426 comments

[ 4.8 ms ] story [ 289 ms ] thread
I think you would have to be mad to leave the stock ROM running on a Xiaomi phone, IIRC they were caught logging peoples browser history a few years ago. Several models have mainline LineageOS support, I'm running Lineage on my Mix 2S and hope to have years worth of updates going forward. The hardware is really good value as long as you install an non-tainted OS.
Not to sound paranoid, but won't even LinageOS phones have to run closed-sourced firmware and drivers?
Correct, its entirely possible they could be doing more insidious stuff at the firmware level, but dumb keyword checking is almost certainly implemented in userspace.

I don't think you can trust any proprietary firmware out there, its just a question of which you trust less than the others.

And based on recent discoveries it sounds like Xiaomi should be trusted less than others.
As stupid as it might sound, I do trust Pixel phones, and an hypothetical iPhone running a different OS, the most of all alternatives. If one want's a smartphone, if not just take a 20+ year old dumb phone. Or BlackBerry.
Good luck getting that 20 year old phone to connect to any modern wireless network. I don't think anyone is running a 2G network anymore.
I totally forgot that even 3G is going to be phased out.
Not only firmware. Custom ROMs actually have to use binary blobs in kernelspace and userspace as well, in order to be able to use the hardware.
>"its just a question of which you trust less than the others."

Simple. I do not "trust less". I just do not trust. My phone is a phone. No Internet activity. I spend enough time in front of my desktop, dragging another computer anywhere I go is the last thing on my mind.

You can replace the user-facing software, but can/would you trust the baseband?
Isn't the baseband Qualcomm code? Do you think Qualcomm allowed Xiaomi to run their own baseband on it?
Do you think a Chinese company would even ask for permission? :)
You can't exactly do it without permission though. You need to crack the bootloader for the baseband and that's way easier said than done and immediately noticeable.
> You need to crack the bootloader for the baseband and that's way easier said than done

There have been more than enough cases of people poking holes in bootloaders, including secret services. For what it's worth, Huawei and Xiaomi can be considered as part of the Chinese CCP dictatorship and I'd expect them to have access to such exploits.

> and immediately noticeable.

How is an user supposed to notice a modified baseband firmware? The only thing that a user can see is if the device has been rooted, but with a factory-supplied backdoor even that doesn't help.

There's a difference between poking a hole the device bootloader and the baseband bootloader. The second is wayyy more lockdown and has a tiny attack surface.

A user can directly download the baseband image from the chipset using for example QFIL. Then you can check if it's signed with Qualcomm's key or another. Exploiting this would require Xiaomi to hide two baseband firmwares in the baseband firmware which isn't feasible, and it would also require them to completely rewrite the baseband bootloader instead of just exploiting it.

But even then you'd be able to read the eMMC and notice that there are two baseband firmwares. If you want to figure it out, you're free to buy any Xiaomi phone, read the eMMC, and check how many baseband images there are, then you'll be able to definitively know. Let me know if you do it.

When I said immediately noticeable I meant by Qualcomm, not by the end user though. They have contractual obligations to lock down their baseband and their licensing system relies on it so they have a large incentive.

Only when CPU is Qualcomm I think. I'm not knowledgeable with QPST/QXDM scenes but it didn't sound like firmware integrity mechanisms on qcom modems are too tight.
Of course the firmware is only Qualcomm if the modem is Qualcomm.

QPST/QXDM allows you to mess with the modems by sending it commands and changing configs yeah. But if you want to flash the firmware that's something else.

Yeah the firmware integrity mechanism are not the best, and there's definitely vulnerabilities in the firmware. But there's still no way of installing unsigned firmware on more recent devices, and I've never come across a way of running unsigned code without it being really obvious.

There was a bug recently that allowed you edit baseband memory from within the OS, but again you'll never be able to hide that from Qualcomm on a million devices.

I was stupid enough to buy a Xiaomi phone without enough due diligence. Aside from all spying that is going on, the software is abysmal.

The problem with replacing the OS is that I believe most banking apps I use will stop working. Might just need to write this phone off.

I have installed an AOSP-based rom on my Xiaomi 9T and banking apps (well, at least one) seems to be working fine.
Did you have any problems with AOSP? I want to replace the stock spyware on me mom's 9T, but the experience seems to be mixed, judging by a couple of forum discussions.
Minor inconveniences mostly, but that's probably because I keep flashing different ROMs to try stuff out.

My only "issue" is that because of my escapedes with flashing I now have only Widevine L3 support, so no full-HD videos on Netflix. But this should be easily fixed by flashing xiaomi.eu ROM and then going back to AOSP.

This is my daily driver: https://forum.xda-developers.com/t/rom-11-0-official-davinci...

Banking has to be the dumbest "security" industry there is.

Restrict apps, but can still log in via browser.

I have one bank app that actually says to screenshot a payment screen for your records, while blocking screenshots via app policy.

> Restrict apps, but can still log in via browser.

This isn't paradoxical. You treat the browser as a less trusted security domain than a phone, which usually has a secure boot chain, strong sandboxing, encrypted disk, reliable hardware cryptography etc, and therefore provide a different/better service on the phone. If a phone is missing one of these expected components then you're not the target market for the app, I guess. (Of course, your phone OS might be perfectly good, and the stock one might be crap, but the app developers don't care.)

They allow browsers with, for example, extensions that can spy on a banking interaction with very little effort.
What can a phone OS do to an app that a modern browser can't do to a webpage, as it relates to being a frontend to your bank account?
If the bank is planning to use the app to replace their hardware 2FA tokens (that they used to mandate for web transactions here), then the app must be considered more secure than the browser (probably because the secrets can be placed somewhere not trivially readable).
I disagree. My main bank allows several high-risk actions to be performed when logged in from a web browser, which are entirely impossible from the mobile banking app.

