[hitodev]

Hello,

I recently got my first Blackberry, a used Key2.

My first impression was astonishment when I noticed that many services and applications were connected to Google.

Internet browsing history
Youtube history
Location
Location history
User name and password...

Obviously all of this for free and just for "convenience" and "smart usage". Really?

Blackberry has a reputation for security and advertises on "privacy-oriented" devices. I'm wondering about the opportunity to interconnect so many services by default, some of which even offer to save user names and passwords to our greatest friends at all: Google.

What did you think?

In fact, I have never seen so much Google interconnectivity since I have my Key2...

Is Blackberry's advertising on data security a pure scam in the best case? Or a trap in the worst case?

Or maybe I misunderstood the Blackberry philosophy?

-- On the off chance, would there be a feature that would allow in "one-click" to disable all exchanges with Google services and that would enable them to reactivate, case by case if necessary?

[DanielDallas]

android... yeah it's too bad there isn't any mayor competition in mobile phone os field. It's iOS which is proprietary and tied to it's own hardware. They seem to be more dedicated to privacy than any other. And there is Googles android, which of course is an open source project, but in reality it very tightly connect to Google services. Now there are some alternatives as copperheasos and librem doing cool things, but they don't play the mayor league. The only other realistic option if you wanted a stable mobiles OS supported by a big company, you had was Blackberry. Even tough I switched to the keyone. I don't think google is very interested in privacy (they are in security) since they are world's biggest ad platform. If you want more control over your privacy on your bbmobile phone I suggest to install Netguard of blokada (f-droid store)

[chetmanley]

Hello...


.....What did you think?

In fact, I have never seen so much Google interconnectivity since I have my Key2...

Is Blackberry's advertising on data security a pure scam in the best case? Or a trap in the worst case?

Or maybe I misunderstood the Blackberry philosophy?

-- On the off chance, would there be a feature that would allow in "one-click" to disable all exchanges with Google services and that would enable them to reactivate, case by case if necessary?

Welcome to the forum,

A number of us on here share your concerns. There are ways to mitigate them. Please see the threads below for how.

First is a thread discussing this very topic (It's a bit long but its a good discussion and it highlights the difference between device security and data privacy):
'Plea to BB: Make a private phone'
https://forums.crackberry.com/blackb...phone-1161476/

And here are the solutions which a user can implement until BB does make their Android BB more private by default.

'Keyone De-Googled' (Works on all BB Android Devices)
https://forums.crackberry.com/blackb...esome-1114355/

'How-To: Netguard + Orbot' (This is important for connection control/monitoring and anonymous internet)
https://forums.crackberry.com/blackb...orbot-1134676/

'Disabling System Apps - XDA Method' (This is great for deleting/disabling system apps that collect telemetry)
https://forums.crackberry.com/blackb...ethod-1168996/

In my opinion which is based on open source information, BB10 and BB Android are the most secure devices on the market.

That is different than data privacy. Out of the box, BB Android is not very private compared to iOS or BB10 because Google is on by default.

However, as you'll learn in the threads I posted, BB Android very easily becomes the most private option because of the flexibility we have in the OS. We can install firewalls to monitor and control rogue connections and run Tor to keep our usage anonymous.

Those are two things iOS and BB10 can't do.

Cheers

[hitodev]

Thank you very much for your replies!
I'll take the time read all this :-)

[Emaderton3]

So are you talking about privacy or security?

[Invictus0]

However, as you'll learn in the threads I posted, BB Android very easily becomes the most private option because of the flexibility we have in the OS. We can install firewalls to monitor and control rogue connections and run Tor to keep our usage anonymous.

Those are two things iOS and BB10 can't do.

Cheers

You can use local firewalls on iOS via the VPN feature (like Privacy Pro), this is also how Android VPN's like NetGuard work. In theory, the same should be possible on BB10 but I don't think anyone has developed an app to do it yet.

