I agree with others, better open a "Tell HN" in these cases.
With this comment I think it was too hard for people to understand in the first place.
Herd mentality for sure.
> Nokia phones sent identifiable data to Chinese server
isn't click bait, but simply much more clear and to the point than
> Ask HN: HMD Global (Nokia) is acting shady Any recourse?
A lot of this industry (in particular web and mobile technologies) survives thanks to systematic privacy violations. It's nice to keep the eyes wide open.
Best thing to do would have been to contact tech sites with the info.
Like The Register would definitely do an article about it.
I think "Tell HN:" is for such cases, but it's just not as popular.
Were you able to forcefully uninstall these via adb?
I think all HMD devices have those packages.
adb shell pm list packages
adb shell "pm list packages | sort"
Most of such info leaks are hidden. I've already witnessed several OEM firmwares sending information to many different parties. Too often, this is done through HTTP, with payload encrypted. But it's always symmetrical encryption, and the encryption key can be computed from the fields in clear in the request.
Such techniques are enough to stay under the radar of classic MITM, and require hard reverse engineering work to detect.
I've noticed such behaviours on major Chinese OEMs, and white-label brands.
I never did actual reverse engineering on more western-ish brands, but the little I've seen doesn't look good.
On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions, because this gives the right to give apps any permission), raises an advertisement company in Israel and a Telco in Singapore.
If you're worried about this situation (I am), I recommend you start lobbying about mandatory bootloader unlock, and easier OS replacement on smartphones.
In this area, Nokia is amongst the worst, since AFAIK they still haven't authorized any bootloader unlock.
Personally my work in this ecosystem is to make the Phh-Treble ROM, which is most likely the Android ROM with the largest hardware support (even though it requires the phone to be natively running Android 8 at least), and it is open source.
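The check mentioned in the comment above (listing which packages can install apps silently), as an added example that is not part of the original thread. It assumes the permission meant is android.permission.INSTALL_PACKAGES and that `dumpsys package` prints records in the layout of the constructed sample; the function names, the com.example.* packages and the hashes are made up for illustration.

```shell
# Added example: list packages that hold the silent-install permission.
# Real use (needs a device with USB debugging enabled):
#   adb shell dumpsys package | silent_installers

# Constructed sample in the layout `dumpsys package` is assumed to print;
# the com.example.* names and the hashes are made up.
sample_dump() {
cat <<'EOF'
Packages:
  Package [com.android.vending] (1a2b3c4):
    userId=10021
    requested permissions:
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.adsdk] (5d6e7f8):
    userId=10090
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
  Package [com.example.notes] (9a0b1c2):
    userId=10101
    requested permissions:
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
Shared users:
  SharedUser [android.uid.example] (3d4e5f6):
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
EOF
}

# Reads dumpsys text on stdin, prints each package with the permission granted.
silent_installers() {
  awk '
    # A non-indented line starts a new top-level section: forget the package.
    /^[^ ]/ { pkg = "" }
    # "  Package [name] (hash):" opens one package record.
    /^ *Package \[/ {
      pkg = substr($0, index($0, "[") + 1)
      pkg = substr(pkg, 1, index(pkg, "]") - 1)
      next
    }
    # Count only an actual grant, not a mere request; report each package once.
    /android\.permission\.INSTALL_PACKAGES: granted=true/ && pkg != "" && !(pkg in seen) {
      seen[pkg] = 1
      print pkg
    }
  ' | sort
}

sample_dump | silent_installers
```

Anything in the output that is not an app store or system installer you recognise is worth a closer look; the package that only requests the permission and the shared-user entry are deliberately not reported.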
Why is there such a permission in the first place?
Google Play and F-droid require it in order to update apps automatically.
Essentially, you give one app a permission to install other apps. Whether it notifies you or not, it's up to the app.
But even when simply installing, check the workflow that the Play Store currently has:
When you click "install" in the play store, you don't really want interactions far in the future about it. So the apps' permissions are asked right away.
Without this silent install permission, you would have a pop-up at the end of the download (which can be between a few seconds after clicking "install" to several hours if you're unlucky and downloading a big app), asking you to confirm the installation.
Out of curiosity, what "advertisement" company would that be?
In the meantime, I recommend the following:
1. Remove any unnecessary packages through ADB (https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...)
2. Use Shelter (https://f-droid.org/en/packages/net.typeblog.shelter/)
3. Use a VPN-Firewall such as NetGuard (https://f-droid.org/en/packages/eu.faircode.netguard/) or NoRoot Firewall (https://play.google.com/store/apps/details?id=app.greyshirts...).
Google hoovers up all the data and tells their partners they can't do this too? The antitrust regulators would have a field day.
But bypassing these mechanisms is a decision they had to make. If they're just lazy or incompetent, these userspace apps should be sufficient as a mitigation.
Check this out for a more sophisticated way: https://privacyinternational.org/node/2732
Having said this, I never expected Nokia to be doing that, too. Both Nokia and HMD are Finnish, do they really need to outsource the creation of the ROM?!
OEMs still make changes to it, and it still seems dependent on carriers pushing through the changes - despite buying a SIM free phone, I waited 2 months longer for updates, which seemed to be the case with everyone on the same network in the UK.
It's far from bug free, with a few updates in the last few months introducing new bugs. Again, it shows that this isn't an update coming directly from Google, it is at least in some part developed and tweaked by OEMs. In this particular case, the process showed that HMD/Nokia is severely lacking in development and QA expertise, as there have been ongoing issues for months with no fix.
They also introduced their own battery optimisation software a few months ago, which massively changed how the phone handled multitasking and background applications (effectively, it killed them all). And then this news that they're sending unencrypted identifiable information to a third party? These things shouldn't be possible if Android One did what it claimed.
I avoid OEMs like Samsung because of all the bloat and junk that they add on top of Android, but Android One is clearly not a solution to that. I would still prefer it in theory in the alternatives, but I'll do more research next time - if a company doesn't have a proven track record, then Android One isn't going to solve that.
One minor point - Nokia the company isn't involved in the Nokia Android phones. HMD is just a small company that licenses the brand. Admittedly, a small company that was founded by ex-Nokia folk and based across the road from Nokia's HQ, but it's evidently not a company with Nokia's resources or much of their expertise.
After installing the security updates, WiFi only works once after a reboot, the moment you disable it, you have to either sludge forward with modem speeds on 2.4GHz-band or none at all if you are on 5GHz-band. Since these problems manifested after installing the security updates, it's slowly starting to point towards a driver/firmware issue instead of a hardware problem as some have speculated.
Some fixes for this are "phantom SIM", resetting WiFi settings or booting into safe mode. Only common thing with these "fixes" is the reboot; so far it is the only thing that will fix the WiFi but turn it off once and you're boned. Similar issues are noticeable with the WiFi AP: first try after boot works just fine, next one you have to try to force 2.4GHz-band on the AP along with 5GHz, causing the AP to "soft reboot". After this, you are very likely in need of a reboot as the AP will not show up.
After this breach of privacy and data security, along with the WiFi issues, I'm slowly starting to lean towards filing a complaint to either HMD or the local customer protection agency here.
Worst of all, the support forum topics I've checked somewhat regularly on have no official replies from HMD or Nokia, only second-hand information from people who have been in touch with support.
I know some of those people (in Finland) who worked in these outsourcing companies, but they just worked on the more high level components like Android apps etc. Not with bootloaders or OS images.
That said I've not noticed anything obviously suspicious when I use a firewall to monitor it. I only did it as a test so I might have missed something. Also I'm in the UK, if that makes a difference.
I wonder if it's only specific country builds that display this behaviour?
Here's pm list: https://pastebin.com/HjQED9fr (I installed a few applications myself)
Could you explain why this is problematic?
I installed NoRoot Firewall as suggested in another comment here. So far NoRoot Firewall has not detected any activity from anything unusual running in the background (either idle, screen-on, or charging).
What was weird though was that if I open the Nokia camera app, it tries to talk to edge-star-shv-01-lhr-facebook.com, edge-star-mini-shv-01-sof1.facebook.com & edge-star-shv-01-sof1.facebook.com. I believe this is due to the Facebook live-broadcasting feature built into the Nokia camera app, although I have not got it logged in so not sure why it is phoning home just when I open the app.
I'll keep running for a few more days (I can't use my usual VPN at the same time as NoRoot Firewall so don't want to run indefinitely) and update if anything else happens.
In other words - a non-story or at most a story about quality issues at the reborn Nokia.
But luckily the URL pointed to China ... so we can make the story about that ... with a big red communist flag, talk about mass surveillance, human rights, future invasions and so on ...
I don't really think this is because of racism; I mostly just think it is because we are idiots that prefer big hyperboles rather than simple explanations of non-issues.
To me it is obvious that it is Nokia that is sloppy and having quality issues.
Because it gives more attention.
The real story here is that the venerable brand of Nokia now is being used to sell sub-quality phones.
Nokia isn't being shielded in the article.
On the off chance that you're a native Chinese speaker, are you able to figure out what the purpose of device self-registration is? My Chinese is unfortunately not good enough to easily find information on it.
Adding to that the fact that I don't receive system updates anymore, I have absolutely no trust in my phone. My next phone will be an iPhone, for the lack of better alternative.
I don't have a previous experience so my reasoning was "well it's Samsung, at worst they'll have some shitty branded apps and some cruft". But I don't have an idea what these dozens of preinstalled apps running on my phone are doing. Almost none of them can be uninstalled and only a handful can be disabled.
It is kind of scary to use a banking app on this thing. Never felt this way on an iPhone. I wanted to see the Android side after years of iPhone use, apparently it is still shit.
My wife, who is not a tech person at all, flatly refuses to run any banking or financial apps on her Android phone. She knows just enough about the technology to know that most Android devices are cesspools of spyware and malware, even her Galaxy phone. She doesn't like iPhones though, so I doubt she will ever go over to that side even for security's sake.
Lie to me and I'm done with you, especially over something as important as privacy and freedom. It may now be closer to what they originally promised, but I no longer trust them.
It's a shame because they're really the only company doing what they're doing (a fighting chance at open source (as possible) and secure hardware)
Give it time. The slow-downs/reboots happen to every Android device over time.
You can find implementations by Qualcomm and Mediatek on GitHub, the Mediatek one even comes with a minimal README. That seems to indicate that it's gated by a feature flag "MTK_CT4GREG_APP" and is only supposed to be active when explicitly selected while the phone is in developer mode. That makes it likely that sending the data was only due to a misconfiguration.
Considering the long list of manufacturers starting at page 10 of , it's also possible that others are leaking data in the same way.
I assume the android implementation was done in China, then many requirements are related with "补贴" (subsidies), it is just part of them to submit some data to zzhc.vnet.cn. But didn't get deleted when they are making EU variants.
My understanding now is that some 4G deployments are subsidized, and to correctly compute the amounts to be paid, China Telecom needs to collect more data than is usually available, so they came up with the idea of sending the data to zzhc.vnet.cn.
Still pretty hacky, but it kind of makes sense from a perspective of doing the minimum necessary to fulfill the requirements.
Though that doesn't explain why CT wants that data.
If you have been following the Nokia's Android phone, you will know they have always been launching new phones in China first before making slight update or shipping exactly the same one to International Market. So it could happen this is part of the logistics and Supply Chain misstep. I am giving Nokia the benefit of the doubt here. Since HMD do have many original Nokia employees, it could be an oversight.
The NSA works with US companies to secure their systems from espionage.
Shouldn't the NSA be analyzing consumer electronics to make sure they don't spy on US citizens, some of which will have sensitive information or trade secrets on their phones?
Aren't those companies trying to get all the information they can about us?
Perhaps they don't want to be "secured" because it costs money to do so.
Seems to support the US paranoia about Chinese gear and if proven as known evil, doesn't help Huawei's 5G aspirations...
When you consider the progress China has made over the last 50 years from the perspective of a typical Chinese citizen, you can see why they make that bargain.
So success would be far from guaranteed.
If I'd be Chinese I'd probably do the same trade they did.
After prosperity, keeping the lid on as hard as it is now is much, much harder. And if changes don't come easily and naturally, I guess you can emigrate.
And what makes most people happy is having a rich personal life, rather than achieving their political goals, I've found.
There would now be political rallies, protests, different factions of people wanting different things, etc.
That distracts from economic progress.
It's fairly clear to me that in many cases freedom of speech and similar rights leads to less stability and less economic growth.
(I'm specifically noting those two because their deaths were epochal events in the modern political history of both countries.)
The OP said they don't talk about it. Doesn't mean they don't care about it much. It is simply they don't have any means, tools or action they could do to change it.
This isn't true at all. China is one of the only places in the developed world where the populace legitimately could topple the government, simply by sheer mass.
Why do you think the party works so diligently to quell dissent and organization while going to extreme lengths to prop up the economy? It would be nearly impossible to hold on to power if the people turned, but nobody is interested in that while they (or their children) can live in a nice apartment and take a holiday in Europe once in a while.
I'm just trying to understand this attitude towards acceptance of losing privacy...
Or is just given up after years of losing to their government?
I have been living there for a while and Chinese people can talk about it as freely as elsewhere and most of the people I know are very aware of it.
The opinions about tracking/surveillance are not the same as in the West though and it is much more accepted here. In my social circle, a large majority of Chinese people would prefer security over privacy or just don't really care.
Hard to believe for a westerner like me, but people are happy about it so far.
That's a nice translation!
Ah... the times we live in.
What about the data that already leaked?
Personally for me Google is an opposite of privacy.
This has now been fixed and almost any device affected by this error has now installed the update. HMD Global takes the safety and privacy of our customers seriously.
Random hacker news comments aren't the most trustworthy.
I've just installed it on my 6.1 Plus. Nothing sus yet but it's only been 5 minutes.
For example, many apps, especially messenger and social network apps secretly or openly export contact lists from devices. Not only is this highly unethical, it might be a violation under GDPR because the information in the contact list is personal information and you must obtain the permission of that person for transferring the data abroad, not only the permission of the phone owner.
Almost every mobile app collects IMEI, a hardware identifier that allows governments and mobile companies to track the precise location of your phone. While such data are highly sensitive, they collect it without any second thought. Even a simple keyboard app was collecting all the data it could grab.
I can remember how Google was collecting WiFi data, without permission from access point owners. It was also collecting the traffic sent over WiFi.
It seems like the companies in every country have similar interests for users' data.
Also, I have a noname Chinese phone and when I examined its traffic with Wireshark, it was attempting to send data with IMEI to Chinese servers (luckily I had no SIM card inserted so it couldn't get a phone number). It was sending data to Google servers as well, but sadly they were encrypted with SSL and even installing a self-signed root certificate on the device didn't help to decode the contents.
So I think there should be better regulation of data collection. The general rule ("not a single byte" rule) should be that no data can be sent anywhere without explicit user's consent (not a phrase somewhere in the EULA). Also I think the manufacturers should put large warnings on the boxes, like the ones on the cigarette packs, like "This device sends all your private data to country X", "This IoT device will spy on you 24 hours a day", "This device uses a cloud in country Y", etc. So that the consumers better know who will spy on them.
Edit: I am not disputing the "One China Principle". The fact remains that Taiwan is self-governed.
But both sides agree that it is China.
Like Korea includes both North and South even if there are two states.
Ask Chinese, ask Koreans. Also ask Germans or Vietnamese.
You could also ask Foxconn's founder.
The real reason is that 5G is not secure by design, just like 4G and 3G and GSM before. But the NSA wants to have the keys only for themselves.