It's completely ridiculous that I can't use my mobile banking app for day to day low risk, low volume transactions if my phone is rooted, yet I can do anything and everything with high values of cash and credit from a Linux machine running any web browser I wish, as root.

The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price who "ensure security" by just saying, "lets chuck a library in that prevents running if the device is detected as being rooted, and call it a day".

These are protections any reasonably technical user can circumvent with the likes of Magisk and still, all to do far, far less damage than is possible than if they were to use a web browser.

> yet I can do anything and everything with high values of cash and credit from a Linux machine running any web browser I wish, as root.

Don't give them any ideas. They'll just ban Linux browsers now.

> The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price who "ensure security" by just saying, "lets chuck a library in that prevents running if the device is detected as being rooted, and call it a day".

I don't understand, why people think so. Banks hire good developers. They don't pay them well (by banks' own standards), but they still pay enough to hire competent programmers.

Unfortunately, working in bank is highly competitive environment, that fosters sycophants and rewards socially adept people, good at obeying orders to letter. Who cares, what the programmers think, they are at the bottom of command chain anyway.

The fraud prevention is often split into it's own department. As for "computer security" department, it is a fang-less security circus, that exists to satisfy PCI DSS. In some banks it outright pretends, that web sites and mobile apps don't exist. All your data will be processed in "secure server enclave", managed by "certified professionals", while sending hashes of credit card numbers to Google Analytics.

That's what happens when you have external security requirements along with audits and incompetent/greedy management. Designing and implementing a security policy based on the standard is a waste of money when you can do the bare minimum by checking off boxes.
Bank websites in some (developed, European) countries restrict you to 6-8 digit passwords (not alphanumeric), and don't have a 2FA option like Facebook or Google do. It's a massive joke.
Granted that is on a phone where you can usually just swipe left to their email application and run through some forgot your password steps - also the 2FA that most people use is just SMS which goes to the same place.

Assume that if someone has your unlocked phone they own your life.

The concern with SMS is SIM cloning. An aspiring code thief doesn't need your phone once they can pretend to be your phone.
Many must also store them in plaintext as well, or something like it, because the operator has to be able to confirm the spoken password for telebanking.
Oh and it changes every 6 months "for security reasons" thus guaranteeing it's either very simple or you write it down!
My favourite was when I needed to enter the second and fifth caracter of my password, and seventh and ninth digit from the login number. These are surely hashed in the database! (Metro Bank UK) not banking with them anymore.
Not to mention the widespread SMS two factor.
Totally agree, on my stock Pixel 4a using NextDNS breaks my banking apps (presumably because they're using analytics that get blocked, sigh).
Banking apps are often the worst from the speed and user experience perspective as well. It's like they hire worst developers to work for them.
Banking is known for skimping on IT staff, hiring cheapest possible workers from 3rd world countries and essentially running sweatshops.
Use Magisk, your banking apps will work fine.
For now, until hardware backed attestation becomes properly enforced... Isn't security great
It probably will never be. It just takes one OEM to fuck it up and everyone can use their device ID. That's why hardware backed attestation doesn't work, OnePlus fucked it up and now Magisk can pretend to be that phone and get exempted.
If a Chinese oem loses their keys why not just revoke them?
And cut off the phone from SafetyNet? That would hurt SafetyNet adoption and be bad for Google, which is presumably why they didn't do it for OnePlus.
Banking works under CalyxOS with microG. It doesn't like VPNs so, which I can understand somewhat.
Even apps like Netflix are configured not to be available on Google play if the device is not a certified one. That certification is lost AFAIK on rooting. I have two perfectly good android tablets that can’t run Netflix
(comment deleted)
Is there anyone who knows how to root a device that doesn't know how to torrent?
Not even just that but magisk modules can show phone as stock to banking apps and such.

Really this all just shows that people will truly put up with anything to make their lives more convenient, or for them to have to do less work.

> truly put up with anything to make their lives more convenient

This is a contradiction in terms.

No it's not.

That's the reality we live in. They will put up with being spied upon 24/7 for the convenience of a cheap phone they can't be bothered to root and ROM.

I'm far too lazy to torrent crap at my age - it takes too long and it can be a pain to find what I want.
Made me chuckle. I know a guy who finds Netflix a total PITA and the streaming experience (sorely) lacking. So he pays for Netflix streaming and dvds, and then downloads what he wants to watch via torrents for the convenience.
I think if you've been torrenting this entire time you're probably set for life - being looped into all sorts of movie sharing rings that you regularly seed for... but breaking into it fresh - it's tough.
I used to be in those groups but stopped years ago. I'm still fine just using exclusively public torrents on public trackers via a VPN.
This is why I still have my iPhone around. I know that one day my banking apps will just stop working. For now, Magisk Hide does the job.

Next time when I'll be looking for a new Android phone to buy, stock Android will be a hard requirement. I was stupid to pick my Xiaomi phone for it's hardware, I should've just gone with a Motorola.

