Discovering that a Bluetooth car battery monitor is siphoning location data (doubleagent.net)
Hi HN, this is my efforts in reverse engineering a BLE car battery monitor where it's app has over 100,000 downloads on the Google Play store alone.
It turns out it's sending GPS, cell phone tower cell IDs and Wifi beacon data to servers in Hong Kong and mainland China on a continued basis. Google and Apple app store pages say no personal data is collected or sent to 3rd parties.
Hopefully readers pick up a few tips on reversing apps for their connected devices.
307 comments
[ 4.7 ms ] story [ 288 ms ] threadIt turns out it's sending GPS, cell phone tower cell IDs and Wifi beacon data to servers in Hong Kong and mainland China on a continued basis. Google and Apple app store pages say no personal data is collected or sent to 3rd parties.
Hopefully readers pick up a few tips on reversing apps for their connected devices.
https://www.amazon.de/dp/B0BLG9Z462
You can click the images where the third one contains a comparison. Interesting that they pretend that BM6 has this as a special feature since it just is a feature of the app.
The QR code [0] on the device points to this app: https://play.google.com/store/apps/details?id=com.dc.bm6
So I checked other URLs like https://link.quicklynks.com/bm3.html and https://link.quicklynks.com/bm4.html, and the latter redirects to https://www.leagend.com/ which operates this YT channel https://www.youtube.com/channel/UCqkvyOFP5cXQ02f3h1Ns42Q
[0] http://link.quicklynks.com/bm6.html
The play store page for this app states:
- No data shared with third parties
- This app may collect these data types
- Data isn’t encrypted
- You can request that data be deleted
I just checked the BM2 app (subject of the blog post series) and they have updated with the similar detail [2], updated on the 25th of June 2023, although they say the data is encrypted - will need to verify if this is the case with the latest release. It also still says data not sent to any third party. If they still use the Alibaba AMap SDK - then that's a third party.
The Apple app store also now discloses location data is being sent [3]
I'd like to think my research / blog posts put pressure on them to start being honest with their customers.
This doesn't excuse them though. A battery monitor does not need to know your location.
[1] https://play.google.com/store/apps/details?id=com.dc.bm6
[2] https://play.google.com/store/apps/details?id=com.dc.battery...
[3] https://apps.apple.com/au/app/battery-monitor-bm2/id11154920...
It's a fine line between data collection for commercial reasons and spying. Of course the mis-representation is an issue all by itself and Apple/Google should kill this app for that reason alone if they are going to be consistent.
No there is not. Your permission is the line
Requesting is easy... but trusting the whole "Yeah, we definitely deleted that data you asked us about" is where things can be tricky. :/
https://developer.android.com/guide/topics/connectivity/blue...
Is Android actually verifying this, or can this be used to misrepresent what’s going on?
Binning these to practical real-world "sacrifices" makes far more sense. I'd say Apple is ahead on UX, not behind.
I get it that BLE MAC addresses can provide very detailed location information, in my case my thermostats/valves broadcast MAC addresses all the time, so if they are sniffable, it is known that I'm at home, but this is not the case when I'm on my bike or in my car, where maybe there's the address of the bike computer or the car radio, because these are traveling along with me, giving no positional information.
Once I meet other people or walk around some streets, geolocated BLE MAC addresses will be present again, but it still isn't the same as high resolution GPS. GPS doesn't require an additional database lookup from a database which the "spy" may not even have access to, it directly sends latitude, longitude and accuracy.
It's annoying that Google neglected or still neglects this.
In theory it would be slightly harder to determine the users location if only BLE scanning was granted but I'm sure the Alibaba would have no difficulty getting more or less the same amount of location info.
Plus how do you express this to users? Do you call it "BLE Scanning" and try to explain that this reveals location information? Most users will miss that explanation. Or do you call both permissions "Location"? But now what is the incentive to request the lesser one.
I actually think that Google made a reasonable call here. If they both grant access to more or less the same info it makes sense to be behind the same permission.
