Start Up: phone and home surveillance, stop iCloud phishing, 2014’s lost Lumia, PCs slump, and more

What if your phone is spying on you? Or a home device? Or you’re being phished? Or a government is after your data? Photo by ShellyS on Flickr.

A selection of 10 links for you. Word of the day: surveillance. I’m @charlesarthur on Twitter. Observations and links welcome.

OnePlus OxygenOS built-in analytics • Chris Moore

Moore was doing a holiday hack project, and happened to leave his OnePlus2 phone’s internet traffic going through an analyser, which showed some heading for


OK, so it looks like they’re collecting timestamped (the ts field is the event time in milliseconds since unix epoch, which we’ll be seeing more of) metrics on certain events, some of which I understand – from a development point of view, wanting to know about abnormal reboots seems legitimate – but the screen on/off and unlock activities feel excessive. At least these are anonymised, right? Well, not really – taking a closer look at the ID field, it seems familiar; this is my phone’s serial number. This I’m less enthusiastic about, as this can be used by OnePlus to tie these events back to me personally (but only because I bought the handset directly from them, I suppose).

I leave the traffic proxied for some time, to see what other information is collected, and boy am I in for a shock…
[picture shows the data flow…]

Amongst other things, this time we have the phone’s IMEI(s), phone numbers, MAC addresses, mobile network(s) names and IMSI prefixes, as well as my wireless network ESSID and BSSID and, of course, the phone’s serial number. Wow, that’s quite a bit of information about my device, even more of which can be tied directly back to me by OnePlus and other entities.

It gets worse.
[picture shows more data slows]

Those are timestamp ranges (again, unix epoch in milliseconds) of the when I opened and closed applications on my phone. From this data we can see that on Tuesday, 10th Jan 2017, I had Slack open between 20:25:40 UTC and 20:25:52 UTC, and the Microsoft Outlook app open between 21:38:41 UTC and 21:38:53 UTC, to take just two examples, again stamped with my phone’s serial number.

It gets even worse.


Basically, surveilling you; you have to remove the OnePlus Device Manager app, which isn’t trivial.

Next question: how many other Android smartphones do this on the quiet? If OnePlus does, presumably other Oppo and vivo phones do too. And those sites will be targets for hackers.
link to this extract

Equifax says 15.2 million UK records exposed in cyber breach • Reuters

John McCrank:


Credit reporting agency Equifax Inc said on Tuesday that 15.2 million client records in Britain were compromised in the massive cyber attack it disclosed last month, including sensitive information affecting nearly 700,000 consumers.

The US-based company said 14.5 million of the records breached, which dated from 2011 to 2016, did not contain information that put British consumers at risk.

Overall, around 145.5 million people, mostly in the United States, had their information compromised, including Social Security numbers, birth dates and addresses.


Marvellous. Expect phishing attacks based around this soon too.
link to this extract

Google is nerfing all Home Minis because mine spied on everything I said 24/7 [Update] • Android Police

Artem Russakovskii:


Without fail, every time a new listening device comes to market, some tinfoil hat-wearer points out how perfect they would be as modern-day Trojan horses for any of the three-letter acronym organizations – NSA, CIA, FBI – you name it. Manufacturers, on their part, assure us their devices are perfectly safe and only listen when prompted. We brush the concerns off and move on with our lives, but not before granting our smart pineapples (did you know “pineapple” is the codename for Google Home?) access to the smart rice maker, smart vacuum, and smart toothbrush.

I didn’t give too much thought to these privacy concerns because they all sounded theoretical and unlikely. My four Google Homes and three Echos sat quietly on their respective desks and counters, and only turned on when one of three things happened:

• I called out a hotword (Alexa for Echos and Hey or OK Google for Homes).
• A video I was watching or podcast I was listening to did this (I’m looking at you, Marques!)
• They heard a noise or word that they thought sounded like a hotword but in reality was not. This happened once or twice every few days.

That is until last week, when a 4th case came along – 24/7 recording, transmission to Google’s servers, and storing on them of pretty much everything going on around my Home Mini, which I had just received at the Made by Google October 4th launch event.


The Home Mini was recording everything, and storing it on Google’s servers. Google says it was a hardware flaw on the batches given out at the “Made by Google” events introducing this. Russakovskii estimates that’s at least 4,000 of them. It has disabled the long-press functionality as a result.
link to this extract

Deputy attorney general Rosenstein’s “responsible encryption” demand is bad and he should feel bad • Electronic Frontier Foundation

Kurt Opsahl takes Rod Rosenstein’s recent speech, which introduced the idea of “responsible encryption”, to task:


For a long time, people have had communications that were not constantly available for later government access. For example, when pay phones were ubiquitous, criminals used them anonymously, without a recording of every call. Yet, crime solving did not stop. In any case, law enforcement has been entirely unable to provide solid examples of encryption foiling even a handful of actual criminal prosecutions.