I went from two nexuses to two motorolas to the Xiaomi. I didn't how good I had it with stock Android.
wouldn't it make more sense to have an open(able) bootloader as a hard requirement? What if your phone, regardless of OS, never gets updates?
What kind of due diligence is needed besides knowing it's built by a Chinese company?
I have a Mi 8 and use the xiaomi.eu ROM which supposedly has a lot of the junk removed. I also rooted it. I have no issues with any banking apps, Netflix or SafetyNet.
Most people don't care if another country spies on them, since their laws don't apply to them. They would care much more if they are profiled by their own government. Or more like tech companies on behalf of the government spying on them, and them being discriminated, harassed, or jailed based on that data. So in a way its actually kind of smart to go with a Chinese phone if you live in America.
Galaxy Brain take.
(comment deleted)
Good value assuming you're on the right carrier. AT&T in the US and its MVNOs are moving to a whitelist model in February, making Xiaomi phones unusable for anyone in the US not on T-Mobile.
On a related note, Realme recently bricked two (maybe more) phone models with an update that caused a soft-boot loop if the weather service (!) was removed by the user to reduce bloat. The problem is not fixed. People have lost data. I personally put Realme on my "never do business with" list.

If their engineering is so poor that they haven't caught this in time, nor reacted by releasing a one-line software patch that can be applied manually (cause users sure as hell can't do it themselves - stock can only apply signed updates), they shouldn't be trusted with anything.

What difference does it make to disable the censorship function compared to fully removing it from the code base?

Considering that phone updates cannot be verified, every phone maker has the ability to secretly add such features at any time. And if the phone is link to a user account they could even do this in a targeted way.

The thing is if these censorship is enabled, its going to be found out in a second by someone and explode in the news. All it does is that it deletes a word you typed on your phone or prevent you from seeing a piece of content that you want to see. It's going to be so obvious. It will not achieve the desired goal to censor in the first place and will make people realize what you don't want people to see. It will completely backfire. Given it is a broken and illogical plan, then it is highly unlikely there is a a multi year effort to build phones, sale to international markets, just to censor what people want to say and feed people about ccp propaganda. Even if someone is so stupid and want to do it anyway. What you fear is the censorship actually work. But you don't have to worry about that as it will not work.
I wonder when it'd be accidentally turned on
(comment deleted)
I would like to see concrete reproducible evidence for this.
The 35 page report has details that should make it easy to replicate.

"This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time of the analysis, the MiAdBlacklistConfig file contained 449 elements). A fragment of the MiAdBlacklistConfig file is shown in Table 14." page 23

Linked elsewhere but here's the PDF report: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...

Hmm that is why that Huawie android fork flaw of running other mods as system allowed with hidden updates is screaming at me now.

Its way to update that mod in real time without the user knowing about it as its system allowed due it running in a separate allowed system space.

Time to pressure vendors to seek RYF certification.
We should be up in arms over this. But we should also be up in arms over Apple's "CSAM" plans.

Surveillance doesn't belong on our devices. Period.

Once it's in, the dictators can clamp down even harder. Over time, freedom atrophies and the window slides closer to totalitarian control.

Don't invite the devil in. Scream it away.

There were multiple articles about apple's csm with discussions.
And we should stop talking about it? That's what Apple and the intelligence orgs want.
I'm totally up for talking about it, what more can we talk about tho? I'm switching vendors and advocating for open sw/hw. Open to more threads!
I don’t see Lithuania writing a report or making a fuss about it. Weird.
No, someone a lot more powerful did:

"Member of the German parliament, Manuel Höferlin, who serves as the chairman of the Digital Agenda committee in Germany, has penned a letter to Apple CEO Tim Cook, pleading Apple to abandon its plan to scan iPhone users' photo libraries"

https://www.macrumors.com/2021/08/18/german-politician-lette...

https://appleinsider.com/articles/21/08/17/germany-writes-to...

Along with

"Apple photo-scanning plan faces global backlash from 90 rights groups"

https://arstechnica.com/tech-policy/2021/08/apple-photo-scan...

And 487 other articles, reports, fusses that went against Apple's plans.

Why is this linked to some random tweet that adds absolutely nothing instead of the article the tweet links to? https://www.reuters.com/business/media-telecom/lithuania-say...
I used the tweet due to the paywall of the Reuters article.

Another user below found the best link, the true original source:

Here's the official report: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi... (link updated)

Since when has Reuters employed a paywall? I know they had planned on implementing one earlier this year, but that was indefinitely postponed.
Ah, it says "Register for Free". So not really a paywall, my mistake.
You pay with your personal data :)
Well, I for one can't read the article other than in the private mode, because the site says it's time to register.
Bypass it by blocking arcpublishing.com in uBO, hosts or DNS
Free Tibet. I just typed that on my Xiaomi with stock MIUI, using Google Gboard.
I don't think there were allegations that you couldn't type Free Tibet?
What exactly are the allegations then?

"have a built-in ability to detect and censor terms such as "Free Tibet"

Censor by preventing one posting the phrase? Removing the phrase from web pages?

What are the steps to reproduce?

The allegation is that the censorship code is there. It's disabled on phones in western markets, but can be enabled remotely by the manufacturer.
So, it's better than US made spyware which cannot be removed from "our" PC CPUs? Best we can do is "disable" these features in the BIOS/UEFI and sleep well, even though we nothing's really stopped.

Sorry for the whataboutism but I am lot less concerned about Chinese spyware because I know for a fact that my government serves the EU and the US.

All this anti China propaganda is really tiresome. China this, China that. Someone seems really scared. Fuck this someone

As you can see, one gets downvoted quickly when pointing out double standards, or posting anything else that could interfere with anti-Chinese propaganda efforts.
The reply was to my fairly "just the facts" statement, where I didn't characterize what was happening, just explained it.
> It's disabled on phones in western markets, but can be enabled remotely by the manufacturer

Well, I think everything can be enabled remotely by your manufacturer, no matter which... it is what we call "software upgrades".

