←back to thread

Samsung embeds IronSource spyware app on phones across WANA

(smex.org)
845 points the-anarchist | 1 comments | 21 Jun 25 03:06 UTC | HN request time: 0.414s | source
Show context
userbinator ◴[21 Jun 25 04:22 UTC] No.44334486[source]
making it nearly impossible for regular users to uninstall it without root access, which voids warranties and poses security risks

Stop parroting the corporate propaganda that put us into this stupid situation in the first place. Having root access on devices you own should be a fundamental right, as otherwise it's not ownership.

replies(12): >>44334515 #>>44334549 #>>44334577 #>>44334616 #>>44334661 #>>44334912 #>>44335283 #>>44335463 #>>44335597 #>>44336211 #>>44336257 #>>44336433 #
ulrikrasmussen ◴[21 Jun 25 07:05 UTC] No.44335283[source]
We need regulation which defines that any hardware device capable of running software developed by a third party different from the hardware manufacturer qualifies as a general purpose computing device, and that any such device is disallowed to put cryptographic or other restrictions on what software the user wants to execute. This pertains to all programmable components on the device, including low-level hardware controllers.

These restrictions extend outside the particular device. It must also be illegal as a commercial entity to enforce security schemes which involve remote attestation of the software stack on the client device such that service providers can refuse to service clients based on failing attestation. Service providers have other means of protecting themselves, taking away users control of their own devices is a heavy handed and unnecessarily draconian approach which ultimately only benefits the ad company that happens to make the software stack since they also benefit from restricting what software users can run. Hypothetically, they might be interested in making it impossible to modify video players to skip ads.

replies(3): >>44335513 #>>44335681 #>>44335780 #
miki123211 ◴[21 Jun 25 08:14 UTC] No.44335681[source]
I agree, but I think three extra conditions would need to be added here.

1. Devices should be allowed to display a different logo at boot time depending on whether the software is manufacturer-approved or not. That way, if somebody sells you an used device with a flashed firmware that steals all your financial data, you have a way to know.

2. Going from approved to unapproved firmware should result in a full device wipe, Chromebook style. Possibly with a three-day cooldown. Those aren't too much of an obstacle for a true tinkerer who knows what they're doing, but they make it harder to social engineer people into installing a firmware of the attackers' choosing.

3. Users should have the ability to opt themselves into cryptographic protection, either on the original or modified firmware, for anti-theft reasons. Otherwise, devices become extremely attractive to steal.

replies(3): >>44336140 #>>44336325 #>>44337094 #
gmueckl ◴[21 Jun 25 09:48 UTC] No.44336140[source]
4. Apps with special security needs are allowed to detect whether a device is unlocked and can either disable themselves or go into a mode that shifts ALL related liability onto the user. It's not the bank's fault if the user disabled protections and some spyware logs the online banking password or something like that.
replies(5): >>44336299 #>>44336371 #>>44336372 #>>44338111 #>>44338723 #
ulrikrasmussen ◴[21 Jun 25 15:00 UTC] No.44338111[source]
My bank app refuses to work on LineageOS, but I can use the web interface just fine which has the exact same UI and functionality as the app. In both the native app and the web app I have to authorize any transactions using my national ID, which for me is a hardware token (the app for my national ID also refuses to run). Why is it somehow insecure to initiate this flow from a native app on LineageOS while it is not insecure to do the exact same via a browser on LineageOS? If the app can be compromised, so can the browser - the bank cannot trust all its browser based clients anyway.

The web app has been running with this security model for decades on PCs, and it has been fine. The whole narrative about remote attestation being necessary to protect users is an evil lie in my opinion, but it is an effective lie which has convinced even knowledgeable IT professionals that taking away device ownership from users is somehow justified.

replies(1): >>44339315 #
1. gmueckl ◴[21 Jun 25 17:43 UTC] No.44339315[source]
A hardware device that doesn't confirm transaction details on its own locked down display enables man in the middle attacks. I have to use such devices with my bank card when banking online.