Lumia 635 is also NIAP certified, similarly.

This is in no way a scientific or exhaustive 'controlled' test, but the amount of access attempts is revealing, especially if those also occur over mobile data, even at lower frequency.

It is possible to lock down an Android phone and produce a 'secure' version, using techniques like containerisation and virtual machine sandboxing, with some effort and loss of functionality; there's a very full taxonomy of those here:

http://oar.a-star.edu.sg/jspui/bitst...ndroid-OAR.pdf

Interesting adjunct to this discussion, I was just reviewing my mobile data usage on a Z30 and saw 8kb downloaded and 11kb uploaded to/from Android Player......I do NOT have ANY android apps on the device. Where is this data being sent to, where is it coming from, and what exactly is it sending/receiving?

Posted via CB10

[ciaoenrico]

Personally, I'll be getting a flip phone when this thing stops working. iOS is too expensive for what you get, and Android just makes me feel gross.

Posted via CB10

[JSmith422]

Personally, I'll be getting a flip phone when this thing stops working. iOS is too expensive for what you get, and Android just makes me feel gross.

Posted via CB10

".....Android just makes me feel gross." Literally laughed out loud when I read that.

Posted via CB10

[Sue-zz]

Interesting adjunct to this discussion, I was just reviewing my mobile data usage on a Z30 and saw 8kb downloaded and 11kb uploaded to/from Android Player......I do NOT have ANY android apps on the device. Where is this data being sent to, where is it coming from, and what exactly is it sending/receiving?

Posted via CB10

It would be hard to say without a firewall log analysis. But Z30 is BB10 based, and purists might hope for no data transfer to Google without permission. Android Player is needed in BB10 for running Android apps and has been criticised for using data over mobile connections, here:

https://supportforums.blackberry.com...a/td-p/3152824

Further work today revealed a 2016 Lenovo Yoga 3-10 tablet (Android Marshmallow) shipping data back to China Telecom once a second and again to GMO Internet Inc, Japan. The tablet has 'Participate in the Lenovo User Experience' turned off.

The China Telecom (CT) leak is slightly worrying, given CT's previous hijacking of internet traffic from Dell and others, in 2010 and accessing personal data in 2016. Data is only sent when the tablet is quiescent, with as many apps and background services as is possible locked out.

It's possible it could be as harmless as an NTP time server request, but its presence is unwanted and can't be turned off anywhere, other than by blocking it with the firewall.

This is different to to the China Telecomm/Adup covert data-slurp recorded in 2016: Here:

https://www.nytimes.com/2016/11/16/u...rity.html?_r=0

One of the catalysts in starting this examination was a comparison of mobile data usage between BisBerrys (Bold 9990-OS7) and OS10 Blackberrys (Z10). Whether users regard covert Android data use permissible, even when no Android apps are installed is a question of personal preference. But there's a growing resistance to having personal data siphoned, especially over relatively expensive mobile connections.

In its mildest form this is an irritation, or, in the case of the Yoga Tab/China Telecomm data feed; somewhat guilty of covert privilege-escalation, until proven otherwise. The whois data shows a backfeed from China Telecomm to Lenovo for push api services. Service update notifications?

https://www.threatcrowd.org/domain.p...w.lenovomm.com

The log below is about two minutes worth of access attempts. There are plenty more.

As previously stated, this leakage over the internet isn't necessarily malevolent, but it's increasingly unwanted, and can't easily be blocked.

[JSmith422]

It would be hard to say without a firewall log analysis. But Z30 is BB10 based, and purists might hope for no data transfer to Google without permission. Android Player is needed in BB10 for running Android apps and has been criticised for using data over mobile connections, here:

https://supportforums.blackberry.com...a/td-p/3152824

Further work today revealed a 2016 Lenovo Yoga 3-10 tablet (Android Marshmallow) shipping data back to China Telecom once a second and again to GMO Internet Inc, Japan. The tablet has 'Participate in the Lenovo User Experience' turned off.

The China Telecom (CT) leak is slightly worrying, given CT's previous hijacking of internet traffic from Dell and others, in 2010 and accessing personal data in 2016. Data is only sent when the tablet is quiescent, with as many apps and background services as is possible locked out.

It's possible it could be as harmless as an NTP time server request, but its presence is unwanted and can't be turned off anywhere, other than by blocking it with the firewall.

This is different to to the China Telecomm/Adup covert data-slurp recorded in 2016: Here:

https://www.nytimes.com/2016/11/16/u...rity.html?_r=0

One of the catalysts in starting this examination was a comparison of mobile data usage between BisBerrys (Bold 9990-OS7) and OS10 Blackberrys (Z10). Whether users regard covert Android data use permissible, even when no Android apps are installed is a question of personal preference. But there's a growing resistance to having personal data siphoned, especially over relatively expensive mobile connections.

In its mildest form this is an irritation, or, in the case of the Yoga Tab/China Telecomm data feed; somewhat guilty of covert privilege-escalation, until proven otherwise. The whois data shows a backfeed from China Telecomm to Lenovo for push api services. Service update notifications?

https://www.threatcrowd.org/domain.p...w.lenovomm.com

The log below is about two minutes worth of access attempts. There are plenty more.

As previously stated, this leakage over the internet isn't necessarily malevolent, but it's increasingly unwanted, and can't easily be blocked.

I'm curious, what happens if you take a stock Android and delete everything Google from the phone?

Posted via CB10