But for me, a western, it's actually good to have a phone controlled by the Chinese. I would be concerned if it were controlled by my government, though.

It's also in Chinese, so if it is activated typing it in English doesn't do anything. But that's not to say that it can't be also updated to be other languages
It's all covered in the 32 page research report:

Xiaomi system applications (Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) have been found to regularly download the manufacturer’s updated configuration file MiAdBlacklistConfig from a server located in Singapore. This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified in the MiAdBlacklistConfig file). Analysis of the Xiaomi application code showed that the applications have implemented software classes for filtering the target multimedia displayed on the device according to the downloaded MiAdBlacklistConfig list. This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information.

PDF here: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...

Right
I don't understand what you're saying or intending with your comments. There are 32 pages in the report. I'm curious about steps to replicate as well, generally for stuff like this.
I mean the piece quoted above is the correct original source. I wanted to post exactly this snippet myself.

From that a possible test case can be to open this HN thread in MiBrowser and see the webpage blocked due to the "free Tibet" phrases posted here (assuming MiAdBlacklistConfig includes English versions).

If anyone has a Xiaomi phone and is willing to accept the MiBrowser terms of use, please try.

Right. MiAdBlackListConfig does not include English versions, according to the 32 page research article. Therefore "Free Tibet" is not relevant.

A user here testing this is irrelevant. If someone wants to verify, figure out where we can get the codebase and search these strings ourselves.

Chinese versions are posted already too, so this thead can be used for testing now.
Unless you are based in China, a Chinese national, a known dissident or a journalist it doesn't really matter, does it? Also, how do you know what Xiaomi did after you typed it?

EDIT: As I really phrased it badly, I mean it doesn't proof anything if none of the above mentioned groups does it. It absolutely matters that Xiaomi is censoring and monitoring stuff based on key words. I oppose that even more than oppose Apple monitoring child pornography. Simply because Xiaomi is already doing the monitoring for a non Democratic repressive government.

Are you saying you don't care what happens to journalists around the world? Seems like a recipe for disaster.
No, quite the opposite actually. Just that it doesn't mean anything if a random Xiaomi user in Europe can type words Xiaomi is monitoring. Since that user most likely isn't the reason why Xiaomi is doing that kind of stuff.
Oh I get what you mean, my bad. You're saying the above poster "typing in Free Tibet and nothing bad happened" doesn't prove anything. Yep, agreed.
Exactly that, I could have phrased it better I think.
Yes, rather than "it doesn't matter", something like "typing in a phrase yourself isn't relevant as this feature is likely disabled for you".

Believe that's why you're being downvoted. The way HN moves comments around also so yours was not right next to the comment you replied to, which didn't help.

Reading my comment again, I do see the problem... On the positive side, it teaches clear, consive writing. Even in quick, short comments. Or thinking, as far as that's concerned. I would have used the same words verbally as well.
Pronouns in particular seem problematic. "It", "they", "he", "her" seem to be on their way out because they are less and less useful at communicating information.
Those first two categories make up 1 in 5 people on earth. You don't care what happens to 20% of the human race?
According to the 32 page research report the phrase is "西藏自由", and also that blocking is disabled outside regions of interest. So it's likely you won't see anything happen, but worth a try!
> "Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Defence Deputy Minister Margiris Abukevicius told reporters in introducing the report.

This is applicable equally for every other country.

Xiaoyu for doing stuff like this.
What happens when you type - Winnie the pooh ?
Whilst the loveable bear was somewhat banned online for a little time a while ago, it's now not actually banned in China in itself and is and has been a popular children's toy. Disney stores also exist and sell winne the pooh in China.

What's more accurate is the use of the bear with reference to their leader (who looks like him!)

A better string would be "tianamen square massacre"

From the article: Relations between Lithuania and China have soured recently. China demanded last month that Lithuania withdraw its ambassador in Beijing and said it would recall its envoy to Vilnius after Taiwan announced that its mission in Lithuania would be called the Taiwanese Representative Office

No one trust China but this sure looks like politically motivated. Was someone else able to authenticate or reproduce the results.

Yes the context is Lithuania dared state the obvious fact that Taiwan is a country, and now they are paying the price.
You can read the report and literally look up file on your Xiaomi phone which contains censored words.
Most people don't have Xiaomi phones. And it's worth noting that the document only mentions some of those, from over 300 entries. What are the others and why were they redacted out?
Thet are very common in Lithuania, to the point where I’d say around 20% of new phones being sold are from Xiaomi. They expanded heavily into other industries, like home automation, with prices that are a fraction of what other manufacturers would ask for their hardware.
I am not sure how accurate this information is but quick google search says Xiaomi have 24% phone market share in EU, not just Lithuania.
My prediction is that their market share is going to substantially grow. Xiaomi phones are much cheaper in terms of the hardware they offer. A Xiaomi Poco F3 costs €350. A comparable device from others is probably in the €>450 range. An iPhone's probably in the €>800 range.
There are no details really as to how Xiaomi censors those terms. If one does not use the bundled-in browser / app-store, I doubt Xiaomi can censor anything at all in other browsers unless they MiTM with client-cert. OTOH, many popular non-browser apps (at least the ones that matter) pin certificates, so even Lenovo-esque shenanigans wouldn't work [0].

What can they possibly be doing in the firmware or the ROM to break TLS (and other such authenticated key-exchange protocols)? The only thing I think of: Injecting a compromised https stack in to an app's classpath / ld_library_path. This may sound ambitious, but the Android modding community already uses such runtime swappers to great affect [1][2].