Finally, in his conclusion, Rosenstein misstates the law and misunderstands the Constitution.


Allow me to conclude with this thought: There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.


This is simply incorrect. Code is speech, and courts have recognized a Constitutional right to distribute encryption code. As the Ninth Circuit Court of Appeals noted:


The availability and use of secure encryption may … reclaim some portion of the privacy we have lost. Gov’t efforts to control encryption thus may well implicate not only the First Amendment rights … but also the constitutional rights of each of us as potential recipients of encryption’s bounty.


Here, Rosenstein focuses on a “right to sell,” so perhaps the DOJ means to distinguish “selling” under the commercial speech doctrine, and argue that First Amendment protections are therefore lower. That would be quite a stretch, as commercial speech is generally understood as speech proposing a commercial transaction. Newspapers, for example, do not face weaker First Amendment protections simply because they sell their newspapers.


If you’re wondering why Rosenstein’s name seems familiar, he’s the one who wrote the memo post-justifying Trump’s decision to fire James Comey as head of the FBI. Misstating the law and misunderstanding the US constitution seems like par for the course for someone who did that.
link to this extract

iOS Privacy: steal.password – Easily get the user’s Apple ID password, just by asking • Felix Krause


How can you protect yourself

• Hit the home button, and see if the app quits:
-If it closes the app, and with it the dialog, then this was a phishing attack
-If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app.
• Don’t enter your credentials into a popup, instead, dismiss it, and open the Settings app manually. This is the same concept, like you should never click on links on emails, but instead open the website manually
• If you hit the Cancel button on a dialog, the app still gets access to the content of the password field. Even after entering the first characters, the app probably already has your password.

Initially I thought faking those alerts requires the app developer to know your email. Turns out some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password.


Modern web browsers already do an excellent job protecting users from phishing attacks. Phishing within mobile apps is a rather new concept, and therefore still pretty unexplored.

• When asking for the Apple ID from the user, instead of asking for the password directly, ask them to open the settings app
• Fix the root of the problem, users shouldn’t constantly be asked for their credentials. It doesn’t affect all users, but I myself had this issue for many months, until it randomly disappeared.
• Dialogs from apps could contain the app icon on the top right of the dialog, to indicate an app is asking you, and not the system. This approach is used by push notifications; also, this way, an app can’t just send push notifications as the iTunes app.


This is still bad, and Apple’s security people should have stamped it out ages ago. I suspect they couldn’t and so their pivot has been to try to persuade people to enable two-factor authentication on accounts.

But as Krause points out, even if you’ve got 2FA, that won’t protect any accounts where you’ve used the same username/password combination.
link to this extract

AirPods can activate Google Assistant on your Android device with this app • Android Police

Corbin Davenport:


The app is called ‘AirpodsForGA,’ and it allows you to trigger Google Assistant by double-tapping on either AirPod. That’s the same shortcut used to activate Siri when paired with an iPhone. It’s worth noting that you could already use the ‘OK Google’ hotword to open Google Now/Assistant on AirPods (at least according to this review), but this is obviously quicker. Due to limitations with Android’s media button events, this app doesn’t always work when the phone is unlocked, but it should work fine when locked.

I’m unable to test the app myself, since I don’t own a pair of AirPods, but there’s four Play Store reviews saying it works great.


Complaints (in the comments) are that it goes to full volume when Google Assistant talks in your ear. But that might be a one-off. (The rest of the comments are pretty predictable. The smartphone wars are still being fought, like Japanese soldiers in the jungle, in the comments sections of fan sites.)
link to this extract

Traditional PC market further stabilizes as top companies consolidate share • IDC


Worldwide shipments of traditional PCs (desktop, notebook, workstation) totaled 67.2m units in the third quarter of 2017 (3Q17), which translates into a slight year-over-year decline of 0.5%, according to the International Data Corporation (IDC) Worldwide Quarterly Personal Computing Device Tracker. The results were better than projections of a 1.4% decline, and further demonstrate the trend of market stabilization in recent quarters. Improvement in emerging markets as well as back-to-school promotions helped boost results.

