motivation to deGoogle: Creditors can lock your Android remotely if you are delinquent. ( infosec.pub )

The technical mechanism:

https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock

update

To be clear, I am not the OP who experienced this problem. I just linked them from here.

noxfriend ,
@noxfriend@beehaw.org avatar

Why can I not find that post on beehaw? Some ActivityPub weirdness?

coffeeClean OP , (edited )

beehaw.org defederated from lemmy.ml. And I don’t blame them. I actually try not to post to lemmy.ml or any of the Cloudflare-centralized nodes (lemmy.world, sh.itjust.works, lemm.ee, etc) but it slipped my mind when I posted here.

(edit) sorry, i'm confused. I thought beehaw.org defederated from lemmy.ml, but both the post herein and the original are on lemmy.ml yet you can reach this one. So I’m missing something. I wonder if you are able to see infosec.pub-mirrored content and maybe the original community has no infosec subscribers? hard to say.

Philharmonic3 ,

Everyone in this thread is wild. Buying a phone on credit makes sense with how expensive they are. How else can Google protect themselves though? Just like cars get repossessed if you didn't pay, this is a two-way street. Otherwise people could have a phone sent to them and then never pay anything for it.

coffeeClean OP ,

If the creditor wants to collect on a debt, there is a court process for that. I’ve used it. It works.

Locking the phone is not repossession. It does nothing other than sabotage the device the consumer may need to actually make the payment. The phone remains in the buyer’s possession and useless to the seller.

Power is also misplaced. What happens when the creditor decides to (illegally) refuse cash payments on the debt? Defaulting is not necessarily the debtor’s fault. This in fact happened to me: Creditor refused my cash payment and dragged me into court for delinquency. Judge ruled in my favor because cash acceptance is an obligation. But this law is being disregarded by creditors all over. If the creditor had the option to sabotage my lifestyle by blocking communication and computing access, it would have been a greater injustice.

#WarOnCash

coffeeClean OP ,

I guess a closer analogy would be rental storage. If you don’t pay your mini storage bill, in some regions the landlord will confiscate your property, holding it hostage until you pay. And if that fails, they’ll even auction off your contents.

So in the case at hand the creditor is holding the debtor’s data hostage. One difference is that the data has no value to the creditor and is not in the creditor’s possession. It would be interesting to know if the contracts in place legally designate the data as the creditor’s property. If not, the data remains the property of the consumer.

This is covered by human rights law. Universal Declaration of Human Rights, Article 17 ¶2:

“No one shall be arbitrarily deprived of his property.”

If the phone user did not sign off on repossession of their data, and thus the data remains their property, then the above-quoted human right is violated in the OP’s scenario.

Flax_vert ,

Lemmy moment. Claims human rights are being violated because smartphone gets locked

coffeeClean OP ,

Don’t try to strawman this. Human rights are violated when someone is deprived of their property (their data in the case at hand). If food is withheld from starving people in Gaza, your argument is like saying:

“Claims human rights are being violated because someone failed to drive a truck”

Flax_vert ,

Someone not paying a phone bill doesn't equate to someone bombing Israel

coffeeClean OP ,

They’re not at odds. We don’t have to choose between protecting UDHR Art.3 and Art.17. It’s foolish to disregard some portion of the UDHR needlessly and arbitrarily.

owen ,

He presented his logic and included well-recognised definitions and sources. He literally could not have done better without a peer review in the field 🤣🤣

So: shut up bitch

scoobford ,

I agree that this makes sense in the context of a creditor securing a loan, but I disagree that getting your phones on credit makes sense.

New, flagship devices can be had around $500 US, which is attainable for most Americans in a fairly short timeframe. Spending years locked into a carrier contract where you don't own your device just doesn't make sense unless you're spending thousands on a foldable device or something.

MetaCubed ,

can be had around $500 US

attainable for most Americans in a fairly short timeframe

This is a frankly deranged take considering that 40% of americans dont even have the funds to save for a $400 emergency as of May 2023

etbe ,

https://www.accc.gov.au/media-release/telstra-to-pay-50m-penalty-for-unconscionable-sales-to-indigenous-consumers

For people who know as much about technology as most people in this discussion the thing to do if short of cash would be to buy a cheaper phone. I recently got myself a quite decent Note9 for $109AU and I could have got something even cheaper if I needed to. But many people aren't as well informed, the above article is one example of people who are less well off being scammed by a corporation.

