Hacker News
Sony Xperia phones come with Baidu spyware? (sonymobile.com)
70 points by sleepyhead on Oct 28, 2014 | 64 comments



I came in thinking that this was going to be about the Baidu IME Japanese language input (which caused quite a stir earlier this year iirc, for the same kind of logging and tracking -- though I think the information wasn't as extensive as this). Lo and behold, it's much worse than that.

Wasn't it Sony that installed some kind of spyware in its VAIO machines or its anti-piracy SW or something along those lines? When will they ever learn? And there will likely never be an explanation for what they were trying to do here.

They are already in a precarious position in the smartphone market with most of their sales coming from Japan (and Sony Ericsson becoming just Sony Mobile back in 2012). What were they going to do if shit really hit the fan and this went to mass media in Japan as the "Chinese spyware phone" given the tension between the two countries, especially given Japanese QE over the last 1.5+ years? Consumer sentiment is pretty irrational. I can easily see a situation where they get labeled as a "traitorous company" and a boycott starts, at least vs their mobile division. Shortsightedness at its finest.

I want to root for this company so badly yet every few years they do boneheaded things like this and make me utterly despise their stupidity.

edit: On further thought I bet this is created by some pre-installed default Baidu app that Sony QA didn't vet properly or didn't give a damn about. Or maybe QA found the folder + the connection to China, but it was quashed by management for "strategic reasons". The latter seems more likely, since the engineers I know at Sony (at least in SCEI) are pretty damn good.


I believe you are referring to the Sony BMG copy protection rootkit scandal [0]

[0] http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...


That's the one. Thx!

Rootkit, Playstation Network hack, Baidu spyware, ... I want to believe in Sony, and yet, this. :(


Sony isn't one monolithic behemoth. It's a conglomerate of various distinct groups under a loosely coupled ownership.

Also, I fail to see how a push service is equated to any of those. They aren't even related, PSN Hack occurred because of an unpatched vulnerability (an Ops failure). Rootkit was DRM.

The latest Z3 series are wonderful phones, one of the best in the Android ecosystem. That's what they should be judged on, not due to a poor choice of a push service provider!


You can add persecution of geohot to your list.


Baidu spyware on an Android phone with Google spyware, Yeah!


Can anyone explain why Chinese software like this is branded "spyware", while Google Play and iCloud services aren't? Since it seems the difference is just in the country that spies on me?


There is a bit more transparency when it comes to US and EU servers.

Issue with Chinese servers is that whole infrastructure is owned by government so they can track all info going through it without limits.

In US this is much more complicated.

Also since some time spy agencies around the world were warning about that user information sent back to China. They have their reasons but they won't reveal exactly what this is about since this would cause political cooling with China relations. Seems like something serious is going on there with all this data.


I don't find the distinctions between Chinese and U.S. national governments credible in this post-Snowden era.


I agree from a stealing data point of view. However what is done to that data is a different matter. I don't think the US government cares about my data or other 'normal' users. I am afraid that the Chinese can exploit it though. Much more possible that some corrupt officials give data to the Chinese mafia or have their secret hacker army do something to hurt a country they don't like.


Just American idiots round here, I've prototyped apps using Baidu push service (the so-called "spyware"). It's just another type of GCM except based in China. GCM servers are at best unreliable in China thanks to censorship.


Or maybe as an Indian I am concerned why my phone has to use Baidu at all, when I am not using any service it provides and the fact that my data is being sent to China without my knowledge?


I gotta ask, what difference does it make where your data is collected - U.S., EU or China?


I hold EU in very high regards, so far they have not betrayed humanitarian values. China is a concealed demon, however bad you might think US is, China is a hell of a lot more and the reason is simple China is NOT a democracy. So far the actions of both the countries align with this statement.

Also I know and agree that my data be collected by US/EU, I wasn't asked when sharing my info to China.


