←back to thread

Samsung embeds IronSource spyware app on phones across WANA

(smex.org)
845 points the-anarchist | 7 comments | 21 Jun 25 03:06 UTC | HN request time: 0.967s | source | bottom
Show context
userbinator ◴[21 Jun 25 04:22 UTC] No.44334486[source]
making it nearly impossible for regular users to uninstall it without root access, which voids warranties and poses security risks

Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.

replies(12): >>44334515 #>>44334549 #>>44334577 #>>44334616 #>>44334661 #>>44334912 #>>44335283 #>>44335463 #>>44335597 #>>44336211 #>>44336257 #>>44336433 #
1. menzoic ◴[21 Jun 25 07:55 UTC] No.44335597[source]
How is the security risk propaganda?
replies(3): >>44335676 #>>44335698 #>>44335873 #
2. ahoka ◴[21 Jun 25 08:13 UTC] No.44335676[source]
It's the hardware vendor's "think of the children".
3. msgodel ◴[21 Jun 25 08:18 UTC] No.44335698[source]
If your security model means me having access to my own hardware is a security risk you're malicious and your security model is bad.
4. flotzam ◴[21 Jun 25 08:54 UTC] No.44335873[source]
It's not (only) propaganda. Rooting disables or bypasses verified boot, allowing exploits to persist across a reboot.
replies(2): >>44335967 #>>44336439 #
5. franga2000 ◴[21 Jun 25 09:13 UTC] No.44335967[source]
Malware van persist across reboots regardless of verified boot. What it can't do is persist through a factory reset.

But if you really want a thorough reset, simply re-lock the bootloader and flash stock firmware from there. Nothing can persist through that without an exploit in the verification chain and if you have that kind of exploit, you don't need the bootloader to be unlocked in the first place.

Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.

replies(1): >>44336023 #
6. flotzam ◴[21 Jun 25 09:24 UTC] No.44336023{3}[source]
> Malware [c]an persist across reboots regardless of verified boot.

Some can, some can't. Even when it can persist, escalating to root after every reboot may be unreliable or noisy (e.g. 70% chance of success, 30% crash) compared to straight persistence as root without verified boot.

> Also, there are devices out there that let you enroll your own keys, like the Google Pixel series.

This still applies to those devices. It's the main reason GrapheneOS (which exclusively runs on Pixels, with the bootloader relocked to a GrapheneOS key) is opposed to building in root access: Verified boot would be "enabled", but effectively bypassed. https://xcancel.com/GrapheneOS/status/1730435135714050560

7. ◴[21 Jun 25 10:52 UTC] No.44336439[source]