I agree with others, better open a "Tell HN" in this cases.
Herd mentality for sure.
a lot of this industry (in particular web and mobile technologies) survives thanks to systematic privacy violations. it's nice to keep the eyes wide open.
Best thing to do would have been to contact tech sites with the info. Like The register would definitely do an article about it.
I think "Tell HN:" is for such cases, but it's just not as popular.
Were you able to forcefully uninstall these via adb?
I think all HMD devices have those packages.
Most of such info leaks are hidden. I've already witnessed several OEM firmwares sending informations to many different parties. Too often, this is done through http, with payload encrypted. But it's always symmetrical encryption, and the encryption key can be computed from the fields in clear in the request. Such techniques are enough to stay under the radar of classic MITM, and require hard reverse engineering work to detect. I've noticed such behaviours on major Chinese OEMs, and white-label brands.
I never did actual reverse engineering on more western-ish brands, but the little I've seen doesn't look good. On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions, because this gives the right to give apps any permission), raises an advertisement company in Israel and a Telco in Singapore.
If you're worried about this situation (I do), I recommend you start lobbying about mandatory bootloader unlock, and easier OS replacement on smartphones. In this area, Nokia is amongst the worse, since AFAIK they still haven't authorized any bootloader unlock. Personally my work in this ecosystem is to make the Phh-Treble ROM, which is most likely the Android ROM with the largest hardware support (even though it requires the phone to be natively running Android 8 at least), and it is opensource.
Wait... what? Why is there such a permission in the first place?
Google Play and F-droid require it in order to update apps automatically.
Essentially, you give one app a permission to install other apps. Whether it notifies you or not, it's up to the app.
But even when simply installing, check the workflow that the play store currently have: When you click "install" in the play store, you don't really want interactions far in the future about it. So the apps' permissions are asked right away. Without this silent install permission, you would have a pop-up at the end of the download (which can be between few seconds after clicking "install" to several hours if you're unlucky and downloading a big app), asking you to confirm the installation.
Out of curiosity, what "advertisement" company would that be?
In the meantime, I recommend the following:
1. Remove any unnecessary packages through ADB (https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...)
2. Use Shelter (https://f-droid.org/en/packages/net.typeblog.shelter/)
3. Use a VPN-Firewall such as NetGuard (https://f-droid.org/en/packages/eu.faircode.netguard/) or NoRoot Firewall (https://play.google.com/store/apps/details?id=app.greyshirts...).
Google hoovers up all the data and tells their partners they can't do this too? The antitrust regulators would have a field day.
But bypassing these mechanisms is a decision they had to make. If they're just lazy or incompetent, these userspace apps should be sufficient as a mitigation.
Check this out for a more sophisticated way: https://privacyinternational.org/node/2732
Having said this, I never expected Nokia to be doing that, too. Both Nokia and HMD are Finnish, do they really need to outsource the creation of the ROM?!
OEMs still make changes to it, and it still seems dependent on carriers pushing through the changes - despite buying a SIM free phone, I waited 2 months longer for updates, which seemed to be the case with everyone on the same network in the UK.
It's far from bug free, with a few updates in the last few months introducing new bugs. Again, it shows that this isn't an update coming directly from Google, it is at least in some part developed and tweaked by OEMs. In this particular case, the process showed that HMD/Nokia is severely lacking in development and QA expertise, as there have been ongoing issues for months with no fix.
They also introduced their own battery optimisation software a few months ago, which massively changed how the phone handled multitasking and background applications (effectively, it killed them all). And then this news that they're sending unencrypted identifiable information to a third party? These things shouldn't be possible if Android One did what it claimed.
I avoid OEMs like Samsung because of all the bloat and junk that they add on top of Android, but Android One is clearly not a solution to that. I would still prefer it in theory in the alternatives, but I'll do more research next time - if a company doesn't have a proven track record, then Android One isn't going to solve that.
One minor point - Nokia the company isn't involved in the Nokia Android phones. HMD is just a small company that licenses the brand. Admittedly, a small company that was founded by ex-Nokia folk and based across the road from Nokia's HQ, but it's evidently not a company with Nokia's resources or much of their expertise.