The biggest issue with BB Android (and most Android devices) is you can de-Google them but you can't replace System WebView without root. It's based on Chromium and used to render certain apps, it's updated frequently on Google Play so you're opening yourself up to potential security risks and app incompatibility without updates.

[chetmanley]

You can use local firewalls on iOS via the VPN feature (like Privacy Pro), this is also how Android VPN's like NetGuard work. In theory, the same should be possible on BB10 but I don't think anyone has developed an app to do it yet.

The biggest issue with BB Android (and most Android devices) is you can de-Google them but you can't replace System WebView without root. It's based on Chromium and used to render certain apps, it's updated frequently on Google Play so you're opening yourself up to potential security risks and app incompatibility without updates.

Interesting, the last time I looked at Privacy Pro, it appeared to require their VPN servers to filter traffic which would be less than ideal.
They have a free version which allows for filtering individual connection attempts on device.

I have some questions however - it has an option to "encrypt DNS". But I can't yet find any documentation on what DNS it is using (theirs or ISP in Automatic mode). Edit: I found the Manual mode option to be able to assign any DNS.

Privacy Pro doesn't yet differentiate between applications like Netguard, so it's not possible to tell which app is causing a particular connection, nor is it possible to block the app at install by default in order to monitor connections at first start to block particular servers to prevent leaks.

Netguard also allows for routing connections through Tor, while Privacy Pro requires a paid subscription to use their VPN service - so not anonymous.

This is great news for the iOS community, regardless. Hope the app continues to evolve with more control and functionality.

As for WebView, it can be updated without issue via Google Play Emulators like Yalp and Aurora, or from sites like APKMirror.

[chetmanley]

Out of interests sake I've been experimenting further with Privacy Pro (Disconnect) for anyone who may be trying to make whatever iOS devices they might own more private.

I've proxied an iPad's connections through my Key2 with Netguard running so I can monitor all the connections being made by the iPad to compare what Disconnect is reporting against Netguard.

Here are my initial findings.

Encrypt DNS option: If enabled, a connection is made to cloudflare-dns.com/443 which signifies to me that the app is using Cloudflares DoH (1.1.1.1) This connection is not reported in Disconnect.

The Privacy Pro app itself calls home to disconnect.me anytime it is connected or disconnected. The disconnect is not recorded because the Recent Activity log is cleared when disconnected, but the connect is recorded. So it does appear to be reporting it's own connections when on.

Overall it appears to do a good job reporting connection attempts. I'm not sure what information it might be sending back to disconnect.me in terms of telemetry. Their privacy policy claims they do not keep user data. It appears to be possible to block this disconnect.me address based on what is reported in the Recent Activity log post connection.

Definitely a long way to go before it's as powerful as Netguard, but it's a good start in my opinion.

[Invictus0]

Interesting, the last time I looked at Privacy Pro, it appeared to require their VPN servers to filter traffic which would be less than ideal.
They have a free version which allows for filtering individual connection attempts on device.

I have some questions however - it has an option to "encrypt DNS". But I can't yet find any documentation on what DNS it is using (theirs or ISP). Netguard allows for the option to use any DNS.

Privacy Pro doesn't yet differentiate between applications like Netguard, so it's not possible to tell which app is causing a particular connection, nor is it possible to block the app at install by default in order to monitor connections at first start to block particular servers to prevent leaks.

According to their FAQ they don't route traffic through a server (I assume unless you enable the encrypt option),

We use Virtual Private Network (VPN) technology to set a configuration profile that prevents trackers and hackers from accessing your Internet activity. Unlike full-fledged VPNs this product does not slow down your Internet, route your traffic through our servers, or mask your IP address.

https://disconnect.me/help#how-does-...rk-is-it-a-vpn

On iOS I'm not sure Apple allows apps to see what else is installed on the device so that might be why there's no breakdown.

As for WebView, it can be updated without issue via Google Play Emulators like Yalp and Aurora, or from sites like APKMirror.

True but it's still a Google service that you can't get rid of without root. I suppose it's down to how much you trust Chromium for it to be an issue.

