Samsung embeds IronSource spyware app on phones across WANA
411the-anarchist2356/21/2025, 3:06:42 AM smex.org ↗
Comments (235)
boramalper · 7h ago
I suspect a strong link between mass surveillance (by corporations for advertising or by states for intelligence purposes) and the very recent targeting of the senior Iranian nuclear scientist and military officers at their homes in Iran.
Wherever you are from or whatever side of the conflict you are on, I think we can all agree that it’s never been easier to infer so much about a person from “semi-public” sources such as companies selling customer data and built-in apps that spy on their users and call home. It allows intelligence agencies to outsource intelligence gathering to the market, which is probably cheaper and a lot more convenient than traditional methods.
“Privacy is a human right” landed on deaf ears but hopefully politicians will soon realise that it’s a matter of national security too.
FilosofumRex · 6h ago
Almost all of Iran's cell network system was originally installed by S. Korean firms. They've changed some to Chinese brands, but apparently the compromised S. Korean brands are still around.
throw123xz · 1h ago
It's a mistake to assume that a very capable country can't get into a network that uses Chinese equipment/software.
Dah00n · 34m ago
It's also a mistake to assume that a very capable country can't get into a network that uses US equipment/software... especially Cisco equipment with all the "forgotten" hardcoded logins. Iran is better off with Chinese equipment than American or Korean.
kragen · 5m ago
Nobody knows enough to say whether Iran is better off with Chinese equipment.
Digital28 · 5h ago
Changing from SK to CN is a trade from intentional vulnerability to unintentional vulnerability. I’ve yet to see a secure piece of software come out of China in my 30+ years of coding.
Dah00n · 32m ago
Yet in telco it is much easier and faster to get a bug fixed in Chinese equipment. IMO it is more likely you don't work with critical infrastructure than the problem being Chinese equipment.
mike_d · 5h ago
> I suspect a strong link between mass surveillance [...] and the very recent targeting of the senior Iranian nuclear scientist and military officers at their homes in Iran.
We all like to imagine this super cool clandestine hacking operation using peoples mobile phones to secretly track people who visit nuclear facilities back to their homes.
The much more logical explanation is someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university.
boramalper · 1h ago
Israel, like any other state, must be using a variety of methods including good old "human intelligence" so it's not either-or.
In addition, saying that
> someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university
is an oversimplification on multiple levels:
1. Low-level employees typically don't have access to sensitive information.
2. With human intelligence, there is always a risk that the person you (e.g. Israel) are in touch with (e.g. an Iranian officer) who pretends to be a "double agent" (e.g. leaking info to Israel), is in fact a "triple agent" (e.g. actually working for Iran to mislead Israel).
3. You can send your kids to foreign universities but not your siblings, your parents, your wife's family, and so on... Some of your beloved ones are almost certain to suffer the consequences of your actions. High treason is no joke.
aussieguy1234 · 6h ago
Weather apps are one of the worst offenders here. Almost all share your location info with data brokers if you give them location access.
Check the weather today, get bombed tomorrow.
chaosbolt · 3h ago
I suspect Israel has backdoor access to most CPUs.
Here is how Pegasus seems:
- China has 1.5 billion people, lots of resources, would profit a lot economically if they found a way to hack iOS, etc. But yet couldn't hack it.
- Israel with its 7 million people, not only hacks iOS multiple times, but does it to spy on its allies.
Now I've seen the threads analysing Pegasus' complexity, I don't know if it's been reproduced, and if it has then I guess it logically proves me wrong (the tinfoil hatter in me still thinks its right though).
Here is why:
Israel has a lot of silicon fabs or R&D centers, now it makes ZERO sense for the US to have fabs or R&D centers in Israel, since that country is (allegedly) always at the risk of being bomber for no reason at all (yeah right).
Intel has had fabs in Israek since the 80s, why not in Japan or France or the UK (France and the UK are close allies to the US and have no earthquakes or risk of being bombed), why not even Canada?
And I compared the dates of when intel started putting the Intel Management Engine in all of their CPU and the date of which they built their biggest fab in Israel, then I went down the rabbit hole of when AMD started using PSP (similar tech to Intel ME), and it coinciding with it buying a large pentesting startup in Israel, then starting to build its R&D centers there, Apple and Qualcomm have similar stories.
Obviously this is all tinfoil, and while the dates coincide it's obviously not enough.
But to each their own, and I choose to treat my tech as if it was all was backdoored already, because for me the evidence (while not enough to be sure) is enough for how much I value my privacy.
No comments yet
htowi3j4324234 · 4h ago
If a state actor is after you, cookie and GAIA-id tracking should be the least of your concerns.
PartiallyTyped · 1h ago
Europol now argues that privacy is not a right and that we need to “think of the children”. EU is now pushing some abhorrent policies and legislation to demand backdoors.
We, the people, need to demand and force our politicians to work for us.
bongodongobob · 6h ago
Politicians are just the sales and marketing department for multinational corporations and defense contractors. They will never care.
grishka · 7h ago
The "unremovable" part is inaccurate. While you can't completely remove it because it resides on the system partition, you most probably can still disable it with an adb command:
adb shell pm uninstall --user 0 com.package.name
This command is very powerful as it works for any app, even those that have "disable" greyed out in the settings. I disabled the Galaxy Store on my S9 this way for example.
acdha · 2m ago
Samsung has an entire PR team who get paid to misrepresent things — you should at least get paid for what you’re doing. You’ve already admitted that it can’t be removed and if it takes some shell work you’re not even sure about to disable it, that almost certainly means it’s coming back on every update.
hysan · 7h ago
> "unremovable"
> you can't completely remove it
Maybe my English isn’t very good but that sounds like the definition of unremovable.
grishka · 5h ago
To be pedantic, yes, but not in a way that matters. The system partition is read-only. Mounting it read-write would require root and any modifications would break system updates. The apk will still be physically present in the file system, however, none of its code will run and it will be removed from your launcher and installed app list in settings, which IMO still counts as a removal.
Also, English is not my native language. I feel like I did get my point across anyway.
hmcq6 · 5h ago
It's not being pedantic. Disabling the application does not give me the storage space back.
If people are paying for upgrades to storage space it's completely reasonable for them to be annoyed by bloatware
grishka · 5h ago
The system partition is usually the same size regardless of which storage option of the same phone model you get.
bracketfocus · 4h ago
But if the system partition could be smaller, other partitions could be larger.
grishka · 4h ago
The system partition is made some fixed size, the same way disk partitioning works on PCs, and never resized, because resizing file systems is still a non-trivial task. It often has some free space too to accommodate future system updates.
On my 128 GB Pixel 9 Pro, /data is 109 GB. The rest is /system (although `df -h` doesn't show it explicitly, no idea what's up with that) and various other system-related partitions.
sedatk · 6h ago
There’s an enormous difference between “it can’t be stopped” and “its storage area can’t be reclaimed” though.
a012 · 6h ago
Your English is perfect. The GP is a fool to try down play it and proved themselves wrong in the same sentence
charcircuit · 6h ago
It's in a read only filesystem. You can't modify read only data, but you can choose to ignore it.
npteljes · 57m ago
Words don't just have a literal, technical meaning. If the phone itself doesn't allow a straightforward, user friendly happy-path for removal, it might as well be "unremovable" in a sense that it is indeed unremovable for most users. "adb shell etc" implies that one has a PC with this tool correctly installed, and many people don't even have a PC in the first place. Then comes the case of installing adb, setting it up correctly, and having a cable to connect the two, enabling debug mode, and doing the thing. This is much more like a service thing, than a do it yourself at home thing. Not much unlike "chip tuning" for cars.
Zak · 13m ago
The article claims the app can only be removed with root access, which requires more difficult and technical steps to attain than running an adb command. If uninstalling the app with adb works and doesn't result in the app being promptly reinstalled, then the article has a significant factual error.
grishka · 40m ago
This doesn't strictly require a PC. There's this trick with using the wireless debugging feature to connect the phone to itself. You can do it with a terminal app like Termux but Shizuku is a nice GUI that streamlines this process and exposes an API for other apps to use. After a quick web search I found https://github.com/samolego/Canta which is, again, a GUI app that uses Shizuku to uninstall apps via adb.
I agree that it's not easy, but anyone sufficiently annoyed by these non-otherwise-removable apps who is able to follow instructions should be able to get it done without needing a computer or special knowledge or messing with the command line.
scalableUnicon · 6h ago
I had a Samsung phone and did the same with mine. Wrote a small tutorial here(https://harigovind.org/notes/removing-samsung-android-bloatw...). But even then, these apps will pop right back after system updates and those were becoming more frequent. I got rid of it shortly after, nowadays I use Moto where bloatwares are comparatively minimal.
gblargg · 1h ago
I've had a few Moto phones and have also been pleased with the fairly stock OS and durability.