After installing the security updates, WiFi only works once after a reboot, the moment you disable it, you have to either sludge forward with modem speeds on 2.4GHz-band or none at all if you are on 5GHz-band. Since these problems manifested after installing the security updates, it's slowly starting to point towards a driver/firmware issue instead of a hardware problem as some have speculated.
Some fixes for this are "phantom SIM", resetting WiFi settings or booting into safe mode. Only common thing with these "fixes" is the reboot; so far it is the only thing that will fix the WiFi but turn it off once and you're boned. Similar issues are noticeable with the WiFi AP: first try after boot works just fine, next one you have to try to force 2.4GHz-band on the AP along with 5GHz, causing the AP to "soft reboot". After this, you are very likely in need of a reboot as the AP will no show up.
After this breach of privacy and data security, along with the WiFi issues, I'm slowly starting to lean towards filing a complaint to either HMD or the local customer protection agency here.
Worst of all, the support forum topics I've checked somewhat regularly on have no official replies from HMD or Nokia, only second-hand information from people who have been in touch with support.
I know some of those people (in Finland) who worked in these outsourcing companies, but they just worked on the more high level components like Android apps etc. Not with bootloaders or OS images.
That said I've not noticed anything obviously suspicious when I use a firewall to monitor it. I only did it as a test so I might have missed something. Also I'm in the UK, if that makes a difference.
I wonder if it's only specific country builds that display this behaviour?
Here's pm list: https://pastebin.com/HjQED9fr (I installed few applications myself)
I installed NoRoot Firewall as suggested in another comment here. So far NoRoot Firewall has not detected any activity from anything unusual running in the background (either idle, screen-on, or charging).
What was weird though was that if I open the Nokia camera app, it tries to talk to edge-star-shv-01-lhr-facebook.com, edge-star-mini-shv-01-sof1.facebook.com & edge-star-shv-01-sof1.facebook.com. I believe this is due to the facebook live-broadcasting feature built into the Nokia camera app, although I have not got it logged in so not sure why it is phoning home just when I open the app.
I'll keep running foir a few more days (I cant use my usual VPN at the same time as NoRoot Firewall so dont want to run indefinitely) and udpate if anything else happens.
In other words - a non-story or at most a story about quality issues at the reborn Nokia.
But luckily the URL pointed to China ... so we can make the story about that ... with a big red communist flag, talk about mass surveilliance, human rights, future invasions and so on ...
I don't really think this is because of racism; I mostly just think it is because we are idiots that prefer big hyperboles rather than simple explanations of non-issues.
On the off chance that you're a native Chinese speaker, are you able to figure out what the purpose of device self-registration is? My Chinese is unfortunately not good enough to easily find information on it.
Adding to that the fact that I don't receive system updates anymore, I have absolutely no trust in my phone. My next phone will be an iPhone, for the lack of better alternative.
I don't have a previous experience so my reasoning was "well it's Samsung, at worst they'll have some shitty branded apps and some cruft". But I don't have an idea what these dozens of preinstalled apps running on my phone doing. Almost none of them can be uninstalled and only a handful can be disabled.
It is kind of scary to use a banking app on this thing. Never felt this way on an iPhone. I wanted to see the Android side after years of iPhone use, apparently it is still shit.
You can find implementations by Qualcomm and Mediatek on GitHub, the Mediatek one even comes with a minimal README [2]. That seems to indicate that it's gated by a feature flag "MTK_CT4GREG_APP" and is only supposed to be active when explicitly selected while the phone is in developer mode. That makes it likely that sending the data was only due to a misconfiguration.
Considering the long list of manufacturers starting at page 10 of [1], it's also possible that others are leaking data in the same way.
[1] https://wenku.baidu.com/view/c2eaa9fc5022aaea998f0f7f.html
[2] https://github.com/griffins-testing-ground/android_vendor_mt...
I assume the android implementation was done in China, then many requirements are related with "补贴", it is just part of them to submit some data to zzhc.vnet.cn. But didn't get deleted when they are making EU variants.
