> You're mentioning security, which is interesting, because here it's not a question of security
I mention security because, by running blobs (sometimes entire OSes) in TrustZone EL3 / Hypervisor EL2 rings, OEMs / ODMs can pretty much do anything they want, including connecting to WiFi / LTE networks to phone home, analyse contents of the RAM, scan UFS / eMMC, track inputs / keys, and what-not; all without Android (Kernel EL1 + Userspace EL0) ever knowing anything about it.
> It's also fun that you mention Google doing security around Android... because the vast majority of people do send their private data to Google!
Agree. One good thing about Google tightening up Android APIs (and CCD certifications) in the name of security (and compatibility) is it only leaves Google with the keys to snoop on users. Careful "De-googling" of the ROM can take one a long way, indeed.
> My personal take is that if we want to control who we send our data to, we need to start from the easy steps: ...
And install the Rethink Firewall (network monitor) while you're at it, phh (: