Mastodawn

Rassilonian Legate Apr 20, 2023

@ajsadauskas

@technology @pluralistic

And with that I continue to inch closer and closer to giving up and getting a linux phone...

Now at @[email protected]Apr 20, 2023

@RassilonianLegate @technology @pluralistic I have to say, Plasma Mobile is certainly looking increasingly tempting...

https://plasma-mobile.org/

#KDE #PlasmaMobile #Linux #Android

Plasma Mobile

Privacy-respecting, open source and secure phone ecosystem

Plasma Mobile

Rassilonian Legate Apr 20, 2023

My plan currently is to switch to a Linux phone after my (unrootable) Samsung starts dying, but if Samsung follows suit here (as they are known to do with plenty of other things) I might just have to start looking for something a bit sooner than I expected

aardvark Apr 20, 2023

@RassilonianLegate unrootable? how?

Rassilonian Legate Apr 20, 2023

@aardvark
Okay I'm not sure that could be out of date, when I last checked my phone (SM-N986U1) there was no way to root it, I'm not up to checking rn but if there is I might just switch to a custom android until this phone dies (at which point I will switch to a linux phone like I planned)

aardvark Apr 21, 2023

@RassilonianLegate “No way to root it” means no vulnerabilities to exploit to gain code execution. That’s what I’m curious about. It’s Turing complete, it must have defects, so the claim seems extraordinary.

Andrew Certain

Apr 22, 2023

@aardvark @RassilonianLegate Having just worked on a contract to root a bunch of Android phones, I believe what it means it's that there's no way to officially unlock the bootloader. If you look on phone forums about rooting phones to install your own OS, or other high-access packages, that's always what they mean - they aren't finding exploits.

Many phone/carrier combinations offer official ways to do so, many do not. Lots of Samsung phones in particular do not offer a way to unlock the bootloader.

aardvark Apr 22, 2023

@tacertain @RassilonianLegate I see. So, to translate, some phone vendors don’t offer root kits for some phones. Pwning those phones is left as an exercise for the reader (or NSO and its ilk) (or you).

Andrew Certain

Apr 22, 2023

@aardvark @RassilonianLegate In a word, yes.

In a few more words, unlocking the bootloader is built into Android and is enabled by phone/carrier combinations. Once unlocked in this manner, the phone displays a warning on power up that it has been unlocked. If you can find an exploit, all bets are off, of course. Though Samsung images are encrypted, so they do make it harder for somebody to permanently modify the phone, even if exploited.

aardvark Apr 22, 2023

@tacertain I posit that the existence of vendor-support unlocking of boot loaders leads to a false sense of security. Secure devices without vendor backdoors get pwned because they have vulnerabilities (because they're complex and made by flawed humans) and motivated threat actors are
motivated.

@aardvark This isn't an exploit. The user of the phone needs to enable this capability and confirm their identity when doing so -- https://www.lifewire.com/how-to-unlock-bootloader-android-phone-4689186 -- then when you do the unlock to flash a new image the entire device will be wiped as part of that process.

If there was no way to do this, nobody could do Android OS development without buying special development devices. And again this is NOT AN EXPLOIT OR BACKDOOR in any definition of those words.

Easily Unlock Your Android Bootloader With Fastboot

Unlocking Android's bootloader is the first step towards rooting your device. One tool, Fastboot, makes the process simple and straightforward.

Lifewire

aardvark Apr 24, 2023

@hackbod I didn't claim that the vendor-supplied feature is an exploit, or even a vulnerability.
I posited that by offering unlock, it may leave a wrong impression with the public that, as the OP suggested (and bears witness to), their devices are "unrootable".
Locked or unlocked, if they have software defects (and they do; all complex software products do), and those add up to enough vulnerabilities, sufficiently committed researchers can (and do) create exploit chains to fully pwn those "unrootable" devices.

@aardvark I don't think this matches what people associate with "unrootable", either, which would be that if someone else gets ahold of their phone they can get access to the data on it.

And like nobody should be claiming anything is unrootable because, as you say, there are always going to be defects.

