2.2 F-Droid Store Features
With the F-Droid Store, an alternative app store has established itself. Critical users who value free and open source applications will particularly benefit from the FOSS apps available there. The lower selection of apps in the F-Droid Store compared to the Google Play Store may seem a bit "frightening" at first glance. Apps, which you know from the Google Play Store so far, you will probably search in F-Droid in vain. In the F-Droid Store, however, you'll also find useful open source alternatives to most of Google Play's apps, which you should definitely give a chance to
Especially users, for whom data protection or the protection of secrets plays an important role, such as lawyers or doctors, should always take care for ethical reasons alone not to install (proprietary) apps, where the data processing is intransparent and thus there is always the danger that apps access information of their clients or patients, which in turn can also be associated with criminal and professional consequences.
Despite the sympathy I have for F-Droid Store, I don't want to hide the fact that this alternative app distribution channel also has a few special features and "shortcomings", which are briefly described in the following:
Use at your own risk:
In the terms of use for the F-Droid Store, the operators point out that despite all efforts they cannot completely guarantee that no malware is offered through the F-Droid Store.
However, before releasing an app, F-Droid operators check the source code of the app to be discontinued for potential security or "privacy" issues. If they don't find any problems, compile them and make the app available in the F-Droid Store. Because this procedure is not a deep or complete "code audit", the F-Droid Store should not be seen as a guarantee for a malware-free marketplace. Rather, we must always have a healthy mistrust of these apps as well. The question as to whether an app is defective or not can often only be answered by extensive and extensive long-term tests of the app.
The F-Droid operator (understandably) cannot and will not perform these tests. A first "shortcoming" of the F-Droid Store is therefore that a new app to be discontinued is generally not or cannot be fully tested. This is different, at least according to Google, e.g. at the Google Play Store. Before a new app is added to the Google Play Store, so-called bouncers automatically check it for "malware". The apps are executed in a virtual environment (similar to antivirus scanners) and screened by the main system for their behavior and functionality. This measure sounds very promising, but as the following examples illustrate, Google cannot guarantee a malware-free store:
With the F-Droid Store, an alternative app store has established itself. Critical users who value free and open source applications will particularly benefit from the FOSS apps available there. The lower selection of apps in the F-Droid Store compared to the Google Play Store may seem a bit "frightening" at first glance. Apps, which you know from the Google Play Store so far, you will probably search in F-Droid in vain. In the F-Droid Store, however, you'll also find useful open source alternatives to most of Google Play's apps, which you should definitely give a chance to
Especially users, for whom data protection or the protection of secrets plays an important role, such as lawyers or doctors, should always take care for ethical reasons alone not to install (proprietary) apps, where the data processing is intransparent and thus there is always the danger that apps access information of their clients or patients, which in turn can also be associated with criminal and professional consequences.
Despite the sympathy I have for F-Droid Store, I don't want to hide the fact that this alternative app distribution channel also has a few special features and "shortcomings", which are briefly described in the following:
Use at your own risk:
In the terms of use for the F-Droid Store, the operators point out that despite all efforts they cannot completely guarantee that no malware is offered through the F-Droid Store.
However, before releasing an app, F-Droid operators check the source code of the app to be discontinued for potential security or "privacy" issues. If they don't find any problems, compile them and make the app available in the F-Droid Store. Because this procedure is not a deep or complete "code audit", the F-Droid Store should not be seen as a guarantee for a malware-free marketplace. Rather, we must always have a healthy mistrust of these apps as well. The question as to whether an app is defective or not can often only be answered by extensive and extensive long-term tests of the app.
The F-Droid operator (understandably) cannot and will not perform these tests. A first "shortcoming" of the F-Droid Store is therefore that a new app to be discontinued is generally not or cannot be fully tested. This is different, at least according to Google, e.g. at the Google Play Store. Before a new app is added to the Google Play Store, so-called bouncers automatically check it for "malware". The apps are executed in a virtual environment (similar to antivirus scanners) and screened by the main system for their behavior and functionality. This measure sounds very promising, but as the following examples illustrate, Google cannot guarantee a malware-free store:
Google Play:
Millions of camera apps steal photos (February 2019)
For the F-Droid Store, however, I don't know yet that a faulty app has been found so far. A little exaggerated, one can conclude that F-Droid actually seems to be the "malware-free" store.
Delayed (security) updates:
In contrast to the Google Play Store, app developers in the F-Droid Store have practically no control / no influence over the release and update process of their app. Rather, maintainers are responsible for posting the releases and updates of the apps in the F-Droid Store. If the maintainer is negligent or "prevented" from doing so, this can result in the worst-case scenario where security holes in apps that have become known are not reacted to promptly, even though the developer has already closed them. At least for many apps we can rely on the fact that an app maintainer has not made any changes to the source code that could have a negative effect on our data or device. F-Droid supports Reproducible_Builds.
Weak spots:
Like all software, F-Droid has to struggle with bugs that can lead to security vulnerabilities. In early 2015, a security audit of the F-Droid App and the service infrastructure identified a number of security vulnerabilities, all of which were promptly addressed. Security vulnerabilities are generally unavoidable. Rather, one must simply reckon with the fact that each software has some gaps. It is therefore all the more important to deal with them professionally once any security vulnerabilities have become known. Since the F-Droid team deals professionally and openly with the vulnerabilities found, this is a good indication that the team is aware of its responsibility. Also worthy of positive mention are the continuous security audits. The last audit, for example, is dated September 2018.
Despite the above-mentioned aspects, which I regard as "shortcomings", I would like to mention a special feature or "service" of the F-Droid Store. This special feature is due to the FOSS apps included in the F-Droid Store. Due to the fact that basically everyone at FOSS-Apps is able to change the source code under certain conditions, the F-Droid team makes use of this option from time to time. It sometimes (arbitrarily) removes so-called "antifeatures" from the original app version. One of the antifeatures in apps is the F-Droid project:
✅Ads (advertising)
✅tracking
✅NonFreeNet (uses non-free services in the network)
✅NonFreeAdd (recommends non-free add-ons)
✅NonFreeDep (depends on non-free components such as Google Play Services)
✅UpstreamNonFree (missing functionalities because non-free components had to be removed)
✅NonFreeAssets (contains non-free components - mostly multimedia data under non-free license)
A prominent example in which the team of the F-Droid Store became active and removed corresponding antifeatures from the corresponding app was the Telegram Messenger. The team issued a message to this effect:
Millions of camera apps steal photos (February 2019)
https://www.heise.de/security/meldung/Google-Play-Millionenfach-verbreitete-Kamera-Apps-klauen-Fotos-4295992.htmlFake app in Google's Play Store should steal crypto money (February 2019)
https://www.heise.de/newsticker/meldung/Fake-App-in-Googles-Play-Store-sollte-Kryptogeld-stehlen-4304280.htmlTrojan apps discovered with 4.5 million downloads in Google Play (January 2018)
https://www.heise.de/security/meldung/Trojaner-Apps-mit-4-5-Millionen-Downloads-in-Google-Play-entdeckt-3952145.htmlOne million Android users download false WhatsApp messenger from Google Play (November 2017)
https://www.heise.de/security/meldung/Eine-Million-Android-Nutzer-laden-falschen-WhatsApp-Messenger-aus-Google-Play-3880190.htmlAndroid spyware undetected in Play Store for three years (April 2014)
https://www.heise.de/security/meldung/Android-Spyware-drei-Jahre-lang-im-Play-Store-unentdeckt-3691154.html[…]
For the F-Droid Store, however, I don't know yet that a faulty app has been found so far. A little exaggerated, one can conclude that F-Droid actually seems to be the "malware-free" store.
Delayed (security) updates:
In contrast to the Google Play Store, app developers in the F-Droid Store have practically no control / no influence over the release and update process of their app. Rather, maintainers are responsible for posting the releases and updates of the apps in the F-Droid Store. If the maintainer is negligent or "prevented" from doing so, this can result in the worst-case scenario where security holes in apps that have become known are not reacted to promptly, even though the developer has already closed them. At least for many apps we can rely on the fact that an app maintainer has not made any changes to the source code that could have a negative effect on our data or device. F-Droid supports Reproducible_Builds.
Weak spots:
Like all software, F-Droid has to struggle with bugs that can lead to security vulnerabilities. In early 2015, a security audit of the F-Droid App and the service infrastructure identified a number of security vulnerabilities, all of which were promptly addressed. Security vulnerabilities are generally unavoidable. Rather, one must simply reckon with the fact that each software has some gaps. It is therefore all the more important to deal with them professionally once any security vulnerabilities have become known. Since the F-Droid team deals professionally and openly with the vulnerabilities found, this is a good indication that the team is aware of its responsibility. Also worthy of positive mention are the continuous security audits. The last audit, for example, is dated September 2018.