Sorry for complaining, but it's so hard to find standalone devices that don't require an app nowadays (simple example: try finding an LED lamp where you can choose the light color that allows doing it with a button on the lamp itself without app - I found one but it was non-trivial and it still doesn't allow color cycling without app). If people wouldn't prefer this BS, it would be easier to find sane electronics/electrics again.
(Almost) No one is making their car purchasing decisions based on the existence of a car battery health feature.
[0]: https://www.motorbiscuit.com/oil-dipsticks-disappearing-at-a...
The great thing about Android applications is that often they generally decompile quite nice into human readable Java so the barrier of entry can be quite low to start reversing.
Grab a copy of JADX[1] - it will decompress and decompile the APK files. If you don't have an Android handset, use an emulator and/or grab APKs from apkpure[2]
Dynamic analysis is a bit more challenging. In my blog post I use Frida[3] extensively.
If you get started on something and get stuck/looking for support, feel free to DM me on Twitter (handle in HN profile), more then happy to help.
[1] https://github.com/skylot/jadx
[2] https://m.apkpure.com/
[3] https://frida.re/docs/android/
I kid, I kid.. Somewhat.
Because that's what "consumer tech" has turned into. An excuse to lie to end users as much as you can possibly get away with, to collect as much information from them as you possibly can, gatekept by companies who do not care in the slightest about any of those, unless it makes bad press for them, at which point they "promise to try harder to not get caught doing this in the future."
And they don't even try to hide it. It's just that nobody looks.
> Note: Since the BM2 does not use HTTPS, there is no need to even install a certificate. What this means is that anyone can independently identify that their latitude and longitude co-ordinates are being sent on either iOS or Android with no modifications to their phone.
"Anyone can independently verify." And also, anyone on the network connection between you and the server can help themselves to this data.
I'm curious, have you (or anyone else) seen novel solutions to this problem? Is this even solvable? Ideas everyone!
Make sure the financial liability is at least the maximum of 100x the value of the data and 10x the revenue the suite of bundled products generate.
it attempted to turn people's personal data from a balance sheet asset into a liability
with varying success
You don't have to know. You can safely guess. Assume anything "connected" is shouting as much as it possibly can, upstream, at all points in time. It's a cell phone app? You have location services turned on? It's streaming your position. Also, whatever else it can grab. Basically, if you've granted a permission to an app, assume it's streaming that attribute upstream, and keep things limited.
And, at all costs, prefer offline only devices. It took me a while to find some air quality sensors for my home that weren't online and App-based - but they're literally standalone displays that sniff the air and report out PM2.5/PM10/CO2/etc. I can't access them with an app, I have to walk past and look. So be it. For voltage of batteries, ffs, just use a voltmeter, or, if you care about always seeing it, install a little bulkhead voltmeter. I do this on all sorts of projects (most recently a "power toolbox" I use for stuff - battery, inverter, solar charger, USB ports, and a little voltmeter that shows pack voltage when it's powered on).
And then leave your little pocket snoops behind on a regular basis. I've gone back to carrying a regular watch on my wrist, or, when I'm feeling spicy, a pocket watch. And no cell phone, or a turned off cell phone in my backpack or something.
> Is this even solvable?
No. Because (a) most people don't care, in terms of actions they're willing to take. This app in question has had hundreds of thousands of downloads, so clearly the devices are popular enough. Saying "I care about my privacy!" is one thing, but actually living without 30,000 apps installed on your phone (shoulder surf when people are scrolling their screens in public places - I've watched people on an airplane with a iPad Pro Max or whatever have literally 20-30 screens full of icons) is pretty uncommon. and slightly inconvenient.
And, (b), politicians are largely in the pay of tech companies, or at least believe the lies about how they're bringing people together and will self regulate and... whatever.
The solutions are simply to opt out, or start using more aggressively hostile-to-profile things. Waves from Qubes-OS in a disposable VM
I don't have any other good ideas. The tech ecosystem has rotted, and I don't see any redemption for it. I work in tech, and I've been engineering my life to require less and less computer use, and I genuinely look forward to putting down a computer for the last time.