Are you saying this particular functionality adds a significant number of new defects due to its existence? Because I don't think we have yet had an exploit related to it.

aardvark Apr 24, 2023

@hackbod no, I'm not saying anything about the "unlock" technical implementation.

Rather, it's the existence of the feature that led at least one poster to misapprehend the security of their device.

They claimed that, because it's a certain make and doesn't offer unlocking, it's unrootable.

My supposition is that Android's feature may allow for misunderstanding of its security. An attribution of security characteristics not actually imbued by the feature (or lack thereof).

aardvark Apr 24, 2023

@hackbod since we're on the topic, I haven't heard back from a friend about this, so I'm curious what you might think about the post that started this thread
https://aus.social/@ajsadauskas/110231285083374549

AJ Sadauskas (@[email protected])

Attached: 1 image So Google is now preventing people from removing location data from photos taken with Pixel phones. Remember when Google's corporate motto was "don't be evil?" Obviously, accurate location data on photos is more useful to a data mining operation like Google. From Google: "Important: You can only update or remove estimated locations. If the location of a photo or video was automatically added by your camera, you can't edit or remove the location." It's enshitification in action. Source: https://support.google.com/photos/answer/6153599?hl=en&sjid=8103501961576262529-AP #technology #tech @[email protected] #business #enshitification #Android #Google @[email protected] #infosec

Aus.Social

@aardvark I don't work on Photos, so really can't comment on it. (Nor is this something I would ever consider saying anything specific about due to the sensitivity.)

I very much doubt there is anything ulterior going on. Pretty much all of the changes I am aware of around location are tightening it down.

There tend to be these extremes of "everything Apple does is users over Apple" and "everything Google does is Google over users" when truth on both sides is more in the middle.

aardvark Apr 25, 2023

@hackbod fair enough. I see nothing that provides a basis for assuming anything about intent, one way or the other. However, it’s clear (to me, at least) that this posture/policy/misfeature undermines privacy and likely will lead to harm. I sure hope Google either explains or simply changes the policy.

@aardvark Hm, okay. It seems like from that perspective there would be a similar confusion about how rootable iOS devices are? I'm not sure what you are saying then... that Android shouldn't have the feature because some people could have this confusion?

aardvark Apr 25, 2023

@hackbod nope, I’m not saying that. However, I might say that if people are confused, conflating locked with invulnerable, the purveyor of the confusing notion might do well to promote clarity in the form of some affirmative effort. It undermines someone’s security to hold a wrong belief ascribing security benefits to something intended for customization, possibly leading to risk taking based on an incorrect assumption.

butter Apr 20, 2023

I'm also looking for a Linux phone. I don't even need broad app support. I need calls, text (including MMS), and a web browser.

You don't know if any active communities on the subject, do you?

Edit: I'm willing to donate, I'm just not sure who to donate to

CalcProgrammer1 Apr 21, 2023

Get a PinePhone Pro. It can do all of those things. I'm typing on mine now with the keyboard case.

butter Apr 21, 2023

I have a non pro pinephone. But it's been a minute since I've used it. Where is it at with software? If I go home and update it all the way, which is the most usable OS?

I'd love to make the switch

CalcProgrammer1 Apr 25, 2023

I haven't tried all the available OSes recently, but I've been happy with postmarketOS lately after having used Arch for a while. I switched to pmOS as I was also using it on the OnePlus 6T. I ended up going back to my PinePhone Pro for daily driving due to some call audio bugs with the OP6T. On the OG PinePhone, it is pretty usable but slow. On the Pro, it's faster but cameras don't work. Battery life isn't great on either PinePhone though.

CalcProgrammer1 Apr 21, 2023

I'm personally a fan of the Phosh UI but Linux phone in general is the way to go. No capitalistic bullshit decisions guiding your mobile experience.

YurkshireLad Apr 20, 2023

@ajsadauskas @technology @pluralistic My previous phone was a Pixel 2. My new phone is an iPhone as I've had enough of Google. Not that Apple is perfect. It's all levels of evil really.

@ajsadauskas @technology @pluralistic I have the current Pixel. Updated Android this morning. The camera app still has a toggle for this.