Despite the above-mentioned aspects, which I regard as "shortcomings", I would like to mention a special feature or "service" of the F-Droid Store. This special feature is due to the FOSS apps included in the F-Droid Store. Due to the fact that basically everyone at FOSS-Apps is able to change the source code under certain conditions, the F-Droid team makes use of this option from time to time. It sometimes (arbitrarily) removes so-called "antifeatures" from the original app version. One of the antifeatures in apps is the F-Droid project:
✅Ads (advertising)
✅tracking
✅NonFreeNet (uses non-free services in the network)
✅NonFreeAdd (recommends non-free add-ons)
✅NonFreeDep (depends on non-free components such as Google Play Services)
✅UpstreamNonFree (missing functionalities because non-free components had to be removed)
✅NonFreeAssets (contains non-free components - mostly multimedia data under non-free license)
A prominent example in which the team of the F-Droid Store became active and removed corresponding antifeatures from the corresponding app was the Telegram Messenger. The team issued a message to this effect:
"Several proprietary parts were removed from the original Telegram client, including Google Play Services for the location services and HockeySDK for self- updates. Push notifications through Google Cloud Messaging and the automatic SMS receiving features were also removed."
The approach of the F-Droid team to do without services or functions that are not exactly conducive to "data protection" or to remove them from the source code has additionally encouraged me in my decision to choose F-Droid as the app source for the article series "Take back control!
3. starting with F-Droid
First you have to download the F-Droid Store as an APK file to your computer. Just open the F-Droid page and click on the button Download F-Droid. https://f-droid.org/FDroid.apk
Download:
First download the latest version of F-Droid directly from the website. Click on the button labeled Download F-Droid.
https://f-droid.org
PGP Signature:
Optionally you can check the PGP signature of the downloaded APK file to make sure that the file has not been corrupted or modified. First you have to import the public F-Droid-Signing-Key:
Main fingerprint =
If the PGP signature matches you can copy the APK file via USB cable to the device. On your device you can tap the file and start the installation. A warning will appear in Android before installing F-Droid. This mechanism should prevent you from accidentally installing apps from "unknown sources" (far away from the Google Play Store) and catching malware. The hint is confirmed with a tap on Next and the installation is completed.
3.1 F-Droid in action
After the first start of the F-Droid app no apps will be displayed. You first have to update the so-called package sources (a list of available apps with their denoscriptions) by wiping the screen from top to bottom with one finger. https://de.wikipedia.org/wiki/Repository
The message "Package sources are being updated" will then appear at the top of the screen. Depending on the Internet connection and the load of the F-Droid servers, the process may take one to two minutes. In order for this process to happen automatically in the future, we select the "Options" menu at the bottom of the screen. Recommended settings:
✅(Optional) Via mobile network:
slider all the way to the left (to conserve data volume)
✅Automatic update interval:
Daily
Under package sources you should additionally select F-Droid archives.
You can then browse for apps using the "Categories" menu at the bottom of the screen. The apps are arranged in different categories like internet, multimedia or navigation.
If you have found an app and want to install it, just click on the blue download arrow next to the app name to start the download. As soon as the app is on your device, the arrow turns into a button labeled Install. You will then be asked again if you really want to install the app and all permissions of an app will be listed. Even if we are not aware of any "abuse" of the permissions of an F-Droid app, you should always check the permissions before each installation.
4. app suggestions
Due to the lack of transparency of the entire data processing of a smartphone, it is extremely time-consuming to determine which data the smartphone (actually) processes or sends. The same applies, of course, to the apps used in the Google Play Store. Most of these apps are closed source as shown above and therefore do not allow (without further technical aids) an insight into the actual data processing or which data is transmitted during use.
The approach of the F-Droid team to do without services or functions that are not exactly conducive to "data protection" or to remove them from the source code has additionally encouraged me in my decision to choose F-Droid as the app source for the article series "Take back control!
3. starting with F-Droid
First you have to download the F-Droid Store as an APK file to your computer. Just open the F-Droid page and click on the button Download F-Droid. https://f-droid.org/FDroid.apk
Download:
First download the latest version of F-Droid directly from the website. Click on the button labeled Download F-Droid.
https://f-droid.org
PGP Signature:
Optionally you can check the PGP signature of the downloaded APK file to make sure that the file has not been corrupted or modified. First you have to import the public F-Droid-Signing-Key:
pg --keyserver pgp.mit.edu --recv-keys 0x41e7044e1dba2e89The fingerprint can then be checked:
gpg --verify FDroid.apk.asc FDroid.apk
Is the main and sub fingerprints identical to those on the F-Droid website?Main fingerprint =
37D2 C987 89D8 3119 4839 4E3E 41E7 044E 1DBA 2E89
Under fingerprint = 802A 9799 0161 1234 6E1F EFF4 7A02 9E54 DD5D CE7A
Installation: If the PGP signature matches you can copy the APK file via USB cable to the device. On your device you can tap the file and start the installation. A warning will appear in Android before installing F-Droid. This mechanism should prevent you from accidentally installing apps from "unknown sources" (far away from the Google Play Store) and catching malware. The hint is confirmed with a tap on Next and the installation is completed.
3.1 F-Droid in action
After the first start of the F-Droid app no apps will be displayed. You first have to update the so-called package sources (a list of available apps with their denoscriptions) by wiping the screen from top to bottom with one finger. https://de.wikipedia.org/wiki/Repository
The message "Package sources are being updated" will then appear at the top of the screen. Depending on the Internet connection and the load of the F-Droid servers, the process may take one to two minutes. In order for this process to happen automatically in the future, we select the "Options" menu at the bottom of the screen. Recommended settings:
✅(Optional) Via mobile network:
slider all the way to the left (to conserve data volume)
✅Automatic update interval:
Daily
Under package sources you should additionally select F-Droid archives.
You can then browse for apps using the "Categories" menu at the bottom of the screen. The apps are arranged in different categories like internet, multimedia or navigation.
If you have found an app and want to install it, just click on the blue download arrow next to the app name to start the download. As soon as the app is on your device, the arrow turns into a button labeled Install. You will then be asked again if you really want to install the app and all permissions of an app will be listed. Even if we are not aware of any "abuse" of the permissions of an F-Droid app, you should always check the permissions before each installation.
4. app suggestions
Due to the lack of transparency of the entire data processing of a smartphone, it is extremely time-consuming to determine which data the smartphone (actually) processes or sends. The same applies, of course, to the apps used in the Google Play Store. Most of these apps are closed source as shown above and therefore do not allow (without further technical aids) an insight into the actual data processing or which data is transmitted during use.
It would be an illusion to believe that app providers always process our data for our own benefit. Rather, anyone who is familiar with the current business models of providers and manufacturers should be aware that the opposite is the case. Very often the "protagonists" exchange the data we collect with each other for commercial purposes without us noticing it, let alone preventing it. In this respect, it is essential and almost a duty for every data protection-conscious user to question for himself whether he might not want to do better without the proprietary apps.
Therefore, our goal should be to replace as many apps as possible with privacy friendly alternatives. To show what I think makes a "privacy friendly" app, I have summarized the main criteria of a privacy friendly app:
✅Ideally, the app will not communicate with the manufacturer or provider (not even for the transmission of "meaningless" telemetry data).
✅Transparency through open source code and, if applicable, corresponding, transparent data protection declaration.
✅Request the (only) necessary access permissions necessary for the app to work for its intended purpose.
✅Data economy (processing as little data as possible or only the data that is really necessary for the functionality of the app).
✅Possibilities to disagree with corresponding data processing.
✅Apps that help prevent us from having to disclose our information to anyone, e.g. by using encryption measures to ensure that providers of other apps do not use these apps to gain unsolicited access to our data.
These are, of course, high standards that I apply here. In this context, however, we should perhaps recall the stated objective of the series of articles: To regain control of our data.
4.1 Recommended Apps
At the risk that this part of the article loses its topicality too quickly, I refer to the recommendation corner. There all privacy friendly apps from the F-Droid Store will be listed and constantly updated. https://www.kuketz-blog.de/empfehlungsecke/#android
The app selection should only cover the "basics" to make it easier for you to switch to privacy friendly apps. In F-Droid there are of course many more apps and alternatives to discover. Tastes are different and not every app I recommend will please the individual. So my advice to you is to browse the F-Droid Store and find your own apps that will suit your taste best.
5. further App-Stores
If you buy a large part of your apps exclusively from the F-Droid Store, you will come much closer to the noble goal of having control over your own data on a smartphone.
Admittedly, the transition to the F-Droid Store is not easy. This is less due to the poor usability of this store than to the comparatively small range of apps. We won't find current (blockbuster) games or "trend apps", such as WhatsApp, in the F-Droid Store, because as shown, we only find free and open source apps in the F-Droid Store.