OP here. European living in Asia. Any service that is tracking me without my consent is spyware. Regardless of the definition I am far more concerned with being tracked by some Chinese company compared to a German company. So origin is important here.


Or maybe people don't want to be spied on by services from basically web un-regulated countries?


Such as the U.S.? Are you asserting that the U.S. is regulated? My guess is, every drug suspect prosecuted with parallel construction, every ISP, and everyone harassed at the border for their online activities would disagree.


I think the difference is with Google 'spyware' you actually DO opt in when you set up your phone for the first time. This app is loaded silently and without notification to the user.


I see your point. However there are many differences. For iOS and Android I have chosen those systems and thus to a certain degree accepted connections to Apple and Google. I have not however chosen to do anything with Baidu. Regardless I think anything that tracks you is spyware unless I have given it my consent to do so.


Probably because Baidu doesn't make Xperia phones, unlike Google and Apple which power Android & iOS respectively?


So you're against using cloud providers? Apps use push notification services through Amazon or Microsoft all the time.


Funny so many people call this "spyware" while using smartphones with Google apps/services that feed your data to the NSA. Priorities, people?


The priority is to end companies spying. I agree that Google and NSA is a huge issue too, and that debate has been going on for a long time.


Reading the thread from the start, it seems that Baidu is used for pushing content to MyXperia.

MyXperia is their service to let you remotely track or lock your device. My guess is they are using Baidu's push service to send the commands to device.

So I'd say this is a poor choice of service provider from Sony - especially for non-Chinese versions - but _probably_ harmless.


At best, as harmless as Google's command & control channel to Android devices (=not very).


If you are on your phone, open the site in Desktop mode.


...Otherwise you will be made sign up through a LONG and HORRIBLE sign up process :O


  To sketch the magnitude of the problem: potentially, the Chinese government can:
  ...
  Prevent your device from entering sleep mode
  ...
Oh well I'm screwed.


Well, that means the screen will not time out, and thus will not ask for a password. Baidu has location access too, so there's an obvious attack vector in disabling the screen time-out before sweeping in and confiscating the device.

It's the least menacing item on that list, but that doesn't mean it's completely harmless.


I don't think it has anything to do with Sony, the folder is created by lots of apps - wechat, MIUI themes. http://forum.xda-developers.com/showpost.php?p=55033304&post... suggests it's also created by ES File Explorer.


It's happening for stock out of the box configs too. It has everything to do with Sony.


I imagine the baidu folder is set up due to baidu search or social network integration.

The connections to IP addresses have been seen on other phones so it's probably some software people have installed http://forum.xda-developers.com/showthread.php?t=2509815


Just unpacked my Sony Z3 compact, haven't installed a single app and it's connecting to China... Needless to say, I will never use this phone or any other Sony product ever again.


Without taking a position on this particular case, I must observe that if you are going to boycott every company that has done something that allows some government to spy on customers, your list of vendors will be down to... I was going to say your local grocery shop, but thinking about it, they probably have a credit card reader, and I'd be astonished if there weren't at least some cases of governments tracking people via credit card purchases.


If they send data from my phone (potentially private information) to a foreign country without telling me, then I think it's reasonable to boycott them. If I knew that my local grocery store sent my private information to China I would boycott them too. But I'm fairly convinced that they don't do that.


Eh, it's a push service. They aren't mining your information. It's used for their myXperia service, which is used to locate your device with a sound alert or display its position on a map. You can also erase data and/or lock your device if you lose it.[1]

[1] - https://myxperia.sonymobile.com


It's a service developed to retrieve my location and to get access to my device!


Google, MS, Apple, Facebook and Twitter operate out of a foreign country for most of us. At most they "tell" by way of click through agreements wherein you sign away your firstborn and then some, otherwise you are without smartphones and social media.


> Needless to say, I will never use this phone

No Cyanogenmod ROMs for the Z3 series yet unfortunately so it looks like a return is your only real option.

http://wiki.cyanogenmod.org/w/Devices#vendor=%22Sony%22;type...


