
Please don't assume this is a one-time event, or that it is specific to this brand or even to Chinese manufacturers. Nokia could actually be in the best half on that aspect, just got unlucky.

Most of such info leaks are hidden. I've already witnessed several OEM firmwares sending information to many different parties. Too often, this is done through HTTP, with payload encrypted. But it's always symmetrical encryption, and the encryption key can be computed from the fields in clear in the request. Such techniques are enough to stay under the radar of classic MITM, and require hard reverse engineering work to detect. I've noticed such behaviours on major Chinese OEMs, and white-label brands.

I never did actual reverse engineering on more western-ish brands, but the little I've seen doesn't look good. On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions, because this gives the right to give apps any permission) raises an advertisement company in Israel and a Telco in Singapore.

If you're worried about this situation (I am), I recommend you start lobbying about mandatory bootloader unlock, and easier OS replacement on smartphones. In this area, Nokia is amongst the worst, since AFAIK they still haven't authorized any bootloader unlock. Personally my work in this ecosystem is to make the Phh-Treble ROM, which is most likely the Android ROM with the largest hardware support (even though it requires the phone to be natively running Android 8 at least), and it is open source.

> On Samsung Galaxy S9+ simply listing apps that can install apps silently (which is the master of all permissions

Wait... what? Why is there such a permission in the first place?

> Why is there such a permission in the first place?

Google Play and F-droid require it in order to update apps automatically.

Essentially, you give one app a permission to install other apps. Whether it notifies you or not, it's up to the app.

As mentioned, there are updates, but then you could have an upgrade-specific permission (there isn't one).

But even when simply installing, check the workflow that the Play Store currently has: When you click "install" in the Play Store, you don't really want interactions far in the future about it. So the apps' permissions are asked right away. Without this silent install permission, you would have a pop-up at the end of the download (which can be between a few seconds after clicking "install" to several hours if you're unlucky and downloading a big app), asking you to confirm the installation.
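Added example, not part of the thread or any commenter's own code: one way to list the apps that hold the silent-install permission discussed above, by parsing a saved copy of `adb shell dumpsys package`. It assumes the permission in question is `android.permission.INSTALL_PACKAGES` and the usual dumpsys layout; the sample dump, package names and paths are constructed.

```python
import re

# Constructed sample in the layout of `adb shell dumpsys package` output;
# the package names and paths are made up for illustration.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.store] (1a2b3c4):
    codePath=/system/priv-app/ExampleStore
    requested permissions:
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
  Package [com.example.adloader] (5d6e7f8):
    codePath=/system/priv-app/AdLoader
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.INSTALL_PACKAGES: granted=true
  Package [com.example.game] (9a0b1c2):
    codePath=/data/app/com.example.game-1
    requested permissions:
      android.permission.INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
Shared users:
  SharedUser [android.uid.system] (3d4e5f6):
    install permissions:
      android.permission.INSTALL_PACKAGES: granted=true
"""

HEADER = re.compile(r"^\s*(Package|SharedUser) \[([^\]]+)\]")
CODE_PATH = re.compile(r"^\s*codePath=(\S+)")
GRANT = re.compile(r"^\s*android\.permission\.INSTALL_PACKAGES: granted=true\b")

def silent_installers(dump):
    """Map each package actually granted INSTALL_PACKAGES to its codePath."""
    holders, paths, current = {}, {}, None
    for line in dump.splitlines():
        header = HEADER.match(line)
        if header:
            # Shared-user blocks also list grants; they are not packages.
            current = header.group(2) if header.group(1) == "Package" else None
            continue
        if current is None:
            continue
        path = CODE_PATH.match(line)
        if path:
            paths[current] = path.group(1)
        elif GRANT.match(line):
            holders[current] = paths.get(current, "?")
    return holders

if __name__ == "__main__":
    for package, path in sorted(silent_installers(SAMPLE_DUMP).items()):
        print(package, path)
```

An app that only requests the permission (the constructed `com.example.game` above) is not reported, because the check looks at grants; a `codePath` under the system partition indicates a preinstalled holder.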

Oh. Now I see why my phone randomly installs Amazon Prime Music or Prime Video. I have Kindle installed and recently installed Audible - after installing Audible, I noticed I got Prime Video (haven't been a subscriber for a while).

> raises an advertisement company in Israel

Out of curiosity, what "advertisement" company would that be?

Digital Turbine