Of course that requires said person to also resist the temptation of data harvesting. Which few seem to be able to.
You'd have to write the phone app, but that would be as complex as you wanted.
There is also the possibility that this is a national security issue. Exfiltrating location data to China for 100k Americans, probably including government and military employees, violates the law. But again, it's all about the cost. Also ambivalence (as others have pointed out).
Google easily has the money and engineering resources to provide a complete fix to this issue (multiple spoofing options, deny options etc.) but of course they don't want to - because Google's business is advertising and advertisers want your location data. And your frequently visited locations. And wifi networks. And probably brand names of whatever is on your network.
We desperately, desperately need to get open-source considered as a national security agenda item. We need hardware vendors forced to publish full interface specifications. We probably need to require firmware blobs to be open source and tell Nvidia and AMD to stop breaking the law (i.e. they both suspect they'd be done for copyright/patent law if they had to publish their source code so they don't).
That’s all we can do. Us government will do nothing.
As you point out though, the application doesn't even use TLS for sending the GPS data.
In part two [2] of the blog post series, the Alibaba's AMap SDK uses both TLS and custom encryption and this took me quite a few days to figure out the Wifi and cell data collection - so it's not always so trivial. Either way, I recommend to everyone to at least do a basic 'desk check' on the apps they install. You never know what you will find.
[1] https://mitmproxy.org/posts/wireguard-mode/
[2] https://doubleagent.net/2023/05/22/a-car-battery-monitor-tra...
Funny how mechanisms that increase security also remove some of the freedom and visibility we have into our own deviecs.
Same challenges are present with performing forensics on an iPhone! The top commercial forensic toolkits will try to jailbreak the handset if possible to pull off artifacts. Good luck on newer hardware with the latest iOS versions. [1]
On the topic of iOS forensics, you can still get quite many useful artifacts from iOS backups with Mobile Verification Toolkit [2] being quite exceptional. I have had less success with iOS backups and the popular iLEAPP forensics software [3].
[1] https://blog.elcomsoft.com/2022/09/ios-forensic-toolkit-8-0-...
[2] https://docs.mvt.re/en/latest/
[3] https://github.com/abrignoni/iLEAPP
MVT takes a (MACB) timeline of your phone backup file changes and other events - including your text message history.
Here is a simple script that I wrote converts it into a format compatible with Timesketch [2] so it's trivial to explore events from the phone, indexed and searchable by time, kind of what you would see in Kibana.
[1] https://timesketch.org/
[2] https://github.com/x1sec/mvt2timesketch
This is what unregulated capitalism looks like.
Implementing that policy would mean not owning a mobile phone, a car, a television, microwave, or washing machine, etc.
(Edit: PinePhones are cheaper than I thought.)
So you can read into that, "This is how profitable it is to abuse your users."
Smart TV companies make more money selling behavioral data now than they do selling TVs. Streaming stick companies are the same. Roku basically gives hardware away at cost in exchange for the juicy data streams coming off it (their "how we sell your data" "privacy" policy is a hysterical read, they grant themselves permission to scan your network and report other devices on it should they care to).
The more practical advice at the moment seems to be "don't buy anything with an internet connection if you aren't 100% OK with it tracking your every movement".
Seems like that's only going to last another year or two with 5G and shit like Amazon Sidewalk making every single device internet connected.
And thankfully, you can still find washing machines and microwaves which don't spy on you.
Keep your old stuff people cos, soon I'm sure _everything_ will spy on you and track you!
I wish we could, but they truly have us by the balls. It is nigh impossible to participate in society without using proprietary software.
Just push back. Here's an example: Reolink are a Chinese company, what makes cameras - nothing intrinsically wrong with that but you should expect them to be be required to comply with any requirements the CCP might ... require. Reolink are also quite a savvy bunch and have gradually ensured that their products don't actually require an internet connection, at all. They do offer an app and the requirements of using the app are that the cams need to see the interwebs and be gatewayed by systems that are eventually subject to the CCP.
