Was Huawei allowing an unknown app to invade our phones?

7 October 2019


As many of you probably know already, the Trump administration banned US companies from doing business with Huawei a few months ago. As a consequence, the Mate 30 Pro, Huawei’s latest flagship phone, was launched without Google apps due to the import ban. The phone came with a basic, open-source Android instead of the advanced Google Mobile Services (e.g. Google Play Store, Gmail and Google Maps) we are accustomed to.

However, a few months ago an anonymous Chinese company called Lzplay came up with a workaround. Through their website, you could easily download their app to gain access to Google services. Google apps should not be able to work on the Mate 30 due to the lack of system-level permissions, yet Lzplay’s method managed to make them work. But not without a price. According to John Wu, an Android security researcher, Lzplay used undocumented Huawei APIs inside the operating system that are used for device security to trick Google servers. What does this mean for your phone? After the installation of Lzplay, your Mate 30 Pro’s security is at risk, since the application has administrator rights. That means that Lzplay can easily brick your phone or install ransomware without you noticing.

According to Huawei’s documentation for the security authorization SDK, third-party developers are required to sign legal agreements and submit to a review by Huawei in order to gain access to the software development kit (SDK). Therefore, the developer of Lzplay was somehow aware of these undocumented APIs, signed the legal agreements, went through the reviews and eventually had the app signed by Huawei. It should also be noted that Lzplay was launched 3 days before the public launch of the Mate 30 Pro, which means that Lzplay knew about all of this well before the launch and had the time to build an app, go through the review process, and launch a website. Wu suggested that Huawei is aware of the secret tools Lzplay used and explicitly allowed their existence, since this allows people to get Google Play onto devices that would otherwise have been blocked.

Last week, Wu revealed the information regarding Lzplay, and shortly after, the Lzplay website was taken offline and the signature was remotely revoked by Huawei. Does this mean that Huawei played a part in this? It’s hard to say. According to a Huawei spokesperson, the multinational technology company has no involvement with Lzplay. It could be that Huawei created Lzplay to alleviate Google app anxiety for potential Mate 30 customers. If this was the case, then it certainly backfired on Huawei. The backdoor may be shut for now, but it could be opened again through another method, probably a more solid one than the one Lzplay offered.

References:

Amadeo, R. (2019). ‘The Internet’s horrifying new method for installing Google apps on Huawei phones’. Accessed on 7 October 2019 on https://arstechnica.com/gadgets/2019/10/the-internets-horrifying-new-method-for-installing-google-apps-on-huawei-phones/2/

Cooper, D. (2019). ‘Huawei’s Mate 30 loses workaround for installing Google apps’. Accessed on 7 October 2019 on https://www.engadget.com/2019/10/02/huawei-mate-30-workaround-lzplay-shut-down/

Huawei (n.d.). ‘安全类授权开放开发指南’ [Security Authorization Open Development Guide]. Accessed on 7 October 2019 on https://developer.huawei.com/consumer/cn/devservice/doc/30702

Phelan, D. (2019). ‘Huawei Shock: Mate 30 Pro’s Back Door To Google Apps Slams Shut’. Accessed on 7 October 2019 on https://www.forbes.com/sites/davidphelan/2019/10/01/huawei-mate-30-pro-has-the-back-door-to-loading-google-apps-just-slammed-shut/#c69d7dc76a82

Wu, J. (2019). ‘Huawei’s Undocumented APIs – A Backdoor to Reinstall Google Services’. Accessed on 7 October 2019 on https://medium.com/@topjohnwu/huaweis-undocumented-apis-a-backdoor-to-reinstall-google-services-c3a5dd71a7cd

 


Is your phone listening?

1 October 2019


… No, but the truth is even scarier

Most of us have experienced it before. You talk about something out loud, only for ads to appear on Facebook, Instagram or the web browser the next day or even minutes later. It feels like your phone is monitoring your conversation and showing you the corresponding ads.
Could that be true?

Well, technically it is possible for apps and phones to secretly observe your microphone recordings. Many people believe this modern myth and are certain that some personalised ads can only come from bugging. Facebook in particular seems to be the centre of the accusations.

But here is the all-clear. According to Facebook’s official statement in June 2016: “Facebook does not use your phone’s microphone to inform ads or to change what you see in News Feed”. So far, researchers have failed to find evidence against this statement (Fowler, 2019).


If Facebook does not listen – how do they know?

Well, Facebook does not need to spy on our conversations, because it already has all the data it needs to propose targeted advertising. In fact, the data we voluntarily share with Facebook (and many other apps) is more than sufficient, even without accessing our microphones (Here you can find out what Facebook knows about you).

There are many ways for Facebook to target us based on the data we release, our demographics and our location. Also, many other websites and apps use Facebook plugins, logins and widgets. Through these, Facebook can collect data on our web journey: what items we look at, what we click on, how much time we spend reading, what products we put in our shopping cart, etc. Further, Facebook’s algorithm determines that if a friend with similar characteristics likes something, we might be equally interested in the product. Those tracking methods are so precise that we have the impression that our phone is listening.


But, is your phone still snooping?

Indeed, a study by Northeastern University had some surprising and disturbing findings when investigating 17,260 popular Android apps. The researchers revealed several alarming privacy risks in the Android app ecosystem. According to the study, several apps were taking screenshots or recording videos of smartphone activity and sharing that data with third parties in unexpected ways, without the permission of the user (Choffnes et al., 2018). Protecting ourselves against this kind of spying seems impossible.

No, our phones are not listening to our conversations. But isn’t the truth even more disturbing?
What do you think? Have you also had the feeling that your phone was secretly snooping on you for advertising purposes? Do you mind?

 

Bibliography:

Choffnes, D., Lindorfer, M., Pan, E., Ren, J. & Wilson, C. (2018). Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications. Proceedings on Privacy Enhancing Technologies 2018. 18 (4): 1–18.

Facebook. (2016). Facebook does not use your phone’s microphone for ads or news feed stories. [online] Facebook Newsroom. Available at: https://newsroom.fb.com/news/h/facebook-does-not-use-your-phones-microphone-for-ads-or-news-feed-stories/ [Accessed 29.09.2019].

Fowler, B. (2019). Is Your Smartphone Secretly Listening to You? It’s technically possible, but researchers and security experts say the answer is likely no. [online] Consumerreports.org. Available at: https://www.consumerreports.org/smartphones/is-your-smartphone-secretly-listening-to-you/ [Accessed 01.10.2019].

Graham, J. (2019). Is Facebook listening to me? Why those ads appear after you talk about things. [online] USAtoday.com. Available at: https://eu.usatoday.com/story/tech/talkingtech/2019/06/27/does-facebook-listen-to-your-conversations/1478468001/ [Accessed 01.10.2019].

Tiffany, K. (2018). The perennial debate about whether your phone is secretly listening to you, explained. [online] Vox.com. Available at: https://www.vox.com/the-goods/2018/12/28/18158968/facebook-microphone-tapping-recording-instagram-ads [Accessed 30.09.2019].