[0] https://news.ycombinator.com/item?id=9072424

[1] https://forum.xda-developers.com/f/magisk.5903/

[2] https://forum.xda-developers.com/f/xposed-general.3094/

Off the top of my head, theu can censor at the keyboard level, at the SMS level, and at the camera level: https://www.reddit.com/r/Xiaomi/comments/pgk8y3/xiaomi_camer...
Yikes, yes: The Input Methods are totally under their (ROM's) control even if one uses a non-Xiaomi keyboard.
Free tibet", long live Taiwan independence", or "democracy movement".

i sent this to a friend who owns a xiaomi phone and asked him to resent this back to me via sms. the message appeared just fine.

note: i am from india so this might not be enabled on the phones here for now

It may appear fine but your friend may be logged.
so what is the chinese government going to do to an indian who sent the text to someone ? force xiaomi to do something sinister to them?
Maybe keep getting scored until it reaches a certain threshold and gets marked for closer inspection of who the person is?
Censorship of the Taiwanese flag by Apple on the iPhone for users in China manifested itself as a crash whenever the Taiwan flag emoji was used[1].

[1] https://www.wired.com/story/apple-china-censorship-bug-iphon...

> But Wardle found that in some edge cases, a bug in the Taiwan-censorship code meant that instead of treating the Taiwan emoji as missing from the phone's library, it instead considered it an invalid input. That caused phones to crash altogether, resulting in what hackers call a denial-of-service attack that would let anyone crash a vulnerable device on command.

Which was also a bug—the conditions of which's existence are manifestly political (which I have zero desire/intent to defend here), but nonetheless an Apple-side bug that was patched eventually

Android hacker community, like XDA, should be able to quickly reserve engineer this as more details surface
Maybe they just turn offenders along with the evidence over the the PLA, for "review."
Thanks to those who posted a link to the actual report [1]

It may be worth clarifying that all those keywords and terms are in Chinese. So when they say "Free Tibet" they mean that the phone has a blacklist file that contains "西藏自由" and which use is disabled in the "European region".

On the other hand, it seems that this blacklist file is actually downloaded into the phone, which suggests to me that they could update it to match any terms in any language if they wanted.

I think that Chinese manufacturers will really need to produce 'clean' firmware that satisfies independent audits instead of these superficial feature flags if they want to continue to sell in the West long term. If not they will suffer Huawei's fate one after the other when this sort of thing is found out.

[1] https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...

> which suggests to me that they could update it to match any terms in any language if they wanted.

About the same thing as Apple scanning iPhones for what they say is child porn.

suggests to me they could update it to match any images if they wanted...

Pretty much the same thing, if you ask me.
Are there any good non-Chinese smartphone besides Samsung? Preferably someone who delivers a stock android?
(comment deleted)
iPhone?
Depending on your definition that’s also a Chinese phone. You might be able to get one build in India, but that require a lot of effort.

The problem is that you’re more or less screwed if you trust neither China nor Google. Generally speaking the iPhone is your best option, but partly due to a lack of options.

Just buy Pixel phones, the pure Android experience and day 1 updates are worth it. The new Pixel 6 will use LTS kernel and custom SoC, rumored to have updates for 5 years instead of what was a standard of 3.
(comment deleted)
If you care about privacy one of the few options is a Google Pixel with CalyxOS and no Google Services.
Consider the Gigaset GS4 or one of their older devices. The GS4 is not currently rooted afaik but some of their older devices (GS290?) are supported by (edit)e.foundation [1] and etc. As an additional benefit, they are made in Germany (though the origin of the parts is probably not exclusively German I guess.)

[1] https://doc.e.foundation/devices

I wonder why is anybody still surprised.

China has no qualms invading privacy of anybody. They will try any and every way to get whatever they need and they are pretty effective at it.

Ever read about making business in China? What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam. It is practically part of Chinese culture and upbringing.

Why do you think "chinese" is practically synonym to "cheap and most likely defective"?

Just say no to Chinese phones and TVs and internet services, because you WILL be exploited. It is not a question if but rather when and whether you will or will not know about it.

> I wonder why is anybody still surprised.

This is the kind of claim that's deep in conspiracy theory territory until the smoking gun is uncovered, and once that's out (and only then) it becomes obvious and unsurprising.

No, it is not and has not been surprising for decades.

In China there are no private companies.

There are only companies that Chinese government lets you run as long as you cooperate with the government.

Even Jack Ma was put through the wringer after questioning the CCP publicly.
> No, it is not and has not been surprising for decades.

I still recall the Supermicro backdoor chip story, and how once the Bloomberg news broke it was immediately so obvious and so clear that backdoor spy chips were undoubtedly being injected.

But a few years have blown by and the story is now a renowned hoax.

https://www.theregister.com/2021/02/12/supermicro_bloomberg_...

So tell me, is this sort of story also unsurprising for decades?

So... this would be like saying "We have a murderer, we have ample evidence for it on tape and multiple witnesses. But there is also this one person that lied about being witness so then it must mean that the suspect is innocent."
> We have a murderer, we have (...)

It sounds you lost track of the discussion. If you browse back through the thread you'll notice that the whole point is that without evidence this sort of accusation lies deep inside conspiracy theory territory, among all nutty baseless conspiracies. The key difference in this case is that, unlike all other conspiracy theories, there is indeed evidence that provide substance to accusations. Stating that an accusation is obvious is not evidence nor enough on itself. As I pointed out, the accusations in the Supermicro case we're also immediately obvious. Too bad they were not grounded on reality and after all these years there is no evidence to support them. But they were obvious, right?