Now this isn't quite yet perfect. Rio cams have offered ONVIF for at least five years, so Zoneminder, Frigate and all the rest can be your NVR. The camera's VLAN can be firewalled off from the internet. Mine is called THINGS and it is net door to SEWER for stuff I really worry about!
Their doorbell offering is pretty decent but two way comms needs some handling. At the moment their app is the best bet for functionality but there are signs that Home Assistant with webrtc - https://github.com/AlexxIT/WebRTC should be OK.
It is not impossible to live without prop software. At least care and try.
People are fully accepting of data gathering when it's out in the open. Trust doesn't have anything to do with it, people are consenting to this kind of thing openly, and when something does come out they do not care.
And while everyone won't be able to understand what they're looking at, the community as a whole would benefit from people looking at it an announcing/discussing problematic things they see in the code base.
If an open source project is syphoning data, someone's going to see it and talk about it.
If a closed project is doing it, it's harder / more complicated for that act to be discovered.
I was under the impression that properly anonymizing location data includes aggregating a sufficient amount of individuals and the radius of this aggregation of course changes based on the population density in a given area. In with anonymized location data we can only draw conclusions on a populace and not an individual, which is still very useful.
Of course, I generally agree with you. In most cases it won't be done properly and just replacing PI with the same "anonymous" id on a set of location data points of an individual achieves next to nothing.
God because Blutooth LE devices need location permission on Android? How is that still a thing, I remember being outraged about that a decade ago or something.
It's a tricky problem. As a more technical user, I'd love it if they were separate permissions and the Bluetooth permission included an extra "your location can be determined from bluetooth alone" warning. But for the average user that's just going to confuse them.
On Android apps that don't use Bluetooth to derive location, and assert that they don't, will not prompt the user for a location permission. But this app is requesting `ACCESS_FINE_LOCATION` in its manifest. It could be doing that because they're acknowledging they are using Bluetooth to derive location, but I don't think they are. I suspect what's actually going on is that they're requesting that permission just so they can show your location inside an embedded map view. In which case the permission is not related to its Bluetooth usage.
> I suspect what's actually going on is that they're requesting that permission just so they can show your location inside an embedded map view.
Does the embedded map do some processing in the cloud first? Because the lat/lng is sent over the same API request that includes the battery voltages as well as the BLE address of your handset. I really think none of this is essential to a simple app that reads a battery voltage on your screen.
Of course they neglect to say they will also use the permission to collect your GPS co-ordinates.
Then the AMap location services SDK goes further collects MNC, MCC, LAC and CELL IDs (CGI) and Wifi SSIDs. Here I think the battery app developer does not even know this is happening, they use AMap SDK to obtain the GPS data only. It took me quite some time to figure this out (documented in part 2[1]).
Will also note the manifest has CAMERA, IMAGE_CAPTURE, ACTION_VIDEO_CAPTURE, RECORD_AUDIO and MODIFY_AUDIO_SETTINGS. I have not seen where/how they are used (yet). The code that included strings requesting various permissions (In the AMap SDK code) uses string obfuscation to conceal what it is doing. Likely to trick automated static code analysis tooling.
Note:
> Alibaba state “in 2018, Amap became the first Chinese maps service to navigate a path to 100 million daily users”. [2]
How are Google allowing this SDK to be used in developer's applications?
[1] https://doubleagent.net/2023/05/22/a-car-battery-monitor-tra...
[2] https://www.alibabacloud.com/customers/autonavi
This seems like the problem? And it explains why the app can upload your GPS coordinates directly after querying the Android location APIs.
According to the developer docs, Bluetooth apps should only request ACCESS_FINE_LOCATION "if your app uses Bluetooth scan results to derive physical location". And if they assert that they don't use BT to derive location then the user won't be prompted with a location permission dialogue, just a bluetooth one.
This app isn't deriving location from Bluetooth alone? But I'm guessing it has an embedded map inside that shows your location, and that's why it needs ACCESS_FINE_LOCATION. Meaning it's unrelated to Bluetooth. From reading the docs linked by the GP it seems that for Bluetooth communication only purposes an app shouldn't request that permission.
I wonder how many other apps on the Google Play store do this.
We can't expect the every day user to read and comprehend Google's developer documentation.
You have to wonder how long this app never got taken down. Permissions declared in the manifest do not always equate to them being used.
Google could cross reference the privacy statement that the developer published against the manifest. That would have got it flagged.
The actual code that calls android.content.Context.checkCallingOrSelfPermission() obfuscates the permission strings in many places - bypassing static code analysis checks.
Bluetooth, it to require locations because if you passed by a beacon and an app is registered to the OS to watch it, that that is the same as reporting your location.
Your phone said “hey, app that the user installed, you know that BLE device you told me to watch for? Saw it just now!”
So it’s not it doesn’t make sense. Bluetooth low energy can be used to determine your location so you should have to give it permission.
The problem is… No one knows this.
It’s not even like there’s a solvable problem, because you don’t have to be using the Bluetooth low energy beacon format for this, you just need to be able to scan for advertising BLE devices which the OS does all time. Remember the rush to turn Covid Tracking on (Covid is over, but those changes aren’t going away).
This is how Tile and the Apple Tags that killed them work. Those are just roaming beacons.
Tons of apps that you install for major retailers, Home Depot, Target, Walmart, Best Buy all know exactly when you walk in the store if you have their app on an location services given into it.
Don’t install apps. Not unless you have to. Then questionable permissions aren’t an issue.
https://twitter.com/haxrob/status/1673874637632196608
I'm actually looking at some Victron kit for a real-world application. I saw you're an Aussie. I'm based in Sydney, so if you're here as well then I can let you know in case you wanted to play with a real-world device in the future?
It honestly feels like a way to spy on family/company vehicles. Powered by the battery… knowing its voltage just being a side effect. But I guess that’s only if the app also tells you these data.
This product seems to be a bit of an in-between, not having the ability to trickle charge the battery, but you can keep any eye on it and charge or jump it as needed.
Also, they make the tractor a lot happier to start in the winter. :)
Every vehicle was on a trickle charger, for a few reasons. But one reason I especially liked…
The La Ferrari CAN NOT run the batteries dead. If it does, and it’s locked, you are in trouble. Like call a Ferrari rep to come fly out and partially take it apart to get it charged and running again trouble.
Same with some Bugati I had never heard of.
Everything down to McCarens and lower. These aren’t vehicles that will run after sitting for a month let alone a few. Some might top at a week.
One time, I had to change the oil on a McClaren… it has no dipstick, no oil pan, and you need to remove ~50 bolts and two skid plates to access anything.
They are art and engineering pieces that you get inside. They are not cars per se.
Another (more common) use case is people that take their caravan out on the road. Many have a plug into the car that keeps the caravan fridge powered on when driving.
For me, I wanted to keep track of the voltage of the battery in a caravan when not connected to mains power.
I ended up using a multimeter but an app would have been more convenient
These types of gadgets are useful too in my other car where I can spot check the voltage when on the road and when charging USB devices 12V USB Outlet Qidoe Dual 18W Quick Charge 3.0 Port & 20W PD 12V USB C Car Charger Socket with Voltmeter and Power Switch, Waterproof Multiple Car USB Port Adapter https://www.amazon.com/gp/product/B0B1WJ3W5X/ref=ppx_yo_dt_b...
Still looking for a solution, by the way, if anyone knows of something which will work (kind of thinking I want to go with ESPHome now though).
Typically used for solar panels, but you could always hook up a 18-20v power supply and let it manage/charge your battery. The nice thing about these controllers is that they can handle multiple battery types and have multi-stage charging algorithms.
Could easily integrate with Home Assistant. Might give it a go actually.
It reads the real time voltages, not voltages stored in the embedded device's memory (for when there is no BLE connectivity while it's running). If there is interest, I can work out this part too.
[1] https://gist.github.com/x1sec/3af7efdcd3465aac09093081c32ba3...
[2] https://doubleagent.net/hardware/ble/bluetooth/2023/05/23/a-...
I’m not sure I like this pattern of thinking. For example, a TP Link router would send data back using packets over the public internet (unless there is some true spy craft at work). That’s verifiable.
If you suspect your TP Link router is sending everything to some remote server… monitor the traffic?
Like, how exactly? With a separate firewall between WAN and the TP Link? It makes little sense because TP Link makes cheap home routers and adding a firewall to the design would make the whole setup expensive.
Setup a lab using an old PC with two Ethernet cards, a WiFi card, etc. and observe the traffic flowing through it from the device you connect.
If it’s phoning home you’ll see those messages.
If you think it’s event based, or targeted surveillance, you’ll need to get more creative. But in OPs post it sounded closer to “logging everything and sending it all back” - if you’re already technically inclined that’s detectable with less effort than a lifetime of worrying about such things.
If I get a device that claims to use Bluetooth, I would return it if it actually needs access to the internet.
https://netguard.me/
Not sure if that is what you meant. If your concern is more generally about the app being malicious, I suppose you could audit the source code. But this is not something I have done or even am qualified to do, so I don't know.
You can disable internet for apps on Android. Open the app details in the settings (or by tap+holding the icon in the home screen), tap the data usage, and disable network access (cell access, wifi access, neither, or both).
Making internet access opt-in would be a massive pain for most apps, because almost every app has some online component these days.
I don't have these options on Android 9. All I can do is disable background access or allow access in data saver mode. The only way I can keep active apps offline on this phone is to put the phone in airplane mode when launching them which is a much bigger pain than having an opt in.
Bluetooth can allow external parties to detect it for tracking. I always keep bluetooth off unless I specifically need it and then turn it back off. Same for location.
For noobs it could show the domain, and if it’s whitelisted by apple somehow it is green (server certs?). Yellow if it’s not whitelisted and not on a banlist. Or maybe skip the colors if it’s too confusing for people, annd just show the names. Apps that request to banlist are blocked from App Store until further review.
and for pros we can tap to see more details, like the payloads and headers. Etc.
What do you think? I really want this feature. It’s not that hard to add. Come on apple.
Wish I worked at apple then I would try and do it. Lol.
Android grant/revoke style permissions are a retrofit. You used to have to accept all permissions before installing through the store, and internet access was one of those. But if you didn't accept, you don't get the app.
That's still how it works for some permissions, but many have a grant/revoke instead. Internet access is still a permission, but google play doesn't prompt you for it anymore. All apps get to have it. (But if they don't ask for it in their manifest, it doesn't work)
[1]: https://developer.apple.com/documentation/bundleresources/en...
It also siphons data on your phone and sends it to China. Oh, and I bet that drains your phone battery. I can't think of a better anti-gift for the holidays. This gizmo is a rare triple consumer threat.
This is a big problem with aftermarket dashcams that continue to monitor the surroundings when the vehicle is parked.
There's some push to go to 48V+ Li-ions. We shall see.
When my friends laugh at my obsession over privacy and data collection, this is the kind of thing I point at. There's no reason to believe they're doing this for malicious reasons, but we really have no way to know. It's probably just ignorance/incompetence.
The amount of location data the device maker is collecting is significant - perhaps they are monetizing it? If so, would you consider this malicious (if not disclosed to the end user this was happening)?
The AMap SDK the app uses collects much more location data - here I feel they are likely using it to improve the accuracy of their location service/mapping software. I don't consider this malicious, unless this behavior is not disclosed to users and developers. Their site is in Chinese [1], would anyone read through their fine print to verify?
[1] https://lbs.amap.com/api/lightweight-android-sdk/download
I haven't taken the time to fully dig into your posts, did you notice if they're generating a user ID? For me, that would be the difference between using it for location accuracy or tracking user locations. That being said, the data they already have is probably more than enough to track individuals.
Reminds me of this one post that I just can't find anymore: a (danish? finnish?) journal bought a pack of "anonymized" location data and chose one individual. They were able to track where they lived and worked, and where they went for vacation. They even went to their place and talked to them, and they had no idea this was happening whatsoever. I really wish I could remember where I read it.
https://www.nytimes.com/interactive/2018/12/10/business/loca...
Edit: or actually I was thinking about this article, One Nation, Tracked:
https://www.nytimes.com/interactive/2019/12/19/opinion/locat...
Which is one in a series they did after some employees of a data broker or digital ad company (if I recall correctly) leaked a dataset to the New York Times because they actually were concerned about this kind of dataset existing.
This is China's typical playbook. Purposely collect data in seemingly harmless ways, or intentionally leave wide open security flaws that they can exploit in the future. And when they get caught it's an "oops sorry, we'll fix it right away".
The worst part is that there is no consequence for this behavior. Google, the EU, and/or FTC should be lodging fines.
> reveals that that the Apple iPhone version is also location data to remote servers.
I’m guessing there should only be 1 “that” and there’s a missing “sending” between “also” and “location data”
If your flashlight app needs gps to turn on, no problem. You are currently on mount Kilimanjaro.
That said, the attention of the blog post seems to have triggered them to disclose now on the Apple [1] and Google Play [2] store that they are indeed collecting your location data. They got away with lying for quite some time, over 100k downloads on Play store and 1.57k reviews.
[1] https://apps.apple.com/au/app/battery-monitor-bm2/id11154920...
[2] https://play.google.com/store/apps/datasafety?id=com.dc.batt...
I mean this is just retarded design. Unless there’s a “technical need” to use GPS while dealing with BT or WiFi that I am not aware of that.
Use the courts and public sentiment.
> If you’re concerned your personal information has been mishandled, you first need to complain to the organisation or agency you think has mishandled it. If they don’t respond to your complaint within 30 days or you’re not happy with their response, you can lodge a complaint with us.
I have complained to the retail store that I purchased it from. It's been over 30 days, next is the OIAC. The device is rebranded and sold under many different names (globally) so the real impactful course of action is to have Google and Apple take the applications off the app store.
[1] https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-p...
Very sound advice. What if you have purchased some Bluetooth enabled device that requires an app? Don't purchase Bluetooth/connected hardware? Perhaps!
My next blog post will be on a bike Speedometer that uses GPS to calculate the bike speed. It has an Android app, and yes it sends your data to remote servers hosted within Hong Kong.
Edit: with mitmproxy and installing a cert in the phone's store, as explained in the latter half of the write-up. I guess that wouldn't work if the application pinned the server certs, but I guess this "commercial malware" is not that sophisticated.
If certificate pinning was used, it can be bypassed by modifying the APK or dynamically hooking into the running application using Frida. Often you have to try a few things before getting it working, often starting with a universal TLS bypass Frida script [1][2]
[1] https://codeshare.frida.re/@pcipolloni/universal-android-ssl...
[2] https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
This is China's typical playbook. Purposely collect data in seemingly harmless ways, or intentionally leave wide open security flaws that they can exploit in the future. And when they get caught it's an "oops sorry, we'll fix it right away".
The worst part is that there is no consequence for this behavior. Google, the EU, and/or FTC should be lodging fines.
For example: Imagine if you could track the security teams availability and behavioral patterns. You could infer when the business has been hacked or there is going to be a release they have been hacked, you could trade off this information for profit.
You'd be better off hacking the company yourself if you wanted effectiveness.
Let me give you a lower stakes example, I can figure out when you're at work to know when to rob your place via when you post on instagram. Lower stakes but same theory.
“national security” is the magic phrase to get the US government to do anything
Imagine saying this with a straight face as an American.
The very first time it happened to me, it was confusing - hm, why does this random app, having nothing to do with connectivity, require bluetooth access?
Permissions should be more granular - and more importantly, Apple should make it so not giving an application a non-essential permissions is not grounds for not letting the user use the app.
That was a mouthful, hope it made sense.
https://developer.android.com/guide/topics/connectivity/blue...