5.1 Yalp Store
The Google Play Store is usually accessed via the "Play Store" app. In F-Droid, however, we find an alternative that avoids Google dependencies and can also be interesting for users of a custom ROM if no Google Services Framework is installed. The Yalp Store app available in the F-Droid allows you to download apps (or APKs) directly from the Google Play Store. However, when using this app, we are in a grey area or an area that has not yet been conclusively clarified in legal terms. This is especially because the Yalp Store is not officially offered by Google or originated by Google, but only the Play Store API is used to access this app / service. This is basically a violation of the terms of use of the Play Store:
Therefore, our goal should be to replace as many apps as possible with privacy friendly alternatives. To show what I think makes a "privacy friendly" app, I have summarized the main criteria of a privacy friendly app:
✅Ideally, the app will not communicate with the manufacturer or provider (not even for the transmission of "meaningless" telemetry data).
✅Transparency through open source code and, if applicable, corresponding, transparent data protection declaration.
✅Request the (only) necessary access permissions necessary for the app to work for its intended purpose.
✅Data economy (processing as little data as possible or only the data that is really necessary for the functionality of the app).
✅Possibilities to disagree with corresponding data processing.
✅Apps that help prevent us from having to disclose our information to anyone, e.g. by using encryption measures to ensure that providers of other apps do not use these apps to gain unsolicited access to our data.
These are, of course, high standards that I apply here. In this context, however, we should perhaps recall the stated objective of the series of articles: To regain control of our data.
4.1 Recommended Apps
At the risk that this part of the article loses its topicality too quickly, I refer to the recommendation corner. There all privacy friendly apps from the F-Droid Store will be listed and constantly updated. https://www.kuketz-blog.de/empfehlungsecke/#android
The app selection should only cover the "basics" to make it easier for you to switch to privacy friendly apps. In F-Droid there are of course many more apps and alternatives to discover. Tastes are different and not every app I recommend will please the individual. So my advice to you is to browse the F-Droid Store and find your own apps that will suit your taste best.
5. further App-Stores
If you buy a large part of your apps exclusively from the F-Droid Store, you will come much closer to the noble goal of having control over your own data on a smartphone.
Admittedly, the transition to the F-Droid Store is not easy. This is less due to the poor usability of this store than to the comparatively small range of apps. We won't find current (blockbuster) games or "trend apps", such as WhatsApp, in the F-Droid Store, because as shown, we only find free and open source apps in the F-Droid Store.
5.1 Yalp Store
The Google Play Store is usually accessed via the "Play Store" app. In F-Droid, however, we find an alternative that avoids Google dependencies and can also be interesting for users of a custom ROM if no Google Services Framework is installed. The Yalp Store app available in the F-Droid allows you to download apps (or APKs) directly from the Google Play Store. However, when using this app, we are in a grey area or an area that has not yet been conclusively clarified in legal terms. This is especially because the Yalp Store is not officially offered by Google or originated by Google, but only the Play Store API is used to access this app / service. This is basically a violation of the terms of use of the Play Store:
"You agree not to access (or attempt to access) Google Play by any means other than through the interface that is provided by Google, unless you have been specifically allowed to do so in a separate agreement with Google. You specifically agree not to access (or attempt to access) Google Play through any automated means (including use of noscripts, crawlers, or similar technologies) and shall ensure that you comply with the instructions set out in any robots.txt file present on the Google Play website."
That we are in a legally highly controversial grey zone when using apps like Yalp or services like APKPure, which download the APKs from the Playstore, becomes clear when we look at an interview with a lawyer and the discussion on areamobile. Without wanting to deal intensively with all the legal implications mentioned there, it is essential, in my opinion, to take a differentiated approach in answering the question of the legality of the use of these services. The first question to be answered is which "copyrights" (by whom) are potentially violated when downloading apps from the Play Store with these services. http://www.areamobile.de/community/news/188457-darf-ich-das-android-ohne-google-apps-ohne-play-store.html
In my opinion, it plays an important role to differentiate between how and under which license conditions the apps were published. If it is "proprietary" software that is offered exclusively in the Google Play Store, an infringement of copyrights may well be obvious. However, the situation is different with FOSS apps, which have been posted in the Play Store as well as in the F-Droid Store or on the developer's website. If you download this app from the Play Store using services such as Yalp, you shouldn't violate the rights of the actual author (the app developer), who actually designed the app "openly" and "freely". Rather, the (alleged) rights of Google, which the author had to grant to Google in order to be allowed to place his apps in the Play Store, are in question.
In order not to expose yourself to this problem in the first place, it would be better to do without the apps in the Google Play Store completely and to use apps from the F-Droid Store. If this is not possible for you - for whatever reason - the Yalp Store can be an alternative to the Play Store and is interesting for all those who use custom ROMs like LineageOS, but prefer not to install the proprietary GAPPS.
5.2 Reality vs. wishful thinking
Personally, I get by completely without apps from the Google Play Store. A few years ago, this was unthinkable for many privacy-sensitive users because the number of apps in F-Droid was still relatively small. In 2019 it improved the situation a bit. Nevertheless, there are still apps that are only offered in the Play Store. It would therefore be unrealistic to simply assume that everyone can get by with the apps offered in the F-Droid.
So if you can't find an alternative in F-Droid for your "favourite app" from the Google Play Store, you won't be able to avoid getting some of your apps from the Play Store. Since the apps from the Play Store are often accompanied by a "loss of control", I will show you in further parts of the article series how you can minimize this with apps like AdAway, Shelter or XPrivacyLua.
6. conclusion
The F-Droid Store gives us access to FOSS apps, which are intended to serve as an alternative to well-known apps. As a critical user, we benefit in particular from the free and open source applications offered in the F-Droid Store. This will enable us to regain a great deal of data dominance on our smartphone.
Ideally, you can completely renounce the Google Play Store. If you don't succeed and prefer to forego the additional installation of GAPPS on your device, you'll find a possible alternative in the Yalp Store - but that's a legal grey area.
That we are in a legally highly controversial grey zone when using apps like Yalp or services like APKPure, which download the APKs from the Playstore, becomes clear when we look at an interview with a lawyer and the discussion on areamobile. Without wanting to deal intensively with all the legal implications mentioned there, it is essential, in my opinion, to take a differentiated approach in answering the question of the legality of the use of these services. The first question to be answered is which "copyrights" (by whom) are potentially violated when downloading apps from the Play Store with these services. http://www.areamobile.de/community/news/188457-darf-ich-das-android-ohne-google-apps-ohne-play-store.html
In my opinion, it plays an important role to differentiate between how and under which license conditions the apps were published. If it is "proprietary" software that is offered exclusively in the Google Play Store, an infringement of copyrights may well be obvious. However, the situation is different with FOSS apps, which have been posted in the Play Store as well as in the F-Droid Store or on the developer's website. If you download this app from the Play Store using services such as Yalp, you shouldn't violate the rights of the actual author (the app developer), who actually designed the app "openly" and "freely". Rather, the (alleged) rights of Google, which the author had to grant to Google in order to be allowed to place his apps in the Play Store, are in question.
In order not to expose yourself to this problem in the first place, it would be better to do without the apps in the Google Play Store completely and to use apps from the F-Droid Store. If this is not possible for you - for whatever reason - the Yalp Store can be an alternative to the Play Store and is interesting for all those who use custom ROMs like LineageOS, but prefer not to install the proprietary GAPPS.
5.2 Reality vs. wishful thinking
Personally, I get by completely without apps from the Google Play Store. A few years ago, this was unthinkable for many privacy-sensitive users because the number of apps in F-Droid was still relatively small. In 2019 it improved the situation a bit. Nevertheless, there are still apps that are only offered in the Play Store. It would therefore be unrealistic to simply assume that everyone can get by with the apps offered in the F-Droid.
So if you can't find an alternative in F-Droid for your "favourite app" from the Google Play Store, you won't be able to avoid getting some of your apps from the Play Store. Since the apps from the Play Store are often accompanied by a "loss of control", I will show you in further parts of the article series how you can minimize this with apps like AdAway, Shelter or XPrivacyLua.
6. conclusion
The F-Droid Store gives us access to FOSS apps, which are intended to serve as an alternative to well-known apps. As a critical user, we benefit in particular from the free and open source applications offered in the F-Droid Store. This will enable us to regain a great deal of data dominance on our smartphone.
Ideally, you can completely renounce the Google Play Store. If you don't succeed and prefer to forego the additional installation of GAPPS on your device, you'll find a possible alternative in the Yalp Store - but that's a legal grey area.