I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now. Just look at how smart TVs hoover up data from their customers. There's a danger to painting this as a problem with China's tech industry because it implicitly lets other tech companies off the hook for their horrendous privacy practices.

> What we call cheating or stealing is a standard business practice there.

What about "move fast and break things"? Or Uber's skirting of labor and taxi laws in many jurisdictions worldwide? I get that this is literally whataboutism, but the above examples are considered virtuous by many here. What's the fundamental difference? To me it seems like China has just perfected the tech "hustle" culture invented in SV.

Appreciate your perspective here, you're right. The insidious "filter list" in the dictionary is sensational and the meta-story is around the worldwide invasion of user privacy.
> I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now.

Yes and no.

Yes, it is a problem with many tech companies, I agree.

But the way China does this is something completely different. Tech companies do this for their profit. China as a country exploits every single avenue to steal information and protect their position.

Stealing information and protecting their position is pretty common in the corporate world, in fact that's how many corporations ensure their continued profitability.

What you have in China is equivalent to "US Government" + "Big Tech" - "Bill of Rights".

Given the erosion in the bill of rights here, I suspect things are on a similar playing field. The main difference is the US government only censors using indirect means or by attacking the providers of information like Julian Assange.

Did we forget that the NSA is collecting most of the traffic on the internet?

I still say there is a big difference between intercepting the Internet traffic and saying that giving unlimited access to the information is a prerequisite to doing business.

Just think US government decided to imprison Apple executives and put their own in place of them unless Apple gave unlimited access to all their devices to US agencies.

Also the way China uses this information -- to control minorities, punish "thought crime", erase historical events and uncomfortable topics from public.

At least some of the groups China bans are CIA funded or are other regime change attempts by the west, but point taken.
> Given the erosion in the bill of rights here, I suspect things are on a similar playing field.

Not even close. Ready?

Joe Biden is suffering from worsening dementia. It was obvious before he took office. He's incompetent for the office. His aids constantly have to protect him from the public spectacle of his declining mental condition. The media also constantly does their part to artificially shield him. Biden was probably the candidate most capable of beating Trump (the Biden campaign mostly let Trump punch himself out), perhaps the only candidate capable of it, however he was also not mentally/physically fit for the office.

Have you seen some of the super creepy videos of him on YouTube? How about all his various embarrassing gaffs (fella from down under)? They're still on YouTube. It works in a similar way in China with Xi and the party in general, right?

I've placed this comment on a public forum, anyone can read it.

When do the authorities show up to disappear me? How many years shall I spend in prison for my comment? Will my family be safe?

Did you see what the media did to Trump during his Presidency? Did you read social media during those four years? And there is a similar playing field in the US as in China? Ha.

Very few of us can read Chinese (which explains why no one treats China like a country made of people), but I expect that in a country of a billion people many people have all kinds of rude opinions for and against the government expressed all over the internet.
> Why do you think "chinese" is practically synonym to "cheap and most likely defective"?

I think this is orthogonal to china stealing/copying. A lot of stuff from china is cheap/low quality because that's where you can cheaply mass produce plastic crap. But a lot of products from china are extremely high quality, world class level. You just have to pay more for it.

Western companies and business people have been remarkably myopic over the last few decades when it comes to the reality of doing business in China. The parent comment here is exactly right... this person knows what they are talking about yet somehow companies in the West seem to persist in trying to make a go of it. They almost all eventually learn their lesson but it doesn't have to be this way. This is not new info or new behavior.
> It is practically part of Chinese culture and upbringing.

Wow. Didn’t expect such blanket and shallow statement on HN.

Are you a Chinese yourself? On what basis do you base your assumptions on? Really.

> What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam.

Now this is something that is attributable to human behaviour. Pretty sure it is observable across all kinds of culture and races. But why did you single out the Chinese?

> But why did you single out the Chinese?

For my experience working with Chinese and other peoples' reports of the same?

I have worked for a company that has outsourced production to a Chinese company. They would try new trick every other month. Replacing parts for cheaper substitutes, skipping process steps, using counterfeit components. You point it out, they fix it, then they do the same when you are not looking at their hands.

Every time they are being polite about it, but you know, this happening almost every shipment is not an accident.

And even when you come with a solid proof they bend backwards to not admit they did it.

Read up on some other horror stories of outsourcing production to China.

Successfully outsourcing to China usually requires a sizable fleet of lawyers, constant presence at the production facility and inspecting every shipment for adherence to the contract.

Again, don't you understand the reason for why you buy Chinese from Chinese company and it immediately falls apart? Or tries to kill you? The Chinese companies that try to make quality products are a small minority. They do exist, my Andonstar soldering microscope and Rigol osciloscope is a proof of it, but they are an exception.

Yea I think parent is more worried about being PC than being truthful. All of the points mentioned were true, they just aren't PC.

Gutter oil has been outlawed for a good minute now, yet it gets into even the restaurants, I've friends from mainland China who say even if you stay away from street vendors eventually you will eat it, so people just give up worrying about it.

Myriad and many are the stories of factories taking specs and running off to start a cheaper knockoff competitor.

Sometimes the truth sucks. I used to dream of visiting China, now I'd be scared to.

I lived in China for a year and vouch for this type of behaviour. It’s just considered normal in China. The really odd thing is that when you call them out on it, they are super polite. Eg they will always try to give foreigners fake money but after a while you can spot the fakes “zhe shi jia de!!”, you say (This is fake!) and they apologise and give you a real one. At the same time, you earn respect from them. It’s just all very odd but you get used to it. Whilst I enjoyed living in China, I don’t want to ever go back.
Your post reminds me of the time people in China rioted because students were not allowed to cheat on their exams. There really is something cultural going on there.
That has because the exams were national university entrance exams and the new stronger anti-cheating measures were only being applied in one city.