My understanding now is that some 4G deployments are subsidized, and to correctly compute the amounts to be paid, China Telecom needs to collect more data than is usually available, so they came up with the idea of sending the data to zzhc.vnet.cn.
Still pretty hacky, but it kind of makes sense from a perspective of doing the minimum necessary to fulfill the requirements.
Though that doesn't explain why CT wants that data.
江苏某项目采用CAT1模块做模块补贴,补贴中自注册失败,后经排查发现如下在补贴自注册中的几个共性问题:1、终端客户采购模块与模块厂家到广研送检模块和软件版本不一致;2、补贴受理中,如果是定向的,需要增加自注册的IP地址zzhc.vnet.cn IP:42.99.2.15;3、补贴受理时需开通4G功能。
If you have been following the Nokia's Android phone, you will know they have always been launching new phones in China first before making slight update or shipping exactly the same one to International Market. So it could happen this is part of the logistics and Supply Chain mistep. I am giving Nokia the benefits of doubt here. Since HMD do have many original Nokia employees, it could be an oversight.
The NSA works with US companies to secure their systems from espionage.
Shouldn't the NSA be analyzing consumer electronics to make sure they don't spy on US citizens, some of which will have sensitive information or trade secrets on their phones?
[1] https://www.wired.com/2013/10/nsa-hacked-yahoo-google-cables...
Aren't those companies tryig to get all the information they can about us?
Perhaps they don't want to be "secured" because it costs money to do so.
Seems to support the US paranoia about Chinese gear and if proven as known evil, doesn't help huawei's 5g aspirations...
When you consider the progress China has made over the last 50 years from the perspective of a typical Chinese citizen, you can see why they make that bargain.
I have been living there for a while and Chinese people can talk about it as freely as elsewhere and most of the people I know are very aware of it.
The opinions about tracking/surveillance are not the same than in the west though and it is much more accepted here. In my social circle, a large majority of Chinese people would prefer security over privacy or just don't really care.
Hard to believe for a westerner like me, but people are happy about it so far.
Personally for me Google is an opposite of privacy.
https://android.stackexchange.com/questions/191883/
https://github.com/bcyj/android_tools_leeco_msm8996/blob/mas...
This has now been fixed and almost any device affected by this error has now installed the update. HMD Global takes the safety and privacy of our customers seriously.
I've just installed it on my 6.1 Plus. Nothing sus yet but it's only been 5 minutes.
For example, many apps, especially messenger and social network apps secretly or openly export contact lists from devices. Not only this is highly unethical, it might be a violation under GDPR because the information in the contact list is personal information and you must obtain the permission of that person for transferring the data abroad, not only the permission of the phone owner.
Almost every mobile app collects IMEI, a hardware identifier that allows governments and mobile companies to track the precise location of your phone. While such data are highly sensitive, they collect it without any second thought. Even a simple keyboard app was collecting all the data it could grab [2].
I can remember how Google was collecting WiFi data, without permission from access point owners. It was also collecting the traffic sent over WiFi [1].
It seems like the companies in every country have similar interests for users' data.
Also, I have a noname Chinese phone and when I examined its traffic with Wireshark, it was attempting to send data with IMEI to Chinese servers (luckily I had no SIM card inserted so it couldn't get a phone number). It was sending data to Google servers as well, but sadly they were encrypted with SSL and even installing a self-signed root certificate on the device didn't help to decode the contents.
So I think there should be better regulation of data collection. The general rule ("not a single byte" rule) should be that no data can be sent anywhere without explicit user's consent (not a phrase somewhere in the EULA). Also I think the manufacturers should put large warnings on the boxes, like the ones on the cigarette packs, like "This device sends all your private data to country X", "This IoT device will spy on you 24 hours a day", "This device uses a cloud in country Y", etc. So that the consumers better know who will spy on them.
[1] https://www.wired.com/2012/05/google-wifi-fcc-investigation/
[2] https://www.zdnet.com/article/popular-virtual-keyboard-leaks...
Edit: I am not disputing the "One China Principle". The fact remains that Taiwan is self-governed.
The real reason is that 5G is not secure by design, just like 4G and 3G and GSM before. But the NSA wants to have the keys only for themselves.