AzzyHN · 7h ago
Yes, but for most people (I'd guess 99% or more), they would never know to use the above, and I'm those who did find a guide might have issues using adb on their likely Windows or MacOS machine.
encom · 1h ago
I had a OnePlus whatever as a work phone in my last job. Every time I used adb to purge the OnePlus crap, it would somehow find its way back. Eventually I settled on disabling autoupdates from the play store, so it was stuck at whatever outdated, and hopefully broken, version the phone shipped with.
ehnto · 5h ago
Don't even need that, you can disable it within the OS app settings.
mvdtnz · 5h ago
So you're saying it can't be removed?
awaisraad · 7h ago
Do you know if the same apps remain installed in "Secure Folder" as well?
reccy · 27m ago
This article has basically no technical details and scant evidence for the claims made by the authors. It's rage bait that is intended for emotional reaction rather than a curious and intelligent analysis.
The article leaves out quite a lot about what AppCloud is, but it's essentially how Samsung monetizes their non-flagship device users and can do things like insert installation advertisements into the notification tray, and silently install apps.
Personally, if I found this on my device it'd be the final straw to grit my teeth and finally get a personal apple device.
andrewflnr · 7h ago
Or just don't get Samsung? I guess I don't know for sure that my phone brand doesn't do anything similar, but it at least hasn't hit the news yet.
boramalper · 7h ago
> AppCloud—pre-installed on Samsung’s A and M series smartphones.
Samsung’s A and M series smartphones are their cheapest models so their buyers probably cannot afford better phones. I don’t know of any other brands selling in the region with similarly priced models that have better privacy practices than Samsung either—they’re all the same at that price point I’m afraid.
anonymars · 6h ago
In my case I wanted a damn SD card slot. And more than 2 years of security updates.
lmm · 3h ago
Sony still sells flagship phones with an SD slot. I wish my Xperia was cheaper but other than that I'm very happy with it.
mellow-lake-day · 3h ago
Not in the US.
pomian · 4h ago
Motorola. Plus it still has an audio port.
imp0cat · 5h ago
Ano now you see why Samsung is able to provide all that at an attractive price. The real costs are hidden.
more-nitor · 4h ago
hmm have you actually read the article? did you find anything of "substance" other than hand-wavy "this company is from israel, so must be mosad" or "has notorious for its questionable practices" (without even giving actual examples or incidents)?
I mean, if I was the mosad guy planting a deal with samsung, I wouldn't even name the app "AppCloud"
heck, why would you even make it appear to the user?
this is a classic competitor-bashing article -- no substance, only hand-wavy "this guys bad!"
I'm guessing this can be traced to others like xiami/huawei/etc who definitely want to get samsung's slice of the market there
hedora · 6h ago
Looking around, you can get an A series or unlocked iPhone 13 new from a prepaid mvno for $0.
A refurbished iPhone 13 is $300 on amazon, which is close to the cheapest M ($250). I can’t find new 13’s for sale except via budget carriers.
(Sent from my 12 mini which is better than all that followed it: $200-ish for excellent condition, refurbished.)
boramalper · 5h ago
> A refurbished iPhone 13 is $300 on amazon
Is this Amazon US? Because even in Ireland, iPhone 16 costs 41% higher than in the US (979 EUR = 1,128 USD in Ireland vs 799 USD in the US).
beagle3 · 9m ago
Half of the difference is likely VAT, which is included in European listings but the similar US sales tax is more often NOT included in listings.
(Some US states have no sales tax, but most do)
bigyabai · 6h ago
You're better off getting a preowned Pixel to flash with a secure ROM in this scenario. Getting an iPhone won't help if you if later down the line Apple decides to push an OTA update that forces the same functionality. A Pixel won't protect you from every vulnerability, but it goes much further towards stopping these sorts of attacks than the iPhone does.
Now hey, I won't suggest that Apple would stoop as low as Samsung has here. But discerning customers might not want Tim Apple's phone if he's been cozying up to a crusty politician that can remember to stay for dinner but can't recall his name.
chaosbolt · 3h ago
No there are lots of Chinese phones with minimal bloatware, like the nothing phone cmf 1, sure they only come with 2 years of updates but what you gonna do at that price...
If you're in the middle east, I'm sure you'd rather be spied on by China.
Do you imagine that shit? You're a nuclear scientist, working on a program for generating electricity, your country is open to being audited and complies with the restrictions and has no weapon's program, one day you come home and then a fucking rocket comes right inside your appartment and kils you and your whole family.
Ain't that a bitch? I get Khamas was hiding there too...
And since they have all that precise rockets that can take a single appartment down, why did they reduce Gaza to rubble?
The ramifications of this make me sick: evil not only wins but also writes history... And yeah the midwits here will unironically look you in the eye and explain how killing children is ok because of this of that... You being able to explain horrors doesn't make you smart or pragmatic, it makes you have no self respect and makes your personal boundaries weak, and the same mind that finds arguments to cope with the horror his tax money funds will find arguments to cope with a lot more until it's his turn on the grinder and by then it'll be too late.
aucisson_masque · 5h ago
All Android phone but pixel ones have bloatware preinstalled. Some are worst, like Xiaomi.
If you don’t want bloatware (spyware), it’s either pixel or iPhone.
burnt-resistor · 5h ago
The trick is to define "bloatware". Is that known knowns (stuff that's visible), known unknowns (stuff that's added that's not visible), and/or unknown unknowns (stuff added we are pretty sure is there but can't prove)? Apple adds all kinds of carrier-specific crap on every phone, but it's not readily discoverable. Android mfgrs must also because of carrier contracts and country-specific regulatory approval requirements. There's likely little means of escaping this without a BYOD non-Android, non-overseas, non-Apple phone that may or may not exist. Surely there is an obvious, viable alternative somewhere I'm missing that I hope exists.
sabellito · 2h ago
That's incorrect. Zenphone is a bliss.
torginus · 1h ago
Just buy a 5 year old iPhone - it's likely to be still better than the cheapo phone, and will get longer support as well, while being sold at rock bottom prices.
I just replaced my iPhone XS, not out of necessity, but I wanted to see what the new ones were like. The 16 is barely better and I was suprised to find just how little the old one was worth second hand, considering it still runs circles around most midrange Android handsets.
the-anarchist · 7h ago
As this post is trending quicker and more than I would have expected it to, I would like to add to this story:
It appears to be a similar case across the MENA region. While the SMEX post primarily focuses on WANA, it is possible to find other reports (e.g. [1]) from the MENA region that describe similar practices by Samsung. There, however, the stories talk about "Aura", rather than "AppCloud".
Same same. SMEX is based in Lebanon — (S)WANA is an obnoxious term that’s going around for MENA.
Mistletoe · 6h ago
We don't know what any of these acronyms mean!
hmcq6 · 5h ago
MENA - Middle East & North Africa
WANA - West Asia & North Africa
SMEX - "a non-profit that advocates for and advances human rights in digital spaces across West Asia and North Africa." (from their website)
more-nitor · 4h ago
"non-profit" doesn't mean "this guys are morally right and only conveys truths"
it just means that they don't pay taxes
bapak · 5h ago
"Arab countries"
eddythompson80 · 7h ago
What is the difference between WANA and MENA. Sounds like the same territory
the-anarchist · 6h ago
Yes, but, no. It's one of these things where multiple terms mean the same thing but then again come from different times/areas and, upon closer inspection, mean different things. But they're the same. But not really. [1]
A.k.a. I tried to be as politically correct and cite the term used by the respective reporting. The main point I was trying to bring across was that apparently there are two apps involved, not only a single one.
Ah, I see. Trying to find a way to include Pakistani, Afghanistan, Somalia i.e non-Arab or Persian Muslim states in the vicinity.
nacos · 52m ago
I used to manage an enterprise fleet of mobile devices.
This AppCloud crap has also been pushed to devices in the Europe Open Market.
I also know that this shouldn't have been installed on enterprise devices (either Android Enterprise managed by MDM or E-FOTA managed - don't remember exactly). We had an akward conversation with some Samsung representatives..
ehnto · 5h ago
Was installed on my device bought in Australia as well.
thenthenthen · 5h ago
AppCloud, developed by the controversial Israeli-founded company ironSource (now owned by the American company Unity)
Yes the Unity 3D engine company wow.
willtemperley · 4h ago
So Unity can now be considered malware by association.
lol the article simply doesn't have 0.000001 ounce of substance
"this company is from israel (so must be mosad)" or "has notorious for its questionable practices" (without even giving actual examples or incidents)?
I mean, if you're the mosad guy making a deal with samsung, why would you even make it appear to the user?
this is a classic competitor-bashing article -- no substance, only hand-wavy "this guys bad!"
"non-profit" doesn't make "smex" the morally-right side of the game. it just means they don't pay taxes and receive donations...
maybe it's time to trace where those donation money comes from?
smells like competitors (xiaomi, huawei) who wants to take a cut from samsung?
more-nitor · 2h ago
lol downvote without any counter-arguments..?
seriously?
definitely a smell of some dirty play going on here
hoppyhoppy2 · 30m ago
>Please don't comment about the voting on comments. It never does any good, and it makes boring reading.
>Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.
The weirdest part of that merger was Unity paid $4.4billion for IronSource.
userbinator · 6h ago
making it nearly impossible for regular users to uninstall it without root access, which voids warranties and poses security risks
Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.
ulrikrasmussen · 4h ago
We need regulation which defines that any hardware device capable of running software developed by a third party different from the hardware manufacturer qualifies as a general purpose computing device, and that any such device is disallowed to put cryptographic or other restrictions on what software the user wants to execute. This pertains to all programmable components on the device, including low-level hardware controllers.
These restrictions extend outside the particular device. It must also be illegal as a commercial entity to enforce security schemes which involve remote attestation of the software stack on the client device such that service providers can refuse to service clients based on failing attestation. Service providers have other means of protecting themselves, taking away users control of their own devices is a heavy handed and unnecessarily draconian approach which ultimately only benefits the ad company that happens to make the software stack since they also benefit from restricting what software users can run. Hypothetically, they might be interested in making it impossible to modify video players to skip ads.
miki123211 · 3h ago
I agree, but I think three extra conditions would need to be added here.
1. Devices should be allowed to display a different logo at boot time depending on whether the software is manufacturer-approved or not. That way, if somebody sells you an used device with a flashed firmware that steals all your financial data, you have a way to know.
2. Going from approved to unapproved firmware should result in a full device wipe, Chromebook style. Possibly with a three-day cooldown. Those aren't too much of an obstacle for a true tinkerer who knows what they're doing, but they make it harder to social engineer people into installing a firmware of the attackers' choosing.
3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons. Otherwise, devices become extremely attractive to steal.
xg15 · 48m ago
> Devices should be allowed to display a different logo at boot time depending on whether the software is manufacturer-approved or not.
Not sure how to phase this legally, but please also add a provision against manufacturers making the "custom firmware" logo hideously ugly on purpose to discourage rooting - like e.g.Microsoft did for Surface tablets.
> 3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons.
Full agreement here. I very much would like to keep the bootloader locked - just to my own keys, not the OEMs.
gmueckl · 1h ago
4. Apps with special security needs are allowed to detect whether a device is unlocked and can either disable themselves or go into a mode that shifts ALL related liability onto the user. It's not the bank's fault if the user disabled protections and some spyware logs the online banking password or something like that.
Zak · 39m ago
I'm pretty sure I'm against this. I could be convinced otherwise by documentation of significant fraud involving compromised devices (especially Android phones) that would have been stopped by a device attestation scheme.
I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.
If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.
mmh0000 · 53m ago
It is the banks fault if they allow non-reversible, weird or large transactions without a secondary authorization capability.
The bank’s bad processes are not an end device fault.
xg15 · 39m ago
Yeah, nope. All apps have "special security needs" according to their manufacturers. Every app that relies on spying for revenue will use that to disable itself. (Or worse, actively malfunction - e.g. that banking app could switch into a special mode where it does transactions on its own that are not in the interest of the user. If the user has accepted all liability, there isn't much they could do against that)
I'm alright with limiting liability for an unlocked/customized phone (for things that happen from that phone) - but that's a legal/contractual thing. For that to work, it's enough for a judge to understand that the phone was customized at that time - it doesn't require the app to know.
Sophira · 2h ago
While I agree in theory, this is never going to happen. There's too much DRM in use for it to work out.
jimjimwii · 2h ago
Repeal and outlaw drm. It was a mistake that violates everyone's constitutional rights.
mmh0000 · 50m ago
“constitutional rights”
Words written on toilet paper. Only thing that exists today are “billionaire rights”.
reactordev · 43m ago
Exactly. DRM isn’t going anywhere so long as copyrights exist.
xg15 · 33m ago
Not even that. Companies are already lobbying massively for selective enforcement of copyright as to not harm the AI boom (immediate jail terms for individuals torrenting a movie, "it's a complex issue" for AI companies scraping the entire internet)
But even the DRM that is already there often only uses copyright laws as suggestions. E.g. YouTube's takedown guidelines are defined through their TOS, not through the DMCA.
al_borland · 32m ago
DRM is a barrier to legally protected purchasing digital media for me. I will buy an album from iTunes (no DRM), but I will not buy digital movies the same way.
akoboldfrying · 3h ago
> any such device is disallowed to put cryptographic or other restrictions on what software the user wants to execute
Won't this also forbid virus scanners that quarantine files?
> This pertains to all programmable components on the device, including low-level hardware controllers.
I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted.
afeuerstein · 2h ago
> Won't this also forbid virus scanners that quarantine files?
Yes. If I really _want_ to execute malware on my device, I should be allowed to do so by disabling the antivirus or disregarding a warning.
> I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted
It is very reasonable and already the rule of law in "sane" jurisdictions, that manufacturer and mandated warranties are not touched by unrelated, reversable modifications to both hard- and software.
fc417fc802 · 3h ago
It wouldn't forbid shipping the device with a virus scanner. It would only forbid refusing the user control over what software does and does not run.
There might be a couple messy edge cases if applied at the software level but I think it would work well.
Applied at the hardware level it would be very clear cut. It would simply outlaw technical measures taken to prevent the user from installing an arbitrary OS on the device.
You can (and should, imho) remove anti-virus software.
perching_aix · 6h ago
Didn't we backslide hard enough at this point that it is now architecturally ensured that there is a security downside to rooting? Prevents verified boot for example, since the attestation is tied to said corporations, and not you.
franga2000 · 2h ago
Not having verified boot is not a security downside for most people. Unless your threat model includes the evil maid attack, which it doesn't for thr vaaaaaast majority of people, verified boot is just another DRM anti-feature.
ignoramous · 1h ago
Verified Boot isn't merely to thwart Evil Maids, but by and large provide what's known as "Trusted Computing Base". And yes, given the proliferation of smartphones and the nature of sensitive applications built on top, most people, even if they don't realise it, need it.
userbinator · 1h ago
but by and large provide what's known as "Trusted Computing Base".
(I knew from the beginning that this was known as the Palladium project, and until recently, a search for "Palladium TCG" would find plenty of information about that history, yet now references to that group and its origins in DRM have seemingly disappeared from Google. Make of that what you will...)
fc417fc802 · 3h ago
AFAIK that's true for many vendors but for example Pixels (and IIRC also OnePlus at least a few years ago) you can relock the bootloader with other keys.
The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Also for the record I think it's a silly attack vector for the average person to worry about. A normal person does not have secret agents attempting to flash malicious images to his phone while he's in the shower.
acdha · 54m ago
> A normal person does not have secret agents attempting to flash malicious images to his phone while he's in the shower.
No, but millions of women have controlling partners or friends who betray their trust and, for example, many people going through U.S. Customs are being asked to surrender control of their devices so they can be used without their knowledge. There’s a well-funded malware industry with a lot of customers now.
perching_aix · 2h ago
> AFAIK that's true for many vendors but for example [on] Pixels you can relock the bootloader with other keys
Oh that's pretty cool, wasn't aware.
> The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Hold on, could you elaborate a bit on this? I thought it was an either/or type deal cause they do the same thing.
fc417fc802 · 2h ago
Many devices if you load up fastboot mode (is that the right name?) it will give you chipset and other information and it will have secureboot info there. It's permanently locked to chain into the AVB image. AVB is a much more complicated beast that specifies the existence of multiple partitions including (IIRC) one for storing authorized keys, one for the recovery, and a bunch of other stuff.
It's possible this has changed or was never widespread in the first place. I have a very limited (and historic) sample size.
torginus · 1h ago
I don't follow the reasoning behind this - even in a verified boot scenario you can just choose to not load the offending kernel module without compromising security.
Incipient · 3h ago
I'm pretty sure the recent switch 2 "license to use the hardware" has entirely killed any notion that you actually own the hardware and are free to do anything with it.
Especially in Africa, where privacy and consumer rights are probably less relevant than the US/EU.
hilbert42 · 2h ago
""license to use the hardware"…."
Well, then it's high time the laws of ownership in just about evey country in the world were updated.
As it stands, if I buy something then I own it.
makeitdouble · 2h ago
> if I buy something then I own it.
That's the point: you can't buy it, only license.
smokel · 25m ago
Even though you seem to have a lot of support on Hacker News, I don't think making root access a fundamental right is preferable.
Historically, computers have not granted you access to everything. Most home computers used to have ROM cartridges, which could not be modified, at least not by an average user. Also, when using unrestricted operating systems, such as as MS-DOS, a simple virus could wipe all your hard work.
In our current time, devices are connected to other machines, and the problem of security and privacy has increased dramatically. Unfortunately, we still don't have operating systems that are secure enough to be used by untrained persons. It makes perfect sense to lock down these devices.
I basically see only two ways out:
1. Allow developers exclusive access to development systems, similar to how console development works.
2. Implement a secure operating system.
It will take an extreme amount of effort to do the latter, and it might even be impossible to gradually absorb the mess of interfaces that people and companies expect to work.