CubitOom ,

I for one am glad that it was deemed safe for 3 year olds to be indebted to creditors.

Omega_Haxors ,

Since this software comes preinstalled and you can't get rid of it, that means it is illegal to sell this phone to anyone under the age of 3.

That or the software itself is illegal which sounds a little more accurate.

owen ,

I just thought of a new business: Baby Debt.

We trick children into signing contract so we can legally control them financially for life.

Baby Debt: It's Not Illegal

IsThisAnAI ,

Don't buy a phone on random creditors that install this shit. This has nothing to do with Google.

You going to ditch Linux because they support remote management too?

coffeeClean OP ,

This has nothing to do with Google.

Google welded anti-consumer logic into the kernel. Of course that’s on Google. Just like Intel started making CPUs with a management engine that can only work against non-corporate consumers, basically saying fuck the individuals’ needs.. putting individuals at unconscionable risk without their knowledge or consent.

Consumers have decisions to make. Is a consumer happy to feed a supplier who sells them something that works against them? Some are. I’m not. Going forward they fail to earn my business because they have too many masters.

You going to ditch Linux because they support remote management too?

Linux is not locked down. Users can remove anything they want from it.

IsThisAnAI ,

If you get Linux from work it school it uses the same exact tech. No, you can't remove it. You don't own the phone. That's how credit works. Don't like it, buy the phone. You are just pissed that creditors are using it. Welding against the consumers 🤦‍♂️.

coffeeClean OP ,

You don’t own the phone. That’s how credit nonfree software works.

↑ corrected that for you.

IsThisAnAI ,

https://lemmy.world/pictrs/image/a07c449c-f384-4cb2-b637-a1a0e763aaba.png

MisterFrog ,
@MisterFrog@lemmy.world avatar

I'm OOP, I bought this phone outright. Google seems to be installing this on phones by default (the actual pattern based on people's comments seems to be more recent phones, but not all have it).

It's even shipping within de-googled phones, at some base ASOP level (or the hardware, I dunno, not that knowledgeable), as some GrapheneOS use reported having it on their phones too.

I'm pissed because: 1. It's installed when it shouldn't be, 2. Gives inappropriate power to creditors, which hurts the most vulnerable.

ichbinjasokreativ ,

I bought a pixel from a german carrier in germany and installed GrapheneOS on it and this 'app' is still installed.

IsThisAnAI ,

Then don't pay over time if you don't like not owning the device.

coffeeClean OP ,

If you don’t control it, you don’t own it.

IsThisAnAI ,

Which is why I bought my phone. See, my pixel doesn't have remote management. Shocking how that works when you don't choose to rent the phone.

RogueBanana ,

I also paid full price and bought it from an official store with no connection to any carriers. Installed grapheneos and can confirm it is still present, whether anyone can use it is not is irrelevant if your putting shit in my phone that could potentially harm me. And you seem to take some kind of weird moral ground thinking people who default on a payment can have their phone which is a necessity in this era, turn into a brick if they choose to. You're lucky you can afford to but be more empathetic to those who can't.

IsThisAnAI ,

Nobody needs a pixel. There are plenty of phones far more inexpensive than pixels lol. I NEED A PIXEL TO LIVE!

RogueBanana ,

Who's taking about pixel mate? We are taking about android here. Not the hardware but the simple fact that a device I paid for has harmful shit I didn't ask for. Pixel or whatever, this shouldn't be installed on anything period

owen ,

Dude, he bought a full priced phone and the distributor preinstalled ransomeware on it.

If you think this is acceptable just say it:
"Distributors reserve the right to install ransomeware on the devices they sell."

Just say that.

coffeeClean OP , (edited )

You’re not getting it. Again:

If you don’t control it, you don’t own it.

Buying something does not mean you control it. You might have bought an Amazon Ring doorbell but if Amazon does not like your behavior they can (and will) render it dysfunctional.

If you don’t control it, you don’t own it.

IsThisAnAI ,

Ah magical slippery slope stuff any another product 🙄👌👍

coffeeClean OP ,

No amount of money you pay for your phone up-front will make that malicious code magically go away. You can pay cash, and you can even tip the seller. The code that reduces your control remains in that device. If you don’t control it, you don’t own it.