The component shortages of recent quarters have continued to improve and did not factor as a significant hindrance to production volumes. Nonetheless, higher component prices and inventory in some markets meant limited shipments and validated IDC assumptions about a muted third quarter. Not surprisingly, competitive pressures further cemented the dominance of the top five PC companies, which accounted for nearly 75% of the total traditional PC market…

…”The U.S. traditional PC market exhibited lower overall growth, contracting 3.4% in 3Q17,” said Neha Mahajan, senior. research analyst, Devices & Displays. “Despite the overall contraction, Chromebooks remain a source of optimism as the category gains momentum in sectors outside education, especially in retail and financial services.”


Gartner says the decline was worse – it puts the decline at 3.6% – but has almost exactly the same shipment figure for the quarter, at 67.0m. Gartner doesn’t include Chromebooks in its figures, so it’s a little hard to see the source of IDC’s enthusiasm; IDC doesn’t show Acer (which ships a lot of Chromebooks) as outselling Apple.

Also of note: Gartner says Lenovo’s PC shipments have declined year-on-year in eight of the past 10 quarters. IDDC puts HP ahead of Lenovo all of this year.

Even so, this looks like the market bottoming out. Though it always then finds a new bottom.
link to this extract

White-box tablet players turn to new markets for survival • Digitimes

Sammi Huang and Joseph Tsai:


With first-tier tablet brand vendors’ product ASP dropping, rising competition from large-size smartphones and prices for key components – including panels and memory – hiking, white-box tablet players are struggling.

Some white-box players have already turned to new market segments such as those for smart speakers, smartphones, car-use electronics, wearables, gaming and education applications.

Digitimes Research’s figures show that Apple, Samsung Electronics and Amazon will be the top-3 tablet vendors worldwide in 2017, while China-based Huawei will be number four, surpassing Lenovo.


Lenovo really is struggling to make things happen. PCs, smartphones, tablets – nothing is quite energising.
link to this extract

TCL sells shares of handset business unit to strategic partners • Digitimes

Jean Chu and Steve Shen:


China-based TCL Group has disclosed that it has transferred up to 49% of its holdings in TCL Communication Technology Holdings to three strategic partners for HK$490 million (US$62.79m).

TCL will sell an 18% stake of its handset business unit to Unisplendour Technology Venture Capital, an investment arm of Tsinghua Unigroup, for HK$180m.

Meanwhile, TCL will also release an 18% and 13% stake of TCL Communication Technology to Oriente Grande Investment Fund and Vivid Victory Developments for HK$180m and HK$130m, respectively, according to the announcement.

Oriente Grande Investment Fund is the holding company of China-based handset ODM Wingtech Group.

TCL Communication Technology posted revenues of CNY6.87 billion (US$1.043bn) in the first half of 2017, decreasing 26.1% from a year earlier. Net losses for the January-June period totaled CNY852 million (US$130m).


This is tucked away, but it’s significant. TCL has been pushing a lot of phones in China and the rest of Asia; it has been among the world’s top 10 in volume. What this makes clear is that it’s been making a loss on that. So now it’s found some people to pump some money in.

The hope on the part of both is that this cash infusion will push it over the line into profitability. The concern should be that profitless commoditisation is going to continue at the low end of the market, where TCL is currently stuck with scores of other OEMs. A consolidation might not be far off.
link to this extract

A look at Microsoft’s unreleased ‘all screen’ Lumia Windows phone • Windows Central

Zac Bowden on a phone that would have been unusual in 2014:


The standout feature of this device is easily its design. Featuring an almost “all-screen” front, this Lumia is a stunner. It’s a super clean, minimalist and futuristic design that definitely doesn’t belong on a sub-$200 Windows phone in 2014. Holding this device feels like you’re holding nothing but a screen, and that’s what makes this Lumia different from all the rest.

Of course, when I say “all screen,” I’m being a little overzealous. It’s almost all screen, except for the bottom bezel, which is pretty large. This phone has a big “chin,” which is a pretty standout defect in this phone’s design. Even with the chin, it would’ve been considered “all screen” in 2014.

There’s a reason for the larger-than-usual bottom bezel, however: it’s where the front-facing camera sits. Yes, this phone has a front-facing camera on the bottom bezel. There’s no room for it at the top, and pretty much every phone these days comes with a front camera of some sort.


What might have been is always fascinating. The front camera problem is perhaps what caused Microsoft to kill this. That, and the reality that it would have lost a ton of money.
link to this extract

Errata, corrigenda and ai no corrida: none notified

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.