So that probably leaves us with the first option. Personally, I would love devices to be locked down more, so that the crazy threats from hackers will be less severe. But I would also love to keep developing software. Having to jump through some hoops is probably unavoidable. The situation could be compared to requiring a driver's license in order to safely drive on the shared infrastructure.
As much as I agree with your sentiment to have freedom, it still seems somewhat overly optimistic to expect this to work in our complex society.
npteljes · 1h ago
The current legal reality might be corporate propaganda, but not exclusively corporate propaganda, it's the current legal reality as well. "root access voids warranties" is a fact in many jurisdictions, regardless of how it came to be. Hence, it's not as much parroting propaganda, as in furthering a cause, but just stating it how it is.
jrflowers · 6h ago
This is a good point. While there is nothing factually incorrect in the statement “rooting your phone can void your warranty and pose a security risk”, if you imagine factual statements are the same thing as value judgments it becomes very problematic.
Similarly it is pretty messed up when people say stuff like “fire can burn you if you aren’t careful” because so many people rely on fire for food and warmth.
fc417fc802 · 2h ago
Having your vehicle serviced by someone other than the dealer could void your warranty and poses a safety risk.
Cooking animal products at home poses a health risk. You should be sure to only ever consume animal products prepared by a duly licensed establishment.
The chauffeur's union would like to take this opportunity to remind you that amateurs operating their own motor vehicles risk serious injury and even death.
The FSD alliance would like to point out that hiring a licensed chauffeur also poses a non-negligible risk. Should you choose to make use of a personal vehicle it is strongly recommended that you select one certified by the FSD alliance. Failure to do so could potentially impact your health insurance premium.
theluketaylor · 20m ago
> Having your vehicle serviced by someone other than the dealer could void your warranty and poses a safety risk
Good tongue in cheek post, but in the US Magnuson-Moss prohibits warranty claim denials merely on the basis of non-OEM parts and service. It also puts the burden on the manufacturer to demonstrate the defect or failure was the direct result of the non-OEM part. Other jurisdictions have similar laws on the books.
Right to repair already exists in certain aspects and needs to be expanded (and enforced. Tons of those ‘will void warranty’ stickers are lies and you have legal rights to poke around)
jrflowers · 1h ago
You make an interesting point here. While “rooting your phone can void your warranty and pose a security risk“ may be a factually true statement, we must also consider some entirely unrelated and possibly untrue statements that could be theoretically uttered in another reality.
We can get so bogged down with “things that are real” and “exist in this universe” that we completely fail to focus on the vital stuff like “Bigfoot is circumcised” and “Who did it?” and “Why?”
fc417fc802 · 1h ago
On the contrary. My statements bear equivalent accuracy to yours in our current reality. My statements are also very obviously FUD. So is yours.
Or do you dispute that you could be hospitalized for salmonella if you botch cooking poultry at home? Or perhaps you feel that there is no straightforward way to inadvertently endanger your life by servicing your vehicle incorrectly?
jrflowers · 1h ago
Interesting. While there is no such thing as a chauffeurs union or an FSD alliance, if we say that they exist maybe they do. Similarly, if you say something is “FUD” then maybe it becomes that.
I genuinely do not understand the last two sentences. Are you pro- or anti- “telling people that salmonella exists” ? Is saying “salmonella exists and can be a problem” FUD or what? Do you think salmonella isn’t real
franga2000 · 1h ago
In fact there is a lot factually incorrect.
For starters, in most places, warranty is a legal requirement and the manufacturer isn't allowed to void it for whatever reason they want. If my phone's battery starts getting really hot in normal use, or I start getting dead pixels on my screen or whatever else, the fact I have a custom OS on my phone isn't relevant to the warranty claim any more than having it in a case or putting some stickers on it. Yes, it'll make claiming it more difficult, but that doesn't mean it's void, just that you'll have to fight through a few more tiers of support agents to get it fixed.
More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits. The same can be said for any other system-level software. Like if you buy an Nvidia graphics card in your computer and that loads its kernel driver, malware now has one more place to exploit. Are Nvidia graphics cards a security risk?
We've come an incredibly long way from just dropping /xbin/su and calling it a day. Modern (as in the last 10 years) root solutions have caller checks based on a user-defined whitelist and really modern implementations use kernel-level checks to make sure the app wanting root access is allowed to get it. The only way this can be dangerous is if one of those apps or the root solution itself has a code execution exploit. But again, the same can be said for the plethora of system-level bloatware vendors install these days.
jrflowers · 1h ago
>For starters, in most places, warranty is a legal requirement and the manufacturer isn't allowed to void it for whatever reason they want.
This only makes the statement untrue if you use “can” and “will” interchangeably.
>More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits.
This is a good point. What even is “attack surface” anyway? Does anybody actually consider it when “evaluating security posture”? If I simply choose not to care about attack surface because I don’t want to, then doesn’t it simply become a factual nonissue? There are no answers to these questions
menzoic · 3h ago
How is the security risk propaganda?
msgodel · 2h ago
If your security model means me having access to my own hardware is a security risk you're malicious and your security model is bad.
flotzam · 2h ago
It's not (only) propaganda. Rooting disables or bypasses verified boot, allowing exploits to persist across a reboot.
franga2000 · 2h ago
Malware van persist across reboots regardless of verified boot. What it can't do is persist through a factory reset.
But if you really want a thorough reset, simply re-lock the bootloader and flash stock firmware from there. Nothing can persist through that without an exploit in the verification chain and if you have that kind of exploit, you don't need the bootloader to be unlocked in the first place.
Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
flotzam · 1h ago
> Malware [c]an persist across reboots regardless of verified boot.
Some can, some can't. Even when it can persist, escalating to root after every reboot may be unreliable or noisy (e.g. 70% chance of success, 30% crash) compared to straight persistence as root without verified boot.
> Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
This still applies to those devices. It's the main reason GrapheneOS (which exclusively runs on Pixels, with the bootloader relocked to a GrapheneOS key) is opposed to building in root access: Verified boot would be "enabled", but effectively bypassed. https://xcancel.com/GrapheneOS/status/1730435135714050560
ahoka · 3h ago
It's the hardware vendor's "think of the children".
charcircuit · 6h ago
Root access is an outdated security concept from the previous century. Trying to mandate such a concept is parroting UNIX propaganda. Users can be given control of devices without them having a "root" account.
Zak · 22m ago
I agree. I would love to have an "advanced permissions manager" that lets me specify that AccA can write to the /sys devices for the charge controller and AdAway can write to /etc/hosts, but not the reverse.
That doesn't give me any less power than root, but does give those apps less power and limits the potential impact if one gets compromised. I think when most people say the device owner should be able to get root, they mean that the owner, rather than the manufacturer or OS vendor should have the final say in all cases, not that it has to literally work just like root on Unix.
WarOnPrivacy · 5h ago
> Users can be given control of devices without them having a "root" account.
Can be given control [by handset manufacturers] is an unfulfilled potential. And it will always be unfulfilled - because otherwise, users could protect themselves from manufacturers/providers foistware.
Given their reality, users root.
mrusme · 5h ago
How?
charcircuit · 3h ago
By following the principle of least privilege. Like with apps the user should only have privileges for what they are allowed to control and nothing more. So if the user should have privilege to disable apps, then the settings app could expose a way for the user to do so.
Yes, this is kind of approach of coming up with a design to security instead of going with the easy route of everything being allowed is harder to do and takes more time, but it leads to better security.
tsegers · 2h ago
I believe that the top-level comment you replied to is making the point that there should not be any authority that either allows or disallows what a user can do with the device they own. Purchasing a device should make one that authority, free to decide how much security to trade for how much privilege.
arendtio · 1h ago
Okay, and how am I going to give the user the right to wipe all software from the device and use a completely custom software?
I mean, we all agree that such permissions are not required during everyday operations, but there should be a way for the consumer to have control over the software being used. And I mean all aspects of the software: firmware should be updatable, the OS should be replaceable, and the security concepts within the OS should be customizable by the user as well. I have no problem with hiding such functionality and requiring users to read the documentation to find out how it can be done, but it should still be possible.
burnt-resistor · 5h ago
By having a "maintenance mode" that can be entered and left.
peterbraden · 5h ago
Maintenance mode == root
burnt-resistor · 5h ago
You're projecting your meaning of it, not mine. Not if it can't be undone in a way other than reinstalling everything. A mode that allows changing things with a temporary reduction of security system-wide and restoring them later, but putting all of the upgrade and support liability on the user without sacrificing functionality. Think VMware ESXi. If tech support wants to not support it, that's fine, but payments and such should still work.
realusername · 5h ago
Well maybe in theory but in practice they don't. How do I restrict or inspect what the Play Store is doing on my device at the moment without root?
throwaway290 · 5h ago
Stop parroting orthodox agenda without thinking of what it means. If everyone had root access it would be heaven for ransomware/spyware/malware operators.
Having root access is not in the interest OR benefit of most regular users. Rooting your phone is a footgun for 99% of people who install random apps and will get hacked and have their life savings transferred or ransomed.
