Foxes (or asses) guarding the hen house
Six months ago when the iPhone location logging story broke, this Android fan refrained from gloating. Why? Because you can trust the corporate intelligence of handset manufacturers and wireless service providers about as much as #occupywallstreet protesters can trust the NYPD to lead them merrily across the Brooklyn Bridge.
It was just a matter of time before a severe data breach occurred with the variants of Android that carriers and manufacturers cobble together. We’ve already seen a pretty amazing data destruction bug from Samsung. Everybody’s system customizations are closed source, so nobody else knows what kind of foolishness is going on in there. For a while.
I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev’s findings deep inside HTC’s latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.
— Android Police
Did they find this scary thing before the “bad guys”? Who knows. The bad guys stand to make a lot of money by finding such vulnerabilities quickly, and keeping them secret.
In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness - it doesn’t matter.
Android Police gets that point right away. It doesn’t matter what the explanation is for this breach, or that breach. This one is worse than Apple’s because the data (including but not limited to location) is accessible to third-party apps. Neither came from building features that users actually want.
The reason these privacy breaches keep happening, in general and across different mobile platforms, is that mobile commercial interests are largely at odds with those of device owners and users. And since there’s little consequence to sellers for using/abusing their power over buyers, it’s only natural for them to do so.
The iPhone location logging incident convinced me that, for devices we take everywhere and use for everything, an open-source operating system is even more necessary than it is on old-fashioned desktops and laptops. It’s the only way to have any confidence that your phone is not, actually, a fancy piece of spy equipment with you as its subject.
But it takes some time and effort to root and flash a phone, and when I got a new (used) HTC Incredible I did really appreciate the famously hawt HTC weather app. (It actually flashes your screen in a thunderstorm!) I allowed myself to slip again into a misplaced trust in the manufacturer to code a better “user experience” for their device than anyone else. That trance could have lasted many more months, but it finally broke when I broke my Incredible’s touchscreen.
I decided to try to replace the glass with my own fumbling fingers. At one low point it seemed like the hardware was borked anyway (it wasn’t), so I went ahead and flashed CyanogenMod on it for fun.
It was love at first sight.
Touchscreen phones are pretty awesome toys in the first place, but having system software that is actually written for its user is a whole new game. The differences come out in unexpected places, like finally being able to set the screen brightness for particular levels of ambient light. Why can’t you do that on any stock phone? Because the people who make them are stupid, or they think you are. Either way.
And screenshots. I’m now allowed to take screenshots, you guys! So crazy.
A clean install of Android 2.3 is pretty great in general. I had been stuck on 2.2 because HTC isn’t updating the original Incredible these days—why would they? But with CyanogenMod this old battle axe is as sharp as any new phone, which is a funny thing considering you can get a used Incredible for a little over a hundred dollars on eBay. It’s almost as if you don’t need to sign a multi-year, multi-thousand-dollar service contract to be able to “afford” a good wireless touchscreen computer.
But most of the improved value is in the knowledge that all of the code in the OS is open to the public. There is no completely daft insecure logging going on, the way there is right now on stock HTC phones, because nobody would commit such garbage under their own public name. Want to double-check CyanogenMod’s optional, anonymous statistics collection? It’s on GitHub.
If you have a stock HTC phone that can be flashed to an unencumbered operating system, you’d better do it right now to be safe. Or, if you have some other device with mystery meat software running the show, don’t get too comfortable in that hen house.
Whether it’s foxes or asses guarding the door, chickens are somebody’s dinner.