Does Google Spy on Android Custom ROMs?
Вставка
- Опубліковано 2 сер 2024
- Can Google spy on Custom ROMs like LineageOS & CalyxOS? If so, is it on the software level the hardware level, or something else. Tune in to see if degoogling your android device truly degoogles it.
This video is sponsored by Privacy.com. Protect your financial identity online using virtual cards and get $5 off your first purchase: privacy.com/techlore
Resources:
Our Android Privacy & Security Guide: • The Complete Android P...
How to properly threat model guide: • How to PROPERLY threat...
Fun Research to dig into (This is always expanding and not completed): github.com/henryistaken/priva...
How to degoogle ROMs Guide (Keep in mind it's from 2019 and may be outdated! Proceed with caution!): / how_to_degoogle_lineag...
🔐 Our Website: techlore.tech
🕵 Go Incognito Course - to learn about privacy: techlore.tech/goincognito
🏫 Techlore Coaching - to get direct support: techlore.tech/coaching
💻 Techlore Forum - to connect with other advocates: discuss.techlore.tech
🦣 Mastodon - to stay updated: social.lol/@techlore
We cannot provide our content without our Patrons, huge thanks to:
BRIGHTSIDE, Clark, Ente, Larry, Afonso, Boori, Brad, Casper, Cookie, Floyd, JohnnyO, kevin, love your content, NotSure, Poaclu, x
🧡 Join them on Patreon: / techlore
💚 To see our production gear, privacy tools we use, and other affiliates: techlore.tech/affiliates
💖 All Techlore Support Methods: techlore.tech/support
00:00 Introduction
00:17 Our Sponsor!
00:37 Context & Important Details
01:29 1 - Necessary Terminology
02:15 2 - AOSP Spying?!
04:35 3 - Google Play Services Spying?!
06:24 4 - Hardware Spying?!
08:49 5 - Other Forms of Spying?!
11:06 So what DOES Google do?
12:06 Our Sponsor!
12:39 Very important addendums!
14:50 Final Thoughts
#google #android #privacy - Наука та технологія
Thanks for watching everyone! This video is sponsored by Privacy.com. Protect your financial identity online using virtual cards and get $5 off your first purchase: privacy.com/techlore
> *Resources:*
Our Android Privacy & Security Guide: ua-cam.com/video/dMWEym0KPcA/v-deo.html
How to properly threat model guide: ua-cam.com/video/DHZRhboZhfI/v-deo.html
Fun Research to dig into (This is always expanding and not completed): github.com/henryistaken/privacyresources#mobile-1
How to 'degoogle' ROMs Guide (Keep in mind it's from 2019 and may be outdated! Proceed with caution!): www.reddit.com/r/degoogle/comments/cldohl/how_to_degoogle_lineageos_in_2019/
Good video otherwise, but you didn't mention a huge way in which Google tracks users. Firebase analytics (developed by google, proven to track users) comes bundled with most android apps, even open source ones like Firefox or Lichess.
This channel is excellent in making high quality videos without over-producing. They don't use fancy intro, outro, extreme editing, etc. Even the video format is simple, the guy just talks to the camera mostly. Yet, in the information realm there's extreme thought and very good research and organization, which makes the end result amazing yet efficient to make. Good job you guys!
GCP Firebase is a toolkit from Google that let your web / mobile development so smooth. I'm surprised it was not mentioned in this video as it probably plays a HUGE role in their data collection schema
Hmm, I would've liked to see you talk much more about DNS, WebView, Captive Portal, SUPL etc. Even if its main purpose (like you said) is probably not to gather valuable user data. But still these are ways in which google receives user data (even from supposedly "degoogled" phones). From my understanding, "degoogling" means more than just flashing a custom ROM w/o GApps and changing the browser search. As I think there are quite some people in the privacy bubble, that may not even be aware of that. So if you have the chance, maybe interview a privacy researcher and do a follow up. Thank you!
Quad9
I thought this video was about just that but he only scratched the surface
I learn so much from this channel. Super informative, clear and concise. Techlore is top tier quality content
Great video concept! This channel is sooooo valuable.
Inspired by your channel, about 4 months ago I bought a pixel 4a and installed GraphenenOS. It's been a great experiene. The installation went fairly smoothly and daily use has been better! One thing that I really like is really a by-product. Some of my apps no longer give push notifications. At first it annoyed me. But now I love it. I realised that the majority of notifications I previously thought essential aren't. Less picking upand staring at a screen. FAR less non essential apps on my phone too. All the essential services I need are supported. Often using FOSS alternatives. Thanks for the inspiration. Forever de-googled and loving it. I'm eagerly awaiting your Nextcloud series. Great channel.
.
Aged like milk
@@Getyourwishh In what way?
@@MrBrockHeinz Techlore no longer uses cutsom roms for his daily use
@@Getyourwishh do you worship him like a god?
This was solid info. Thanks Henry.
Great! very valuable your information here, I had a brief experience with LineageOs 19.1 in my POCO F1, and soon after seeing that GApps is a choice to analyze well, recently encouraged by the /e/Os Project and I couldn't help but invest a little I took the time to test it and I realized from the beginning the depth of the focus on security and privacy. But... I have to agree with you that even in the face of this focus, in order to achieve the maximum that all these projects suggest, it depends a lot on each user, because we are part of it, it is necessary to follow certain precautions that are the responsibility of each user. . Thank you very much for your cooperation and your brilliant clarifications.
This is a very good and clear analysis. Thank You.
FYI, private DNS in network settings are set to default (Google: 8.8.8.8 / 8.8.4.4) on almost every custom ROM
What would you recommend?
That's hilarious.
Can't wait to get my Pixel in the mail and drop Calyx on it. Thank you for all the information you seek out and make easy for us to understand!
Is calyx better than graphene and why?
@@henrysosa8565 Hell no. There's a detailed article on Privacy Guides why you should be using GrapheneOS and not Techlore advertised CalyxOS
Well made points, thx a lot! Can u pls compare Graphene with the /e ROM?
Great video thanks excellent points. Re: Reputation, I think we have reached a saturation point where the number of people who care enough to base a purchase of a product on privacy is so low. I.e. spying and collection of data is expected. That all Google would need do if "caught in the act" of collection of data via AOSP or any other means (outside Gservices) would easily be brushed aside by siting "improved user experience". Only those watching videos like this one care sadly. We are very few and do not have the power to stop them at this time in history.
One trend I've noticed is Google (following Apple) are making it harder for 3rd party tracking. Why? Because limits on 3rd party tracking give an advantage to 1st party tracking. Granted Google is also trying to make 1st party tracking more private well continuing to advertise whether their plans to achieve that goal actually works or not is another story.
Thanks for the video!
Best vid you've made that I've seen.
What is the alternative for play services? does micro g works? isn't that open source? also, Loved the channel and subscribed❤️
Regarding the app store, a lot of people do just fine with Huawei's app galery, its not an insignificant number. Also, in China phones dont come with play services
great video!
With respect to hardware spying in minute 8:31. Anyone using GrapheneOS is using a Pixel by default these days. And many of us are not using Google Play Services. So, we are out there - don't know how many we are.
Speaking of degoogled phones and MICRO G,
element secure messenger (matrix client) notifications don't come through very reliably ):
so I have to have fluffychat (matrix client) to get my notifications better ): suppose it just makes it nice matrix has multiple client apps
It's funny that a lot of people are concerned about these privacy issues but then proceeds to posting on social media about what they're doing, installing dumb apps ( facebook, tiktok etc etc )
Hey so would an iPhone or Android be more privacy friendly? I would say I’m quite techy so I can definitely do hardening.
Google will still track you using apps using some sort of Android development APIs, as well as those who have ads in them (mostly are Double Click which is a Google product)
Just use VPN bruh
What about via BLE - Amazon and Apple already using it
One of the big things missing here are the phone makers (Hauwei springs to mind) that don't or can't use Google Play Services. I don't think this changes much - especially given that a lot of users are going to be installing/sideloading google apps anyway but I think these people probably make up the majority of people without Google Play Services, not people with custom ROMs and no Google Play Services.
Here in Portugal I actually see people going the otger way around and removing everything google to install huawei services, besides those who buy huawei to begin with, of course
@@fgsaramago I rather let google spy on me than the ccp.