For them the article does the right thing. For everyone else, like you or me, we will not care what this article says anyway.
That's why what Samsung does is double bad. Noot rooting phone is good hygiene if your phone respects you. But if it comes with malware then thats a stab in the back.
callc · 4h ago
> Having root access is not in the interest OR benefit of most regular users.
What about desktop OSes for the last 40/50 years?
Sure they aren’t the foam-padded locked down phone OSes, but isn’t this fear a case of leaving said padded room?
throwaway290 · 4h ago
Computer usage and consequently threat landscape went through a crazy change from 40/50 years ago. Desktops are a minority of devices. If you take personal devices even more so. Most people in the world with a computer have just a pocket one. Especially in WANA countries discussed
If you talk to regular non IT savvy people many of them don't bother and correctly assume that at some point it will "get a virus" or something. And it is fine for them because almost no one uses desktop for critical stuff like payment or finance. But majority do use phones for that. They jumped from cash straight to phones and now it's a lucrative attack vector.
Edit to reply because throttled by downvotes: yea I'm in your boat, we live in a bubble. It's hard to believe. But now I'm using a payment system that literally has "get app" on its site and no other way to manage money or even sign up. And apps like that can be the only way for many people to get some sort of plastic card to pay cashless
And I see how it happened. Many people have no personal desktop computers. Many payment vendors don't trust desktop computers because an ordinary person's windows machine is a malware breeder.
So many people in the world depend on mobile security (especially underprivileged people). Anyone who wants them all to get fucked for own libertarian ideal of "hardware ownership" is basically a psychopath to me. Especially considering that he is literally free to root his device and not make it a problem for others.
mumbisChungo · 4h ago
>almost no one uses desktop for critical stuff like payment or finance.
I'm not saying this is wrong (in fact I assume it is accurate), but relative to my life experience this is crazy to me.
tokioyoyo · 3h ago
Worked on some financial stuff before, and dashboards showed the opposite of your experience, if I’ll be honest. An average user is very different from us.
jjav · 1h ago
> almost no one uses desktop for critical stuff like payment or finance
What? This makes no sense. For something where security matters, using the desktop is the only rational choice. I never, ever, allow any sensitive information through the phone since it is not a trusted device.
throwaway290 · 20m ago
You are just another example why most people ranting on HN about the topic of rooting phones are out of touch. No offense.
ozim · 1h ago
My grandma should not have root on her phone and a lot of younger people as well.
Making it easy to root phone makes it easy for scammers to ask people to unlock it.
It should not void warranty if you unlock the phone. But security concerns are real. Mobile banking apps refuse to run on rooted phones.
v5v3 · 2h ago
Samsung is a South Korean company.
South Korean needs USA to protect it.
Consider everything from South Korea to be under the blessings of the NSA.
0rzech · 5h ago
Same thing in Europe and North America. AppCloud is present on Samsung devices. Sometimes from the get go, sometimes after system update, sometimes after security update (the irony of that!). Carrier-locked or not, it doesn't matter. Sometimes it's visible only after switching the "Show system applications" toggle on application list in device settings. There are many people reporting that their Galaxy S series phones have it too. This AppCloud stuff is absolutely outrageous!
mellosouls · 50m ago
Editorialized title. Even the original calls it bloatware not spyware.
msgodel · 3h ago
I've given up on smartphones. They're all unacceptably bad and for the most part take value out of your life rather than adding it.
I own a $50 Android tablet just for the required certificates to run DUO for work and other than that just use a UMPC with a modem card and VOIP for everything.
anshumankmr · 4h ago
I observed this when I purchased a Samsung phone in 2022. My phone cost 35K INR. Even I found it alarming, apart from having bs apps pre-loaded. Switched to an iPhone a year or so later. Never looked back.
ehnto · 5h ago
Samsung Phone on Australia, it was present on my device also. So not just West Asia and Africa.
I was able to disable it but not remove it, unclear if it will re-enable itself. It had sent about 35mb of data since March 1st, and was enabled as a background service.
ahmedfromtunis · 3h ago
Did try to see if using blockada (or similar apps) to block the apps access to the internet would work or cause and side effects (like other core apps not loading, ...)?
b0a04gl · 5h ago
we're past the point of blaming carriers or oems individually. the entire supply chain is complicit. you want clean firmware? you either flash it yourself or buy from the handful of vendors that haven't sold out yet. that’s where we are
ArtTimeInvestor · 5h ago
I sometimes think that "track record" is the main value of Google and Apple. They have been around for decades, and except in their own interest to collect data for themselves, I am not aware of any blatant privacy violations of these companies. And one can hope that in their own interest, they keep it that way. That's not great, but it's better than the other companies.
I don't see how any company can compete with this unless they somehow figure out how to make a vastly superior product.
So in addition to the licensing controversy, it's a good idea to assume any Unity game contains spyware now?
Iolaum · 1h ago
A user may not be able to uninstall it, but can they disable it?
mightyrabbit99 · 4h ago
The only phone brands that I am aware of which sells phones that are able to be rooted are Samsung and Xiaomi. I'm also in need of a phone that has an SD card slot so I don't see myself switching to any other brand.
yahoozoo · 1h ago
That feel when you’re going to make an Israeli spy joke then read the article headline and it’s ACTUALLY about an Israeli spy operation.
Abishek_Muthian · 5h ago
Even in India the entry level Samsung phones are subsidised by bloatwares, Unfortunately there’s not many options for an entry level phone with regular updates.
So the question is who would we like to be exploited by?
ggm · 7h ago
Would sufficient people change purchase decisions in ways which they could recognise this as a root cause?
nguyenkien · 3h ago
There not much of choice if you don't have money.
akersten · 7h ago
In my experience, Samsung is a label that means "stay far, far away." From the Galaxy Note fiasco to my microwave to my dishwasher to ... Probably at least three other products before I learned my lesson.
I even refuse to buy QD-OLED monitors out of indignation that Samsung makes the panels. Maybe I'm alone but maybe one day we'll boycott lousy companies out of business.
danparsonson · 1h ago
Great SSDs though, generally speaking
anonymars · 6h ago
In favor of what? The Android ecosystem is pretty lousy. Which manufacturers allow you to easily migrate to a new phone (Samsung has Smart Switch) and have, let's say, 4+ years of security updates?
Genuine question.
In my case I also wanted an SD card slot so it was slim slim pickings indeed. (And still there are some misfits who insist that there is no such thing as progress!)
Thorrez · 2h ago
>Which manufacturers allow you to easily migrate to a new phone (Samsung has Smart Switch) and have, let's say, 4+ years of security updates?
Pixel phones get 7 years of OS and security updates. Do you consider Pixel phones to allow you to easily migrate to a new phone?
Disclosure: I work at Google, but not on Android or Pixel.
throw123xz · 1h ago
Going from a phone with a Snapdragon SoC to a Pixel with the Tensor SoC was a big downgrade for me. It gets hotter quicker when doing more demanding tasks, battery drains faster if network conditions are not perfect, etc.
We've been having some warm weather (~30ºC) around here and the other day my Pixel 8 Pro started warning me about the phone being too hot when I tried to record a video.
I like Google's Android skin and their long support periods, but Tensor holds these newer Pixels back.
fud101 · 1h ago
Pixel phones have been awful hardware since the 5. So there is that. The tensor chip is a dud and can't be fixed. I'm done with Samsung for good after my current phone which I bought a few months ago. I'll probably replace it with an Oppo or something again, never going back to Samsung.
npteljes · 54m ago
Pixel of course. And yeah the Androids suck mostly. Pixels suck too in some ways, for example, they are quite bulky, and heat up a bunch. But overall, by far the best Android experience in my opinion. No SD slot though.
acidburnNSA · 47m ago
No SD slot is a showstopper for many.
ryukoposting · 6h ago
LG back in the day. I miss my V20. What a weird, but wonderful phone.
gblargg · 1h ago
I'm still using a V20 as my main phone. The recent app icons at the extra top section of the screen really make juggling active apps fast. I don't think any phone has had this feature since.
ryukoposting · 15m ago
I loved the second screen. Does Spotify still work with it? That was a cool thing.
moooo99 · 3h ago
I was an LG G3 user a long time ago. With the exception of the overheating issue, it was a lovely phone. LG really did have some unique devices
tock · 5h ago
I love the phones Nothing makes. And they are offering five years of Android updates and seven years of security upgrades on their upcoming Nothing phone 3.
mellow-lake-day · 3h ago
All the nothing phones are too big. Give me something the size of the s25.
msgodel · 2h ago
Get a UMPC with a modem card, put Linux on it, use jmp.chat to do all your carrier value add over IP.
blacksmith_tb · 7h ago
I have a Samsung clothes washer and a drier, they've been solid (but they aren't net-enabled... luckily).
makeitdouble · 7h ago
> Galaxy Note fiasco
Has any smartphone maker succeeded in getting more than a few percent of market share, released more that 2 phones while being immune to that level of fiasco ?