IsThisAnAI ,

Lolol, nobody is using the API on my phone. Its existence doesn't harm me in the last bit. You should stop using Linux if the existence of remote management bothers you.

coffeeClean OP ,

You’re very trusting of your corporate overlords. I’m sure they are grateful for your steadfast loyalty and trust.

IsThisAnAI ,

You honestly don't know how this tech works, do you...

IsThisAnAI , (edited )

Imagine acting like having a $1000 phone is a right. If you didn't want creditors shutting down your phone, pay for it. Apparently this is an undue burden these days.

coffeeClean OP , (edited )

The code is inherently in the firmware (edit: kernel) no matter how you acquire the phone.

IsThisAnAI , (edited )

Every OS, including Linux, has a way to install remote management. Every one. You are just pissed at how the phone company implemented it. Might as well blame Linus for making the os extensible.

coffeeClean OP , (edited )

You’re still not grasping how free software works. Users have a right to see the code and the right to change it. They also have the right to redistribute the code. Your complaint is unfounded because not a single user of a fully free platform is forced to have remote management code installed.

IsThisAnAI ,

Might as well blame Linus for supporting this.

coffeeClean OP ,

If you fail to use rights granted to you by free software licenses, you can blame yourself.

MisterFrog ,
@MisterFrog@lemmy.world avatar

This isn't about my phone in particular.

The fact you cannot even imagine a situation where this kind of power would lead to vulnerable people having their lives be made even harder for missing a payment, shows how little you imagination and empathy you have.

This kind of power should lie with regulators and the justice system, not private companies.

Also why is this app ON MY PHONE WHICH I BOUGHT OUTRIGHT?
ffs.

marathon ,
@marathon@liberdon.com avatar

@coffeeClean
Won't disabling that not allow me to find my device and to disable the phone remotely if stolen?

coffeeClean OP ,

Probably. But if you want that anti-theft feature, I wonder if you could disable it and then install another app for that which serves you alone. Whatever you install probably wouldn’t be baked into the kernel but probably a good trade-off.

marathon ,
@marathon@liberdon.com avatar

@coffeeClean
I don't know but that article probably only applies to 'murica, if it's even accurate. I'm doubtful. Doesn't apply to Canada, that's illegal practice hete I'm sure.

coffeeClean OP ,

I think the author said he was in Australia.. but he felt like it’s an encroachment by the US in some way.

marathon ,
@marathon@liberdon.com avatar

@coffeeClean Not sure. I wonder if these other roms support the crypto in the Google Pixel chip or support the camera well. Somehow I doubt it. 15 years ago I was into playing with custom roms, but they usually didn't support the hardware completely, especially the camera. I mean it would work, but the quality wasn't good as the native rom.

coffeeClean OP ,

I wouldn’t choose a custom rom on the sole basis of anti-theft. My ½-baked suggestion was simply disable the playstore framework (so it’s present but just dead code) and installing an app on the side.

Anyway, I have no interest in anti-theft bricking myself. I don’t envision ever having a phone where i would care about the hardware and would not likely spend more than $50 on a phone. Exceptionally I could one day get a Fairphone. But remote bricking does not tempt me. Making the phone a brick more quickly gets the phone into a landfill as it becomes useless for everyone.

It’s worth noting why phones get stolen. Even cheap phones are getting stolen. It’s not for the hardware. It’s because SIM registration makes it hard for criminals to get anonymous burner chips. So they steal phones just for GSM chips that are registered to someone else.

Norgur ,

Wasn't this app some exclusive thing for a marketing scheme in Kenya for Android Go? If so… maybe your phone has a… African history?
https://blog.google/intl/en-africa/products/android-chrome-play/growing-access-and-inclusion-with-more/

MisterFrog ,
@MisterFrog@lemmy.world avatar

I bought it practically on launch in Australia, directly from Google (I'm OOP), so I'd be surprised unless there was some last minute redirection of inventory from Kenya to Australia ¯_(ツ)_/¯

cyborganism ,

You have a pixel phone. Just install Calyx OS on it.

electricprism ,

Is that the one that was the confirmed FedOp?

cyborganism ,

What does that mean?

electricprism ,

One of the "secure" android was a honeypot, can't remember the name. A false flag, a false beacon , a false sanctuary.

coffeeClean OP ,

To be clear I linked to someone else’s post. I don’t have the Pixel phone.

cyborganism ,

Ah my bad. I thought I read you had a pixel phone.