[chetmanley]

As far as I can tell, Webview is benign. It doesn't make connections on its own, and if it were to make rogue connections from within the apps that use it, that should also be apparent in Netguard.

In any case, I block Webview's internet access in Netguard and haven't had any issues. If it does connect to the net, it must be doing it via the apps which use it, so any connections through Webview must be concealed within that app's connections.

In addition, Exodus doesn't report any trackers and it's only two permissions are Internet and Access network state.

The alternative is Chrome, which I think is the default option when it's available (not disabled by user) - Rather sneaky of Google...

[Invictus0]

As far as I can tell, Webview is benign. It doesn't make connections on its own, and if it were to make rogue connections from within the apps that use it, that should also be apparent in Netguard.

In any case, I block Webview's internet access in Netguard and haven't had any issues. If it does connect to the net, it must be doing it via the apps which use it, so any connections through Webview must be concealed within that app's connections.

In addition, Exodus doesn't report any trackers and it's only two permissions are Internet and Access network state.

The alternative is Chrome, which I think is the default option when it's available (not disabled by user) - Rather sneaky of Google...

I don't believe any Google apps show trackers on Exodus. There are projects like ungoogled-chromium which remove Google dependencies from Chromium. I'm not sure what the extent of it is though.

For most users I think it would just be easier to get an iOS device if you want to cut down on Google's presence but you'll never get away from them completely.

[chetmanley]

I don't believe any Google apps show trackers on Exodus. There are projects like ungoogled-chromium which remove Google dependencies from Chromium. I'm not sure what the extent of it is though.

Do you know if ungoogled-chromium offers a Webview replacement, or is it just a stripped down version of Chrome Browser? I can't tell based on the documentation.

That got me looking at what Mozilla is working on. Looks like Geckoview will be their answer to Webview. Not sure if it will be something we can install and select as the default "webview" or not.

A number of Google apps do have tracker links which are shown through Exodus (Maps and Photos are two examples).

But some don't. A perfect example is Chrome. It doesn't have any traditional trackers which are detected by Exodus. But we know it is one of the primary data collection avenues for Google on Android. So unfortunately, we can't always go by whether or not an app has traditional trackers or not.

For most users I think it would just be easier to get an iOS device if you want to cut down on Google's presence but you'll never get away from them completely

If the user's only concern is Google, then getting an iOS device will help with that out of the box in terms of what the system is doing.

But as soon as they start installing apps (Google Maps, gmail, chrome, Adobe, Any travel site app Facebook etc), Google is back in the picture along with Facebook and countless others.

That Privacy Pro/Disconnect app is really promising. It appears to give at least some protection against trackers on iOS which is great.

If the user's concern goes beyond just Google, then iOS is too limited. There are no official Tor offerings which provide system wide protection. Tor Project describes this as an iOS limitation, and not just due to a lack of developer interest.

Combine that with the ability to root iOS and that at least one company advertises it's capability to bypass system locks on all versions of iOS to date... that would lead most users who are genuinely concerned about data privacy and device security back to BB Android in my opinion.

iOS may one day match Android in it's flexibility to provide privacy and maybe one day they'll actually build an OS that is secure, but I don't think it is yet. Couple that with the exuberant cost... I'll be sticking with BB Android personally.

[Invictus0]

Do you know if ungoogled-chromium offers a Webview replacement, or is it just a stripped down version of Chrome Browser? I can't tell based on the documentation.

That got me looking at what Mozilla is working on. Looks like Geckoview will be their answer to Webview. Not sure if it will be something we can install and select as the default "webview" or not.

A number of Google apps do have tracker links which are shown through Exodus (Maps and Photos are two examples).

But some don't. A perfect example is Chrome. It doesn't have any traditional trackers which are detected by Exodus. But we know it is one of the primary data collection avenues for Google on Android. So unfortunately, we can't always go by whether or not an app has traditional trackers or not.

Bromite is a WebView replacement, it looks like they recently added a method to install it without root but it comes with a couple of disclaimers so your mileage may vary.

https://github.com/bromite/bromite/w...-SystemWebView

Out of the box Android doesn't allow WebView replacement unless you root the device or flash a custom ROM.