Seeing this article made me thankful for GrapheneOS. I've been dailying it for a few months now. Every single app is explicitly granted network permission (or not) upon installation. Local apps like this definitely don't get network perms, and neither does my keyboard app (that always creeped me out.)
I'd love to use many offline note taking apps, but not if they're liable to randomly upload my notes to a potentially adversarial third party. And the actively privacy-hostile behavior of maintaining a separate branch just to disallow access to this feature is not appreciated.
It's not ridiculous, it's straight-up hostile to their user's privacy and safety.
But no major phone OS provides a reliable "can access the internet" permission (without jailbreak/root). This would solve this issue much above the stack. I can install the dubious app. If the app can't access the internet at all (properly enforced by the OS) then by definition it can't leak anything.
I find it particularly disappointing from Apple. If they were truly committed to privacy as they claim, this would be a feature already.
https://support.apple.com/guide/iphone/view-or-change-cellul....
This would stop a great deal of the apps that hover up data like this.
Google is complicit here. Change my mind.
Settings --> Passwords, then just delete the entry for Discord.
Or have I misinterpreted your issue?
Yeesh :/
https://grapheneos.org/
And I don't mean it as a knee-jerk response, this is open-source, anyone with skills is welcome and if you send a pull request here https://github.com/GrapheneOS/grapheneos.org with the screenshots presented in the way you'd expect them, it might get merged.
- I don’t have a phone that can run it, I’m just curious but without seeing what it looks like it’s hard to become interested
- even if I could install it, there’s basically no chance I would install it because I have no idea what it looks like, because there are no screenshots on the front page
How is that even possible? I know apps can request location data to be turned on, but I was surprised the app can unilaterally turn it on. I couldn't find any way to prevent that.
These are the kinds of reasons why I can't trust any phones at all.
There is no way for an iOS application to just say "turn on GPS" and be granted granular location access without user intervention.
Damn. Just like on Android.
The permission to always have location access(while closed) exists. Important for apps like Find My, etc.
But that has to be manually enabled per App in the settings. Apps can't even prompt for it, the location permission dialog only lets you allow usage while in the foreground. Also everytime your location is used in the background you get notified about it. So yeah, op either uses outdated android or enabled it manually.
Sure, the Chinese manufacturer is a factory making gadgets on the other side of the world - they have no real avenue to monetize your location data. They likely don't even know your name.
Hence, my suspicion is this is all a complex way to stop someone else making a 'compatible' device and selling it without developing their own app. Thats why the app checks the mac address is valid, and uploads location data so the manufacturer can see if one device is in two locations at once, confirming piracy must have occurred.
I have trouble seeing this as being quite as sinister in motivation as it first appears; while this data is certainly invasive and valuable, it's the same data that Google and Apple collect to build their mapping services, as well. It's a tough problem. I think the Big Issue exposed by this car battery monitor is the lack of granularity in mobile OS permissions. By granting the Android app BLE access, you also give it "fine location" access which lets AMap slurp your data.
I think this write-up is pretty good but I wish OP hadn't buried the lede as much in the first paragraphs. Why not mention it's AMap in the tl;dr summary?
> Why not mention it's AMap in the tl;dr summary?
The GPS data is being sent to two different companies - the battery monitor developer and AMap. I could make this clearer in the tl;dr.
The cell phone tower data (MNC,MCC,LAC,Cell ID) and Wifi BSSID collection is AMap only.
That said, none of the AMap behavior is disclosed by the application developer. Literally apps that use the AMap SDK in this way turns the user's handset into a continuous scanner. This impacts user experience - just check all the complaints on the 1.75k reviews on the Play store [1].
I doubt many devs are aware of this - It took me countless hours to figure the AMap side of things due to obfuscation techniques in the AMAp code. (See part 2 on the blog post series).
The primary issue is that all this data is collected, sent to multiple 3rd parties (AMap being one of them) and none of this was disclosed to consumers when they download the applications.
[1] https://play.google.com/store/apps/details?id=com.dc.battery...