174
submitted 7 months ago* (last edited 7 months ago) by coffeeClean@infosec.pub to c/degoogle@lemmy.ml

The technical mechanism:

https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock

update


To be clear, I am not the OP who experienced this problem. I just linked them from here.

[-] Blaster_M@lemmy.world 64 points 7 months ago

Don't buy a phone on collateral credit (like from a cell provider that "gives" you a phone with service). If you must, ebay a phone and use paypal.

If you can't afford a $1200 phone by paying for it in "cash", you need to aim lower.

[-] electricprism@lemmy.ml 22 points 7 months ago

Comments from the last post indicated it made no difference to having the killswitch on their devices as per screenshots.

Still I agree, buying on credit is not a good idea.

[-] coffeeClean@infosec.pub 8 points 7 months ago

The real problem with @Blaster_M@lemmy.world’s comment was to blame the victim. It may be sensible to blame the victim, but let’s not lose focus on the perp.

[-] coffeeClean@infosec.pub 12 points 7 months ago* (last edited 7 months ago)

I must say Paypal shares customer data with over 600 corporations among other scummy things, so I boycott them. I also boycott eBay because the javascript required to use their website port sniffs your LAN and feeds that back to them, apart from other evils.

But most importantly, I’m not necessarily worried that I would personally get burnt by this. But just like my unwillingness to buy an Intel CPU with a management engine (or AMD’s flavor of this), I am unwilling to buy a product that was designed to work against me. I do not want to finance anti-consumer suppliers. ATM I don’t know how to check whether my version of AOS has this “feature”.

(BTW, I’m not the OP; I just linked their post here)

[-] Blaster_M@lemmy.world 13 points 7 months ago* (last edited 7 months ago)

Sniffs your local pc to look for remote desktop and vnc ports on it. I can see this being useful in finding RAT risks, but the portscan thing is something the browser should be blocking or sandboxing.

As for PayPal, well, your cc / bank also shares lots of data.

If your threat modelling is that severe, your best bet is Tor Craigslist, a couple blokes packing heat and a briefcase of money in a place with no parking lot surveillance.

But then at that point security and safety is on you and your mates to implement.

[-] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

> As for PayPal, well, your cc / bank also shares lots of data.

Paypal is not a bank. Paypal is an additional MitM. Using Paypal adds another surveillance capitalist to the chain along with your bank and credit network. But indeed, the banks and credit cards are shit so I am fighting the war on cash quite hard. I’ve already been dragged into court for insisting on paying a creditor in cash. I won that case and will continue insisting on cash payments.

> If your threat modelling is that severe

My threat model simply includes mass surveillance. Which is in the threat model of everyone who understands and embraces privacy. It’s worth noting that it’s not purely an infosec stance. I also object to feeding a supplier who is acting against me. The moment I detect that a supplier is working against me, I walk on ethical grounds. They have failed to earn my business. The snooping just happens to be the manner in which they are working against me.

> your best bet is Tor Craigslist,

I was doing that at one time but something pushed me off. I don’t recall what.. whether it was SMS verify or CAPTCHAs or phone numbers or fussy email address verifiers... something drove me off.

[-] Blaster_M@lemmy.world 4 points 7 months ago

Can't help you there. Buying stuff isn't anonymous, even brick and mortar stores have cloud surveillance cams now.

[-] MisterFrog@lemmy.world 7 points 7 months ago

I'm OOP, I bought this Pixel 6 phone outright directly from Google. This system app has no business being on my phone.

And even IF it was purchased on credit, this is such an unfair power dynamic which hurts the most vulnerable in society.

Miss a phone payment, get locked out, haha have fun trying to access your bank account (many people have a phone as their primary computing device to access banking, and further, many banks might have SMS 2FA).

I say, there is no excuse for this. There were repo methods before software locks, and we'd ought to keep it that way.

It doesn't appear to actually be used, at least in Australia, but having the functionality built in at all should be straight up illegal in a caring society.

[-] cm0002@lemmy.world 4 points 7 months ago

I don't think any of the major (I know someone will probably come in here and tell me about some tiny provider that's only in like 2 states that does) US carriers do phones on secured credit; they default to unsecured credit. Maybe they have an alternative plan for people with not so great credit, but I doubt it.

[-] IsThisAnAI@lemmy.world 17 points 7 months ago

Don't buy a phone on random creditors that install this shit. This has nothing to do with Google.

You going to ditch Linux because they support remote management too?

[-] MisterFrog@lemmy.world 15 points 7 months ago

I'm OOP, I bought this phone outright. Google seems to be installing this on phones by default (the actual pattern based on people's comments seems to be more recent phones, but not all have it).

It's even shipping within de-googled phones, at some base AOSP level (or the hardware, I dunno, not that knowledgeable), as some GrapheneOS users reported having it on their phones too.

I'm pissed because: 1. It's installed when it shouldn't be, 2. Gives inappropriate power to creditors, which hurts the most vulnerable.

[-] ichbinjasokreativ@lemmy.world 7 points 7 months ago

I bought a Pixel from a German carrier in Germany and installed GrapheneOS on it and this 'app' is still installed.

[-] coffeeClean@infosec.pub 10 points 7 months ago* (last edited 7 months ago)

> This has nothing to do with Google.

Google welded anti-consumer logic into the kernel. Of course that’s on Google. Just like Intel started making CPUs with a management engine that can only work against non-corporate consumers, basically saying fuck the individuals’ needs.. putting individuals at unconscionable risk without their knowledge or consent.

