Who owns your shiny new Pixel 9 phone? You can’t say no to Google’s surveillance - eviltoast

Google’s latest flagship smartphone raises concerns about user privacy and security. It frequently transmits private user data to the tech giant before any app is installed. Moreover, the Cybernews research team has discovered that it potentially has remote management capabilities without user awareness or approval.

Cybernews researchers analyzed the new Pixel 9 Pro XL smartphone’s web traffic, focusing on what a new smartphone sends to Google.

“Every 15 minutes, Google Pixel 9 Pro XL sends a data packet to Google. The device shares location, email address, phone number, network status, and other telemetry. Even more concerning, the phone periodically attempts to download and run new code, potentially opening up security risks,” said Aras Nazarovas, a security researcher at Cybernews…

… “The amount of data transmitted and the potential for remote management casts doubt on who truly owns the device. Users may have paid for it, but the deep integration of surveillance systems in the ecosystem may leave users vulnerable to privacy violations,” Nazarovas said…

  • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    If you only care about security, you should keep Play Services isolated in a separate profile. That way, even if there happens to be a memory corruption vulnerability in Play services, which isn’t caught by hardened_malloc or the hardware MTE in newer devices with ARMv9 chips, the rest of your system would still be safe, since Play services aren’t running as root, and in order to compromise the entire system, there would need to be a privilege escalation vulnerability in all of Android, not just Play services.

    And you know what helps reduce risk of exploit? Smaller codebases.

    Why does CalyxOS include the F-Droid privileged extension then? It’s yet another component running with elevated permissions and unnecessarily increasing attack surface. Why does it include Google’s eUICC component with elevated privileges and no proper sandboxing?

    • RubberElectrons@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      3 months ago

      Err… That component appears to be built from source per Calyx’s Gradle rules? The source is pulled from here: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/telephony/java/android/telephony/euicc

      My hardware is too old to support MTE. I’m running a pixel 3 because I’m more worried about damaging our earthly environment with this constant hardware churn.

      I’m sorry you’re unhappy that I’m happy. I’m still able to run Android 14 in a reasonably secure manner, I’m able to exchange information with other people easily, without Google getting much information from me, and that’s satisfactory. My actual security relevant machinations happen on my much better protected laptop.

      Thanks for your input, have a nice day.

      • Andromxda 🇺🇦🇵🇸🇹🇼@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        Err… That component appears to be built from source per Calyx’s Gradle rules? The source is pulled from here: https://android.googlesource.com/platform/frameworks/base/+/refs/heads/main/telephony/java/android/telephony/euicc

        That’s apparently not the entire thing though. I haven’t used CalyxOS in a long time, could go to the settings menu for adding a new eSIM and take a screenshot of it?

        I’m sorry you’re unhappy that I’m happy.

        Oh I’m absolutely not. I’m glad you found an OS you like, I just pointed out that GrapheneOS is far superior in terms of privacy and security, and therefore probably the better choice, but you are obviously free to use whatever suits your needs and makes you happy. And it’s better than the stock OS I guess.

        My actual security relevant machinations happen on my much better protected laptop.

        How do you protect a laptop to be more secure than a modern mobile device? Desktop operating systems are inherently less secure, since they lack proper application sandboxing, they often don’t even have mandatory access control mechanisms (such as SELinux or AppArmor) in place and don’t have a good way of verifying the boot image. Secure Boot is broken and essentially useless, and can’t be compared to Android Verified Boot whatsoever. TPMs aren’t secure either, and can’t even remotely be compared with proper secure elements such as the Google Titan M2 or Apple’s Secure Enclave. Do you use QubesOS, or how did you achieve better protection on your laptop compared to your smartphone?