
Disguised user location data collection on Huawei phone? - seapunk
https://threader.app/thread/1051204370543648770
======
mabbo
I know I sound like a broken record on Huawei posts (too many friends' parents
lost their jobs over it) but it's worth pointing out that Huawei has an
(alleged) record relating to stealing information for their own gain, i.e. they
stole a lot of IP from Nortel in the 90s[0], possibly others. Then they
competed in the same market with a fraction of the R&D budget and buried
Nortel.

Don't think about this in terms of just governments tracking you. Consider if
you have any work emails containing company secrets in them. Consider if you
have 2FA apps installed that you would use to unlock or change your work
password. And since it was almost certainly the Chinese Intel/Military that
helps Huawei and other companies, you can be sure that whatever information
Huawei gets access to doesn't need to just help _them_ out, but might help any
other company the Chinese government wants to see succeed.

Google and Apple might use your data to better target ads against you. That's
terrible, but doesn't seem so bad in comparison.

[0] [https://www.cbc.ca/news/politics/former-nortel-exec-warns-against-working-with-huawei-1.1137006](https://www.cbc.ca/news/politics/former-nortel-exec-warns-against-working-with-huawei-1.1137006)

~~~
da02
What do you mean by, "too many friends' parents lost their jobs over it"?

(Thanks for posting this info. about Huawei.)

~~~
todd3834
I’m guessing they worked at Nortel

~~~
da02
Thanks. That makes sense.

------
iforgotpassword
This is unfortunately common with Chinese software. Remember back in the early
2000s when a lot of freeware and shareware shoveled adware onto your PC
without telling you? Remember when tools like ad-aware were popular? Nowadays
that's the exception, or done by those shady download portals which wrap the
installers of everything. And oftentimes there's at least a checkbox in the
installer. It seems China is currently where we were back then. User awareness
is low, as long as things work nobody cares.

Sure, there's tons of malware on the play store etc., but it's always from
some weird vendor nobody has ever heard of. Coincidentally, a couple days ago
I noticed a friend's phone running really hot. It was freshly charged, taken
off the charger about half an hour ago, but freaking hot. I checked the
battery stats and "Sogou", a popular Chinese keyboard (if not the most
popular one) clocked in with 24 minutes of CPU time. I told my friend and we
uninstalled immediately. Two days later he was super happy and told me his
phone's battery life increased greatly and he can now even make it through a
full day (...). Now I'm still hesitant to claim this was definitely some
mining software embedded in the keyboard, it might as well have been a messed
up config making some thread spin in an infinite loop, but the suspicion
stays...

------
captainmuon
Umm, I don't doubt that there is a lot of nefarious data collection going on,
for both profit and political reasons. But this seems to me like a "Google
Now" kind of feature, that suggests modes of transportation based on your
current location. Having a list of train stations and airports and doing the
detection on the phone as opposed to in the cloud seems even the more privacy
protecting way (although they probably still upload your entire GPS history
like Google does...).
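
The on-device design captainmuon describes, as an added example that is not code from the thread or from any Huawei component: the phone holds a small table of stations, airports and car parks locally, matches each GPS fix against it with a geofence, and the only thing that needs to leave the device is a category/name event rather than the coordinate trail. The POI table, coordinates, radii and function names below are constructed assumptions for illustration.

```python
"""On-device point-of-interest (POI) detection against a local POI table.

Added example, not from the thread or from any vendor component. The POI
table and the fixes used in the usage section are constructed; the
function names are assumptions.
"""
import math

EARTH_RADIUS_M = 6_371_000.0

# Constructed POI table: (name, category, latitude, longitude, radius_m).
# In the design discussed in the thread this list ships with the phone.
POI_TABLE = [
    ("Berlin Hauptbahnhof", "train_station", 52.5251, 13.3694, 250.0),
    ("Berlin Brandenburg Airport", "airport", 52.3667, 13.5033, 1500.0),
    ("Alexanderplatz Parkhaus", "car_park", 52.5219, 13.4132, 120.0),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def nearest_poi(lat, lon, table=POI_TABLE):
    """Return (name, category, distance_m) for the POI whose geofence contains
    the fix (closest one wins), or None. Runs entirely on the device."""
    best = None
    for name, cat, plat, plon, radius in table:
        d = haversine_m(lat, lon, plat, plon)
        if d <= radius and (best is None or d < best[2]):
            best = (name, cat, d)
    return best


def on_device_event(lat, lon, table=POI_TABLE):
    """What a privacy-preserving design hands to a suggestion service: the
    POI's own name and category, never the user's raw coordinates. The
    'name' field here is the POI's name, not the user's."""
    hit = nearest_poi(lat, lon, table)
    if hit is None:
        return None
    name, cat, _ = hit
    return {"poi_name": name, "poi_category": cat}


def geofence_events(fixes, table=POI_TABLE):
    """Turn a sequence of (lat, lon) fixes into enter/exit events.
    Consecutive fixes inside the same POI produce no new event, so the
    output carries far less information than the trail itself."""
    events = []
    current = None
    for lat, lon in fixes:
        hit = nearest_poi(lat, lon, table)
        name = hit[0] if hit else None
        if name != current:
            if current is not None:
                events.append(("exit", current))
            if name is not None:
                events.append(("enter", name))
            current = name
    return events


if __name__ == "__main__":
    # Constructed trail: two fixes at the station, one in between, one at the airport.
    trail = [(52.5255, 13.3700), (52.5253, 13.3698), (52.5000, 13.3000), (52.3670, 13.5040)]
    print(on_device_event(*trail[0]))
    print(geofence_events(trail))
```

The distinction that matters for the thread's question is which of these two things is uploaded: the output of `geofence_events` (a handful of enter/exit events) or the `trail` list itself. Finding a POI table in an APK only tells you the former is possible, not which one the service actually sends.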

~~~
lwhi
I'm guessing POI stands for person of interest?

If so, seems more nefarious to me ...

Edit: definitely more likely it's point of interest

~~~
zht
POI stands for point of interest probably.

When stand-alone GPS navigation devices were more common it was a pretty
common acronym.

~~~
lwhi
Good point .. but if you look at the context, I think person of interest
actually makes more sense in a lot of cases.

~~~
azinman2
Context is about location. Point of interest is most probable. That’s standard
mapping lingo.

~~~
lwhi
I definitely understand your point, but I'm talking about the specific context
the acronym is being used in.

e.g.

callsPoiAtHome()
callsPoiAtHomeAtGeoPoint()
callsPoiAtFamiliarPlace()
callsPoiAtWorkPlace()

Edit: typo

~~~
yayana
Why would you combine the Boolean for whether a user is nefariously a Person
OI with each type of check for their location?

Nefarious POI would have a very limited context in the frontend (after it
turns everything on.)

Subcategories of Points OI being coded this way makes a lot more sense.

~~~
lwhi
Yeah, good point - may have been watching too much TV :)

------
sigmar
This doesn't seem like responsible reverse engineering (specifically:
decompiling one app and then publishing strings to give people partial
information and assume the worst). There are definitely possible legitimate
uses for one apk without a UI to "suggest modes of transportation" to another
apk, as another comment on this thread describes.

------
axaxs
Sigh, this guy again. He is not a real security researcher, but obviously a
novice learning about programming and decompiling. That is fine, except he
keeps making outlandish and wrong accusations. He kept doing the same thing to
OnePlus, until he basically got laughed away by real security researchers.
Something to keep in mind as you read...

~~~
nilsocket
I don't know if the author is stating any truth.

I have a Honor mobile; some of their apps were system apps. You can't disable
them, or uninstall them, even when you are rooted.

On OTA updates they add new system apps.

It's fine to have bloatware, but forcing users to keep it is not fine.

~~~
sschueller
My Samsung prevents me from uninstalling the Facebook app which came pre
installed.

I don't care if Samsung prevents you from removing their camera app but
facebook doesn't have anything to do with Samsung so I should at least be able
to remove that.

~~~
kyrra
It's a matter of understanding how apps work on Android (at least today). When
apps come pre-installed they can sometimes be part of the system partition, such
as Facebook in your example. Apps on the system partition cannot be uninstalled,
but they can be disabled.

I believe Google has been working to make it so more apps are not in the
system partition, but it can be up to each phone manufacturer how they bundle
apps.
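
A way to check kyrra's point on your own device, as an added example that is not code from the thread or from Android itself: parse the output of `adb shell pm list packages -f`, which prints each package's APK path, to see which packages live on a read-only partition, then pick the matching `pm` command. For a `/data` app a plain `pm uninstall` works; for a system-partition app the APK cannot be deleted without root, but `pm uninstall -k --user 0` removes it from the user's profile and `pm disable-user --user 0` disables it. The listing below is constructed in that command's output format; `com.facebook.katana` is Facebook's real package name, the other names and paths are illustrative.

```python
"""Classify Android packages by install partition and pick the matching
`pm` command. Added example, not from the thread. SAMPLE_LISTING is
constructed in the format `adb shell pm list packages -f` prints; apart
from com.facebook.katana the package names are illustrative."""

SAMPLE_LISTING = """\
package:/system/app/Facebook/Facebook.apk=com.facebook.katana
package:/system/priv-app/OemManager/OemManager.apk=com.example.oem.manager
package:/product/app/Weather/Weather.apk=com.example.oem.weather
package:/data/app/org.example.tracker-1/base.apk=org.example.tracker
package:/vendor/app/Telemetry/Telemetry.apk=com.example.oem.telemetry
"""

# Read-only partitions on which a preinstalled APK can live.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/", "/odm/", "/system_ext/")


def parse_listing(text):
    """Return a list of (package, apk_path, is_system) from `pm list packages -f` output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue  # skip blank lines and any noise adb prints
        # rpartition: the package name never contains '=', the path might.
        path, _, pkg = line[len("package:"):].rpartition("=")
        rows.append((pkg, path, path.startswith(SYSTEM_PREFIXES)))
    return rows


def system_packages(text):
    """Sorted names of packages that came on a read-only partition, i.e. the
    set that can only be hidden or disabled, not deleted."""
    return sorted(pkg for pkg, _, is_sys in parse_listing(text) if is_sys)


def plan_removal(text, unwanted):
    """Map each unwanted package to (strategy, adb command or None)."""
    by_pkg = {pkg: is_sys for pkg, _, is_sys in parse_listing(text)}
    plan = {}
    for pkg in unwanted:
        if pkg not in by_pkg:
            plan[pkg] = ("not_installed", None)
        elif by_pkg[pkg]:
            # Read-only partition: the APK stays, but it disappears from
            # user 0's profile (and comes back after a factory reset).
            # If this is refused, the fallback is:
            #   adb shell pm disable-user --user 0 <pkg>
            plan[pkg] = ("uninstall_for_user", f"adb shell pm uninstall -k --user 0 {pkg}")
        else:
            plan[pkg] = ("uninstall", f"adb shell pm uninstall {pkg}")
    return plan


if __name__ == "__main__":
    print("system-partition packages:", system_packages(SAMPLE_LISTING))
    for pkg, (strategy, cmd) in plan_removal(
        SAMPLE_LISTING, ["com.facebook.katana", "org.example.tracker"]
    ).items():
        print(f"{pkg}: {strategy} -> {cmd}")
```

Run it against a real device by replacing `SAMPLE_LISTING` with the captured output of `adb shell pm list packages -f`. Note that uninstalling for user 0 or disabling a package stops its UI and scheduled jobs, but a privileged system app can still be re-enabled by a later OTA, which matches nilsocket's observation above.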

------
xte
That's the joy of proprietary software on proprietary hardware, in the absence
of laws that mandate software to be open (the toolchains needed to build and
install it included) and mandate that hardware must be open and designed/produced
by a different party than the software, like in some countries we mandate that
the communication network be a different entity from the ISP selling service on
top of it.

Freedom must be preserved, and when people start to do so dictatorship comes
physiologically.

------
m3nu
It's ok to buy their cheap hardware, but I strongly recommend replacing the
software right away with e.g.
[https://download.lineageos.org/](https://download.lineageos.org/)

~~~
bcaa7f3a8bbc
Yes. Until Huawei started to lock down the bootloader in recent phones!

~~~
trumped
It really stinks that there are barely any new phones available for purchase
with unlocked boot loaders... you have to rely on hacks to replace the
software that rapes your privacy.

~~~
reitanqild
I have a Nokia. I think keys to unlock most new models are available from
Nokia (was in my news a week or two ago.)

BTW: my phone was super cheap, like less than USD300, no strings attached. It
is great for most of what I use: mail, hn, local news, signal, slack,
telegram.

It's also part of the android one program so I expect it to receive updates
faster than my old phones.

The camera (or the camera software) has some real problems though: it's not as
good as my older samsung S7 and it sometimes freezes.

Maybe the slightly more expensive models have better cameras, mine was about
the cheapest reasonable phone I could get.

~~~
Fnoord
Certain Nokia Xperia can run SailfishOS.

~~~
reitanqild
I'm fairly certain Xperia is a Sony brand.

~~~
Fnoord
Yeah, but given we are complaining about data collection you can buy yourself
out with Sailfish OS for 50 EUR or install microG (such as with LineageOS).
I've done the latter on a FP2, but Sailfish OS would be a suitable
alternative.

------
taildrop
Every Chinese company is at least partially owned, controlled, or heavily
influenced by the Chinese government. It's just a fact of life given their
current system of government.

Ask yourself this question. Would you buy an iPhone if the US Government owned
a significant part of Apple? Or could shut down Apple at any time they wished?
Would you trust them not to provide your information to US law enforcement or
other government entities without due process under those conditions?

Then why would you purchase a phone manufactured by a Chinese company given
the same circumstances?

~~~
rhizome
_Every Chinese company is at least partially owned, controlled, or heavily
influenced by the Chinese government. It's just a fact of life given their
current system of government._

Is this different than American companies who are at least partially funded
and/or influenced by the CIA? (Among other sources of government funding...)

[https://en.wikipedia.org/wiki/In-Q-Tel](https://en.wikipedia.org/wiki/In-Q-Tel)

~~~
rconti
I've worked for one IQT company and it couldn't have been more hands-off.

I haven't worked for a Chinese-backed company, though, so I can't say one way
or the other.

~~~
rhizome
I'm sure it could easily have been more hands-on, though. I think all
governments engage in this to some degree, or try to, or would like to. It's a
natural extension of power, control over the country, getting your hooks into
your dependencies. We see how rich people and companies have essentially
stopped contributing financially to the running of the country, which isn't
free.

------
rathboma
I'd love to see this type of investigation done on a US model of their phones,
for example an Honor 8 pro.

------
da02
I have a family friend that is 70+ years old. Unfortunately, the best deal I
could find for him via his AT&T prepaid plan was a $70 Huawei Ascend XT2 @
Walmart (locked to AT&T). Its performance is great: fast charging, long-
lasting battery, 2 GB of RAM, and intuitive UI (despite being Huawei's custom
modifications of stock Android).

What are the best alternatives (in terms of security updates and privacy) for
Android phones with 2 GB of RAM and $100-$200 unlocked? The Ascend XT2 is so
great for non-power users, that I'm even willing to overlook Huawei's awful
practices for my next phone. All other phones are either too expensive or
never have official security patches released for the OS.

~~~
pdimitar
Your best bet is Xiaomi.

Go to gsmarena.com and click on the advanced finder and apply your filters.
You will be sorted in no time.

~~~
culot
Are there many low-end Xiaomi phones that support AT&T?

[https://www.frequencycheck.com/carrier-compatibility/p5vW4/at-t-united-states/devices?commit=Search&q%5Bdevice_brand_id_eq%5D=171&q%5Bfull_name_cont%5D=xiaomi&q%5Bs%5D=release_date+desc&utf8=%E2%9C%93](https://www.frequencycheck.com/carrier-compatibility/p5vW4/at-t-united-states/devices?commit=Search&q%5Bdevice_brand_id_eq%5D=171&q%5Bfull_name_cont%5D=xiaomi&q%5Bs%5D=release_date+desc&utf8=%E2%9C%93)

I thought they were mostly not useful for US carriers?

~~~
da02
I have a Xiaomi Redmi 4G (codename: Dior) that is 3+ years old. It works on
T-Mobile.

That chart is helpful. I would also read the reviews of the phone and check if
the phone says "Global Edition" or "Global Version" to also check
compatibility.

I use the Mokee ROM. It gets regular updates. But, the Huawei Ascend XT2 feels
much faster with a longer-lasting battery.

------
pdimitar
This is unfortunate and I expected it for a while now. First OnePlus was
exposed a while ago, then Blu, then maybe a few other smaller ones (can't
remember, anybody has links?), and now Huawei... I have to wonder if the
companies aren't strong-armed by the Chinese government or they are all simply
the same kind of greedy shady private info dealers. So it's quite likely
Xiaomi will be exposed at some point as well.

I like Xiaomi. Owned two of their phones and it was the best ever Android
experience for me -- not because of the iOS look-alike-ness. The devices were
just very snappy, the default apps were very functional and comfortable to use
and the whole thing just worked pretty well out of the box. I was pretty
impressed, still am.

But I seriously don't trust the baseband vendors so I moved to the Apple
ecosystem. Now I am left wondering if Apple is simply not better at hiding it
if they are doing things like that (remember when they were caught recording
the phone screen's activity and sending it to Uber?)...

Are we better off at the Apple side? Or should we all be buying an Xperia X
and installing Sailfish OS on it?

~~~
emsy
I think you got that wrong. They allowed Uber to use the private API that
allowed screen recording. Apple didn't record the activity and send it to
Uber.

~~~
pdimitar
Thanks for the correction. You are right.

Still doesn't make it better though, wouldn't you agree?

~~~
saagarjha
Slightly, I’d say. The reason why Apple granted that entitlement was because
the Apple Watch API wasn’t powerful enough to perform some of the rendering
that Uber needed for their watch app, so they’d render it on iOS and send it
over in order to have an app available on launch day. The irresponsibility is
that Apple didn’t immediately revoke such access once they developed a
replacement API for this use case.

~~~
pdimitar
All of that definitely makes sense. It just makes me afraid what possibilities
that opens for Apple and any other corp they are willing to scratch the back
of. :(

It also makes you wonder what other kinds of these "entitlements" exist.

~~~
saagarjha
As far as entitlements go, I don’t think there are any others that Apple has
given out. Private API, though, has been approved by Apple for use in certain
apps.

------
jorblumesea
I really don't think many in the West understand how interconnected business
and government is in China. The scale at which companies work with the
government and how the government funds companies makes it very hard to trust
any Chinese company. China is the most opaque business world we can imagine
and Chinese military intelligence has deep connections to Chinese businesses.
They are two sides of the same coin, where Chinese military agents are even
implicated in attacks on Western companies to help their own corporations.

We will never be able to truly discern the true data sharing agreements they
have, and I think it's safer to ban Chinese communications companies from
working in the West until things change. It's clear China has no intention of
curbing bad behavior and the current approach is not working.

It is well understood that Chinese military officials carried out the Nortel
hacks and gave the IP to Huawei (and others). Nothing coming from China and no
Chinese company can be trusted.

~~~
dnomad
This is pure bullshit. The idea that Chinese companies and the government are
somehow fused has no basis in reality. But it's remarkable to watch people
push this sort of conspiracy theory. The exact same people will, when the
government cracks down on a company like Tencent, go on to claim that
companies are victims of the government.

~~~
jorblumesea
This rebuttal isn't rooted in reality. China's willingness to use state
resources to gain competitive advantages for its corporations is proven
without a shadow of a doubt.

------
craftyguy
Why would a, for example, US citizen be more concerned about a foreign
government spying on them than their own government? To play devil's advocate,
my government is in a much stronger position to harass me than some country I
may never visit again.

~~~
jldugger
To the best of my knowledge, the US government has not stolen corporate
secrets and forwarded them to their favored companies.

~~~
ivarv
The European Union's investigation into the ECHELON program found otherwise.

A high level overview is at
[https://en.wikipedia.org/wiki/ECHELON#Concerns](https://en.wikipedia.org/wiki/ECHELON#Concerns)

The actual EU report is available at:
[http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN&language=EN](http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A5-2001-0264+0+DOC+PDF+V0//EN&language=EN)

~~~
adventured
Is there something actually proven and more comprehensive than speculation
from two decades ago? Nearly all of the concerns listed in your Echelon link
are political in nature (e.g. about Princess Diana, or the Five Eyes with
Canada spying on two British ministers for Britain in 1983), not examples of
industrial IP theft.

Baseless claims won't cut it. The US has had by far the world's largest
economy for the last two decades. There should be _dozens_ of legally proven -
court cases - examples of intellectual property theft far worse and larger
than anything China has done, given the scale difference of the economies over
that time and the supposed capacity to hoover up global communications and put
it to use in industrial espionage.

Saying that well: here's one example, or here's two examples across 30 years,
is not good enough to indict the world's largest and most technologically
advanced economy for being rampant industrial thieves. To show a comprehensive
pattern of deep industrial espionage, and to show that it isn't more along the
lines of routine espionage that occurs between any two great economic powers,
requires a lot more proof.

~~~
icebraining
_There should be dozens of legally proven - court cases - examples of
intellectual property theft far worse and larger than anything China has done,
given the scale difference of the economies over that time and the supposed
capacity to hoover up global communications and put it to use in industrial
espionage._

How many legally proven court cases against industrial espionage carried by
the Chinese State are there?

------
baybal2
This is data for an app called SmartCare

It is not installed on Huawei phones made for export to capitalist countries,
but apparently the data collection part of the app has not been deleted, only
UI.

SmartCare is an analogue of Google's creepy email scanning program that likes
to wake you at 1 am with "your outbound flight is coming in 3 hours" when it
isn't

~~~
milankragujevic
It is installed though, at least for Serbian phones.

------
jhabdas
Left and right are two wings of the same bird. What many seem to overlook in
posts like this is the simple fact that they're being controlled by an
authority and you allow that authority to take from you, even if you believe
you're doing it voluntarily because that's what everyone else does.

Remember, nothing is truly yours if you have to pay someone else for the right
to use it. The cost then for using a Huawei phone as a US citizen is the
spying will continue but at least more authoritarian governments (excuse me,
Democratic republics) get a piece.

------
John_KZ
Eh. To be fair I'm torn between giving my local government the ability to
manipulate me vs giving a foreign power my data. I don't read Chinese-owned
news, I don't vote in China, I have nothing to do with them (well, except
having my electronics made there). So is it really worse when Huawei steals my
data instead of Google? At least with Huawei someone might care enough to stop
them.

~~~
Kadin
First, you have some level of recourse against agencies of your own
government, either directly or via the electoral process. They may or may not
have more interest in you than a foreign government, but that depends on what
you're doing. The type of people of interest to American intelligence agencies
is rather predictable and unimaginative.

Most Western governments do not engage in espionage for private-sector
economic gain. (Before the Chinese apologists show up: there have been
extremely limited examples, historically, including a few times when US
intelligence agencies became aware of spying or collusion on the part of
another party in negotiations with a US company and notified them. There is
not anything in the US that approaches the "same team" approach that the
Russians and the Chinese have.)

So even if you are not engaged in, say, assisting Tibetan independence
activists, the Chinese government might still be interested in your work
email, and there is reason to believe that any proprietary information might
get passed along to a Chinese competitor (in the Russian scenario, it's
probably more likely cybercriminal organizations who might sell it).

The type of user who should be concerned about Chinese or Russian hacking,
given the significant overlap between private industry (including criminal
organizations, particularly in Russia) and government intelligence, is much
more broad than the type of user who should be concerned about targeting by US
or European intelligence.

Middle Eastern countries are probably somewhere in the middle; they have what
appears to be more broad targeting than Western countries but still maintain
more of a firewall between industry and government than Russia/China. (That
said, the physical threat appears to be greater if you really are a person of
interest.)

------
Markoff
Is this some wannabe hacker? It's pretty clear from those descriptions it's
something for their voice/smart assistant or organizing tool (HiVoice, HiBoard
or whatever, they have a million names) which can scan your calendar, SMS and
other items to notify you about an upcoming flight, train, movie in the cinema
etc. and remind you of this, or find friends (contacts) based on your location
after arriving at your destination, and they are very clear in their privacy
policy about what information they use, how they use it, and how to opt out of
submitting this (sensitive) personal information.

I work for several Chinese companies including Huawei, OPPO etc.; all of them
have this assistant, which also scans your SMS for package delivery info so they
can track your package and provide you with simplified information in the form
of cards. I guess the closest western equivalent would be Google Assistant
(never used either), though personally my Honor phone is running Lineage without
gapps, because I don't like western/Chinese spyware and, most importantly,
unnecessary battery eaters.

------
diminish
Huawei is the rising star in smartphone shipments together with Lenovo and
Xiaomi. I see more HN posts against China directed at Huawei than others? Why?

~~~
icebraining
Maybe it's not just anti-Chinese bias, and Huawei really is worse than others?

~~~
diminish
Maybe - yet recently I see all around YouTube and social media some anti-
China build-up. I have never been to the country and have nothing to do with
it, but I'm just curious [1] if there's some kind of orchestrated campaign
against the Chinese economy. I had the same impression from Russia after the
Ukrainian revolt, when hundreds of channels/users popped up out of nowhere on
social media. I feel some people are doing the same against China as part of
the trade wars and conservationist policies.

[1] One example:
[https://www.youtube.com/user/NTDChinaUncensored](https://www.youtube.com/user/NTDChinaUncensored)

~~~
icebraining
I'm not saying there isn't. But that doesn't explain why Huawei is more
attacked than other Chinese companies, which was your question.

~~~
diminish
..most likely Huawei was also very active in network and mobile infrastructure
and they may be more prone to state sponsored hackery. I also forgot ZTE..

------
theclaw
Betteridge’s law applies. The guy found a database of train stations, car
parks and airports - so what? When it finds you’re nearby it tells the cloud
service which presumably grabs your tickets or something, like a geofence. The
location data is not ‘user’ location data, it’s point-of-interest map data,
and the ‘name’ he found is probably the name of the POI. What a joke.

[0] [https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines](https://en.wikipedia.org/wiki/Betteridge's_law_of_headlines)

------
rilut
Xiaomi Mi A1 also has app named Spock (com.miui.spock) which cannot be
disabled/uninstalled

------
a-dub
looks to me like he found a google now type facility that triggers actions
based on locations?

------
TACIXAT
Second link I've seen from threader. All the images are broken on mobile
(Android, Firefox). Can we link to the original?

~~~
21
The links are also broken on desktop Firefox/Chrome.

~~~
ronaldl93
Works fine here

------
chocochip
I think it's a bit sad and funny that the tech industry still seems concerned
with this, but when the most extreme cases of data collection are exposed,
namely Edward Snowden and Cambridge Analytica, little was done by the people
or by organizations to ask for action.

Everybody moved on to the next big headline and every now and then people will
shout and complain about "privacy" without actually saying what should be
done.

Also, GDPR which I see as an actual attempt to make this whole mess a bit more
organized became just a modern version of "I accept the terms and conditions".