Not trying to plug but the latest releases of GrapheneOS has Sandboxed Google Play so you can actually use GApps including Play Store in a sandbox. This allows you to actually use Google minus the spying, which some people prefer over installing dubious third party services that try to emulate Google Store/Services but don't actually come close to the real thing.
what is the other channel? I see you and Braxman mentioning the same stuff, however I can't find those people.
Thank you as always for communicating such important topics! :)
I don't like Braxman.
Yeah I saw that from Braxman as well. For a moment I thought it could have been Techlore or New Oil trashtalking but they have more class than this.
@@canabitter agreed
Can make a video on Intel ME?
My Calyx OS no longer connects to wifi. Still trying to figure it out.
can you explain what wickr shredder does?
Have you tried BraX2 privacy phone using BraxOS?
The radio software is the most likely location of any backdoor.
Is there any workaround?
@@henrysosa8565 None that I know of.
@@RockawayCCW thank you
@@RockawayCCWnot to mention he says Wireshark could be used to detect the traffic, however, he doesn't know about the very realistic possibility that Google and other big tech companies in cooperation with intelligence agencies have developed a secret protocol for undetected network communication.
I am about to migrate my custom domain emails to protonmail, in part thanks to you!!
why are you going to do that?
@@aa-vb9tj ProtonMail is supposedly very secure and private
You just answred my question about the new google chips . thanks
Is using ORBOT TOR GOOD
I'm using AOSP
This is interesting to me, consider that I will buy Google Pixel eventually and then flash custom ROMs.
@TimBo So odd. I am using a Galaxy A12, and the fingerprint sensor works just as well (if not better than) as my old S8 did. Is it having trouble detecting touch input? Or do you suspect it's not registering your fingerprint accurately at all?
@TimBo should I wait for the Pixel 7 or do you mean to steer clear from Google phones altogether?
@TimBo is it okay to use fingerprint sensor if our aim is privacy?
7:24 what about when the Government (ik the video is focused on Google) has physical possession of your phone. Couldn't hardware backdoors become a real problem then?
Halium runs reasonably well on my Pixel1. Debian and Manjaro have much better userlands than Android. Still, it sucks to be stuck with the ancient kernel.
too much echo in the audio. Great content though!
My biggest concern about tracking is - if vendors like xiaomi, samsung etc can spy on me through blobs and other system resources like kernel. If I'm gonna build my own custom rom from aosp source code plus blobs and kernel gotten from my device, could it spying?
lol, the problem is Google is at the protocol level. Phones are network devices so is anti-private by definition. The device has to identify uniquely to the network to work. Minimal disclosure is the best that can be done.
how does the device uniquely identify to the network? can it be spoofed?
@@aa-vb9tj not really the keys are bigger than the network - the keys ARE finite so in principle they can be spoofed BUT it is multiple keys, each needing a diffrent spoof :( & it is dynamic. a phone has a SIM which identifies it to the carrier {phone number & accounting} the SIM binds the MAC to counter phone jacking fraud. Then you have as many softkeys as apps in the OSs' - it is also incidental as routing data must be :) resolvable it is the nature of a phone:
You play wackamole with metadata
Calyx os user here without Google. It's running just fine and with UA-cam capability too because of signature spoofing and microg.
Wait, so Android really ís fully open source?
I was under the impression that there's a small piece that's not. Supposedly dealing with low level system stuff.
The base OS is, but you have to have hardware to run it. And that hardware's drivers often aren't open source(looking at you, Qualcomm...)
@@Acorn_Anomaly what's the problem with qualcomm?
@@aa-vb9tj it, like most CPUs, have closed source backdoors in the processors that have top-level access. In other words, they can inject code regardless of the operating system.
@@trollerjakthetrollinggod-e7761 like most cpus? which ones are actually safe?
Can't wait for virtual cards to be available in the EU. Good debunking!
Africa too. But it will be years before it gets here.
what is a virtual card?
@@aa-vb9tj It's been a while, but I think they talk about virtual credit cards in this video. Only having access to a couple cards with my real name on them is a huge drag for privacy in my case - PaySafeCard is our only prepaid option here, and it's not widely supported online.
@@Slugbunny the governments of the world have worked to get rid of all privacy citizens can have. Privacy is one of the big reasons I am excited about Cryptocurrency.
@@aa-vb9tj At least cash is still private, and that's government-issue. Monero is promoted by Techlore, and it seems truly private. I'd like to use it for online purchases for sure.
I call them the G Men for well-founded reasons
… but then I’m an old cypherpunk and DoD {no more} security contractor. They dictate parameters of compilers to limit others and leave cracks for themselves. Basic spyware on state level.
Just a comment to boost the video
the problem that some companies making it hard to unlock the bootloader and root your phone to install custom rom
It's for your protection if you install a custom ROM it will make your phone less secure and most importantly we won't be able to spy on you
@@DraXaly indeed if you install custom rom they wont be able to spy on users but isn't the customer purchased the device so they own it? so if you want to change something in anything you own , the company haven't any right to stop you?
@@senpaiiiiiiiiiiiii950 In theory they should not
Within Googles extensive database and AI integration can generally pinpoint you as an individual by your habits, hardware or profile building by the 3rd to 5th website visited. The best thing offered against google is Disinformation rather than no information or an alternative with better policies and practices.. Pardon my intrusion, but I thought it was one thing to not send data, but was another to prevent data collection. Even if an unknown machine, from the first web query, your profile begins.
I havnt watched yet but I'm on calyxos on a pixel and it says google and "your device is running a custom ROM" so clearly they have some sort of presence
So google knows you have a phone with a custom rom, that's scary. Did you log into any google apps on it?
This is just the phone being aware it's flashing something not signed by Google. Not rocket science. Basic DDG search away:
- github.com/AndroidHardeningArchive/legacy_bugtracker/issues/265
- www.reddit.com/r/GrapheneOS/comments/imd6dr/your_device_is_loading_a_different_operating/
Stock android is signed with a key. If something isn't signed with the same key, you get the warning. There is no "presence" outside verified boot checking the signing keys.
@@levelup1279 I got youtube vanced. I'm not taking it 100% seriously though. Feels pointless and worth saving my time/focus/energy for other stuff. If I ever do something illegal I will use tails lol
He has never heard of Intels management engine on all x86 CPUs or ring negative 1.
I got one question, where is your mic for these videos, so no echo happens and so there's higher quality sound
did you go to UH???
What about the default Android System Webview from LineageOS?
Refer to the "degoogle" guide referenced in the video, linked in the description, and the pinned comment. It's directly addressed.
@@techlore Nice, thanks
maybe they do it like like AMD and Intel
yes or no?
Yes, if you install gapps
Otherwise no
Check if your "degoogled"Rom does not have a Backdoor/spyware...but if you wanna get rid off it install linux on your Smartphone...
Can Linux be installed on any android phone?
❤
Replicant os
15:29 or you just say "yeah, well, that's just like, your opinion man.
What about the sim card? Not sure which video say that chip can do more functions. Like those SD card.
Doesn't Intel and amd spy on their chips already? Do they upload it?
hardware spying not reasonable , but intel can do it (remote access anytime) ;)
so if everybody can do wireshark analysis.. why didnt you do it?
Do you now understand why I call it ironic to degoogle your phone and then use a Google account to login on a Google service? You end up with a phone that still collects data for Google. 😉
A re-googled phone😄
Uhm but a custom ROM with Gapps cant even be considered as degoogled
No mention of GrapheneOS? Unsubing TechLore. Adios...
I got a cheap old 20 dollar smart fone. After watchin a bunch on here, first thing I did was disable google play store and FB. And youtube and a bunch others. Run duckduckgo search and browser, f-droid, newpipe, and session. I have Linux at home. Thumbs up as always.
The best way is to not use a phone 👍
the hardware angle, impossible.. uhm low power bluetooth anyone??????
Sure. What's it talking to?
Web RTC or RTT
That's what a google employee would say
- 3:52 Chromium is also open-source and look what Google did to that. 🙄 Being open-source doesn't mean good, it can be open-source and still have lots of garbage in it. Open-source isn't a panacea, somebody still has to step up and fix it.
- 5:40 Yeah, just look at all the placebo privacy settings in Windows 10. 😒
- 6:45 Ugh, I practically wrote a novella on why back-doors make no sense on a recent SomeOrdinaryGamers video.
- 7:00 Analogy: China and North Korea have a lot "security" and zero privacy. In fact, not only are privacy and security not the same thing, even security doesn't mean security. I could lock you in a cell to secure myself from you, but that doesn't make you secure. "Security" in China and North Korea protect the government from the people, not the people from the government.
