jack (@[email protected])

You remember #Apple scanning all images on your #mobile device? If you have an #Android #phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by #Google. It is called #AndroidSystemSafetyCore and does exactly the same - scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so "to protect your #privacy". You can uninstall this app safely via System -> Apps. https://developers.google.com/android/binary_transparency/google1p/overview

Mastodon @ SDF

For folks looking for exactly how the Android client side image scanning works or if it's present see the below. 👇🏿

https://partyon.xyz/@nullagent/113966306389483827

nullagent (@[email protected])

The system definitely scans photos for nudity already. Today they claim the feature only runs on certain apps but as we've seen with Apple and various world governments there's a major tendency for these sorts of features to creep into all of your content whether that's what Google intended in their first release or not. https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html @[email protected] @[email protected]

PartyOn

A few folks are questioning if AI scanning like what Android is doing can be misused. The last time a similar feature was coming to Apple's iOS the media rightly described it as an extremely dangerous warrantless surveillance tool.

Regardless of what Android developers intended this client side scanner to do it will be enlisted by governments of the world to spy on you and break strong encryption.

https://9to5mac.com/2023/09/01/csam-scanning-flaw/

#privacy #cybersecurity #apple #android #ai #clientsidescanning

Apple finally admits the CSAM scanning flaw we all pointed out

Almost nine months after Apple confirmed that it had abandoned plans to carry out CSAM scanning, the company has finally...

9to5Mac

And if you look at the current reporting on Apple and government requests for your private data...

"The encrypted data of millions of Apple users worldwide could reportedly be handed over to the government.

The Home Office has ordered Apple to let it access encrypted data stored in its cloud service, The Washington Post reported."

Demanding access to every last bit you have in any cloud is normal government stuff these days

https://metro.co.uk/2025/02/08/privacy-fears-millions-government-demands-access-messages-photos-22520358/

#UKPol #EU #UK #Apple #Privacy #HomeOffice

Privacy fears for millions after government demands access to messages and photos

Metro
@nullagent And the Home Office can fuck right off
@nullagent yet another reason to tell those cloud folks to fuck right off!
If it ain't there they won't find it.

@nullagent wow. I just saw this app today on my app lists and thought it was something that updated and changed a name but nope. much worse.

thanks Google /s

but definitely thanks for the heads up!

@nullagent @jack yeah I really need to pick up a Linux phone ASAP. @furilabs looking hard at picking one up from you.

@Sh4d0w_H34rt @nullagent @jack @furilabs i totally agree! linux phones are almost there... but not enough to switch as a daily driver. I've been running AOSP (LineageOS) for a while now and it's pretty good, but I'd prefer a purer linux OS.

really, if the Linux phone browser worked like the android version of Firefox then a user could do all the "app things" via web browser while we develop the apps, but all the variations I've tried to date just aren't there yet. maybe 2025 is the year?!

@beepcheck my biggest issue and one I've had with every deGoogled ROM is banking apps refusing to run. I hate it when banking apps and their website don't have feature parity. Then there's the issue of support for hardware 2fa keys, which has been hit or miss.

Call reliability is also a concern that Linux phones at least used to have an issue with.

@Sh4d0w_H34rt
If you value privacy without Google, you should favour #GrapheneOS. @kuketzblog explained it, linked in German Wiki 😎
@beepcheck https://grapheneos.social/@GrapheneOS/113967707386558473
GrapheneOS (@[email protected])

@[email protected] @[email protected] @[email protected] It's not included in GrapheneOS but the claims aren't accurate anyway.

GrapheneOS Mastodon
@ChristianKuhn @kuketzblog @beepcheck how do I put this politely...HELL NO! F GrapheneOS
@nullagent @jack hey @GrapheneOS ELI5, is this a prob'? #grapheneos

@Ra @nullagent @jack @GrapheneOS nope.

no such trash has shown up on my Pixel 8 Pro running GrapheneOS.

@noxypaws @Ra @nullagent It's not included in GrapheneOS but the claims aren't accurate anyway.
GrapheneOS (@[email protected])

The functionality provided by Google's new Android System SafetyCore app available through the Play Store is covered here: https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html Neither this app nor the Google Messages app using it are part of GrapheneOS and neither will be, but GrapheneOS users can choose to install and use both. Google Messages still works without the new app.

GrapheneOS Mastodon
@Ra @nullagent It's not included in GrapheneOS but the claims aren't accurate anyway.
@GrapheneOS Thanks for clarification
@nullagent this post is misinformation, it's the "sensitive content warnings" feature described in this blog post https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html
5 new protections on Google Messages to help keep you safe

Posted by Jan Jedrzejowicz, Director of Product, Android and Business Communications; Alberto Pastor Nieto, Sr. Product Manager Google Messa...

Google Online Security Blog
@nullagent the source it links does not back up its claims whatsoever

@leo @nullagent hey thanks for clearing this up! so it looks like, since I don't use Google messages this is useless to have around.

otoh, if goog can just install whatever the fuck they want on my phone apparently, then it would just come back after removing anyway. ugh

@leo @nullagent Ok, and how would it do any of that stuff without scanning every image you at least try to send or receive?

@leo @nullagent The post also repeats long-debunked misinformation about Apple’s CSAM scanning plan. It was run on-device, but was never going to scan images simply sitting on your device. It was only for images sent to iCloud, as part of a plan to add end-to-end encryption for those images.

The feature to scan images just sitting on a device was added 15 years ago and is called Spotlight.