Zak · 4m ago
Yes. I have never been asked "do you have any weapons, explosives or [phone model]?" before boarding an airplane about any other phone, ever.
There have been other phones that had very occasional battery fires, but nothing on remotely the same level.
brianbest101 · 6h ago
It’s really hard to beat the “it’s a felony to knowingly carry our phones on to an airplane” level of fiasco
Gigachad · 7h ago
Samsung phones have been filled with preinstalled spyware since the beginning. Outside of fairly unusable Linux phones, Apple seems to be the only one taking privacy seriously.
compootr · 6h ago
manufacturers aside, grapheneos and lineage work well because of Google's work on their phones
sitzkrieg · 5h ago
apple privacy is marketing but ok
int_19h · 4h ago
If it's mostly marketing, why was Facebook so up in arms about forced opt-in for tracking in iOS?
Grimeton · 37m ago
Because Apple blocks everybody else from spying on you but Apple themselves are still perfectly spying on you. And not just that, by disallowing all other apps to get their hands on your data you even tell Apple which data it can sell for a higher price because it's only available via Apple and noons else...
Let that sink in.
xchip · 1h ago
> AppCloud, developed by the controversial Israeli-founded company ironSource (now owned by the American company Unity), is embedded into devices
We have new spyware coming from Israel, let's update the list:
- Pegasus
- Candiru
- QuaDream
- Cellebrite
- Paragon Solutions
- Nemesis
- AppCloud
theyinwhy · 5h ago
Should we expect to have trojans in every unity game now?
Atlas667 · 6h ago
THEY WILL TARGET YOU too if you ever find yourself against western and/or Israeli interests.
Capitalist technologies are the surveillance state incarnate. They must study people in order to manufacture consent.
Remember democracy is majority rule, when have you ever had true control over your political destiny? You KNOW the answer is never.
Democracy =/= trust.
Democracy = control.
v5v3 · 2h ago
Many 'democracies' are not democracies, as you can only really vote for one of 2 parties. The system is fully designed to supress smaller parties and independents.
Only countries with regular coalition governments can be classed as a actual democracies.
sneak · 7h ago
Buying a device that only runs OEN Android is ridiculous for this exact reason.
We need to decouple phone hardware from phone software, as we did with computers.
bilkow · 7h ago
We do, but I don't see it happening anytime soon. Many banking / government apps and even some games use the Play Integrity API, which AFAIK is starting to require remote attestation for newer devices.
As it's usually not viable to opt-out of those, the solution seems to be having a separate device.
gmerc · 7h ago
If anyone needed another reason to stay the fuck away from Unity
OutOfHere · 6h ago
Samsung currently has an unremovable spyware app on North American phones that pastes (records) everything copied to the clipboard by any app. It is the Samsung Keyboard app. It cannot be removed. It doesn't matter if you're using any other keyboard app. Samsung Keyboard pastes (records) everything that gets copied to the clipboard by any app. The Samsung Keyboard app cannot even be disabled from Android.
As an aside, I recall getting a lot more ads when I used Samsung Keyboard.
noisy_boy · 6h ago
Sometimes I will see a small random "copied" floating notification (not in the notification tray) and I always wondered where it came from. Maybe they have put in some code to suppress it but due to some bug, it leaks out. No proof but I can only hypothize.
bapak · 5h ago
Every day it feels like regulators need to increase enforcement by an order of magnitude. For every fine they dish out, 10 more abuses go unnoticed.
logicchains · 1h ago
The regulators work for the same governments and intelligence agencies that are making companies add such clandestine spyware.
Don't even get me started on the Samsung smart TVs. Just horrible all-around.
spinlock_ · 2h ago
Thats why my Samsung TV has no internet access and I'm using Apple TV instead.
Dah00n · 19m ago
From the fire into....
TZubiri · 4h ago
"AppCloud is developed by ironSource, an Israel-founded company (now acquired by American company Unity)"
I did not expect the thing I made games with as a teen to be involved in a global war.
bdavbdav · 3h ago
Is this where we discover we’ve got another Pegasus preloaded.
ingohelpinger · 6h ago
we need a satslink now!
hd4 · 3h ago
it's now a case of choosing between who you least care about spying on you - think I'll choose a Chinese phone next time, at least they're not currently engaged in genociding children
danparsonson · 1h ago
They're currently engaged in doing all kinds of awful things that we know about, and no doubt lots of even worse things that we don't. Try looking up Xinjiang, Tibet, or the Falun Gong for a taste.
There are no innocent world superpowers.
Dah00n · 17m ago
No, but China has a better track record than the US.
TiredOfLife · 5h ago
"Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize."
Wherever you are from or whatever side of the conflict you are on, I think we can all agree that it’s never been easier to infer so much about a person from “semi-public” sources such as companies selling customer data and built-in apps that spy on their users and call home. It allows intelligence agencies to outsource intelligence gathering to the market, which is probably cheaper and a lot more convenient than traditional methods.
“Privacy is a human right” landed on deaf ears but hopefully politicians will soon realise that it’s a matter of national security too.
We all like to imagine this super cool clandestine hacking operation using peoples mobile phones to secretly track people who visit nuclear facilities back to their homes.
The much more logical explanation is someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university.
In addition, saying that
> someone approached a low level employee at the MEAF who turned over a USB stick with the governments org charts and payroll records in exchange for their kids getting a full ride to a prestigious foreign university
is an oversimplification on multiple levels:
1. Low-level employees typically don't have access to sensitive information.
2. With human intelligence, there is always a risk that the person you (e.g. Israel) are in touch with (e.g. an Iranian officer) who pretends to be a "double agent" (e.g. leaking info to Israel), is in fact a "triple agent" (e.g. actually working for Iran to mislead Israel).
3. You can send your kids to foreign universities but not your siblings, your parents, your wife's family, and so on... Some of your beloved ones are almost certain to suffer the consequences of your actions. High treason is no joke.
Check the weather today, get bombed tomorrow.
Here is how Pegasus seems: - China has 1.5 billion people, lots of resources, would profit a lot economically if they found a way to hack iOS, etc. But yet couldn't hack it. - Israel with its 7 million people, not only hacks iOS multiple times, but does it to spy on its allies.
Now I've seen the threads analysing Pegasus' complexity, I don't know if it's been reproduced, and if it has then I guess it logically proves me wrong (the tinfoil hatter in me still thinks its right though).
Here is why:
Israel has a lot of silicon fabs or R&D centers, now it makes ZERO sense for the US to have fabs or R&D centers in Israel, since that country is (allegedly) always at the risk of being bomber for no reason at all (yeah right).
Intel has had fabs in Israek since the 80s, why not in Japan or France or the UK (France and the UK are close allies to the US and have no earthquakes or risk of being bombed), why not even Canada?
And I compared the dates of when intel started putting the Intel Management Engine in all of their CPU and the date of which they built their biggest fab in Israel, then I went down the rabbit hole of when AMD started using PSP (similar tech to Intel ME), and it coinciding with it buying a large pentesting startup in Israel, then starting to build its R&D centers there, Apple and Qualcomm have similar stories.
Obviously this is all tinfoil, and while the dates coincide it's obviously not enough.
But to each their own, and I choose to treat my tech as if it was all was backdoored already, because for me the evidence (while not enough to be sure) is enough for how much I value my privacy.
No comments yet
We, the people, need to demand and force our politicians to work for us.
> you can't completely remove it
Maybe my English isn’t very good but that sounds like the definition of unremovable.
Also, English is not my native language. I feel like I did get my point across anyway.
If people are paying for upgrades to storage space it's completely reasonable for them to be annoyed by bloatware
On my 128 GB Pixel 9 Pro, /data is 109 GB. The rest is /system (although `df -h` doesn't show it explicitly, no idea what's up with that) and various other system-related partitions.
I agree that it's not easy, but anyone sufficiently annoyed by these non-otherwise-removable apps who is able to follow instructions should be able to get it done without needing a computer or special knowledge or messing with the command line.
https://web.archive.org/web/20250506145643/https://smex.org/...
The article leaves out quite a lot about what AppCloud is, but it's essentially how Samsung monetizes their non-flagship device users and can do things like insert installation advertisements into the notification tray, and silently install apps.
Personally, if I found this on my device it'd be the final straw to grit my teeth and finally get a personal apple device.
Samsung’s A and M series smartphones are their cheapest models so their buyers probably cannot afford better phones. I don’t know of any other brands selling in the region with similarly priced models that have better privacy practices than Samsung either—they’re all the same at that price point I’m afraid.
I mean, if I was the mosad guy planting a deal with samsung, I wouldn't even name the app "AppCloud"
heck, why would you even make it appear to the user?
this is a classic competitor-bashing article -- no substance, only hand-wavy "this guys bad!"
I'm guessing this can be traced to others like xiami/huawei/etc who definitely want to get samsung's slice of the market there
A refurbished iPhone 13 is $300 on amazon, which is close to the cheapest M ($250). I can’t find new 13’s for sale except via budget carriers.