I'm willing to give SCEI (the Playstation unit) the benefit of the doubt still (despite their hacking scandal), but I'm surely done with Sony Mobile devices for sure.


I was done with Sony after my investment into Playstation Linux (PS2), as they screwed their PS3 follow up.

It was more closed down than Yaroze and PS2 Linux, and eventually kicked out the door.

The PS4 makes use of clang and BSD and where are the contributions back to the communities, besides a few talks at LLVM summit?


the playstation unit that progressively dropped features from the ps3 you paid top dollar for? you are too kind.


I was just glad that DRM got the name-and-shame it deserved every time Sony revoked a feature via online software-downgrade. Now I hate my PS3 and only use it for Amazon and YouTube. The games I paid full price for all have their hand out for DLC. Bleah.


Ah I actually skipped the PS3 and just went for PSP/PSVita. :(

Thanks for making me aware of this history.


I am not so concerned about the folder itself but my phone now has a constant connection to an IP address in Beijing which I am not too happy about.


What about constant connections to Google servers aka NSA? That doesn't concern you too?


It does. What is your point here? Because Google is doing this then I must accept others doing it as well?


Samsung Android phones come with Google spyware?

Apple iPhone phones come with Apple iCloud spyware? Google search spyware? Yahoo search spyware? Bing search spyware?

Microsoft Windows Phone phones come with Microsoft spyware?

It's the same stuff. At least China tells people what they do, instead of leaving people with uncertainty and doubt.


If you buy a phone from Apple it is implied that it will make connections to Apple. To a certain degree of course. However I have not bought a Baidu phone and have not given my consent to be tracked.

What is wrong with you people who nitpick in this thread. It is an invasion of privacy and is being done without my consent. That is the important issue here.


OMG I saw that folder a while back on my phone and ignored it thinking some Sony app uses it and it's included in case I set the phone language to Chinese. But I never thought a Japanese company would be sending anything back to a Chinese IP address!


My girlfriend recently bought an Xperia and a couple weeks later she received a notice from Google that someone was blocked when trying to log into her Gmail account from China. I wonder if there could be a connection.


It's extremely unlikely that the two are related. Account access attempts from Chinese IP addresses are common for almost everyone on Gmail.


If I were to buy a new Sony phone, is there a way to stop this from happening?


If it's the phone (Z3?) in question, it seems that an update that purges this is incoming (though I wouldn't trust it until we have reports proving that this is the case).


Has anyone reversed com.sonymobile.mx.android.apk yet?


I will if anyone can put the link up somewhere.


https://mega.co.nz/#!bcxjxKgA!_vRRYgQbzmGxTXkAnLRG2DNuR9HhNS... is a UK Z3 firmware, I'm working on extracting it with 7zip and unyaffs. Unless someone wants to adb pull from their own Z series device.


This is the folder I found in my Xperia Z, latest stock firmware (Android 4.4.4) installed after a full wipe about a month ago. Files are mostly empty. https://www.dropbox.com/s/ds1iyk5vffexrlx/baidu.zip.zip?dl=0


Their music arm is much much more morally elastic:

https://www.scribd.com/doc/22131876/Underground-Resistance-v...


libbd_push.so is Baidu's push notification service. Admittedly the fact they have to use native libs is a bit shady, however if you have a large Chinese userbase then GCM isn't really an option.


I'm the owner of the new Sony Z3 and even before this new model, I had the same Baidu folder in my older Sony Xperia S. I don't understand so many talk-talk now and not before?


The worst part is that it starts the service and connects to China without your consent or making you aware of it. At least I can turn off Google sync without any issues.


This makes me sad, I just bought the Z3c.


In-depth analysis: Is Sony’s Xperia smartphone sending back data to China through ‘Baidu’ folder backdoor? http://www.techworm.net/2014/10/sonys-xperia-baidu-folder-au...



