Mastodawn

nullagent Feb 8, 2025

Major privacy alert for Android users.

https://mastodon.sdf.org/@jack/113952225452466068

jack (@[email protected])

You remember #Apple scanning all images on your #mobile device? If you have an #Android #phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by #Google. It is called #AndroidSystemSafetyCore and does exactly the same - scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so "to protect your #privacy". You can uninstall this app safely via System -> Apps. https://developers.google.com/android/binary_transparency/google1p/overview

Mastodon @ SDF

Show thread

GrapheneOS Feb 8, 2025

@nullagent This isn't an accurate description of what that Google Mobile Services component does and how it's integrated into the OS.

Show thread

jonny (good kind)

@GrapheneOS @nullagent honestly i can't imagine a group that has more direct knowledge of this while still being directly antagonistic to google that i would want to hear more from about what this is/how this works, if you had the time

Show thread

d@nny disc@ mc² Feb 8, 2025

@jonny @GrapheneOS @nullagent i've been forwarding people to this post to tell them we probably don't need to sound the alarm but would love to have something more specific to point to regarding what this added module does

Show thread

GrapheneOS Feb 8, 2025

@hipsterelectron @jonny @nullagent

Here's a thread on what it is:

https://grapheneos.social/@GrapheneOS/113969399311251057

It's tiring going through endless news cycles of fake privacy and security threats and we don't really have the energy to deal with it more than that.

We're dealing with ongoing attacks on GrapheneOS on X by several different charlatans/scammers and we've been focused on dealing with that rather than writing about something like this. Threw together a quick thread about what it is though.

GrapheneOS (@[email protected])

The functionality provided by Google's new Android System SafetyCore app available through the Play Store is covered here: https://security.googleblog.com/2024/10/5-new-protections-on-google-messages.html Neither this app or the Google Messages app using it are part of GrapheneOS and neither will be, but GrapheneOS users can choose to install and use both. Google Messages still works without the new app.

GrapheneOS Mastodon

Show thread

d@nny disc@ mc² Feb 8, 2025

@GrapheneOS @jonny @nullagent really appreciate this and will refer to this in future so you can focus on protecting people. thanks

Show thread

Bitslingers-R-Us Feb 8, 2025

@GrapheneOS @hipsterelectron @jonny @nullagent "The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc."

Forgive me if I'm not understanding correctly, but to clarify:

That statement could be misconstrued to suggest that "on-device machine learning models usable by applications to classify content" is different and distinct from "client-side scanning". To clarify, those're two ways of saying the same thing, with one being more specific. Do you really intend to just point out that it doesn't report things to Google or anyone else by default, and/or that the "client side scanning" is a scan-on-request thing, and not a let's-scan-the-whole-device-by-default thing?

What's stopping any app from using the output of the "on-device machine learning models" to report to third parties?

Show thread

GrapheneOS Feb 8, 2025

@AnachronistJohn @hipsterelectron @jonny @nullagent We're pointing out neither this app or Google Messages is using it to report something. It's also not scanning for illegal content. Apps also don't need this app to use local ML models. It only provides certain already made models. Apps have always been able to run local classifiers and can use hardware acceleration for it, which has been there for many years. It's not something which just showed up recently with the recent AI craze.

Show thread

GrapheneOS Feb 8, 2025

@AnachronistJohn @hipsterelectron @jonny @nullagent People are using the term client side scanning to refer to doing content scanning for a service on the client side and reporting to the service. That's not what this is doing. This also doesn't somehow enable that in a way that wasn't already doable by any apps wanting to do it. It's a specific implementation of detecting certain kinds of content used by Google Messages for local warnings and blurring with a dialog to bypass it.

Show thread

Bitslingers-R-Us Feb 8, 2025

@GrapheneOS @hipsterelectron @jonny @nullagent I see. Thanks for the clarification. It's quite helpful to know what's specifically going on when we're the ones tasked with warning others :)

Show thread

jonny (good kind)Feb 8, 2025

@GrapheneOS
I've said it before and I'll say it again, really appreciate what you do.

Show thread

chuckwalla, esq Feb 9, 2025

@jonny @GrapheneOS same. i think jonny's mentioning it a while back is how i came to know about it and it has been great. i use the alpha channel to try to help spot any issues, and there has been nothing for me to report. great work and it is appreciated.