In the following article of the article series we will dedicate ourselves to the tracking and advertising blocker AdAway. AdAway is comparable to a local pi-hole that works directly on the device. For all those who continue to purchase apps on the Play Store, AdAway is an effective way to make the integrated tracker and advertising modules "harmless".
Source (german) and more info:
https://www.kuketz-blog.de/f-droid-freie-und-quelloffene-apps-take-back-control-teil5/
#android #NoGoogle #guide #part1 #part2 #part4 #part5 #fdroid #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Source (german) and more info:
https://www.kuketz-blog.de/f-droid-freie-und-quelloffene-apps-take-back-control-teil5/
#android #NoGoogle #guide #part1 #part2 #part4 #part5 #fdroid #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Rethinking digital service design could reduce their environmental impact
Digital technology companies could reduce the carbon footprint of services like You Tube by changing how they are designed, experts say.
Human-Computer Interaction researchers from the University of Bristol looked at how much electric energy was used to provide YouTube videos to people globally in 2016, to enable them to estimate the service’s carbon footprint in that year.
Their analysis showed it was around 10Mt CO2e (Million Metric tons of carbon dioxide equivalent) – approximately that of a city the size of Glasgow.
These carbon emissions result from servers and networking devices streaming about 1bn hours of YouTube video to user devices each day.
They also assessed the reductions that could be gained by eliminating one example of ‘digital waste’ – namely avoiding sending images to users who are only using YouTube to listen to audio. They estimated such a design intervention could reduce the footprint by between 100-500Kt CO2e annually – the carbon footprint of roughly 30,000 UK homes.
While previous academic studies have identified ways in which Interaction Design could reduce the carbon footprint of digital services, this was the first to quantify the benefits of one such intervention.
PDF:
http://delivery.acm.org/10.1145/3310000/3300627/paper397.pdf
https://www.bristol.ac.uk/news/2019/may/rethinking-digital-service-design-.html
#pdf #report #youtube #environmental #impact #research
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Digital technology companies could reduce the carbon footprint of services like You Tube by changing how they are designed, experts say.
Human-Computer Interaction researchers from the University of Bristol looked at how much electric energy was used to provide YouTube videos to people globally in 2016, to enable them to estimate the service’s carbon footprint in that year.
Their analysis showed it was around 10Mt CO2e (Million Metric tons of carbon dioxide equivalent) – approximately that of a city the size of Glasgow.
These carbon emissions result from servers and networking devices streaming about 1bn hours of YouTube video to user devices each day.
They also assessed the reductions that could be gained by eliminating one example of ‘digital waste’ – namely avoiding sending images to users who are only using YouTube to listen to audio. They estimated such a design intervention could reduce the footprint by between 100-500Kt CO2e annually – the carbon footprint of roughly 30,000 UK homes.
While previous academic studies have identified ways in which Interaction Design could reduce the carbon footprint of digital services, this was the first to quantify the benefits of one such intervention.
PDF:
http://delivery.acm.org/10.1145/3310000/3300627/paper397.pdf
https://www.bristol.ac.uk/news/2019/may/rethinking-digital-service-design-.html
#pdf #report #youtube #environmental #impact #research
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
A spam victim hacks back.
"I give you the choice to inherit me. You' re getting $10 million." Who is behind this kind of spam? A hacker went on a search and found what he was looking for.
Everything started with a mail that promised to make me rich - again. Someone is seriously ill, has stashed 10 million US dollars abroad and wants me to participate - I'm lucky. This is of course total nonsense and one of millions of spam mails that probably everyone has ever received. Automatically I move the mouse pointer over the delete button - and pause. I've had enough, I'm fed up! This time I get on the number. I wanted to know how the cheater proceeds - and maybe even arrest him.
Careless impostor
After some mail conversation, the scammer lured me to a fake online banking site. From there I was supposed to transfer the assets to my account. That failed of course and the fraudster claimed to get a valid TAN only against the payment of 2500 US dollars. Of course, I thought and took a closer look at the website. I came across a SQL injection gap. With a few targeted SQL commands I was able to read out a database with details of an admin page for a large-scale spam campaign. Practically there was also the access data for the page - Facepalm.
But it gets even better: The campaign website also had a security problem. By means of a cross-site noscripting attack (stored XSS), I was able to infiltrate the first name database field with the instruction to call a Java noscript stored on a server controlled by me into the administration page. Consequently, I changed the access data and laid out a bait: I informed the fraudster that I had control over the site and that the new login data was only available for money. He bit, called the administration panel and reset the data. He loaded the noscript from my server and I could save his IP address.
From the provider to the router
A Whois query for the recorded IP address revealed that it belongs to the South African provider Hitec Sure. A subsequent scan revealed port 666 of the web interface of a TP Link Router. At this point another facepalm was due: The fraudster did not change the router's default access data and I could log in with the username "admin" and the password "admin".
By adjusting the DNS server configuration in the router, I redirected requests and recorded data: From now on I could watch all internet activities of the fraudster in real time. It turned out that the fraudster was constantly scanning for badly secured mail servers. Within ten days, about 750 MBytes of data were collected. I could read the PPPoE access data from the web interface of the router. Who would have thought that: Practically these data worked also in the customer portal of the provider. After I had registered there, I could see the complete name of the connection owner. Since the provider portal does not reveal any address data, the exact place of residence of the swindler was still unclear at this time.
Address search
I happen to have the same TP-Link model as the spammer. As a result, I was able to create and successfully test a suitable alternative firmware in the form of an OpenWRT image. I then pre-configured this with the provider and WLAN access data I had read out and flashed it via the web interface of the fraud router. By default, however, the device refuses to update the firmware via remote maintenance. However, I could handle this with comparatively little effort: In the corresponding input fields, only an HTML attribute set to Disabled prohibited this process. I was able to remove the attribute without any problems and update it remotely.
"I give you the choice to inherit me. You' re getting $10 million." Who is behind this kind of spam? A hacker went on a search and found what he was looking for.
Everything started with a mail that promised to make me rich - again. Someone is seriously ill, has stashed 10 million US dollars abroad and wants me to participate - I'm lucky. This is of course total nonsense and one of millions of spam mails that probably everyone has ever received. Automatically I move the mouse pointer over the delete button - and pause. I've had enough, I'm fed up! This time I get on the number. I wanted to know how the cheater proceeds - and maybe even arrest him.
Careless impostor
After some mail conversation, the scammer lured me to a fake online banking site. From there I was supposed to transfer the assets to my account. That failed of course and the fraudster claimed to get a valid TAN only against the payment of 2500 US dollars. Of course, I thought and took a closer look at the website. I came across a SQL injection gap. With a few targeted SQL commands I was able to read out a database with details of an admin page for a large-scale spam campaign. Practically there was also the access data for the page - Facepalm.
But it gets even better: The campaign website also had a security problem. By means of a cross-site noscripting attack (stored XSS), I was able to infiltrate the first name database field with the instruction to call a Java noscript stored on a server controlled by me into the administration page. Consequently, I changed the access data and laid out a bait: I informed the fraudster that I had control over the site and that the new login data was only available for money. He bit, called the administration panel and reset the data. He loaded the noscript from my server and I could save his IP address.
From the provider to the router
A Whois query for the recorded IP address revealed that it belongs to the South African provider Hitec Sure. A subsequent scan revealed port 666 of the web interface of a TP Link Router. At this point another facepalm was due: The fraudster did not change the router's default access data and I could log in with the username "admin" and the password "admin".
By adjusting the DNS server configuration in the router, I redirected requests and recorded data: From now on I could watch all internet activities of the fraudster in real time. It turned out that the fraudster was constantly scanning for badly secured mail servers. Within ten days, about 750 MBytes of data were collected. I could read the PPPoE access data from the web interface of the router. Who would have thought that: Practically these data worked also in the customer portal of the provider. After I had registered there, I could see the complete name of the connection owner. Since the provider portal does not reveal any address data, the exact place of residence of the swindler was still unclear at this time.
Address search
I happen to have the same TP-Link model as the spammer. As a result, I was able to create and successfully test a suitable alternative firmware in the form of an OpenWRT image. I then pre-configured this with the provider and WLAN access data I had read out and flashed it via the web interface of the fraud router. By default, however, the device refuses to update the firmware via remote maintenance. However, I could handle this with comparatively little effort: In the corresponding input fields, only an HTML attribute set to Disabled prohibited this process. I was able to remove the attribute without any problems and update it remotely.
In addition to the provider data and the WLAN configuration, I also added a DynDNS client and a firewall rule for an SSH server to the image. So I had remote access to the device. Afterwards I could read the MAC address of the router as well as three SSIDs from surrounding networks. With a free test account at the geolocation service provider Combain I got the approximate coordinates of these networks. With this information I could finally limit the location of the fraudster to a certain street in Johannesburg, South Africa. That's what I left it at first and didn't contact the spammer anymore.