Consumers have decisions to make. Is a consumer happy to feed a supplier who sells them something that works against them? Some are. I’m not. Going forward they fail to earn my business because they have too many masters.

> You going to ditch Linux because they support remote management too?

Linux is not locked down. Users can remove anything they want from it.

[-] CubitOom@infosec.pub 12 points 7 months ago

I for one am glad that it was deemed safe for 3 year olds to be indebted to creditors.

[-] owen@lemmy.ca 4 points 7 months ago* (last edited 7 months ago)

I just thought of a new business: Baby Debt.

We trick children into signing a contract so we can legally control them financially for life.

Baby Debt: It's Not Illegal

[-] Omega_Haxors@lemmy.ml 3 points 7 months ago* (last edited 7 months ago)

Since this software comes preinstalled and you can't get rid of it, that means it is illegal to sell this phone to anyone under the age of 3.

That or the software itself is illegal which sounds a little more accurate.

[-] AdmiralShat@programming.dev 7 points 7 months ago

Couldn't you just remove it with ADB?

[-] kratoz29@lemm.ee 5 points 7 months ago

Root or get out, I have been rooting since 2020 and I decide what the heck to do with my phone 😁

[-] AdmiralShat@programming.dev 6 points 7 months ago

I mean, the people this was targeted at were Kenyans who otherwise couldn't afford a phone. I don't think the people this applies to can afford to choose a phone model.

[-] coffeeClean@infosec.pub 3 points 7 months ago* (last edited 7 months ago)

If I were to simultaneously demand:

  • a phone with a relatively non-evil brand (thus obscure), and
  • a rootable phone (thus a mainstream one)

that leaves me with no phone at all. Because only popular mainstream models get rooted and they’re all made by the worst companies.

When my current phone loses its usefulness I might even go without. Or possibly get one 2nd hand although the 2nd hand market still supports the 1st hand market.

[-] N4CHEM@lemmy.ml 4 points 7 months ago
[-] coffeeClean@infosec.pub 2 points 7 months ago

I think Fairphone did not exist when I last bought a phone. But you make a good point; I overlooked that. It will probably be my next phone whenever I reach a point where open street maps no longer updates on my phone.

[-] cm0002@lemmy.world 4 points 7 months ago

Iirc when this came up yesterday, it disables Developer tools when active

[-] coffeeClean@infosec.pub 3 points 7 months ago

I think someone mentioned this is in the Playstore services stuff that’s hardwired in to the platform. Which means if a device is unrooted you can possibly do: $ adb shell 'pm disable --user 13 com.google.android.gms'.

[-] Norgur@kbin.social 7 points 7 months ago

Wasn't this app some exclusive thing for a marketing scheme in Kenya for Android Go? If so… maybe your phone has a… African history?
https://blog.google/intl/en-africa/products/android-chrome-play/growing-access-and-inclusion-with-more/

[-] MisterFrog@lemmy.world 3 points 7 months ago* (last edited 7 months ago)

I bought it practically on launch in Australia, directly from Google (I'm OOP), so I'd be surprised unless there was some last minute redirection of inventory from Kenya to Australia ¯_(ツ)_/¯

[-] Philharmonic3@lemmy.world 4 points 7 months ago

Everyone in this thread is wild. Buying a phone on credit makes sense with how expensive they are. How else can Google protect themselves though? Just like cars get repossessed if you didn't pay, this is a two-way street. Otherwise people could have a phone sent to them and then never pay anything for it.

[-] coffeeClean@infosec.pub 10 points 7 months ago* (last edited 7 months ago)

If the creditor wants to collect on a debt, there is a court process for that. I’ve used it. It works.

Locking the phone is not repossession. It does nothing other than sabotage the device the consumer may need to actually make the payment. The phone remains in the buyer’s possession and useless to the seller.

Power is also misplaced. What happens when the creditor decides to (illegally) refuse cash payments on the debt? Defaulting is not necessarily the debtor’s fault. This in fact happened to me: Creditor refused my cash payment and dragged me into court for delinquency. Judge ruled in my favor because cash acceptance is an obligation. But this law is being disregarded by creditors all over. If the creditor had the option to sabotage my lifestyle by blocking communication and computing access, it would have been a greater injustice.

#WarOnCash

[-] cyborganism@lemmy.ca 2 points 7 months ago

You have a Pixel phone. Just install Calyx OS on it.

[-] MisterFrog@lemmy.world 11 points 7 months ago

Even if this would help (I'm OOP, and according to some commenters it's still installed on their phones running other OSes), I'm still outraged at the concept and the fact it's installed by default.

Plus, "just" installing a different OS is not a terribly mass-market friendly thing.

It should be regulated against by governments. The EU is slowly heading in the right direction. We're letting these tech companies do whatever the fuck they want to.

Most people don't have the time or knowledge necessary to make their digital lives entirely private.

This has "stop global warming by making personal choices" vibes to it.

I want privacy by default, and I'm not going to apologise for that.

[-] cyborganism@lemmy.ca 3 points 7 months ago

I agree with you 💯 percent.

[-] Senseless@feddit.de 6 points 7 months ago

I don't think that necessarily helps. I'm running GrapheneOS and "DeviceLockController" is installed there as well. From what I read, it's because it's part of AOSP.

I did take all permissions and from the system logs it reads that this app never has been used or tried to send anything to begin with.

[-] coffeeClean@infosec.pub 2 points 7 months ago

To be clear I linked to someone else’s post. I don’t have the Pixel phone.

this post was submitted on 22 Mar 2024
174 points (89.2% liked)