Sounds like this is more about not being able to remove the metadata in the file in Google Photos, only the metadata stored by the app (outside the file) itself. I'm not sure Google Photos had a way to strip the metadata from the file before.

Now at @[email protected]Apr 20, 2023

@alan @technology @pluralistic Go into Google Photos.

Open a recent photo you've taken with your camera.

Scroll down to the toggle to edit the location data, tap it, and see what happens.

David Geary Apr 20, 2023

@ajsadauskas @alan Yep, can confirm

@zudnick @ajsadauskas That doesn't contradict what I said. That just sounds like Google Photos no longer provides a way to remove EXIF metadata from the files themselves and I'm not sure it ever did so to begin with. And my Pixel phone still has the toggle in the camera app to store location in EXIF metadata or not.

I'm not trying to defend Google. There are plenty of reasons to hate them but I prefer criticism to be accurate because exaggerations always backfire.

@zudnick @ajsadauskas FWIW my argument is mostly that this has nothing to do with Pixel. Also this removes the option to *edit* camera location data. Editing (i.e. falsifying) EXIF data is probably not something you want to make easier so that makes sense. Of course the problem is that this also means there's no way to *remove* EXIF data, which is usually done for privacy purposes. And of course either way this is just security by obscurity.

The bigger concern is that there doesn't seem to be any way in Google Photos to tell Google not to process location data at all. The closest you can get is telling it not to infer missing data.

Jennifed Apr 20, 2023

@ajsadauskas @alan @technology @pluralistic Location is always off on my phone. Location data on photos only has option to add a location.
Yes, I have tape over my PC and tablet cameras, and access to mics is off, too. 🤷‍♀️

Rassilonian Legate Apr 22, 2023

@jenned

I'm planning on my next laptop being a framework and personally while I like the fact that they have physical switches on the camera and mic, I really want to see of I can remove them fully

Simeon.__proto__Apr 22, 2023

@ajsadauskas @alan @technology @pluralistic You're talking about Photos, not the camera app. You can disable location data collection in the camera app: https://support.google.com/photos/answer/9921876?hl=en#zippy=%2Cgoogle-devices

Cameras write location data to the image itself as metadata. If they're using a content addressable storage system, they can't update this data without changing the underlying image itself. Seems like edits in Photos are stored separate from the image itself. Editing image metadata may require architectural changes.

Change your camera location settings - Google Photos Help

You can control whether your camera adds location information to your photos. When you have location settings on, you can organize, search and explore your photos better. Tip: Photos without location

Efi (nap pet) 🦊💤Apr 20, 2023

@ajsadauskas @technology @pluralistic do we have start lawyering for exif data to be owned by the author???

Moved to @[email protected]Apr 20, 2023

@ajsadauskas @technology @pluralistic Not to defend Google or anything, but its worth noting that you can still disable location data in the camera app itself.

demi

@ajsadauskas @[email protected] Sorry, but this is kind of misinformation, it's not "photos taken with Pixel phones", but the Google Photos app in general. The camera app still has a toggle for it. Not even going to mention how almost all modern apps nowadays automatically remove location data from images while uploading. You are still free to delete it from photos using other (and better) gallery apps too.

Pxtl Apr 20, 2023

Did it used to allow you to remove the exif data?

mxk Apr 20, 2023

@ajsadauskas @technology @pluralistic when using stock pixel android, Google does not need the location from Fotos to have your location data.
On the other side, Google is actually building pretty cool things still under NDA to prevent location data to leak to other apps
.
If you don't trust Google, don't use Android with Google services. It always has been that simple.

aardvark Apr 20, 2023

@mxk ooh, appeal to secret knowledge. One of my favorite ploys!

@aardvark https://www.phoronix.com/news/ExtFUSE-Faster-FUSE-eBPF 😉

mxk Apr 20, 2023

ExtFUSE: Making FUSE File-Systems Faster With eBPF

aardvark Apr 22, 2023

@mxk so…faster external files systems offer privacy guarantees? Not quite sure about that.

Christopher Scott Apr 20, 2023

@ajsadauskas @technology @pluralistic this isn't necessarily addressing the issue/concern but I urge everyone to use an exif stripper before sharing a photo. Scrambled eggsif is doing that in a convenient way, share to the app and it will allow you to share to the destination of your choice (piping). https://play.google.com/store/apps/details?id=com.jarsilio.android.scrambledeggsif

Scrambled Exif - Apps on Google Play

Remove the metadata from your pictures before sharing them

7eter Apr 21, 2023

yess! and it's FOSS and also available through F-Droid 🤩

Scrambled Exif | F-Droid - Free and Open Source Android App Repository

Remove the metadata from your pictures before sharing them

ceoln Apr 20, 2023

@ajsadauskas

Is this a change? My initial reading is that since this help page is only about some google-photos-specific metadata, it can't mess with the exif data, if any, inside the image. Did Google photos used to provide a way to remove exif data? It would seem like a useful function, but was it ever there?

(Note that I work for Google, but not anywhere near Photos or Android, and speak only for myself etc etc.)

@technology

rabimba Apr 20, 2023

@ajsadauskas @technology @pluralistic doesn't that just mean that the exit data editing is not possible using Photos app. Instead of "preventing" geo location removal. I never thought exit data editing was part of Photos app. Or any gallery app in that case

rabimba Apr 20, 2023

@ajsadauskas @technology @pluralistic please read "exif" instead of "exit".

Courtesy my autocorrect

Kelson's Sorta Old Account Apr 20, 2023

@ajsadauskas @technology @pluralistic I ran into this a while back.

1. It's not new
2. It's not specific to Pixel photos.

The app and cloud service just don't have support for modifying the EXIF tags, so if *any* camera has added GPS data, you can't use Google Photos to change or remove it.

The estimated location is stored in the Google Photos database and can be modified within the app.

You *can* turn GPS off in the camera app.

Kelson's Sorta Old Account Apr 20, 2023

@ajsadauskas @technology @pluralistic A few months ago I dug into ways to work around this with photos that had already been taken with the GPS coordinates. Annoyingly, you mostly have to save the photo, remove the tag, and re-upload it.

https://kvibber.com/tech-tips/gps-remove/

How to Remove GPS Location Data After Taking a Photo

Google Photos won't remove GPS data from an image, but you can easily remove just the location data using a desktop or laptop.

KV Tech Tips

Kelson's Sorta Old Account Apr 20, 2023

@ajsadauskas @technology @pluralistic (I take a lot of photos for iNaturalist and reference photos for OpenStreetMap editing, so I'm constantly turning GPS on for those, and then back off for personal photos, and sometimes I forget.)

Soh Kam Yung Apr 21, 2023

@KelsonV

I use the OsmAnd app to take waypoint photos (with GPS info) for iNaturalist. These shots don't get uploaded to Google Photos unless I want them to. I usually copy them to my Download folder for later uploading to iNat.

So I could turn off GPS in the Photo app, and keep personal and iNat shots separate.

https://osmand.net/docs/user/plugins/audio-video-notes/#create-waypoints

Audio/video notes | OsmAnd

-->

Kelson's Sorta Old Account Apr 21, 2023

@sohkamyung @ajsadauskas @technology @pluralistic I should give that a try! I use Vespucci for OSM, and it's similar in that it saves photos to its own folder, but it uses the default camera app, so again I have to turn GPS on before a mapping session and off again afterward.

Soh Kam Yung Apr 21, 2023

@KelsonV

I tried using the OsmAnd Audio/Video plugin to take shots using the system photo app with Location Info disabled.

Photos I take directly using the photo app have no location info. But looks like location info is still available with shots taken using the OsmAnd plugin.

Soh Kam Yung Apr 21, 2023

@KelsonV

Maybe you could try OSMTracker. It might use its own camera app to take shots.

https://learnosm.org/en/mobile-mapping/osmtracker/

On F-Droid: https://f-droid.org/en/packages/net.osmtracker/

LearnOSM

FiXato May 1, 2023

@KelsonV maybe having a separate camera app, such as OpenCamera or ObscuraCam, for one of those uses, so you don't need to swap settings constantly, would help in your situation?
@ajsadauskas @technology @pluralistic