Now I sat on a gigantic data heap and did not know so correctly, what I should make with the quite explosive information. Go to the police? Difficult. By my acting I made myself certainly punishable. In the end I decided to send the data via the anonymous mailbox ....... editorial office. In consultation with the editors, we then decided to publish the story anonymously.
https://www.heise.de/ct/artikel/Ein-Spam-Opfer-hackt-zurueck-4416729.html
#spam #mail #victim #hacking
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Now I sat on a gigantic data heap and did not know so correctly, what I should make with the quite explosive information. Go to the police? Difficult. By my acting I made myself certainly punishable. In the end I decided to send the data via the anonymous mailbox ....... editorial office. In consultation with the editors, we then decided to publish the story anonymously.
https://www.heise.de/ct/artikel/Ein-Spam-Opfer-hackt-zurueck-4416729.html
#spam #mail #victim #hacking
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
This media is not supported in your browser
VIEW IN TELEGRAM
📺 ZombieLoad: Cross Privilege-Boundary Data Leakage
In this scenario, we constantly sample data using ZombieLoad and match leaked values against a list of predefined keywords.
The adversary application prints keywords whenever the victim browser process handles data that matches the list of adversary keywords.
Note that the video shows a browser that runs inside a VM:
ZombieLoad leaks across sibling Hyperthreads regardless of virtual machine boundaries.
📺 https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html
#ZombieLoad #video #podcast #poc
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
In this scenario, we constantly sample data using ZombieLoad and match leaked values against a list of predefined keywords.
The adversary application prints keywords whenever the victim browser process handles data that matches the list of adversary keywords.
Note that the video shows a browser that runs inside a VM:
ZombieLoad leaks across sibling Hyperthreads regardless of virtual machine boundaries.
📺 https://www.cyberus-technology.de/posts/2019-05-14-zombieload.html
#ZombieLoad #video #podcast #poc
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
This media is not supported in your browser
VIEW IN TELEGRAM
📺 San Francisco leaders ban facial recognition tech
San Francisco supervisors today approved a ban on police using facial recognition technology, making it the first city in the U.S. with such a restriction.
📺 https://www.youtube.com/watch?v=2OCR4By38vc
#USA #SanFrancisco #ban #police #facialrecon
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
San Francisco supervisors today approved a ban on police using facial recognition technology, making it the first city in the U.S. with such a restriction.
📺 https://www.youtube.com/watch?v=2OCR4By38vc
#USA #SanFrancisco #ban #police #facialrecon
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Audio
🎧 Elfin APT group targets Middle East energy sector.
Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT 33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States - See more at: https://www.thecyberwire.com/podcasts/cw-podcasts-rs-2019-05-18.html#.dpuf
📻 #ResearchSaturday #CyberWire #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-rs-2019-05-18.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT 33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States - See more at: https://www.thecyberwire.com/podcasts/cw-podcasts-rs-2019-05-18.html#.dpuf
📻 #ResearchSaturday #CyberWire #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-rs-2019-05-18.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Data Security - What Google, Facebook and Microsoft really know about you
Google something quickly, then here and there a little like and then order something on the Internet with Cortana: Everyday life for many people, but with every action we willingly reveal our data. How much the internet knows about each of us is frightening.
Google knows everything?
Yes, and much more! And sometimes Google even knows things we don't know ourselves, best example: What Google actually knows about us. Dieter Bohn, editor-in-chief of "The Verge", put it very elegantly: https://twitter.com/backlon/status/1126662189127950336
"Google: our advanced AI algorithms can predict what car you want to rent and then fill out the web form for you. It knows what you want and just does it."
Mark Vang of the World Community Computing Grid, an IBM project where people make their PCs and computing power available to research, added: https://twitter.com/chmod777Mark/status/1127191469880684544
"...also, all that data we have collected and continue to collect will stay right on our servers where we can sell it to anyone... but feel free to "delete" your account at any time..."
If you use a free service, you are the product
But Google is not the only Internet giant that is targeting our data. Microsoft and Facebook, autonomous vehicles and smart homes also collect a lot of data. Why? Because, at least in the case of Facebook, we willingly tell them everything they don't want to know - and because it makes money.
You also want to know what the Internet knows about you? The answer is frightening.
Dylan Curran, privacy advisor for Presearch.org and former advisor to the American Civil Liberties Union (ACLU), has examined the data the big companies have collected about him. These are his findings: https://twitter.com/iamdylancurran/status/977559925680467968
❗️Movement profile
Google keeps track of where you've been in recent weeks, months, and years, when you've been there, and how much time it took you to get from one place to another.
Even if you've disabled geolocalization, Google stores location data from other sources. This includes information such as which W-LAN network you use and search queries on Google Maps.
At https://www.google.com/maps/timeline?pb you can retrieve your own motion profile.
❗️Google knows everything you have ever searched for - and deleted
In addition to your motion profile, Google creates a cross-device personal search profile from all your search queries. This means that even if you delete your search history on a device, the data is still there.
At https://myactivity.google.com/myactivity you can check your activity log and change your activity settings.
❗️Advertisement
Google does not only store data, but also combines them in different ways. You never searched for "How do I lose 10 kg in 2 weeks"? You don't need it either. Google will tell you that you are a woman in your early thirties and have been looking for organic shops in your area.
The combination of location data, gender, age, hobbies (search queries), career, interests, relationship status and approximate weight as well as income leads to a unique marketing profile on the basis of which you receive advertising.
At https://www.google.com/settings/ads/ you can view your advertising profile.
❗️App usage
You use an ad blocker? Google knows. Do you often translate texts? Google knows. You use a Doodle list to plan an international business meeting. Google knows, because it stores all data about apps and extensions you use.
This information includes what apps you use, when and where you use them, how often, how long and with whom you communicate, including who they chat to on Facebook, where that person lives and when you go to sleep.
At https://myaccount.google.com/permissions you can access the apps with access to your account.
❗️Google knows all the YouTube videos you've ever watched
Google stores all the videos you've ever searched and watched on YouTube - even if you closed it after seconds.
Google something quickly, then here and there a little like and then order something on the Internet with Cortana: Everyday life for many people, but with every action we willingly reveal our data. How much the internet knows about each of us is frightening.
Google knows everything?
Yes, and much more! And sometimes Google even knows things we don't know ourselves, best example: What Google actually knows about us. Dieter Bohn, editor-in-chief of "The Verge", put it very elegantly: https://twitter.com/backlon/status/1126662189127950336
"Google: our advanced AI algorithms can predict what car you want to rent and then fill out the web form for you. It knows what you want and just does it."
Mark Vang of the World Community Computing Grid, an IBM project where people make their PCs and computing power available to research, added: https://twitter.com/chmod777Mark/status/1127191469880684544
"...also, all that data we have collected and continue to collect will stay right on our servers where we can sell it to anyone... but feel free to "delete" your account at any time..."
If you use a free service, you are the product
But Google is not the only Internet giant that is targeting our data. Microsoft and Facebook, autonomous vehicles and smart homes also collect a lot of data. Why? Because, at least in the case of Facebook, we willingly tell them everything they don't want to know - and because it makes money.
You also want to know what the Internet knows about you? The answer is frightening.
Dylan Curran, privacy advisor for Presearch.org and former advisor to the American Civil Liberties Union (ACLU), has examined the data the big companies have collected about him. These are his findings: https://twitter.com/iamdylancurran/status/977559925680467968
❗️Movement profile
Google keeps track of where you've been in recent weeks, months, and years, when you've been there, and how much time it took you to get from one place to another.
Even if you've disabled geolocalization, Google stores location data from other sources. This includes information such as which W-LAN network you use and search queries on Google Maps.
At https://www.google.com/maps/timeline?pb you can retrieve your own motion profile.
❗️Google knows everything you have ever searched for - and deleted
In addition to your motion profile, Google creates a cross-device personal search profile from all your search queries. This means that even if you delete your search history on a device, the data is still there.
At https://myactivity.google.com/myactivity you can check your activity log and change your activity settings.
❗️Advertisement
Google does not only store data, but also combines them in different ways. You never searched for "How do I lose 10 kg in 2 weeks"? You don't need it either. Google will tell you that you are a woman in your early thirties and have been looking for organic shops in your area.
The combination of location data, gender, age, hobbies (search queries), career, interests, relationship status and approximate weight as well as income leads to a unique marketing profile on the basis of which you receive advertising.
At https://www.google.com/settings/ads/ you can view your advertising profile.
❗️App usage
You use an ad blocker? Google knows. Do you often translate texts? Google knows. You use a Doodle list to plan an international business meeting. Google knows, because it stores all data about apps and extensions you use.
