Most active commenters
  • charcircuit(4)

←back to thread

Samsung embeds IronSource spyware app on phones across WANA

(smex.org)
845 points the-anarchist | 13 comments | 21 Jun 25 03:06 UTC | HN request time: 1.14s | source | bottom
Show context
userbinator ◴[21 Jun 25 04:22 UTC] No.44334486[source]
making it nearly impossible for regular users to uninstall it without root access, which voids warranties and poses security risks

Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.

replies(12): >>44334515 #>>44334549 #>>44334577 #>>44334616 #>>44334661 #>>44334912 #>>44335283 #>>44335463 #>>44335597 #>>44336211 #>>44336257 #>>44336433 #
1. charcircuit ◴[21 Jun 25 04:37 UTC] No.44334549[source]
Root access is an outdated security concept from the previous century. Trying to mandate such a concept is parroting UNIX propaganda. Users can be given control of devices without them having a "root" account.
replies(4): >>44334825 #>>44334851 #>>44334883 #>>44336446 #
2. mrusme ◴[21 Jun 25 05:39 UTC] No.44334825[source]
How?
replies(2): >>44334848 #>>44335565 #
3. burnt-resistor ◴[21 Jun 25 05:43 UTC] No.44334848[source]
By having a "maintenance mode" that can be entered and left.
replies(1): >>44334929 #
4. WarOnPrivacy ◴[21 Jun 25 05:44 UTC] No.44334851[source]
> Users can be given control of devices without them having a "root" account.

Can be given control [by handset manufacturers] is an unfulfilled potential. And it will always be unfulfilled - because otherwise, users could protect themselves from manufacturers/providers foistware.

Given their reality, users root.

5. realusername ◴[21 Jun 25 05:50 UTC] No.44334883[source]
Well maybe in theory but in practice they don't. How do I restrict or inspect what the Play Store is doing on my device at the moment without root?
6. peterbraden ◴[21 Jun 25 06:00 UTC] No.44334929{3}[source]
Maintenance mode == root
replies(1): >>44334968 #
7. burnt-resistor ◴[21 Jun 25 06:09 UTC] No.44334968{4}[source]
You're projecting your meaning of it, not mine. Not if it can't be undone in a way other than reinstalling everything. A mode that allows changing things with a temporary reduction of security system-wide and restoring them later, but putting all of the upgrade and support liability on the user without sacrificing functionality. Think VMware ESXi. If tech support wants to not support it, that's fine, but payments and such should still work.
8. charcircuit ◴[21 Jun 25 07:48 UTC] No.44335565[source]
By following the principle of least privilege. Like with apps the user should only have privileges for what they are allowed to control and nothing more. So if the user should have privilege to disable apps, then the settings app could expose a way for the user to do so.

Yes, this is kind of approach of coming up with a design to security instead of going with the easy route of everything being allowed is harder to do and takes more time, but it leads to better security.

replies(2): >>44335906 #>>44336176 #
9. tsegers ◴[21 Jun 25 08:59 UTC] No.44335906{3}[source]
I believe that the top-level comment you replied to is making the point that there should not be any authority that either allows or disallows what a user can do with the device they own. Purchasing a device should make one that authority, free to decide how much security to trade for how much privilege.
replies(1): >>44339827 #
10. arendtio ◴[21 Jun 25 09:56 UTC] No.44336176{3}[source]
Okay, and how am I going to give the user the right to wipe all software from the device and use a completely custom software?

I mean, we all agree that such permissions are not required during everyday operations, but there should be a way for the consumer to have control over the software being used. And I mean all aspects of the software: firmware should be updatable, the OS should be replaceable, and the security concepts within the OS should be customizable by the user as well. I have no problem with hiding such functionality and requiring users to read the documentation to find out how it can be done, but it should still be possible.

replies(1): >>44339835 #
11. Zak ◴[21 Jun 25 10:53 UTC] No.44336446[source]
I agree. I would love to have an "advanced permissions manager" that lets me specify that AccA can write to the /sys devices for the charge controller and AdAway can write to /etc/hosts, but not the reverse.

That doesn't give me any less power than root, but does give those apps less power and limits the potential impact if one gets compromised. I think when most people say the device owner should be able to get root, they mean that the owner, rather than the manufacturer or OS vendor should have the final say in all cases, not that it has to literally work just like root on Unix.

12. charcircuit ◴[21 Jun 25 18:52 UTC] No.44339827{4}[source]
But really it's all about framing. For example on desktop computers it's not possible for people to create new instructions for their CPU to handle. At some layer there will be an API that user needs to use to interact with the device. As times goes on I think it's natural for that layer that users are expected to interact with their device with to become higher level. I believe the top level comment is framing this issue such that current phones don't have an API that matched how it worked for UNIX computers and that is a bad thing. The commenter is too focused on how things worked in the past and doesn't want to allow for things to change.
13. charcircuit ◴[21 Jun 25 18:53 UTC] No.44339835{4}[source]
Sure, but such a product requirement can be made to be legally required without legally requiring root access.