Senseless ,

I don't think that necessarily helps. I'm running GrapheneOS and "DeviceLockController" is installed there as well. From what I read, it's because it's part of AOSP.

I did take all permissions and from the system logs it reads that this app never has been used or tried to send anything to begin with.

flora_explora ,
@flora_explora@beehaw.org avatar

I'm running CalyxOS and cannot find this app. Is it listed among regular apps?

Senseless ,

No. It's a system app. Look for "DeviceLockController" or "com.android.devicelockcontroller"

flora_explora ,
@flora_explora@beehaw.org avatar

Thanks, apparently not installed anyways :)

MisterFrog ,
@MisterFrog@lemmy.world avatar

Even if this would help (I'm OOP, and according to some commenters it's still installed on their phones running other OSes), I'm still outraged at the concept and the fact it's installed by default.

Plus, "just" installing a different OS is not a terribly mass-market friendly thing.

It should be regulated against by governments. The EU is slowly heading in the right direction. We're letting these tech companies do whatever the fuck they want to.

Most people don't have the time or knowledge necessary to make their digital lives entirely private.

This has "stop global warming by making personal choices" vibes to it.

I want privacy by default, and I'm not going to apologise for that.

cyborganism ,

I agree with you 💯 percent.

coffeeClean OP ,

It should be regulated against by governments. The EU is slowly heading in the right direction. We’re letting these tech companies do whatever the fuck they want to.

I wonder if it already is illegal. Have you looked into that? Did they disclose this “feature” in any of the agreements or literature that came with the device so that you could return it for a refund? Maybe you have a good legal case here.

AdmiralShat ,

Couldn't you just remove it with ADB?

cm0002 ,

Iirc when this came up yesterday, it disables Developer tools when active

kratoz29 ,

Root or get out, I have been rooting since 2020 and I decide what the heck to do with my phone 😁

coffeeClean OP , (edited )

If I were to simultaneously demand:

  • a phone with a relatively non-evil brand (thus obscure), and
  • a rootable phone (thus a mainstream one)

that leaves me with no phone at all. Because only popular mainstream models get rooted and they’re all made by the worst companies.

When my current phone loses its usefulness I might even go without. Or possibly get one 2nd hand although the 2nd hand market still supports the 1st hand market.

N4CHEM ,

You could use a FairPhone

coffeeClean OP ,

I think Fairphone did not exist when I last bought a phone. But you make a good point; I overlooked that. It will probably be my next phone whenever I reach a point where open street maps no longer updates on my phone.

AdmiralShat ,

I mean, the people this was targeted at were Kenyans who otherwise couldn't afford a phone, I don't think the people this applies to can afford to chose a phone model

coffeeClean OP ,

I think someone mentioned this is in the Playstore services stuff that’s hardwired in to the platform. Which means if a device is unrooted you can possibly do: $ adb shell 'pm disable --user 13 com.google.android.gms'.

TheAnonymouseJoker ,

User ID is 0, not 13, for the main phone user. Work is usually 10, could be different.

Also, to check list of users, adb shell pm list users

coffeeClean OP ,

I think I read somewhere it’s normally 13, and that’s what worked for me. Thanks for the 'list users' command.. that confirmed it on my phone.

Blaster_M ,

Don't buy a phone on collateral credit (like from a cell provider that "gives" you a phone with service). If you must, ebay a phone and use paypal.

If you can't afford a $1200 phone by paying for it in "cash", you need to aim lower.

cm0002 ,

I don't think any of the major (I know someone will probably come in here and tell me about some tiny provider that's only in like 2 states that does) US carriers that do phones on secured credit, they default to unsecured credit. Maybe, they have an alternative plan for people with not so great credit, but I doubt it.

coffeeClean OP ,

Someone in the original thread said this swindle does not apply to the US. Though I’m a bit surprised.. it’s the first place where I would expect this to happen.

halcyoncmdr ,
@halcyoncmdr@lemmy.world avatar

The US carriers install their own software loads onto phones they sell, with similar functionality, they don't need to use this mechanism.

electricprism ,

Comments from the last post indicated it made no difference to having the killswitch on their devices as per screenshots.

Still I agree, buying on credit is not a good idea.

coffeeClean OP ,

The real problem with @Blaster_M’s comment was to blame the victim. It may be sensible to blame the victim, but let’s not lose focus on the perp.

coffeeClean OP , (edited )

I must say Paypal shares customer data with over 600 corporations among other scummy things, so I boycott them. I also boycott eBay because the javascript required to use their website port sniffs your LAN and feeds that back to them, apart from other evils.