This information includes what apps you use, when and where you use them, how often, how long and with whom you communicate, including who they chat to on Facebook, where that person lives and when you go to sleep.
At https://myaccount.google.com/permissions you can access the apps with access to your account.
❗️Google knows all the YouTube videos you've ever watched
Google stores all the videos you've ever searched and watched on YouTube - even if you closed it after seconds.
Accordingly, Google knows whether you're about to become a parent, what your political views are, what your religion is, whether you're depressed or even suicidal.
More: https://www.youtube.com/feed/history/search_history
❗️ Three million Word documents data
The good thing about Google is that you can request and view all this data. Dylan Curran did just that and received an archive file of 5.5 GB. That's about three million pages of continuous text.
If you are curious: Under the motto "Your account, your data", at https://takeout.google.com/settings/takeout you can "export a copy of the content from your Google Account if you want to back it up or use it with a service from another provider," says Google.
This data includes all the above information, plus bookmarks, email, contacts, Google Drive files, photos taken with your phone, stores where you bought something, and products you bought on Google.
Plus your calendar, hangout conversations, music, books, groups, websites they created, phones they owned, shared pages, how many steps you took a day - a nearly endless list.
❗️How Google gets your data
Even though you probably don't like that answer: You give your data voluntarily. The Google archive of collected data will show you how.
👉🏼 1. search history
Dylan Curran's search history included more than 90,000 entries, including images he downloaded and websites he visited. Of course, the search history also offers all search queries for websites for the illegal downloading of programs, movies and music, so that these data can be used against you in a court hearing and cause great damage.
👉🏼 2nd calendar
Your calendar reveals more about you than you might want to admit and shows all the appointments you've ever added. It doesn't matter if you finally noticed it or not.
In combination with your location data, Google knows if they were there, when they arrived - and in case of an interview - how your appointment went. If you're on your way back very quickly, you probably didn't get the new dream job.
👉🏼 3rd Google Drive
The Google archive of collected data also includes the entire Google Drive, including any data you deleted a long time ago. Among other things, Dylan found his resume, monthly financial overviews, website program code, and a "permanently deleted" PGP security key he used to lock his emails.
👉🏼 4th Google Fit
Even the small wearables like Smartwatch or Fitnesstracker make a contribution to the data collection frenzy of the big corporations. Although Dylan Curran deleted this data months ago and withdrew all permissions from the apps, he found, in the truest sense of the word, a list of all his steps.
Google Fit had diligently counted all the steps he ever took and when and where he went. Of course also all times of relaxation, yoga or fitness exercises.
👉🏼 5. photos
If you accidentally deleted all your photos, don't worry, Google still has them all - including metadata about when, where, and with what device you took them. Well sorted by year and date, of course.
👉🏼 6. e-mails
If you use Google Mail or Gmail, Google also has all the emails you've ever sent or received. The same applies to all emails you have deleted and those you have never received (because they have been categorized as spam).
👉🏼 7. activity protocol
The activity log again contains thousands of files and could probably tell you exactly how you felt day and second. Due to the abundance of this data, Dylan Curran could only present a brief selection:
Google stores all the ads you've ever seen or clicked on, every app you've opened, installed or searched for, and every webpage you've ever visited.
Every image you searched or saved, every place you searched or clicked, every news item and newspaper article, every video you clicked on, and every search query you've made since your first Google search - whether you have a Google Account or not!
❗️ Data security on Facebook
Facebook also offers the option to download his private data. For Dylan Curran, this file was "only" 600 MB or about 400,000 pages of text.
More: https://www.youtube.com/feed/history/search_history
❗️ Three million Word documents data
The good thing about Google is that you can request and view all this data. Dylan Curran did just that and received an archive file of 5.5 GB. That's about three million pages of continuous text.
If you are curious: Under the motto "Your account, your data", at https://takeout.google.com/settings/takeout you can "export a copy of the content from your Google Account if you want to back it up or use it with a service from another provider," says Google.
This data includes all the above information, plus bookmarks, email, contacts, Google Drive files, photos taken with your phone, stores where you bought something, and products you bought on Google.
Plus your calendar, hangout conversations, music, books, groups, websites they created, phones they owned, shared pages, how many steps you took a day - a nearly endless list.
❗️How Google gets your data
Even though you probably don't like that answer: You give your data voluntarily. The Google archive of collected data will show you how.
👉🏼 1. search history
Dylan Curran's search history included more than 90,000 entries, including images he downloaded and websites he visited. Of course, the search history also offers all search queries for websites for the illegal downloading of programs, movies and music, so that these data can be used against you in a court hearing and cause great damage.
👉🏼 2nd calendar
Your calendar reveals more about you than you might want to admit and shows all the appointments you've ever added. It doesn't matter if you finally noticed it or not.
In combination with your location data, Google knows if they were there, when they arrived - and in case of an interview - how your appointment went. If you're on your way back very quickly, you probably didn't get the new dream job.
👉🏼 3rd Google Drive
The Google archive of collected data also includes the entire Google Drive, including any data you deleted a long time ago. Among other things, Dylan found his resume, monthly financial overviews, website program code, and a "permanently deleted" PGP security key he used to lock his emails.
👉🏼 4th Google Fit
Even the small wearables like Smartwatch or Fitnesstracker make a contribution to the data collection frenzy of the big corporations. Although Dylan Curran deleted this data months ago and withdrew all permissions from the apps, he found, in the truest sense of the word, a list of all his steps.
Google Fit had diligently counted all the steps he ever took and when and where he went. Of course also all times of relaxation, yoga or fitness exercises.
👉🏼 5. photos
If you accidentally deleted all your photos, don't worry, Google still has them all - including metadata about when, where, and with what device you took them. Well sorted by year and date, of course.
👉🏼 6. e-mails
If you use Google Mail or Gmail, Google also has all the emails you've ever sent or received. The same applies to all emails you have deleted and those you have never received (because they have been categorized as spam).
👉🏼 7. activity protocol
The activity log again contains thousands of files and could probably tell you exactly how you felt day and second. Due to the abundance of this data, Dylan Curran could only present a brief selection:
Google stores all the ads you've ever seen or clicked on, every app you've opened, installed or searched for, and every webpage you've ever visited.
Every image you searched or saved, every place you searched or clicked, every news item and newspaper article, every video you clicked on, and every search query you've made since your first Google search - whether you have a Google Account or not!
❗️ Data security on Facebook
Facebook also offers the option to download his private data. For Dylan Curran, this file was "only" 600 MB or about 400,000 pages of text.
It contained all the messages he had ever sent or received, all his phone contacts, and all his voice messages.
In addition, Facebook stores all your (possible) interests based on the posts you have clicked or hidden and - rather pointless to the privacy officer - all the stickers you have ever sent or received.
👉🏼 log
In addition, Facebook - similar to Google - stores all your activity data when you log in. This includes the from where and which device was currently used.
The company also stores data from all apps ever connected to Facebook, so Facebook knows your political views and interests. Facebook may also know that you were single (because you installed/uninstalled Tinder) and had a new smartphone in November.
❗️ Data security is a top priority for Windows 😉
In principle yes, because those who use Windows 10 have countless possibilities to "protect" their privacy. In fact, there are so many that it becomes confusing. Very few people actually take the time to read through all 16 (!) menu items and their respective options and further settings and decide individually. Categorically deactivating all switches neither provides the optimal protection nor the optimal user experience.
Google's new security concept works in a very similar way under the motto: "You have the choice" - except that nobody explains to you what you can actually choose there.
👉🏼 External control of webcam and microphone
The data that Windows stores by default again includes location data, what programs you have installed, when you installed them, and how you use them. In addition: Contacts, email, calendar, call history, text messages, favorite recipes, games, downloads, photos, videos, music, on and offline search history, and even what radio station you're listening to. Plus, Windows has constant access to your cameras and microphones.
But it's also one of the biggest paradoxes of modern society. We would never allow the government to place cameras or microphones in our homes or movement trackers in our clothes in the life of the government, instead we do it voluntarily, because - let's face it - we really want to see this sweet cat video.
Source (german) and more info:
https://www.epochtimes.de/genial/tech/datensicherheit-das-wissen-google-facebook-und-microsoft-wirklich-ueber-sie-a2885439.html
#google #facebook #microsoft #data #privacy #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
In addition, Facebook stores all your (possible) interests based on the posts you have clicked or hidden and - rather pointless to the privacy officer - all the stickers you have ever sent or received.
👉🏼 log
In addition, Facebook - similar to Google - stores all your activity data when you log in. This includes the from where and which device was currently used.
The company also stores data from all apps ever connected to Facebook, so Facebook knows your political views and interests. Facebook may also know that you were single (because you installed/uninstalled Tinder) and had a new smartphone in November.