If the user's only concern is Google, then getting an iOS device will help with that out of the box in terms of what the system is doing.

But as soon as they start installing apps (Google Maps, gmail, chrome, Adobe, Any travel site app Facebook etc), Google is back in the picture along with Facebook and countless others.

That Privacy Pro/Disconnect app is really promising. It appears to give at least some protection against trackers on iOS which is great.

If the user's concern goes beyond just Google, then iOS is too limited. There are no official Tor offerings which provide system wide protection. Tor Project describes this as an iOS limitation, and not just due to a lack of developer interest.

Combine that with the ability to root iOS and that at least one company advertises it's capability to bypass system locks on all versions of iOS to date... that would lead most users who are genuinely concerned about data privacy and device security back to BB Android in my opinion.

iOS may one day match Android in it's flexibility to provide privacy and maybe one day they'll actually build an OS that is secure, but I don't think it is yet. Couple that with the exuberant cost... I'll be sticking with BB Android personally.

Apps will always be the biggest risk to a users privacy on any platform. If you de-Google Android or flash a custom ROM and only stick to web apps and F-Droid I think it's fine. But if you still want access to major apps and use third party sources to get them then you're opening up your device to a lot of risks. Unless the developer provides the download or a file hash there's no way to verify the apk hasn't been changed.

[Emaderton3]

It's not all necessarily all Google either. A report recently came out about major Android apps taking your data even when permissions are all turned off.

[skinnymike1]

It's not all necessarily all Google either. A report recently came out about major Android apps taking your data even when permissions are all turned off.

Do you have a source for that? Interested in checking it out.

[Emaderton3]

Do you have a source for that? Interested in checking it out.

https://www.cnet.com/news/more-than-...y-permissions/

[skinnymike1]

Thank you! I couldn't find it when I searched.

[chetmanley]

Bromite is a WebView replacement, it looks like they recently added a method to install it without root but it comes with a couple of disclaimers so your mileage may vary.

https://github.com/bromite/bromite/w...-SystemWebView

Out of the box Android doesn't allow WebView replacement unless you root the device or flash a custom ROM.

Thanks for the link. Unfortunately Webview is stubborn, can't even disable it using ADB unlike all the other system apps on our phones.

Apps will always be the biggest risk to a users privacy on any platform. If you de-Google Android or flash a custom ROM and only stick to web apps and F-Droid I think it's fine. But if you still want access to major apps and use third party sources to get them then you're opening up your device to a lot of risks. Unless the developer provides the download or a file hash there's no way to verify the apk hasn't been changed.

Yalp and Aurora pull apps from Google. Sure, maybe there is a way to inject a bad app via these stores, but if the signatures don't match, then it wont install. So for example, if I try to update a system app via Yalp/Aurora, or even APK mirror for that matter, if the signatures don't match the original, then that could be a sign the app is fake or has been tampered with.

The risk comes if installing a non system app for the first time, then there's no signature to compare against, and therefore is important to be able to trust the source of the app.

[Invictus0]

Thanks for the link. Unfortunately Webview is stubborn, can't even disable it using ADB unlike all the other system apps on our phones.

Yeah unfortunately it's pretty deeply integrated.

Yalp and Aurora pull apps from Google. Sure, maybe there is a way to inject a bad app via these stores, but if the signatures don't match, then it wont install. So for example, if I try to update a system app via Yalp/Aurora, or even APK mirror for that matter, if the signatures don't match the original, then that could be a sign the app is fake or has been tampered with.

The risk comes if installing a non system app for the first time, then there's no signature to compare against, and therefore is important to be able to trust the source of the app.

Absolutely, it's all down to the first install. There's always a certain degree of risk when using a smartphone, it's just down to what every user deems acceptable.

I've personally cut down on a lot of Google services but resigned myself to using System WebView and the Play Store (assuming there isn't a mobile site or F-Droid alternative I can use in its place).