- 7:20 That's another factor of all the telemetry from these selfish companies stealing your data uses bandwidth and if you have data caps, you end up wasting your bandwidth and possibly even paying overage fees. And don't think telemetry is minimal, check your phone and computer and you'll be surprised how much data it sends when it "phones home". An iPhone is _constantly_ phoning-home, all day long. A couple of weeks ago, Louis Rossmann did a video ("The fight for your car's data; is it yours or is it the auto manufacturer's?") about cars sending data to the manufacturer and they can apparently send *_25GB_* per month!!! 😲 WTAF‽ Don't forget that this is wireless data, so you have to pay for a wireless service with at least 25GB of data per month just for the car to send your data to the manufacturer for THEIR benefit and you get NOTHING! 😠
- 7:50 Sure, it would be a massive scandal. So what? 🤷 How many times have we seen big corporations get slammed with massive scandals and survive? How many actually went down? 🤨 Remember Cambridge-Analytica? Remember 533,000,000 users' data leaked? Yet Facebook still exists (unfortunately). Getting caught doing bad stuff means nothing anymore, at least not if you've reached critical-mass. These days, corporation (especially Big Tech) specifically budget for fines because the fines are always too low to make a dent. They can get hit with a $20,000,000 fine and make that back in minutes. They embrace the adage "better to ask for forgiveness than for permission". 😠
- 8:25 Sure, anyone can discover what they're doing and expose them. But again, _so what?_ What's anybody going to do about it? Nobody is going to stop using their stuff, especially when there's a monopoly. People won't even boycott or "vote with their wallets" on inane stuff like movies and video-games; they'll complain that something is awful before it comes out, pay for it, then complain again after. 🤦 Let alone stuff like phones and web services. They can do whatever bad stuff they want with absolute impunity.
- 8:40 You're definitely committing some sort of fallacy by arguing that it doesn't (currently) make sense since there's too little benefit for them. Maybe by doing it like that, they're laying the foundation for something bigger and worse that affects more people later. Maybe they're grooming people to get used to having no privacy. Maybe they're targeting the few people who resist their invasion to remove any remaining resistance to an outright takeover. Maybe something I can't even think of. 🤷 You being unable to think of a reason is not proof that it can't be true.
And it doesn't have to benefit them _now._ Why do you think Microsoft has been so pushy about TPM for the past 20 years? They say it's for "security", but it's really just for DRM to lock the system down to take away all control form the user and give it all to Microsoft. They even tried rolling out Windows S editions which couldn't run programs _only_ from the Windows Store, not third-party programs, trying to make a walled-garden like Apple, but it failed. Now, with Windows 11, they finally made TPMs mandatory, so don't be surprised if Windows 11 becomes dystopian.
- 9:18 Conspiracy-theorists always ignore the fact that if their theory were true, it would require ALL of the countless people that are "in on it" to reliably keep the secrets and not one of them leak it for any reason, not for money, not for attention, not for revenge after being fired or whatever. That's an even bigger accomplishment that the thing itself. 🙄
- 9:28 Like the whole microchip in the shot thing. Even if it were possible to transplant an actually-usable microchip, to what end? Most people already carry around a phone that contains all their data and tracks their location to a disturbingly accurate level, so what would a microchip you'd have to get within an inch to read and have just an ID number be good for? 🤨
- 10:15 The UA-cam app is useless. Just watch the videos in Brave (it's the only browser that's actually able to block ads, so ostensibly that means the other browsers that can't-even with an ad-blocker addon-are probably not very private or secure in other ways as well 🤔).
- 15:25 I don't have any F's left to give, I already used them all up and am in F-debt at this point, I owe so many F's.
I disagree on the hardware level. And the AOSP. Since you can put in easily exploits in opensource code. Don't tell me log4j was a acident. Also when it comes to the hardware level it can also be a prism thing in where the feds force the company to put in shit. Just like with AMD psp or Intel ME.
I mean intel ME and AMD PSP are enterprise features (I.e remote management by the IT department) that are (mostly) disabled on consumer chips. Accessing intel ME/AMD PSP, even when enabled, can only be accessed via the local network. Exploiting hardware backdoors is extremely non-trivial today and usually requires physical/near-by access anyway, in which case you're fucked regardless.
