This may be slightly off-topic, but as someone who has wanted to write apps before, I find the amount of "bloat" surrounding the Android ecosystem in general is astounding. For example, there is a "LegalTerm" app whose classes.jar is nearly 2MB, and I suspect its function is to only display this legal information and possibly ask the user whether to agree:<p><a href="https://github.com/julKali/nokia8-evenwell/blob/master/packages/LegalTerm/apktool/res/values-en-rUS/strings.xml" rel="nofollow">https://github.com/julKali/nokia8-evenwell/blob/master/packa...</a><p>Yet looking at the other files included, it seems this app also draws its UI using bitmaps in a dozen different sizes, and has to reimplement something as elementary as text selection ( <a href="https://github.com/julKali/nokia8-evenwell/blob/master/packages/LegalTerm/apktool/res/drawable-xxxhdpi/abc_text_select_handle_left_mtrl_dark.png" rel="nofollow">https://github.com/julKali/nokia8-evenwell/blob/master/packa...</a> ). Are they going overboard, or is this just how Android works? I primarily work in Win32 and such a simple app there would have a size measured in kilobytes, not megabytes.
So I have spent some initial time looking at this.<p>com.evenwell.autoregistration.Caivs has some worrying looking stuff.<p>There is a website here with the username and password in cleartext in the jars: <a href="https://www.c2dms.com" rel="nofollow">https://www.c2dms.com</a> Nothing visible/doable once logged in from what I could see.<p>It also appears to be collecting fine-grained location data, e.g. this is the output from logcat (I have obfuscated my own GPS coords here, but they are 6 digits of accuracy)<p><pre><code> 2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: LocationUpdated: 3.location:Location[gps 51.xxxxxx,-0.xxxxxx hAcc=39 et=+1d19h59m28s923ms alt=102.50201416015625 vel=3.09 bear=14.3 vAcc=24 sAcc=3 bAcc=10 {Bundle[mParcelledData.dataSize=96]}]
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: gps accuracy:38.592003
2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: is in accuracy :1000
</code></pre>
com.evenwell.autoregistration.Utils.RegisterManager seems to be doing some scheduled checks and doing something with this collected data in the first 24 hours, then phased at 15 and 90 days. It is not clear what is happening having only done an initial scan over this.<p>It does <i>look like</i> they are doing some checking to see if the device is a Nokia device and selectively doing or not doing location-based stuff based on that, e.g. from com.evenwell.autoregistration.Utils.GetInfo<p><pre><code> 2019-03-30 20:09:25.108 16558-16577/? D/[CAIVS] GetInfo: getCellLocation: in black list
</code></pre>
Further investigation is probably warranted. This looks a bit suspect and might only send data on specific days (and would explain why I did not notice anything outbound over my 4-day period of checking before).
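A small detector for the kind of logcat lines quoted above, added here as an example (it is not code from the nokia8-evenwell repository or from the commenter): it parses logcat "threadtime" lines, pulls the provider, coordinates and horizontal accuracy out of any dumped Location[...] record, and reports the fixes precise enough to place the handset at street level. SAMPLE_LOG is constructed for this example in the format shown above (the coordinates are made up), and the 100 m threshold is an arbitrary choice.

```python
"""Flag fine-grained location fixes in Android logcat output (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# logcat -v threadtime: "date time pid-tid/package LEVEL/TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>[\d:.]+)\s+"
    r"(?P<pid>\d+)-(?P<tid>\d+)/(?P<pkg>\S+)\s+"
    r"(?P<level>[VDIWEF])/(?P<tag>.*?):\s+(?P<msg>.*)$"
)
# android.location.Location.toString(): Location[provider lat,lon key=value ...]
LOCATION_RE = re.compile(
    r"Location\[(?P<provider>\w+)\s+(?P<lat>-?\d+\.\d+),(?P<lon>-?\d+\.\d+)(?P<rest>[^\]]*)\]"
)
KV_RE = re.compile(r"(\w+)=([-+\w.]+)")


@dataclass
class LocationEvent:
    timestamp: str
    pid: int
    tag: str
    provider: str
    lat: float
    lon: float
    h_acc: Optional[float]  # horizontal accuracy in metres, if the record carries hAcc


def parse_logcat(lines: Iterable[str]) -> Iterator[LocationEvent]:
    """Yield one LocationEvent per log line that dumps a Location[...] record."""
    for line in lines:
        m = LOGCAT_RE.match(line.strip())
        if not m:
            continue
        loc = LOCATION_RE.search(m["msg"])
        if not loc:
            continue  # e.g. the "updateLocation: gps accuracy:..." lines carry no fix
        fields = dict(KV_RE.findall(loc["rest"]))
        h_acc = float(fields["hAcc"]) if "hAcc" in fields else None
        yield LocationEvent(
            timestamp=f"{m['date']} {m['time']}",
            pid=int(m["pid"]),
            tag=m["tag"],
            provider=loc["provider"],
            lat=float(loc["lat"]),
            lon=float(loc["lon"]),
            h_acc=h_acc,
        )


def fine_location_events(lines: Iterable[str], max_h_acc: float = 100.0) -> List[LocationEvent]:
    """Return only fixes whose horizontal accuracy is within max_h_acc metres."""
    return [e for e in parse_logcat(lines) if e.h_acc is not None and e.h_acc <= max_h_acc]


# Constructed sample in the format of the logcat output quoted above; coordinates are made up.
SAMPLE_LOG = [
    "2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: LocationUpdated: "
    "3.location:Location[gps 51.500001,-0.120002 hAcc=39 et=+1d19h59m28s923ms "
    "alt=102.5 vel=3.09 bear=14.3 vAcc=24 sAcc=3 bAcc=10 {Bundle[mParcelledData.dataSize=96]}]",
    "2019-03-30 19:38:21.406 15139-15159/? D/[CAIVS] LocationFinder: updateLocation: gps accuracy:38.592003",
    "2019-03-30 19:40:02.118 15139-15159/? D/[CAIVS] LocationFinder: LocationUpdated: "
    "3.location:Location[network 51.50,-0.12 hAcc=1500 et=+1d20h01m09s512ms]",
]

if __name__ == "__main__":
    # pipe real output in with: adb logcat -v threadtime | python3 this_script.py
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for e in fine_location_events(source):
        print(f"{e.timestamp} pid={e.pid} {e.tag}: {e.provider} fix, hAcc={e.h_acc} m")
```

Matching the pid back to a package is a separate `adb shell ps` lookup; the tag alone is enough to attribute these lines, but a detector run across all of logcat should key on the pid, since any process can pick any tag.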
There was a recent posting about Nokia phones calling home to China (<a href="https://news.ycombinator.com/item?id=19449824" rel="nofollow">https://news.ycombinator.com/item?id=19449824</a>) which I guess prompted this.<p>Personally I think it would have been useful to see the Java hosted directly in the git repo rather than as a zip; then we could have casually browsed or searched for tell-tale things (e.g. HTTP/TCP stuff in the Java) within the repo without having to clone, decompress them all individually, then search on a local drive. Smali works I guess, but I am personally not familiar with it.<p>For anyone interested, I had a month-or-so-old Nokia 7.1 on Android 9 (UK one bought from a high street retailer). A lot of these packages look similar to that (not done a detailed check but the names look familiar).<p>After the "phoning home" posting I installed NoRoot Firewall to examine what was going on and whether any of these evenwell packages were calling out. I was not able to find any evidence of "phoning home" in the several days I was running NoRoot Firewall. The main weird thing was the camera app connecting to Facebook (for the live streaming) even though I hadn't set any of that up or have a Facebook account. Original comment: <a href="https://news.ycombinator.com/item?id=19450847" rel="nofollow">https://news.ycombinator.com/item?id=19450847</a> I am not saying that they never send anything, but I did not see any evidence of it happening for the 3 or 4 days I was looking for it.
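The "search for tell-tale things" step from the comment above, as an added example that is not code from the nokia8-evenwell repository or from the commenter: one pass over a tree of decompiled .java or .smali files that reports URL literals, HTTP client and raw socket use, TLS-validation overrides and hard-coded credential assignments, so a package can be triaged without opening each class. The Java and smali spellings of each API are matched by the same pattern, which covers both jadx-style and apktool-style output. SAMPLE_TREE is constructed for this example; its package names, endpoint (example.invalid) and credential value are placeholders, not strings taken from any real package.

```python
"""Triage decompiled Android sources for network and credential indicators (added example)."""
import os
import re
import textwrap
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Java and smali spellings of the same API sit in one pattern so either decompiler
# output is covered by the same pass.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("url-literal", re.compile(r'"(?:https?|wss?|ftp)://[^"\s]+"')),
    ("http-client", re.compile(
        r"HttpURLConnection|OkHttpClient|\bHttpClient\b"
        r"|Ljava/net/HttpURLConnection;|Lokhttp3/OkHttpClient;|Lorg/apache/http/")),
    ("raw-socket", re.compile(
        r"\bjava\.net\.(?:Socket|DatagramSocket|ServerSocket)\b|\bnew Socket\("
        r"|Ljava/net/(?:Socket|DatagramSocket|ServerSocket);")),
    ("tls-override", re.compile(
        r"X509TrustManager|HostnameVerifier"
        r"|Ljavax/net/ssl/(?:X509TrustManager|HostnameVerifier);")),
    # a credential-ish identifier followed within 40 characters by a quoted value
    ("credential", re.compile(
        r'(?i)\b(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\b[^"\n]{0,40}"[^"]{4,}"')),
]


@dataclass
class Finding:
    path: str
    line_no: int
    category: str
    snippet: str


def scan_source(path: str, text: str) -> Iterator[Finding]:
    """Yield a Finding for every (line, category) pair that matches an indicator."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, pattern in INDICATORS:
            if pattern.search(line):
                yield Finding(path, line_no, category, line.strip()[:120])


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """files maps a relative path to its contents; only .java and .smali are scanned."""
    findings: List[Finding] = []
    for path in sorted(files):
        if path.endswith((".java", ".smali")):
            findings.extend(scan_source(path, files[path]))
    return findings


def load_tree(root: str) -> Dict[str, str]:
    """Read a decompiled package directory (jadx or apktool output) into memory."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".java", ".smali")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, a quick first look before reading the hits."""
    return dict(Counter(f.category for f in findings))


# Constructed sample tree: placeholder package, endpoint and credential, not real values.
SAMPLE_TREE: Dict[str, str] = {
    "com/example/autoreg/Caivs.java": textwrap.dedent('''\
        package com.example.autoreg;  // constructed sample, not a real package
        import java.net.HttpURLConnection;
        import java.net.URL;
        public class Caivs {
            private static final String USER = "device-reg";
            private static final String PASSWORD = "hunter2";
            void send(String body) throws Exception {
                URL u = new URL("https://example.invalid/register");
                HttpURLConnection c = (HttpURLConnection) u.openConnection();
            }
        }
        '''),
    "com/example/autoreg/RegisterManager.smali": textwrap.dedent('''\
        .class public Lcom/example/autoreg/RegisterManager;
        .field private static final PWD:Ljava/lang/String; = "hunter2"
        .method private connect()V
            new-instance v0, Ljava/net/Socket;
            const-string v1, "https://example.invalid/ping"
            return-void
        .end method
        '''),
}

if __name__ == "__main__":
    import sys
    tree = load_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE
    for f in scan_tree(tree):
        print(f"{f.path}:{f.line_no}: [{f.category}] {f.snippet}")
    print(summarize(scan_tree(tree)))
```

Run it as `python3 scan.py path/to/decompiled/package` against a jadx or apktool output directory; the credential pattern is deliberately loose and will produce false positives on names like `tokenType`, which is the right trade-off for a first triage pass.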
I bought an Amazon Fire HD10. The amount of bloatware is unimaginable. The battery would go from 100% to 20% during the night when no one was using the thing. I eventually rooted it, removed all the unwanted 'features'/apps and now the tablet goes from 100% to 99% when sleeping for 12 hours and when I actually use it to read a book the drop is negligible (I am using the night mode).<p>The same happened with my android phone, once I got rid of all the crapware (NoRoot firewall helped in both devices to see who tries to go behind my back).
These are all made by (basically) Foxconn, who do all the design and manufacturing for HMD (also I believe Terry Gou owns a large stake in HMD).<p>Browsing through the decompiled packages isn’t really that concerning, to be honest.<p>Also, technically it’s Taiwan. ;)
As foobarbazetc noted, the listed packages have been specifically developed for Nokia (HMD). And although many only actually send telemetry on Nokia phones that have been sold in China, there is still quite a lot of data at stake that can be used to track the device when combined with data from other sources.<p>I wanted to share my findings to create the awareness that the mechanisms are there and it only takes a little misconfiguration (see <a href="https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia-7-plus-was-sending-personal-data-to-china" rel="nofollow">https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia...</a>) and all this goes straight to the Chinese authorities.
This isn't as horrifying as the Carrier IQ snafu of prior years [0].<p>The simplest thing one could do right now to get some semblance of privacy back is to use Blokada [1] / Intra + AdGuard DNS [2] (better than Blokada, because it does DoH). Of course, you could also use Pi-hole [3] to that effect as well, but I am not sure if it qualifies as "simple". These DNS-based anti-tracking solutions are tremendously effective right now, though inevitably the trackers would work around it [4].<p>Other than that, go over the apps list on Android [5] and see the ones you don't have a need for and...<p>1. Disable them.<p>2. If you can't do #1, remove all permissions. Remember, certain permissions like "draw on top of other apps" and "read notifications" are elsewhere.<p>3. If you can't do #2, remove their ability to talk to the internet for both mobile data and wifi [6].<p>Remember to back up your data. I've seen at least one ROM (looking at you, Lenovo) getting stuck in a boot loop when certain apps are disabled or permissions removed from them.<p>I think I/someone should buckle up and write an open-source app that helps with one-click lock-down. Someday...<p>Bonus:<p>Avoid Chrome.
Use Firefox with uMatrix, HTTPS Everywhere, CanvasBlocker, First Party Isolation, and Decentraleyes.<p>---<p>[0] <a href="https://hn.algolia.com/?query=carrieriq&sort=byPopularity&prefix=false&page=0&dateRange=all&type=story" rel="nofollow">https://hn.algolia.com/?query=carrieriq&sort=byPopularity&pr...</a><p>[1] <a href="https://play.google.com/store/apps/details?id=org.blokada.alarm.dnschanger" rel="nofollow">https://play.google.com/store/apps/details?id=org.blokada.al...</a> (root version has better capabilities)<p>[2] <a href="https://news.ycombinator.com/item?id=18788410" rel="nofollow">https://news.ycombinator.com/item?id=18788410</a><p>[3] <a href="https://news.ycombinator.com/item?id=18075159" rel="nofollow">https://news.ycombinator.com/item?id=18075159</a><p>[4] <a href="https://news.ycombinator.com/item?id=19258717" rel="nofollow">https://news.ycombinator.com/item?id=19258717</a><p>[5] Use Exodus Privacy to determine which apps have been found to integrate with known trackers. <a href="https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy" rel="nofollow">https://play.google.com/store/apps/details?id=org.eu.exodus_...</a><p>[6] <a href="https://play.google.com/store/apps/details?id=com.glasswire.android" rel="nofollow">https://play.google.com/store/apps/details?id=com.glasswire....</a>
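The three lockdown steps from the comment above, driven over adb from a host rather than tapped through Settings, as an added example that is not the commenter's code or a tool from any project. Step 1 disables the package for the current user, which needs no root for most packages; if the device refuses, step 2 revokes the runtime permissions listed in RUNTIME_PERMS and denies the "draw over other apps" appop, which does not appear in the ordinary permission list, and step 3 cuts the package's background data. Assumptions: `adb` is on PATH with USB debugging enabled, the device runs Android 7 or later so that `cmd appops` and `cmd netpolicy` exist, and `pm disable-user` answers "Package <pkg> new state: disabled..." on success. Cutting foreground traffic without root still takes a VPN-based firewall app like the ones linked in the comment; adb cannot do that part. The `run` parameter lets the commands be captured instead of executed.

```python
"""Lock an unwanted preinstalled package down over adb (added example)."""
import re
import subprocess
from typing import Callable, List, Optional

Runner = Callable[[List[str]], str]

# Runtime permissions worth pulling from a package that should not need them.
RUNTIME_PERMS = [
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
]


def adb_shell(args: List[str]) -> str:
    """Run `adb shell <args>` on the connected device and return its combined output."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


def parse_uid(dumpsys_output: str) -> Optional[int]:
    """Extract the app uid from `dumpsys package <pkg>` output (its `userId=NNNNN` field)."""
    m = re.search(r"\buserId=(\d+)", dumpsys_output)
    return int(m.group(1)) if m else None


def lockdown(pkg: str, run: Runner = adb_shell) -> List[str]:
    """Apply the steps in order and return the adb commands that were issued."""
    issued: List[str] = []

    def sh(*args: str) -> str:
        issued.append("adb shell " + " ".join(args))
        return run(list(args))

    # Step 1: disable for user 0. Assumption: pm replies "Package X new state: disabled-user"
    # on success and an error message otherwise (protected packages are refused).
    reply = sh("pm", "disable-user", "--user", "0", pkg)
    if "new state: disabled" in reply:
        return issued

    # Step 2: strip runtime permissions, then the overlay appop that lives outside that list.
    # `pm revoke` only applies to permissions the package declares; the rest just error out.
    for perm in RUNTIME_PERMS:
        sh("pm", "revoke", pkg, perm)
    sh("cmd", "appops", "set", pkg, "SYSTEM_ALERT_WINDOW", "deny")

    # Step 3: restrict background data for the package's uid (foreground traffic is left
    # to a VPN-based firewall app; adb has no unrooted equivalent).
    uid = parse_uid(sh("dumpsys", "package", pkg))
    if uid is not None:
        sh("cmd", "netpolicy", "add", "restrict-background-blacklist", str(uid))
    return issued


if __name__ == "__main__":
    import sys
    for cmd in lockdown(sys.argv[1]):
        print(cmd)
```

Back up first, as the comment says: disabling or de-permissioning a package that the launcher or setup wizard depends on is what produces the boot loops mentioned above, and `adb shell pm enable <pkg>` is the way back if the device still boots far enough to accept adb.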