But most importantly, I’m not necessarily worried that I would personally get burnt by this. But just like my unwillingness to buy an Intel CPU with a management engine (or AMD’s flavor of this), I am unwilling to buy a product that was designed to work against me. I do not want to finance anti-consumer suppliers. ATM I don’t know how to check whether my version of AOS has this “feature”.

(BTW, I’m not the OP; I just linked their post here)

deur ,

So you just don't buy anything? Get over yourself and your unhealthy obsessions.

coffeeClean OP ,

Ethical consumers patronize the lesser of evils, and go without if it’s feasible given only quite shitty options. Affluenza-driven OCD consumption is the unhealthy obsession that ethical consumers manage to avoid.

Blaster_M ,

Sniffs your local pc to look for remote desktop and vnc ports on it. I can see this being useful in finding RAT risks, but the portscan thing is something the browser should be blocking or sandboxing.

As for PayPal, well, your cc / bank also shares lots of data.

If your threat modelling is that severe, your best bet is Tor Craigslist, a couple blokes packing heat and a briefcase of money in a place with no parking lot surveillance.

But then at that point security and safety is on you and your mates to implement.

coffeeClean OP , (edited )

As for PayPal, well, your cc / bank also shares lots of data.

Paypal is not a bank. Paypal is an additional MitM. Using Paypal adds another surveillance capitalist to the chain along with your bank and credit network. But indeed, the banks and credit cards are shit so I am fighting the war on cash quite hard. I’ve already been dragged into court for insisting on paying a creditor in cash. I won that case and will continue insisting on cash payments.

If your threat modelling is that severe

My threat model simply includes mass surveillance. Which is in the threat model of everyone who understands and embraces privacy. It’s worth noting that it’s not purely and infosec stance. I also object to feeding a supplier who is acting against me. The moment I detect that a supplier is working against me, I walk on ethical grounds. They have failed to earn my business. The snooping just happens to be the manner in which they are working against me.

your best bet is Tor Craigslist,

I was doing that at one time but something pushed me off. I don’t recall what.. whether it was SMS verify or CAPTCHAs or phone numbers or fussy email address verifiers... something drove me off.

Blaster_M ,

Can't help you there. Buying stuff isn't anonymous, even brick and mortar stores have cloud surveillance cams now.

coffeeClean OP ,

Most of my shopping is done at street markets. When a big parking is filled with vans and portable tables on a weekly basis, there is no surveillance. But if I need something very particular then the cash option gets threatened. E.g. I would like to have a Flipper Zero but these are never at street markets and not even on any shelves anywhere.

Synnr ,

I have a Flipper Zero (and case and the extra components) that I'll 99.99% likely never use. I'd love to get cash for it but I'd be asking twice what it's worth because I like having it on 'what if' grounds.

But I feel you, it's unfortunate about the state of things. The EU just banned privacy coins. US is soon coming I'm sure. They won't allow people to legally use them after the release of a central bank coin.

MisterFrog ,
@MisterFrog@lemmy.world avatar

I'm OOP, I bought this Pixel 6 phone outright directly from Google. This system app has no business being on my phone.

And even IF it was purchased on credit, this is such an unfair power dynamic which hurts the most vulnerable in society.

Miss a phone payment, get locked out, haha have fun trying to access your bank account (many people have a phone as their primary computing device to access banking, and further, many banks might have SMS 2FA).

I say, there is no excuse for this. There were repo methods before software locks, and we'd ought to keep it that way.

It doesn't appear to actually be used, at least in Australia, but having the functionality built in at all should be straight up illegal in a caring society.

BleatingZombie ,

(/s)

You're THE object oriented programming?! I'm always asked questions about you. I'm downright starstruck!

Shouted ,

Everyone is too busy in the Apple circlejerk threads to care about this type of thing

themoonisacheese ,
@themoonisacheese@sh.itjust.works avatar

Apple has the exact same thing btw. In the same situation, a creditor can icloud lock your iphone.

Shouted ,

Never said they didn’t.

ReakDuck ,

Ah, you wanted yo say that apple users are used to this thing and thats why they dont care.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • degoogle@lemmy.ml
  • test
  • worldmews
  • mews
  • All magazines
    •