SoylentNews is people

posted by martyb on Sunday September 24 2017, @08:40AM
from the Go-Fish! dept.

Submitted via IRC for SoyCow8963

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code."

Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.

[...] Within the app description, the developers say:

PRIVACY and security
We will never collect your personal info including credit card information. In fact, we cares for privacy of what you type and who you type! [sic]

But Adguard points out that this is contradicted by the company's privacy policy. In addition to this, GO Keyboard shares personal information right after installation, communicates with dozens of tracking servers, and has access to sensitive data on phone. Adguard concedes that this is fairly typical for modern apps, but goes on to say that the app violates Google Play policies.

The apps in question are:

Source: https://betanews.com/2017/09/21/go-keyboard-spying-warning/


  • (Score: 2) by MostCynical on Sunday September 24 2017, @09:09AM (3 children)

    by MostCynical (2589) on Sunday September 24 2017, @09:09AM (#572265) Journal

    installing most apps on android requires "accepting" terms and conditions, and granting "permissions"
    Most people don't even look what is in the list.
    Chances are, is one said "access to contacts, calls, call state, location, keyboard entries, text, speech, etc etc."
    And people installed it anyway.

    Is it even "spying", when people just "give up information" ?

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 0) by Anonymous Coward on Sunday September 24 2017, @09:21AM

      by Anonymous Coward on Sunday September 24 2017, @09:21AM (#572266)

      Of course it's spying. Spying legalized by EULAs and enabled by idiots.

    • (Score: 2) by stretch611 on Sunday September 24 2017, @07:31PM (1 child)

      by stretch611 (6199) on Sunday September 24 2017, @07:31PM (#572416)

      I agree with you, people do blindly give permissions to everything they download without a second thought.

      The problem is in this case, it is a keyboard... It is something used by the system in many places. If you don't let it have access to your contacts, call history, etc, there are many useful things that it can not do, like verify or autofill an email address from your contacts when writing an email or pre-fill digits of a phone number you called before (from history, or even the pizza place in your contacts.)

      How useful would a keyboard be if you had to type a 10 digit phone number from memory every time you wanted to send a text message?

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 2) by quacking duck on Monday September 25 2017, @01:55PM

        by quacking duck (1395) on Monday September 25 2017, @01:55PM (#572655)

        If you don't let it have access to your contacts, call history, etc, there are many useful things that it can not do, like verify or autofill an email address from your contacts when writing an email or pre-fill digits of a phone number you called before (from history, or even the pizza place in your contacts.)

        How useful would a keyboard be if you had to type a 10 digit phone number from memory every time you wanted to send a text message?

        Auto-fill in this context should be the responsibility of the app that's being typed into, not the keyboard being typed on.

        To verify this (on iOS anyway), I went into the default Mail.app and, using Google's Gboard (which does NOT have permission to access my contacts), typed the first few letters into the "To" field of someone in my Contacts app that I've never actually emailed before, and it autofilled their name just fine. I then tested it in the Messages app, with the first few digits of a phone number this time (for a contact I've never called or texted before, the police non-emergency number), and again it autofilled fine.

  • (Score: 4, Informative) by c0lo on Sunday September 24 2017, @09:45AM (9 children)

    by c0lo (156) Subscriber Badge on Sunday September 24 2017, @09:45AM (#572269) Journal

    TFA actually provides important info; you may want to insert it into TFS:

    GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as...
    [currently missing from TFS] "using a prohibited technique to download dangerous executable code."

    That is: it spies on you now, it may do other nasties to you at any time the authors (or their masters) want.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by MostCynical on Sunday September 24 2017, @10:34AM (7 children)

      by MostCynical (2589) on Sunday September 24 2017, @10:34AM (#572277) Journal

      But other apps do that, too. They call it an "update"

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 2) by c0lo on Sunday September 24 2017, @11:33AM (6 children)

        by c0lo (156) Subscriber Badge on Sunday September 24 2017, @11:33AM (#572280) Journal

        But other apps do that, too. They call it an "update"

        Should we blame Google then for allowing "prohibited technique"s in their playground?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by MostCynical on Sunday September 24 2017, @11:44AM (5 children)

          by MostCynical (2589) on Sunday September 24 2017, @11:44AM (#572283) Journal

          Only if they claim to vet every app on their platform.
          I can't find any proof they do claim that. They "review" apps (likely after the app borked someone's phone or tablet), but I can't find evidence they check every app.