@nullagent @jack glad i left standard android and went back to calyx a few months ago

it doesn't seem to be in the aosp, it's something google adds after, possibly thru play services or some other proprietary blob

@error420 @nullagent @jack I installed /e/ os some months ago and never regretted it.

@error420 @nullagent @jack AOSP basically has no functionality. Basing judgement on that is pointless, you may as well go back to a dumb phone then. That's the sad reality.

Every single commercially sold phone for the masses uses Google Services which includes this stuff. You can't buy a phone without Google. Unless you buy Huawei. But then you may just as well have AOSP Android if you're not in China.

@rejzor @error420 @nullagent @jack

Not quite true. There are commercial phones with degoogled Android. I'm writing on one.

@murena @WeAreFairphone

@seindal @error420 @nullagent @jack @murena @WeAreFairphone As I said, not for the masses, they are super niche ones and if you ask normies they'd never heard about any of them.

@rejzor @error420 @nullagent @jack @murena @WeAreFairphone

Then tell people about them.

They're commercially available products any 'normie' can use out of the box.

@seindal @error420 @nullagent @jack @murena @WeAreFairphone Good luck selling normies a 600€ phone that requires them to manually install APKs and use F-Droid that doesn't have Facebook and Instagram app on it...
@nullagent it just never fuckin ends does it

@nullagent @jack

Do I have to get a newer phone to get this feature? /s

@nullagent @jack Should read "uploads"... 😠
@nullagent @jack I'm currently on the below version (I do have an update pending), and don't have the app. I'll update and let you know if I have it or not. Do we know what the affected versions are?
@nullagent @jack Just updated, I don't have the app installed as part of the recent upgrade

@nullagent @jack To me it's not clear what this app does, in particular if it sends data back somewhere. That is the problem. That an OS regularly installs new components seems normal.

So once again, people complain about the wrong issues, and I feel this doesn't help, even if it is popular. It doesn't help, because Google can now say, all these complaints have nothing to do with reality, which is not wrong. But instead we should ask for more transparent and easily accessible info.

And I'm not saying this App is harmless. I just seem to have difficulties finding info about it.

@nullagent @jack I've been thinking about doing a de-Google service for people, if you're interested reach out.

@nullagent I checked and I confirm it was installed on my phone.

Now removed 🐱

@jack

@nullagent This isn't an accurate description of what that Google Mobile Services component does and how it's integrated into the OS.
@GrapheneOS @nullagent honestly i can't imagine a group that has more direct knowledge of this while still being directly antagonistic to google that i would want to hear more from about what this is/how this works, if you had the time
@jonny @GrapheneOS @nullagent i've been forwarding people to this post to tell them we probably don't need to sound the alarm but would love to have something more specific to point to regarding what this added module does

@hipsterelectron @jonny @nullagent

Here's a thread on what it is:

https://grapheneos.social/@GrapheneOS/113969399311251057

It's tiring going through endless news cycles of fake privacy and security threats and we don't really have the energy to deal with it more than that.

We're dealing with ongoing attacks on GrapheneOS on X by several different charlatans/scammers and we've been focused on dealing with that rather than writing about something like this. Threw together a quick thread about what it is though.

@GrapheneOS @jonny @nullagent really appreciate this and will refer to this in future so you can focus on protecting people. thanks
@GrapheneOS @hipsterelectron @jonny @nullagent "The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc."

Forgive me if I'm not understanding correctly, but to clarify:

That statement could be misconstrued to suggest that "on-device machine learning models usable by applications to classify content" is different and distinct from "client-side scanning". To clarify, those're two ways of saying the same thing, with one being more specific. Do you really intend to just point out that it doesn't report things to Google or anyone else by default, and/or that the "client side scanning" is a scan-on-request thing, and not a let's-scan-the-whole-device-by-default thing?

What's stopping any app from using the output of the "on-device machine learning models" to report to third parties?
@AnachronistJohn @hipsterelectron @jonny @nullagent We're pointing out neither this app nor Google Messages is using it to report something. It's also not scanning for illegal content. Apps also don't need this app to use local ML models. It only provides certain already made models. Apps have always been able to run local classifiers and can use hardware acceleration for it, which has been there for many years. It's not something which just showed up recently with the recent AI craze.
@AnachronistJohn @hipsterelectron @jonny @nullagent People are using the term client side scanning to refer to doing content scanning for a service on the client side and reporting to the service. That's not what this is doing. This also doesn't somehow enable that in a way that wasn't already doable by any apps wanting to do it. It's a specific implementation of detecting certain kinds of content used by Google Messages for local warnings and blurring with a dialog to bypass it.
@GrapheneOS @hipsterelectron @jonny @nullagent I see. Thanks for the clarification. It's quite helpful to know what's specifically going on when we're the ones tasked with warning others :)
@GrapheneOS
I've said it before and I'll say it again, really appreciate what you do.
@jonny @GrapheneOS same. i think jonny's mentioning it a while back is how i came to know about it and it has been great. i use the alpha channel to try to help spot any issues, and there has been nothing for me to report. great work and it is appreciated.
@nullagent @jack People shouldn't delete things like this from their phone based on random (and it seems disputed) social media posts. This is the slightly smarter equivalent of "delete System32"
@tomw @nullagent @jack Did you read through the linked Google documentation? It corroborates the post - the mentioned app that is installed invisibly without any warning or consent does scan for nudes.
@gytisrepecka @nullagent @jack If you read the rest of the thread there are *loads* of caveats to that. My point is don't delete things with names like "system safety core" because you saw a viral social media post.