The parents in that city felt that widespread cheating was normal everywhere else essentially turning admissions into a lottery with a big disadvantage to anyone who did not cheat.

That has to be the most lame excuse I've ever heard, at least it's funny!
> Chinese culture and upbringing

You can't post slurs like this to HN. Nationalistic, racial, and/or ethnic flamewar is not welcome either. I'm sure you can make your substantive points without any of that.

https://news.ycombinator.com/newsguidelines.html

Hi dang.

I have nothing against Chinese people.

On the other hand what I described is day to day reality doing business in China and is easily backed by facts.

You may not like, you may not be aware of it, it but it is truth.

See accounts of other HN users in this thread.

"I lived in China for a year and vouch for this type of behaviour. It’s just considered normal in China. "

I don't disbelieve you, but your comment definitely did not make it clear that you have "nothing against Chinese people". On the contrary, it rather it made it sound as if you did. No doubt you didn't consider this possibility because you know your own intent—but intent doesn't communicate itself. It's your responsibility to disambiguate that.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...

HN readers with Chinese backgrounds or Chinese connections have just as much a right to be here as anyone else does. I invite you to consider how someone in their position would feel after reading your comment about how "Chinese culture and upbringing" includes "cheating and stealing". Even minimal empathy would make you recoil from what you posted.

HN readers with Chinese backgrounds have already been hounded off this site by prejudicial comments. That's shameful. I don't want it to happen again, and your comment crossed into that territory. Please don't do it again. As I said above, you can make your substantive points—including relating your personal experience—without crossing into prejudicial generalization. It's not that hard - you just need to be mindful of the audience. You're broadcasting to a large, diverse population when you comment here.

What's "decomposition analysis" and how can I do it at home?

Since others here are curious, how would one go replicating these results to find the MiAdBlacklistConfig file? Can I download the OS from a website and just search for strings in the MiAdBlacklistConfig file? I'm genuinely interested, rather than using this question to cast doubt on the 32 page research report.

I am curious about this too.

From what I can gather from the report it should be possible to reproduce the analysis. Probably it is even possible to run the apps in question in an emulator.

Also it should be possible to get the full url of the censorship configuation file and also its full contents.

Given the extreme politics around this, I think it would be better if this type of analysis was done as open source and in a completely reproducible manner.

https://www.reddit.com/r/Xiaomi/comments/pgk8y3/xiaomi_camer...

Related, in this thread the OP discovered that he couldn’t take photos of an election ballot - they were being overwritten with a big green block.

No, the OP in the thread later retracted as they could not replicate and it seemed more like a random bug in the camera:

"Yesterday I was a bit in a hurry and could not do all tests that I would have liked to. Today I tried to repeat the whole process with the same setup, documents still laying on the same table untouched etc. Just the lighting changed substantially (morning sun).

I was unable to repeat the 'green picture effect' even once... all pictures taking with Xiaomi stock camera turned out well.

I am sorry that I jumped to unproven conclusions (censoring) :( "

Please read your full source in the future before posting. It clouds the discussion. (I just did this myself on another article)

this turned out to not be true - the comments pointed out that the overwrite is likely an app interpreting it as different image format, which had happened before, and OP didn't replicate the issue the next day in different light
I'm keeping an eye on this while waiting for breaking from more prominent news sources.
Why recommend against them and simply not ban the sale of Xiaomi and co. in Lithuania?
I just helped someone remove the built-in Chinese malware from a US Government provided phone.

It's insane.

https://blog.malwarebytes.com/android/2020/07/we-found-yet-a...

(comment deleted)
This is what kinda terrifies me about today's digital landscape. Now it's so cheap to hide surveillance capabilities (spyware, hidden microphones or cameras) that bad actors can just embed surveillance into every cheap device, hoping just by sheer numbers to get one into a sensitive area (e.g. Pentagon, Langley), and then remotely activate surveillance. With the computational capabilities of today's data centers, they don't even have to be all that selective anymore. They could just be monitoring everyone, at some granularity, dumping logs into a massive database with just enough metadata to make it searchable/queryable.

It's downright dystopian.

> It's downright dystopian.

It sure is. No stopping it now though.

I'm old enough to remember being able to go to someone's place and expect privacy. These days literally anything can have an HD cam.

Not great for paranoia but what can you do?

> They could just be monitoring everyone,

They are. Snowden already proved this, and we apparently got into that particular situation to keep pace with China.

Not my job.

You are more powerful than you may realize. Work on supporting open source hardware and software options.

1. If you are a developer, consider buying a Pinephone [1] and contributing to the codebase.

2. If not a developer, you can submit bug reports and test fixes. Same for Purism Librem phone as well [2].

3. If you are neither, or have no time to spare but do have money, you can always purchase one for kicks or donate to open source like Ubuntu.

4. Finally if you have no time or money, simply upvoting privacy related threads on HN and talking with your friends about it helps too.

[1] https://pine64.com/product/pinephone-beta-edition-with-conve...

[2] https://puri.sm/products/librem-5/

edit: added numbering

I hate to say this, but OSS anarchism is not going to work. Most people cannot really work or live with those devices.

This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.

The solution to bad government is not "no government" and the solution to bad company behavior is better rules.

Open to other ways of taking action. What are you doing to support the solutions you describe?
> I hate to say this, but OSS anarchism is not going to work. Most people cannot really work or live with those devices.

Baby steps. Such changes start small.

> This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.