(Sent from my 12 mini which is better than all that followed it: $200-ish for excellent condition, refurbished.)
Is this Amazon US? Because even in Ireland, iPhone 16 costs 41% higher than in the US (979 EUR = 1,128 USD in Ireland vs 799 USD in the US).
(Some US states have no sales tax, but most do)
Now hey, I won't suggest that Apple would stoop as low as Samsung has here. But discerning customers might not want Tim Apple's phone if he's been cozying up to a crusty politician that can remember to stay for dinner but can't recall his name.
If you're in the middle east, I'm sure you'd rather be spied on by China.
Do you imagine that shit? You're a nuclear scientist, working on a program for generating electricity, your country is open to being audited and complies with the restrictions and has no weapon's program, one day you come home and then a fucking rocket comes right inside your appartment and kils you and your whole family.
Ain't that a bitch? I get Khamas was hiding there too... And since they have all that precise rockets that can take a single appartment down, why did they reduce Gaza to rubble?
The ramifications of this make me sick: evil not only wins but also writes history... And yeah the midwits here will unironically look you in the eye and explain how killing children is ok because of this of that... You being able to explain horrors doesn't make you smart or pragmatic, it makes you have no self respect and makes your personal boundaries weak, and the same mind that finds arguments to cope with the horror his tax money funds will find arguments to cope with a lot more until it's his turn on the grinder and by then it'll be too late.
If you don’t want bloatware (spyware), it’s either pixel or iPhone.
I just replaced my iPhone XS, not out of necessity, but I wanted to see what the new ones were like. The 16 is barely better and I was suprised to find just how little the old one was worth second hand, considering it still runs circles around most midrange Android handsets.
It appears to be a similar case across the MENA region. While the SMEX post primarily focuses on WANA, it is possible to find other reports (e.g. [1]) from the MENA region that describe similar practices by Samsung. There, however, the stories talk about "Aura", rather than "AppCloud".
[1] https://www.moroccoworldnews.com/2025/06/212144/samsung-embe...
WANA - West Asia & North Africa
SMEX - "a non-profit that advocates for and advances human rights in digital spaces across West Asia and North Africa." (from their website)
it just means that they don't pay taxes
A.k.a. I tried to be as politically correct and cite the term used by the respective reporting. The main point I was trying to bring across was that apparently there are two apps involved, not only a single one.
[1] https://en.wikipedia.org/wiki/Middle_East_and_North_Africa
This AppCloud crap has also been pushed to devices in the Europe Open Market.
I also know that this shouldn't have been installed on enterprise devices (either Android Enterprise managed by MDM or E-FOTA managed - don't remember exactly). We had an akward conversation with some Samsung representatives..
Yes the Unity 3D engine company wow.
https://www.pcgamer.com/unity-is-merging-with-a-company-who-...
"this company is from israel (so must be mosad)" or "has notorious for its questionable practices" (without even giving actual examples or incidents)?
I mean, if you're the mosad guy making a deal with samsung, why would you even make it appear to the user?
this is a classic competitor-bashing article -- no substance, only hand-wavy "this guys bad!"
"non-profit" doesn't make "smex" the morally-right side of the game. it just means they don't pay taxes and receive donations...
maybe it's time to trace where those donation money comes from? smells like competitors (xiaomi, huawei) who wants to take a cut from samsung?
seriously?
definitely a smell of some dirty play going on here
>Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.
https://news.ycombinator.com/newsguidelines.html
Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.
These restrictions extend outside the particular device. It must also be illegal as a commercial entity to enforce security schemes which involve remote attestation of the software stack on the client device such that service providers can refuse to service clients based on failing attestation. Service providers have other means of protecting themselves, taking away users control of their own devices is a heavy handed and unnecessarily draconian approach which ultimately only benefits the ad company that happens to make the software stack since they also benefit from restricting what software users can run. Hypothetically, they might be interested in making it impossible to modify video players to skip ads.
1. Devices should be allowed to display a different logo at boot time depending on whether the software is manufacturer-approved or not. That way, if somebody sells you an used device with a flashed firmware that steals all your financial data, you have a way to know.
2. Going from approved to unapproved firmware should result in a full device wipe, Chromebook style. Possibly with a three-day cooldown. Those aren't too much of an obstacle for a true tinkerer who knows what they're doing, but they make it harder to social engineer people into installing a firmware of the attackers' choosing.
3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons. Otherwise, devices become extremely attractive to steal.
Not sure how to phase this legally, but please also add a provision against manufacturers making the "custom firmware" logo hideously ugly on purpose to discourage rooting - like e.g.Microsoft did for Surface tablets.
> 3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons.
Full agreement here. I very much would like to keep the bootloader locked - just to my own keys, not the OEMs.
I should note Google has such an attestation scheme, and there are reliable defeats for it in most situations given root access. Apps have been able to insist on hardware-backed attestation which has not been defeated for some time, but that isn't available for old devices. Almost none do so.
If this had a meaningful impact on fraud, more apps would insist on the hardware-backed option, but that's quite rare. Even Google doesn't; I used Google Pay contactless with LineageOS and root this week. I'm currently convinced it's primarily a corporate power grab; non-Google-approved Android won't be a consumer success if it doesn't run your banking app, and the copyright lobby loves anything that helps DRM.
The bank’s bad processes are not an end device fault.
I'm alright with limiting liability for an unlocked/customized phone (for things that happen from that phone) - but that's a legal/contractual thing. For that to work, it's enough for a judge to understand that the phone was customized at that time - it doesn't require the app to know.
Words written on toilet paper. Only thing that exists today are “billionaire rights”.
But even the DRM that is already there often only uses copyright laws as suggestions. E.g. YouTube's takedown guidelines are defined through their TOS, not through the DMCA.
Won't this also forbid virus scanners that quarantine files?
> This pertains to all programmable components on the device, including low-level hardware controllers.
I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted.
Yes. If I really _want_ to execute malware on my device, I should be allowed to do so by disabling the antivirus or disregarding a warning.
> I don't think it's reasonable to expect any manufacturer to uphold a warranty if making unlimited changes to the system is permitted
It is very reasonable and already the rule of law in "sane" jurisdictions, that manufacturer and mandated warranties are not touched by unrelated, reversable modifications to both hard- and software.
There might be a couple messy edge cases if applied at the software level but I think it would work well.
Applied at the hardware level it would be very clear cut. It would simply outlaw technical measures taken to prevent the user from installing an arbitrary OS on the device.
Regarding warranties, what's so difficult about flashing a stock image to a device being serviced? At least in the US wasn't this already settled long ago by Magnuson-Moss? https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty...
You can (and should, imho) remove anti-virus software.
In other words, DRM.
https://en.wikipedia.org/wiki/Trusted_Computing#Criticism
(I knew from the beginning that this was known as the Palladium project, and until recently, a search for "Palladium TCG" would find plenty of information about that history, yet now references to that group and its origins in DRM have seemingly disappeared from Google. Make of that what you will...)
The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Also for the record I think it's a silly attack vector for the average person to worry about. A normal person does not have secret agents attempting to flash malicious images to his phone while he's in the shower.
No, but millions of women have controlling partners or friends who betray their trust and, for example, many people going through U.S. Customs are being asked to surrender control of their devices so they can be used without their knowledge. There’s a well-funded malware industry with a lot of customers now.
Oh that's pretty cool, wasn't aware.
> The crazy thing is that on all the devices I've had AVB is implemented on top of secureboot. Being able to set your own secureboot keys is bog standard on corporate laptops. The entire situation makes absolutely no sense.
Hold on, could you elaborate a bit on this? I thought it was an either/or type deal cause they do the same thing.
It's possible this has changed or was never widespread in the first place. I have a very limited (and historic) sample size.
Especially in Africa, where privacy and consumer rights are probably less relevant than the US/EU.
Well, then it's high time the laws of ownership in just about evey country in the world were updated.
As it stands, if I buy something then I own it.
That's the point: you can't buy it, only license.
Historically, computers have not granted you access to everything. Most home computers used to have ROM cartridges, which could not be modified, at least not by an average user. Also, when using unrestricted operating systems, such as as MS-DOS, a simple virus could wipe all your hard work.
In our current time, devices are connected to other machines, and the problem of security and privacy has increased dramatically. Unfortunately, we still don't have operating systems that are secure enough to be used by untrained persons. It makes perfect sense to lock down these devices.
I basically see only two ways out:
1. Allow developers exclusive access to development systems, similar to how console development works.
2. Implement a secure operating system.
It will take an extreme amount of effort to do the latter, and it might even be impossible to gradually absorb the mess of interfaces that people and companies expect to work.
So that probably leaves us with the first option. Personally, I would love devices to be locked down more, so that the crazy threats from hackers will be less severe. But I would also love to keep developing software. Having to jump through some hoops is probably unavoidable. The situation could be compared to requiring a driver's license in order to safely drive on the shared infrastructure.