          --
          "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
          • (Score: 2) by c0lo on Sunday September 24 2017, @11:57AM (4 children)

            by c0lo (156) Subscriber Badge on Sunday September 24 2017, @11:57AM (#572284) Journal

            So how they "prohibit technique"s?

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
            • (Score: 2) by Wootery on Monday September 25 2017, @12:09PM (3 children)

              by Wootery (2341) on Monday September 25 2017, @12:09PM (#572620)

              There's no contradiction here. It might be a policy to ban an app if it turns out to be using this hack, even if they don't make a proactive effort to check for apps that do it.

              • (Score: 2) by c0lo on Monday September 25 2017, @12:46PM (2 children)

                by c0lo (156) Subscriber Badge on Monday September 25 2017, @12:46PM (#572631) Journal

                if it turns out to be using this hack

                Exactly... what hack? How's this hack different from a normal app update?
                Where's the definition that makes a distinction between "normal update" and "hackish prohibited technique"?

                --
                https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
                • (Score: 2) by Wootery on Monday September 25 2017, @01:01PM (1 child)

                  by Wootery (2341) on Monday September 25 2017, @01:01PM (#572641)

                  TFA says

                  found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code."

                  So whether they're breaking Google's rules (on properly informing the user, say) or exploiting a 'proper' security flaw in the Android codebase, I don't think we can definitively say, though I suspect from the phrasing that it's the latter.

                  If it's the former, then the definition is a matter of policy. If the latter, it's something that could be detected with dynamic program analysis.

                  • (Score: 2) by c0lo on Monday September 25 2017, @01:15PM

                    by c0lo (156) Subscriber Badge on Monday September 25 2017, @01:15PM (#572643) Journal

                    You see, this thread-end is set in the context of MostCynical's

                    But other apps do that, too. They call it an "update"

                    With me asking for further details ('cause assumption and guesses... I can generate myself aplenty)

                    --
                    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by martyb on Monday September 25 2017, @12:09AM

      by martyb (76) Subscriber Badge on Monday September 25 2017, @12:09AM (#572489) Journal

      TFA actually provides important info; you may want to insert it into TFS:

      GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as...
      [currently missing from TFS] "using a prohibited technique to download dangerous executable code."

      That is: it spies on you now, it may do other nasties to you at any time the authors (or their masters) want.

      Ooooops! Right you are... and... fixed!

      --
      Wit is intellect, dancing.
  • (Score: 2, Interesting) by Anonymous Coward on Sunday September 24 2017, @09:52AM (2 children)

    by Anonymous Coward on Sunday September 24 2017, @09:52AM (#572272)

    Since Google wants to have a walled garden to control what people put on their phones, shouldn't Google be liable for anything distributed through their app store? EULAs notwithstanding?

    • (Score: 2) by RamiK on Sunday September 24 2017, @11:41AM

      by RamiK (1813) on Sunday September 24 2017, @11:41AM (#572281)

      Android doesn't prevent you from sideloading APKs. There's even a FOSS app store: https://f-droid.org/

      --
      compiling...
    • (Score: 1, Interesting) by Anonymous Coward on Sunday September 24 2017, @04:34PM

      by Anonymous Coward on Sunday September 24 2017, @04:34PM (#572360)

      Google (thanks to Fiber and Project Fi) is a common carrier subject to Net Neutrality rules. They don't get to decide what content people have access to anymore.

      This is the case that Gab is going to make in court. And they will win.

  • (Score: 2) by stretch611 on Sunday September 24 2017, @08:10PM

    by stretch611 (6199) on Sunday September 24 2017, @08:10PM (#572438)

    Within the app description, the developers say:

    PRIVACY and security
    We will never collect your personal info including credit card information. In fact, we cares for privacy of what you type and who you type! [sic]

    But Adguard points out that this is contradicted by the company's privacy policy. In addition to this, GO Keyboard shares personal information right after installation, communicates with dozens of tracking servers, and has access to sensitive data on phone. Adguard concedes that this is fairly typical for modern apps, but goes on to say that the app violates Google Play policies.

    When companies create privacy problems and do not follow them, I believe the FTC has jurisdiction to take action.

    This is one of the actions that the FTC seems to take even with the current political administration's lax enforcement of rules on companies.

    --
    Now with 5 covid vaccine shots/boosters altering my DNA :P