Yes, but regulations do also ring-in different challenges and over the long-term, the status-quo ends up being enshrined in them, thwarting the otherwise thriving diversity of the ecosystem. Though, it is inevitable Internet / Web gets regulated ala Finance / Telecommunications industries.

I don't disagree at all with what you're saying, but shouldn't we still what little we can? Even if it's incremental, doesn't it at least send a tiny signal to manufacturers and companies and government if they see an increase in the demand of open hardware and open-source software?

The end solution will definitely require something more systemic, no question, but I don't think that should stopping the common person from doing what what they can.

I bought an iPhone less than a year ago (to use up a discount code before I left Apple), but a part of me already regrets not biting the bullet and purchasing something open, like a PinePhone.

This is the correct answer. Legislation and outright bans of products that require any sort of internet connection to work.

Furthermore, legislation that explicitly prevents gathering of any data, user account or coercion to use the product in any way without explicit consent of the user.

OSS is not going to cut the mustard.

We need both. First, Stallman was right. We simply cannot trust the magic incantations (code) of closed-source software and hardware to respect laws, in spirit or in letter. We must be able to audit all devices at every level. Second, the EFF is right, too. They fight at the legislative level. But they are fighting a defensive game. Consumers need to go on the offensive and lobby for legislatures to pass a digital Bill of Rights.
Certainly, legislation would be enormously helpful, but legislation isn't incantation. Economic factors are real.

Western countries need to rebuild their domestic manufacturing bases. There is no other way to guarantee that production will respect ethical norms and no other way to realistically punish violations. Legislation must incrementally direct industry back to the West and provide conditions under which it can flourish. This is easier said than done which is why any temptation to outsource ought to be VERY carefully considered because once you outsource industry, not only do you destroy the industrial base and mutually beneficial complex relationships, but you also starve domestic expertise and competence and the culture of that industry. Industry is a culture and culture is only transmitted when it is living, when there is a society of people who communicate and share and contribute and make use of it. If you ship textile manufacturing abroad, your domestic textile culture atrophies and withers. I think people underestimate this. It's not just a matter of willing something. You don't just say "well, all we need to do is build a factory for making X". Yeah? Who knows how to build that factory and to make X, and make it well so that it is competitive? Not you. Western cultures have forgotten how to make certain things. It's like trying to go into the pyramid building business by just wanting to do it or by looking over some old papyrus. Yeah, sure, you have to start somewhere, and do start, but don't expect it to be easy.

Decentralizing production is also better for security by removing unnecessary dependence. You want production to be distributed. You do not want one guy to make all of X.

And placing your bets on Chinese reform or political pressure on China to "be nice" is so ludicrous that I won't waste my proverbial breath. I will only say that the vast imperial ambitions of China are not only obvious, but that the elites of our own countries have taken a liking to their methods. The recent self-hatred of Westerners creates a vacuum, and Chinese ideas seem poised to fill it.

Technically capable person can easily protect himself. It's not that hard. At least from ordinary threats. Use dedicated firewall device, use software firewalls, periodically check out running services.

Issue is with rest 99.9% of people who will share whatever you say, because their phone happened to be nearby and you can't really do anything about it.

Biggest missing piece in all these "free" phones is giant (bigger than Linux kernel) baseband firmware blob. Until we have something like Osmocom but for LTE, LTE-A, 5G, etc, all this is pointless.
> something like Osmocom but for LTE, LTE-A, 5G, etc

We already do. SrsRAN[1] UE and OpenAirInterface.

[1] https://www.srslte.com/

Not the same. It's only for use in computers with SDR hardware attached AFAIK. Nothing ready to flash into the phone firmware and just use it like OsmocomBB allowed with these Motorola phones.
I'm, like many people here, the IT support for my extended family.

I generally do my best to not only steer them away from invasive devices but also explain why.

Unfortunately this is more and more turning into a situation where I have hardware sent to me, reflashed with a known good rom and then mailed back out.

It’s underrated but DJI drones sold by millions is a great way to spy on what could not be gathered through satellite imagery. If not now then during war time, CCP has a million remote cameras in form of DJI drones and can turn it on in a snap. It would require nationwide firewall to stop. Of course, DJI drones require DJI flight app to even take off.

Why isn’t US Gov putting together legislation for this sort of a thing is beyond me.

In your scenario, is China leveraging it's own DJI drones? Or DJI drones already owned by hobbyists?
Taking over drones owned by hobbyists.

There seems to be a onslaught of positive DJI YouTube videos about how creating a user account is great and easy. Including fake comments praising DJI. Just search on YT DJI Mavic Pro setup.

All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.

> All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.

We're way past the point of no return with all of this.

At some point you just have to accept the new normal. Some of this should be handled by national security teams but I am unsure where we stand (US).

I'm surprised Lithuania of all places takes a firm stand on Chinese phones, meanwhile the US seems to be spinning its wheels. I am not sure what is going on behind closed doors.

I’m not sure if I agree with defeatist attitude. I’d do whatever I can. But, I do agree that this needs to be taken care of at the legislation / national security level and citizens shouldn’t have to.
Lithuania let Taiwan call its interests section an embassy or something and China is pissed so they were probably expecting blowback
Is that even enough though? Couldn't china put in shadow processors or other hardware-level surveillance similar to Intel's management engine? And it would be extremely difficult to detect, let alone disable or mitigate.
>Couldn't china put in shadow processors or other hardware-level surveillance similar to Intel's management engine?

Do we know for certain that IME is not already doing this kind of spying though?

Android 7? Then you don't need malware. It will be provided on first boot by multiple parties.