❗️ Data security is a top priority for Windows 😉
In principle yes, because those who use Windows 10 have countless possibilities to "protect" their privacy. In fact, there are so many that it becomes confusing. Very few people actually take the time to read through all 16 (!) menu items and their respective options and further settings and decide individually. Categorically deactivating all switches neither provides the optimal protection nor the optimal user experience.
Google's new security concept works in a very similar way under the motto: "You have the choice" - except that nobody explains to you what you can actually choose there.
👉🏼 External control of webcam and microphone
The data that Windows stores by default again includes location data, what programs you have installed, when you installed them, and how you use them. In addition: Contacts, email, calendar, call history, text messages, favorite recipes, games, downloads, photos, videos, music, on and offline search history, and even what radio station you're listening to. Plus, Windows has constant access to your cameras and microphones.
But it's also one of the biggest paradoxes of modern society. We would never allow the government to place cameras or microphones in our homes or movement trackers in our clothes in the life of the government, instead we do it voluntarily, because - let's face it - we really want to see this sweet cat video.
Source (german) and more info:
https://www.epochtimes.de/genial/tech/datensicherheit-das-wissen-google-facebook-und-microsoft-wirklich-ueber-sie-a2885439.html
#google #facebook #microsoft #data #privacy #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
CMOinfographic.pdf
25.8 MB
A Look Back At 25 Years Of Digital Advertising
Advertising has always found a way to adapt to the medium. But the introduction of the “World Wide Web” in 1991 truly changed everything—providing advertisers with an unprecedented opportunity to flex their creative chops. Within a few years, new and entirely different types of ads began to, quite literally, pop up.
PDF:
https://www.cmo.com/content/dam/CMO_Other/articles/CMOinfographic.pdf
Article:
https://www.cmo.com/features/articles/2019/3/19/25-years-of-digital.html#gs.cig5lu
German:
https://news.1rj.ru/str/cRyPtHoN_INFOSEC_DE/3032
#advertising #ads #history #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Advertising has always found a way to adapt to the medium. But the introduction of the “World Wide Web” in 1991 truly changed everything—providing advertisers with an unprecedented opportunity to flex their creative chops. Within a few years, new and entirely different types of ads began to, quite literally, pop up.
PDF:
https://www.cmo.com/content/dam/CMO_Other/articles/CMOinfographic.pdf
Article:
https://www.cmo.com/features/articles/2019/3/19/25-years-of-digital.html#gs.cig5lu
German:
https://news.1rj.ru/str/cRyPtHoN_INFOSEC_DE/3032
#advertising #ads #history #pdf
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Audio
🎧 The CyberWire Daily Podcast - May 20, 2019
Huawei is on the US Entity List, and US exporters have been quick to notice and cut the Shenzhen company off.
Security concerns are now expected to shift to the undersea cable market.
Hacktivism seems to have gone into eclipse. T
he EU enacts a sanctions regime to deter election hacking.
Facebook shutters inauthentic accounts targeting African politics.
Salesforce is restoring service after an unhappy upgrade.
OGuser forum hacked. And don’t worry about a hacker draft.
Jonathan Katz from UMD on encryption for better security at border crossings.
Tamika Smith reports on the Baltimore City government ransomware situation.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-05-20.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Huawei is on the US Entity List, and US exporters have been quick to notice and cut the Shenzhen company off.
Security concerns are now expected to shift to the undersea cable market.
Hacktivism seems to have gone into eclipse. T
he EU enacts a sanctions regime to deter election hacking.
Facebook shutters inauthentic accounts targeting African politics.
Salesforce is restoring service after an unhappy upgrade.
OGuser forum hacked. And don’t worry about a hacker draft.
Jonathan Katz from UMD on encryption for better security at border crossings.
Tamika Smith reports on the Baltimore City government ransomware situation.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-05-20.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
AdAway: Advertising and tracking blocker - Take back control! (Part 6)
1. data collection frenzy
In the last part of the article series I introduced you to the F-Droid Store, where you can get free and open source apps that don't track you or display advertisements. A general recommendation of the article series "Take back control! is therefore:
💡Get apps only from the F-Droid Store.
However, this advice cannot always be put into practice 1:1. Many users are still dependent on apps from the Play Store or cannot find a viable alternative in the F-Droid Store. Unfortunately, apps from the Google Play Store are not exactly known for their data economy - but rather the opposite. Most apps from the Google Play Store contain third-party software components that display advertisements to the user or track his activity every step of the way. As a normal user, however, you don't have any insight into the app or can't "see" from the outside whether this poses a risk to security and privacy.
Since the apps from the Play Store are often accompanied by a "loss of control", I will introduce you to the AdAway app from the F-Droid Store in this article. With this app, the loss of control can be minimized by putting a stop to the delivery of (harmful) advertising and the outflow of personal data to dubious third-party providers.
2nd AdAway
AdAway is an open source advertising and tracking blocker for Android, which was originally developed by Dominik Schürmann - currently AdAway is developed by Bruce Bujon. Based on filter lists, connections to advertising and tracking networks are redirected to the local device IP address. This redirection prevents the reloading of advertisements or the transmission of (sensitive) data to third parties.
By the way, AdAway cannot be found in the Play Store because Google no longer allows ad blockers - they simply violate Google's business model. Or to put it another way: Google will not tolerate an app that effectively protects your privacy and security by preventing the reloading of (harmful) advertisements and the outflow of personal data.
💡There are several advantages to using AdAway:
Reduction in data consumption:
Opening, connecting and closing (app) connections to servers on the Internet inevitably means that data is sent and received. While this is likely to be a problem for most people in their home WLAN due to a flat rate, the use of mobile data often presents a different picture. AdAway blocks the reloading of advertisements, tracking code and other resources. This saves valuable bandwidth and your mobile data plan is not unnecessarily burdened.
Faster device:
The display of advertisements, the execution of reloaded tracking code and basically every (unnecessary) connection setup costs CPU power. However, if these resources are not recharged or blocked by AdAway, not only will your battery last longer, but your device will also respond faster to your input.
Protection of privacy:
A major disadvantage of the predominantly proprietary apps located in the Google Play Store is the lack of transparency of data processing associated with their proprietary nature. Because with these proprietary apps we don't know and often can't check what they actually do (without our knowledge). However, if AdAway is able to block the majority of (app) connections to trackers and advertising networks, this can have a positive impact on our privacy.
AdAway not only blocks advertisements and trackers in your browser, but also in all apps you have installed on your device.
2.1 Concept | Technical background
Using the example of in-app advertising, I would like to briefly explain how AdAway works technically. Suppose an app developer has integrated an advertising module into his app. The app or the integrated module contacts the address each time the app is started or during runtime:
1. data collection frenzy
In the last part of the article series I introduced you to the F-Droid Store, where you can get free and open source apps that don't track you or display advertisements. A general recommendation of the article series "Take back control! is therefore:
💡Get apps only from the F-Droid Store.
However, this advice cannot always be put into practice 1:1. Many users are still dependent on apps from the Play Store or cannot find a viable alternative in the F-Droid Store. Unfortunately, apps from the Google Play Store are not exactly known for their data economy - but rather the opposite. Most apps from the Google Play Store contain third-party software components that display advertisements to the user or track his activity every step of the way. As a normal user, however, you don't have any insight into the app or can't "see" from the outside whether this poses a risk to security and privacy.
Since the apps from the Play Store are often accompanied by a "loss of control", I will introduce you to the AdAway app from the F-Droid Store in this article. With this app, the loss of control can be minimized by putting a stop to the delivery of (harmful) advertising and the outflow of personal data to dubious third-party providers.
2nd AdAway
AdAway is an open source advertising and tracking blocker for Android, which was originally developed by Dominik Schürmann - currently AdAway is developed by Bruce Bujon. Based on filter lists, connections to advertising and tracking networks are redirected to the local device IP address. This redirection prevents the reloading of advertisements or the transmission of (sensitive) data to third parties.
By the way, AdAway cannot be found in the Play Store because Google no longer allows ad blockers - they simply violate Google's business model. Or to put it another way: Google will not tolerate an app that effectively protects your privacy and security by preventing the reloading of (harmful) advertisements and the outflow of personal data.
💡There are several advantages to using AdAway:
Reduction in data consumption:
Opening, connecting and closing (app) connections to servers on the Internet inevitably means that data is sent and received. While this is likely to be a problem for most people in their home WLAN due to a flat rate, the use of mobile data often presents a different picture. AdAway blocks the reloading of advertisements, tracking code and other resources. This saves valuable bandwidth and your mobile data plan is not unnecessarily burdened.
Faster device:
The display of advertisements, the execution of reloaded tracking code and basically every (unnecessary) connection setup costs CPU power. However, if these resources are not recharged or blocked by AdAway, not only will your battery last longer, but your device will also respond faster to your input.