As much as I agree with your sentiment to have freedom, it still seems somewhat overly optimistic to expect this to work in our complex society.
Similarly it is pretty messed up when people say stuff like “fire can burn you if you aren’t careful” because so many people rely on fire for food and warmth.
Cooking animal products at home poses a health risk. You should be sure to only ever consume animal products prepared by a duly licensed establishment.
The chauffeur's union would like to take this opportunity to remind you that amateurs operating their own motor vehicles risk serious injury and even death.
The FSD alliance would like to point out that hiring a licensed chauffeur also poses a non-negligible risk. Should you choose to make use of a personal vehicle it is strongly recommended that you select one certified by the FSD alliance. Failure to do so could potentially impact your health insurance premium.
Good tongue in cheek post, but in the US Magnuson-Moss prohibits warranty claim denials merely on the basis of non-OEM parts and service. It also puts the burden on the manufacturer to demonstrate the defect or failure was the direct result of the non-OEM part. Other jurisdictions have similar laws on the books.
Right to repair already exists in certain aspects and needs to be expanded (and enforced. Tons of those ‘will void warranty’ stickers are lies and you have legal rights to poke around)
We can get so bogged down with “things that are real” and “exist in this universe” that we completely fail to focus on the vital stuff like “Bigfoot is circumcised” and “Who did it?” and “Why?”
Or do you dispute that you could be hospitalized for salmonella if you botch cooking poultry at home? Or perhaps you feel that there is no straightforward way to inadvertently endanger your life by servicing your vehicle incorrectly?
I genuinely do not understand the last two sentences. Are you pro- or anti- “telling people that salmonella exists” ? Is saying “salmonella exists and can be a problem” FUD or what? Do you think salmonella isn’t real
For starters, in most places, warranty is a legal requirement and the manufacturer isn't allowed to void it for whatever reason they want. If my phone's battery starts getting really hot in normal use, or I start getting dead pixels on my screen or whatever else, the fact I have a custom OS on my phone isn't relevant to the warranty claim any more than having it in a case or putting some stickers on it. Yes, it'll make claiming it more difficult, but that doesn't mean it's void, just that you'll have to fight through a few more tiers of support agents to get it fixed.
More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits. The same can be said for any other system-level software. Like if you buy an Nvidia graphics card in your computer and that loads its kernel driver, malware now has one more place to exploit. Are Nvidia graphics cards a security risk?
We've come an incredibly long way from just dropping /xbin/su and calling it a day. Modern (as in the last 10 years) root solutions have caller checks based on a user-defined whitelist and really modern implementations use kernel-level checks to make sure the app wanting root access is allowed to get it. The only way this can be dangerous is if one of those apps or the root solution itself has a code execution exploit. But again, the same can be said for the plethora of system-level bloatware vendors install these days.
This only makes the statement untrue if you use “can” and “will” interchangeably.
>More importantly, rooting is only a security risk in the sense that it increases the attack surface for exploits.
This is a good point. What even is “attack surface” anyway? Does anybody actually consider it when “evaluating security posture”? If I simply choose not to care about attack surface because I don’t want to, then doesn’t it simply become a factual nonissue? There are no answers to these questions
But if you really want a thorough reset, simply re-lock the bootloader and flash stock firmware from there. Nothing can persist through that without an exploit in the verification chain and if you have that kind of exploit, you don't need the bootloader to be unlocked in the first place.
Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
Some can, some can't. Even when it can persist, escalating to root after every reboot may be unreliable or noisy (e.g. 70% chance of success, 30% crash) compared to straight persistence as root without verified boot.
> Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.
This still applies to those devices. It's the main reason GrapheneOS (which exclusively runs on Pixels, with the bootloader relocked to a GrapheneOS key) is opposed to building in root access: Verified boot would be "enabled", but effectively bypassed. https://xcancel.com/GrapheneOS/status/1730435135714050560
That doesn't give me any less power than root, but does give those apps less power and limits the potential impact if one gets compromised. I think when most people say the device owner should be able to get root, they mean that the owner, rather than the manufacturer or OS vendor should have the final say in all cases, not that it has to literally work just like root on Unix.
Can be given control [by handset manufacturers] is an unfulfilled potential. And it will always be unfulfilled - because otherwise, users could protect themselves from manufacturers/providers foistware.
Given their reality, users root.
Yes, this is kind of approach of coming up with a design to security instead of going with the easy route of everything being allowed is harder to do and takes more time, but it leads to better security.
I mean, we all agree that such permissions are not required during everyday operations, but there should be a way for the consumer to have control over the software being used. And I mean all aspects of the software: firmware should be updatable, the OS should be replaceable, and the security concepts within the OS should be customizable by the user as well. I have no problem with hiding such functionality and requiring users to read the documentation to find out how it can be done, but it should still be possible.
Having root access is not in the interest OR benefit of most regular users. Rooting your phone is a footgun for 99% of people who install random apps and will get hacked and have their life savings transferred or ransomed.
For them the article does the right thing. For everyone else, like you or me, we will not care what this article says anyway.
That's why what Samsung does is double bad. Noot rooting phone is good hygiene if your phone respects you. But if it comes with malware then thats a stab in the back.
What about desktop OSes for the last 40/50 years?
Sure they aren’t the foam-padded locked down phone OSes, but isn’t this fear a case of leaving said padded room?
If you talk to regular non IT savvy people many of them don't bother and correctly assume that at some point it will "get a virus" or something. And it is fine for them because almost no one uses desktop for critical stuff like payment or finance. But majority do use phones for that. They jumped from cash straight to phones and now it's a lucrative attack vector.
Edit to reply because throttled by downvotes: yea I'm in your boat, we live in a bubble. It's hard to believe. But now I'm using a payment system that literally has "get app" on its site and no other way to manage money or even sign up. And apps like that can be the only way for many people to get some sort of plastic card to pay cashless
And I see how it happened. Many people have no personal desktop computers. Many payment vendors don't trust desktop computers because an ordinary person's windows machine is a malware breeder.
So many people in the world depend on mobile security (especially underprivileged people). Anyone who wants them all to get fucked for own libertarian ideal of "hardware ownership" is basically a psychopath to me. Especially considering that he is literally free to root his device and not make it a problem for others.
I'm not saying this is wrong (in fact I assume it is accurate), but relative to my life experience this is crazy to me.
What? This makes no sense. For something where security matters, using the desktop is the only rational choice. I never, ever, allow any sensitive information through the phone since it is not a trusted device.
Making it easy to root phone makes it easy for scammers to ask people to unlock it.
It should not void warranty if you unlock the phone. But security concerns are real. Mobile banking apps refuse to run on rooted phones.
South Korean needs USA to protect it.
Consider everything from South Korea to be under the blessings of the NSA.
I own a $50 Android tablet just for the required certificates to run DUO for work and other than that just use a UMPC with a modem card and VOIP for everything.
I was able to disable it but not remove it, unclear if it will re-enable itself. It had sent about 35mb of data since March 1st, and was enabled as a background service.
I don't see how any company can compete with this unless they somehow figure out how to make a vastly superior product.
https://en.m.wikipedia.org/wiki/PRISM
Unity the ones doing a game engine?
So the question is who would we like to be exploited by?
I even refuse to buy QD-OLED monitors out of indignation that Samsung makes the panels. Maybe I'm alone but maybe one day we'll boycott lousy companies out of business.
Genuine question.
In my case I also wanted an SD card slot so it was slim slim pickings indeed. (And still there are some misfits who insist that there is no such thing as progress!)
Pixel phones get 7 years of OS and security updates. Do you consider Pixel phones to allow you to easily migrate to a new phone?
Disclosure: I work at Google, but not on Android or Pixel.
We've been having some warm weather (~30ºC) around here and the other day my Pixel 8 Pro started warning me about the phone being too hot when I tried to record a video.
I like Google's Android skin and their long support periods, but Tensor holds these newer Pixels back.
Has any smartphone maker succeeded in getting more than a few percent of market share, released more that 2 phones while being immune to that level of fiasco ?
There have been other phones that had very occasional battery fires, but nothing on remotely the same level.
Let that sink in.
We have new spyware coming from Israel, let's update the list:
- Pegasus
- Candiru
- QuaDream
- Cellebrite
- Paragon Solutions
- Nemesis
- AppCloud
Capitalist technologies are the surveillance state incarnate. They must study people in order to manufacture consent.
Remember democracy is majority rule, when have you ever had true control over your political destiny? You KNOW the answer is never.
Democracy =/= trust.
Democracy = control.
Only countries with regular coalition governments can be classed as a actual democracies.
We need to decouple phone hardware from phone software, as we did with computers.
As it's usually not viable to opt-out of those, the solution seems to be having a separate device.
As an aside, I recall getting a lot more ads when I used Samsung Keyboard.
Yeah, all Samsung software is a liability.
Don't even get me started on the Samsung smart TVs. Just horrible all-around.
I did not expect the thing I made games with as a teen to be involved in a global war.
There are no innocent world superpowers.