@@dankmemer3453 damn right. It's extremely difficult. It can only be used for a targeted person. Not in a group of people
@Imran A Of course, its impossible to know exactly what proprietary software does. Nevertheless, we do have some insight on how this remote management stuff works. We know it requires certain network interfaces for the network stack to work, for example. I'm all for open source hardware and software and try to use non-proprietary stuff whenever I can, but I also hate when people spread paranoia on stuff that doesn't matter too much: we have much more to fear from the proprietary software we run on our systems everyday, whether it be a browser or a driver.
absolutely rubbish
Censorship of risk of your affiliate. My comment keeps instantly disapearing! I'll try one more time.....
Here goes:
Dude, please inform us of the risks when you advertise!
"
We Share Personal Data Under Controlled Circumstances:
With third parties, within the United States and in other countries, who may access data about you to perform functions on our behalf;
With financial institutions, processors, payment card associations and other entities that are involved in the payment process;
With *government and law enforcement where reasonably necessary to comply with applicable law, regulation, legal process, governmental request;*
With others where reasonably necessary to protect the security or integrity of our Services or user safety;
In Connection with, or *during the negotiation of, ANY merger, sale of company stock or assets, financing, acquisition, divestiture or dissolution of all or a portion of our business;*
With your consent."
Well, my joyous first reply was deleted but seems comment posted. Someone reply so I know I'm not in the shadows
Pryvusee daught calm is not private. Don't use it. Written weird so it may not be instantly "curated"
Lmao at this point, y'all should just get iPhones. Pretty damn simple solution.
I'm not exactly sure what was the point you were trying to make however, the analysis was very superficial, quite naive I should add - sorry. Any Android system with an associated registered Google account, Google Play Services, Google Play Store, Maps, arguably even Android System WebView, is definitely privacy compromised.
As for hardware, you haven't mentioned anything about BT BLE, WiFi scanning, nearby device scanning, WiFi multicast, WiFi triangulation, cell and GPS location tracking, camera and microphone - which could very easily be forced on without user's consent. I didn't even touch on Google's new chip proprietary architecture, which is another privacy mess in itself.
Coming back to software, Google Play Services is undoubtedly the weakest link, the absolute privacy killer - hence the development of microG which is not a perfect solution, it has its own privacy holes since it needs to emulate the very gms and gsf services for a Google registered account to properly work. In other words, even custom ROMs have lots of privacy cracks, although admittedly far less than a regular Android system, which is no less than a sofisticated spying tool with a nice user's interface and a phone.
You should probably also add that the newer the Android version, the system's security arguably gets better, BUT the user's privacy gets trampled to a point where it eventually becomes a thing of the past. With that being said, unless you're forced to use say, Android 11 or 12 because you just got a new phone, don't buy the "upgrading" hype just because it's trendy. Think twice before updating the OS because it's irreversible.
the hardware spying comments are absolutely false. the bootloader of the phone could initialize part of the board for active data communications while having android being completely oblivious that the chips or part of chip even exists. the ONLY way to test it is a signal analyzer for whatever freq the tower u connect to is and also being able to decipher what it is, which is next to impossible. its the perfect spy vector. Intel does this with ME but it isnt nearly as bad a threat as an android phone because the bios ecosystem is standardized with x86, ARM is a whole different breed. 99% are locked bootloaders, require signed binaries for updates, you can't flash custom roms, and i dont think the bootloaders for AOSP roms are even open source, so it pretty much nullifies any relevancy for spying protection if it is at the hardware level.
You' re talking about degoogle android devices on a google platform such UA-cam 😂
Lol not surprised he didn't mentioned GrapheneOS
Someone is clearly salty from the previous conflict.
More-so because we're threatened to be sued any time *certain ROMs* are mentioned.
@@techlore That's a real shame.
if that's the case, you're in quite the bind in terms of reporting on their process.
@Imran A gotta start some where
@Sodium Chloride Is there a common factor between the two?
You are making the mistake of thinking managers only do what is best for the company. As a veteran of the tech industry for 45 years I can tell you this is false. Of course there are those who things to enrich themselve but I have also seen decisions made for political and religious reasons.