Protection of privacy:
A major disadvantage of the predominantly proprietary apps located in the Google Play Store is the lack of transparency of data processing associated with their proprietary nature. Because with these proprietary apps we don't know and often can't check what they actually do (without our knowledge). However, if AdAway is able to block the majority of (app) connections to trackers and advertising networks, this can have a positive impact on our privacy.
AdAway not only blocks advertisements and trackers in your browser, but also in all apps you have installed on your device.
2.1 Concept | Technical background
Using the example of in-app advertising, I would like to briefly explain how AdAway works technically. Suppose an app developer has integrated an advertising module into his app. The app or the integrated module contacts the address each time the app is started or during runtime:
werbung.server1.de
However, this domain name must first be translated into an IP address so that the advertisement can then be reloaded from there. This service is provided by the Domain Name System (DNS) - one of the most important services on the Internet that converts domain names into their IP address. Everyone knows the principle behind this: You enter a URI (the domain name) in the browser and this is then translated into the corresponding IP address by a DNS server. Names are easier to remember than IP addresses. Your router therefore usually contains DNS servers from your provider or you have entered your own manually, which then translate the address "werbung.server1.de" into an IP address.AdAway now makes use of this DNS principle. In its memory, AdAway maintains a list of domain names that can either deliver advertisements, track users, or otherwise have a negative impact on security and privacy. Once you have installed AdAway, the DNS query is first compared with the internally stored list. If the address is...
werbung.server1.de
...in the list or if there is a hit, the IP address is not resolved as usual, but your device or app receives the answer: "Not reachable" - the translation into the correct IP address is suppressed by AdAway. The result: The advertisement cannot be reloaded from the actual source or IP address. Instead of the advertisement, the user sees a placeholder or simply nothing. A simple principle that blocks the advertisement before it is delivered - even before it is translated into the IP address.2.2 Installation
The installation of AdAway is done conveniently via the F-Droid Store - where the app does not violate questionable business models, as is the case with Google. With a tap on Install the installation of AdAway is done within seconds.
2.3 Adjustment via Magisk
Due to the read-only system partition of the Aquaris X Pro, the Hosts file cannot simply be modified by AdAway. However, this is necessary so that all domains that should not be accessible later can be stored there. Magisk offers a solution for this. Opens the Magisk Manager and calls up the settings. There you tap once on Activate system-less Hosts file.
3. configuration
The configuration of AdAway is done within a few minutes. Many advertising and tracking domains are already blocked in the delivery state. By adding more filter lists we can improve the result even more.
3.1 Initial Start
Immediately after the start AdAway will ask you if you want to send telemetry data (via sentry) to the developer. This is the following information:
Crash report and application failures,
Application usage.
Both kinds of report does not contains any personal data.
Then you can start AdAway directly with a tip on ACTIVATE ADMINISTRATIVE BLOCKS. AdAway will then download the current (block) lists and update the Hosts file.
3.2 Settings
Via the menu item Settings you can configure various options of AdAway. Among other things, you can specify that the (block) lists should be updated daily. The download and installation can be done automatically in the background.
By default, AdAway redirects all blocked hostnames to the IP address 127.0.0.1. For speed reasons, you should change this, as redirecting to 127.0.0.1 (localhost) actually causes network traffic. Tap on the Redirection IP entry and configure the address there:
0.0.0.0
3.3 Blacklists | Add filter listsVia the menu item Hosts-sources you can add further filter lists. Three (block) lists are active in AdAway by default. You can use the plus sign to add additional lists that are not included in AdAway. My suggestion would be to add the following to the existing lists:
https://github.com/StevenBlack/hosts
💡AdviceIn the AdAway Wiki you will find further suggestions and filter lists.
https://github.com/AdAway/AdAway/wiki/HostsSources
Of course you can also activate other filter lists or (block) lists. Possible overlaps are automatically removed by AdAway - duplicate entries would be too inefficient to process the filter lists. After adding the filter lists, AdAway will first download them from the sources and merge them into one big list - so you'll have to wait a moment.Activating the filter lists can lead to so-called "overblocking". This means that domains that are necessary for the functionality of an app are filtered incorrectly. You will then have to decide on a case-by-case basis whether you want to release the domain in AdAway or put it on the whitelist. Further information on this topic can be found in Section 4.2.
4th AdAway in action
The configuration of AdAway is finished or you can customize it to your needs. Unfortunately AdAway does not offer the possibility to display the number of blocked domains - it should be more than 100.000 domains.
4.1 Blocked Domains
As already mentioned, the phenomenon of overblocking can occur, which can under certain circumstances lead to an app or certain function no longer functioning correctly. Personally, I have not been able to observe this so far - however, I am not the appropriate yardstick in this respect either, as I deliberately do without the services of Google, Facebook and Co.
So if an app doesn't work as usual, you should first activate DNS recording via the menu item Record DNS Requests and then open the app that doesn't work. Then open the menu item Record DNS Queries again and tap on the button Display RESULTS. All logged DNS queries will then be listed. As an example I allow the domain "media.kuketz.de" by tapping on the tick in the middle. AdAway will then remember this selection and put the domain on the whitelist:
4.2 Whitelist of a domain | App
Via the menu item Your Lists you can view the domains you have added yourself. AdAway distinguishes between three different variants:
Negative list:
You can add your own domains to block AdAway. In a way, this is a supplement to the existing (block) lists, which you can influence yourself.
Positive list:
As already mentioned, the overblocking effect may occur under certain circumstances. If this happens, you can make a domain accessible again via the positive list. The positive list is always before the filter lists - so the domain is reachable again, even if it is listed in one of the filter lists.
Redirections:
If necessary, you can activate IP redirects for certain domains. The domain "facebook.com" could be pointed to the IP address
193.99.144.80 (heise.de). If you call the domain "facebook.com" in your browser, you will be redirected to heise.de.5. final note
The integration of advertising or the transmission of data to tracking companies is not necessary for the pure function provision of an app. These third-party software components do not simply end up in an app by magic, but are deliberately or actively integrated by the developers. Unfortunately, the developers themselves often do not know which data these building blocks or modules (also known as SDK in technical jargon) actually capture. Thus providers and developers sacrifice their users frivolously on the altar of boundless data collection frenzy, regardless of the associated risks for the security and privacy of their users.
With AdAway, you can minimize this unwanted data transfer. In practice, the principle of DNS blocking works extremely well - the vast majority of unwanted tracking and advertising domains are filtered, which of course has a positive effect on both security and privacy.
Nevertheless, you should not lull yourself into security and now believe that you are solving all tracker and privacy problems. Under certain circumstances it may happen that a tracking or advertising domain is still so unknown or new that it has not yet found its way to one of the (block) lists. In this case, there is a high probability that unwanted data will flow out to questionable third parties. The best long-term protection against unwanted data leakage is to do without most of the apps offered in the Google Play Store. Fortunately, the F-Droid Store is an alternative app store that addresses critical users who value free and open source applications. In the recommendation corner you will find data protection-friendly apps for a wide variety of applications.
6. conclusion
In the Google Play Store there is a whole arsenal of "pseudo-security apps" like virus scanners, which lull the user into false security. AdAway, on the other hand, can effectively protect security and privacy. The paradox is that AdAway is excluded from the Google Play Store because blocking trackers and advertising is against Google's business model. An app that blocks the delivery of Google advertising and tracking is understandably a thorn in Google's side.
In the following article of the article series "Take back control!" I will show you how to block "Big Brother Apps" from the Google Play Store into a kind of closed environment or prison - this is possible with Shelter. This way you can avoid that these apps access sensitive data (contacts etc.).
Source (🇩🇪) and more info:
https://www.kuketz-blog.de/adaway-werbe-und-trackingblocker-take-back-control-teil6/
#android #NoGoogle #guide #part1 #part2 #part4 #part5 #part6 #AdAway #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
6. conclusion
In the Google Play Store there is a whole arsenal of "pseudo-security apps" like virus scanners, which lull the user into false security. AdAway, on the other hand, can effectively protect security and privacy. The paradox is that AdAway is excluded from the Google Play Store because blocking trackers and advertising is against Google's business model. An app that blocks the delivery of Google advertising and tracking is understandably a thorn in Google's side.
In the following article of the article series "Take back control!" I will show you how to block "Big Brother Apps" from the Google Play Store into a kind of closed environment or prison - this is possible with Shelter. This way you can avoid that these apps access sensitive data (contacts etc.).
Source (🇩🇪) and more info:
https://www.kuketz-blog.de/adaway-werbe-und-trackingblocker-take-back-control-teil6/
#android #NoGoogle #guide #part1 #part2 #part4 #part5 #part6 #AdAway #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN