[Q] Google Cloud Messaging security - Android Q&A, Help & Troubleshooting

I am a bit worried about security part of the GCM service. Unfortunately I haven't found anything in GCM documentation.
Documentation contains a lot of information about device to own-server and own server to Google servers communications. However there is almost nothing written about Google servers to Android device communication. How can I be sure that Google servers cannot be spoofed and an application will not receive fake messages? Do Google servers use SSL to transfer data to a device?

expert opinion is needed
Could some expert clarify this important question for us?
Is there a way to read a GCM message (does GCM work on rooted devices? This means a GCM message can be read, doesn't it?)?
Thanks in advance.

Related

[Q] Google Android -question about collecting connections/SMS/MMS/ logs.

Hi !
I have a question. In Google Privacy Policy there is:
When you use our services or view content provided by Google, we may automatically collect and store certain
information in server logs. This may include:
(...)
telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls,
duration of calls, SMS routing information and types of calls.
Let's assume that I have got a phone with Android connected to a Google account. Does Google collect information
about my calls (outgoing or incoming) or SMS/MMS ? In Privacy Policy it's stated that it "may" collect, but that
doesn't mean that it actually does. Maybe Google collects that data only if someone is using Google Voice or
Google Talk, and data about "normal" (GSM/CDMA/3G) connections/SMS/MMS aren't collected.
Lodverider

Should I be authenticating users against a locally synchronized database?

I'm building an Android application which will allow my sales team to quote projects and I want it to work while they're in remote areas, which means it will download price changes when they get into service areas and also upload any quotes they have done. Since it needs to work offline, I need to authenticate the user login but I'm hesitant to be authenticating them against the database stored locally on the device. Is there a proper way of doing this? I can't authenticate remotely because it has to work offline. Is the local NoSQL database secure? Should I not worry too much about it and just make sure they're authenticated remotely prior to the synchronization when a connection becomes available? Thanks a lot.

Rooted OP6 user with an odd request involving app communication

I have a situation involving Tinder. I managed to get myself banned through their platform by using sarcastic profile details that were a violation of their policy. I kind of was playing with fire here as I had continued to see fake accounts make it onto the platform, and wanted to test their security. I basically ****ed myself.
So I've contacted them and they told me that my phone number and Facebook were banned. I used new phone numbers, Facebook accounts, play store account, a VPN, even a new device to see if they were able to ban based on the MAC address of the device. I still manage to get auto banned. So I think it was because Tinder communicates with Facebook automatically. I am unable to use my Facebook on the device I use with a Tinder account. My question is this: is there a way to block applications from communicating with each other behind the scenes, as in a way for Tinder to not be able to see that Facebook is even installed. I know there has to be a way. I'm actually more interested in learning about this way than I am with using Tinder. It's quite funny, actually. :laugh:
Are there any devs that know if there's a way to edit the coding of the program and how to do it? I do recall there being an app that allows you to change the structure of an app by altering its values such as true to false or 000 to 001 etc.
Feel free to move this post or redirect me. I was gonna post this in the Android mods tab, but it says devs only so I figure I'd respect that fwiw.

[CLOSED]Not logging in to google

Hi, I'm not technically minded and hope you can help me with a question about privacy...
If I do not log in to my Google account on a new ordinary Android phone, will it have any real privacy benefits? Would it lessen the amount of data that's automatically collected in the background by Google?
(I'm careful about permissions and use Netguard, Fdroid and Aurora, and don't use social media apps on my phone)
Thanks.
Edited 21st April: I managed to get a reply from Rob Braxman that I think has answered my question - "all the telemetry of Google (wifi scanning, firebase, etc) still exists and the IMEI is always communicated" with a non-loggedin Android.
So, as far as I can tell, not logging in makes no difference to the background data that is automatically collected on a normal Android phone. I only have some control over what info is collected through individual apps by using permissions wisely and having Netguard block phone and data usage when apps don't require them.
I don't think it matters. Also, how will you install apps from the Google Play Store without logging into your Google account?
I think that Google is an internet giant company in the world and it has clear privacy policies for its applications and services. It should be reliable.
Just for your reference.
James_Watson said:
I don't think it matters. Also, how will you install apps from the Google Play Store without logging into your Google account?
I think that Google is an internet giant company in the world and it has clear privacy policies for its applications and services. It should be reliable.
Just for your reference.
Thanks for your reply, and I appreciate your viewpoint. I'm curious, however, about how much data collection is automatically built in to my normal Android phone's system whether I log into it or not.
Moderator Information, thread closed at OP's request.

PSA: K-9 Mail is (AFAIK) the ONLY 3rd-party MUA on Android working after May 30th, 2022 by using OAuth2 over the web (& not 2FA/2SV or andOTP/FreeOTP)

Update on 3rd-party MUAs (e.g., K-9 Mail) using OAuth2 on Android after May 30th, 2022... which we have been searching for since early March of this year when Google notified us of the demise of the venerable login/password credentials.
PSA: K-9 Mail is (AFAIK) the ONLY 3rd-party MUA on Android working after May 30th, 2022 by using OAuth2 over the web (and not andOTP/FreeOTP or app passwords, etc., all of which require 2FA/2SV/MFA/MSV which results in a loss of privacy!)
1. I am a typical Android user who was badly affected on May 30th 2022, when Google unilaterally stopped supporting login/password authentication for 3rd party Android mail user agents (MUAs).
2. Since then, I've been desperately looking for a 3rd-party MUA which can log into a Google account WITHOUT 2FA/2SV/MFA/MSV and without creating a mothership tracking account on the phone.
3. Google (seemingly) allows MANY ways to authenticate a MUA onto the Google email servers; but all but one method (AFAIK) requires a "second something" (which is often referred to as 2FA/2SV/MFA/MSV) - which trades privacy for security.
4. The one method of authentication that doesn't require 2FA/2SV/MFA/MSV is OAuth2 (which itself is inherently insecure, but the problems with OAuth2 are not the point of this thread).
5. I have a Google email account, like many others... simply because it's the best free email account that I can find.
6. However, I am one of those Android users who cares a lot about privacy (where privacy is a thousand things, much like health and hygiene is a thousand little things - where people who care about privacy never just give up - just like people who care about hygiene never just give up - but they understand that many others do just give up, and that's OK).
7. One of those privacy little things is I don't have a Google Mothership Tracking Account on my unrooted Android phones, and I never will.
8. Hence, I could never use the Android Google GMail app to log into my Google email account because it CREATES that mothership tracking account.
9. Another of those privacy little things is I don't use 2FA (aka 2SV/MSV/MFA, etc.) which trades privacy for security since a "second something" is always needed in your hands (e.g., freeOTP, andOTP, etc.).
10. Some MUAs (such as Thunderbird on the PC) use OAuth2 over the web, but until this week (AFAIK), there were ZERO 3rd-party MUAs on Android which authorized Google email using OAuth2 over the web (mainly because Google apparently requires an annual security audit costing thousands of dollars for anyone who does).
11. Therefore, AFAIK, every third-party MUA stopped working with login/password on May 30th, 2022, where some of them (e.g., Fair Mail) were forced to switch to some other authentication mechanism, one of which was to authorize via OAuth2 using a Google Mothership Tracking Account (which the app would CREATE for you, whether you wanted it to do so or not). Just like the GMail app does.
12. Apparently, as of this week, the developers of K-9 Mail (teamed up with the resources of Thunderbird), are the first free 3rd-party MUAs on Android that allow OAuth2 authentication over the web with Google email accounts.
13. Last week OAuth2 was added to K-9 Mail for the first time (version 6.200), but it CREATED a Google Mothership Tracking Account in order to authenticate with the Google email servers.
14. This week, I was advised that the K-9 Mail version 6.201 was updated to perform that all-important OAuth2 over the web. I tested it just now. It works. Note the K-9 team probably have resources that most Android developers lack now that they've teamed up with the Mozilla Thunderbird folks.
15. This is a PSA, and, a question of whether you know of any other 3rd-party Android MUA which can authorize OAuth2 with Google email servers over the web (WITHOUT creating a Google Mothership Tracking Account on Android).
Disclaimer: I am just a user; I am NOT affiliated in any way with anything.
Spoiler: Where to get the version 6.201 K-9 APK
*K-9 Home Page*
<https://k9mail.app/>
<https://k9mail.app/download>
*Google Play Store* (via the FOSS Aurora Store GPS client)
<https://play.google.com/store/apps/details?id=com.fsck.k9>
Name: com.fsck.k9.apk
Size: 8103422 bytes (7913 KiB)
SHA256: 46F071F989C6A138C2B8835D7FCDFA902AE1697B6B3C1C16581EE34B42E51CC3
*SourceForge*
<https://sourceforge.net/projects/k-9-mail.mirror/>
<https://sourceforge.net/projects/k-9-mail.mirror/files/latest/download>
<https://downloads.sourceforge.net/project/k-9-mail.mirror/6.200/k9-6.200.apk>
<https://master.dl.sourceforge.net/project/k-9-mail.mirror/6.200/k9-6.200.apk>
Name: k9-6.200.apk
Size: 8098357 bytes (7908 KiB)
SHA256: 3D8275705E00C159CD1AE473164B403EDF2A2D24E97D9F34D50FDA0677F8B398
*GitHub*
<https://github.com/thundernest/k-9>
<https://github.com/thundernest/k-9/releases>
<https://github.com/thundernest/k-9/releases/download/6.201/k9-6.201.apk>
Name: k9-6.201.apk
Size: 8103232 bytes (7913 KiB)
SHA256: 53F6678B9CF065B2413A53F70BFBF56E2C9C42454DA1A4F37AEC6AD60AB9D53A
*F-Droid*
<https://f-droid.org/packages/com.fsck.k9/>
<https://f-droid.org/en/packages/com.fsck.k9/>
<https://f-droid.org/repo/com.fsck.k9_32001.apk>
Name: com.fsck.k9_32001.apk
Size: 8102284 bytes (7912 KiB)
SHA256: 53637CC7DCF5B4F16EB167F91797DE06D07E00B30FDDBCAC0AA6CBC79122A42D
In summary, as far as I know, K-9 Mail is the ONLY 3rd-party Android MUA that can connect to Google mail servers after May 30th, 2022 without 2FA/2SV.
And what's your experience with the native Samsung E-Mail app?
Until recently, I assumed that account authorization was done by the Samsung server, not Google. However, last year I got a shock when it turned out that Samsung was being queried by Google about my age, because there was a mismatch between the settings in my Google account and my Samsung account.
Without explaining exactly what the issue was, Samsung sent me reminders that it would remove my access to its account if I didn't correct it. After my repeated interventions, Samsung finally realized its mistake, but did not apologize.
ze7zez said:
And what's your experience with the native Samsung E-Mail app?
Thanks for that question, but, unfortunately, I don't have a Samsung Mothership Tracking Account for the same reasons I don't have a Google Mothership Tracking Account on any of my phones (unfortunately, I also own iOS devices which not only REQUIRE Apple mothership tracking accounts just to download software but if you set up 2FA, it's PERMANENT (as in forever!)).
In addition, one of the first things I did when I got my phone was wipe out (or disable) every app I didn't want (e.g., I replaced Chrome with Ungoogled Chromium, and I replaced YouTube with NewPipe, and I replaced the Google Play Store with the Aurora Store & Aurora Droid, and I replaced Google Search with DuckDuckGo Search, and I replaced the default Samsung launcher with Nova free, etc.).
I just ran a search for "Samsung" in my app drawer app and there's nothing that isn't either deleted or disabled. (Of course, when I search for "samsung" in my MuntashirAkon App Manager, it finds a lot of apps with names such as "com.samsung.android.whatever", but I don't have the Samsung Mail app you are speaking about.) However, if it accesses the Google Mail servers, I suspect it would be subject to the same rules that Google foisted upon all 3rd-party MUAs.
Spoiler: These are Google & Thundernest/K-9 references on this topic
*Less secure apps & your Google Account*
<https://support.google.com/accounts/answer/6010255?hl=en>
Here is the official Google announcement (afaik).
<https://support.google.com/accounts/answer/6010255>
Google says you can use app passwords here.
<https://support.google.com/accounts/answer/6010255>
And here is Google help on "signing in with app passwords".
<https://support.google.com/accounts/answer/185833>
*K-9 Mail (future Thunderbird for Android) adds OAuth 2.0 support*
<https://www.ghacks.net/2022/07/08/k-9-mail-future-thunderbird-for-android-adds-oauth-2-0-support/>
*Add OAuth 2.0 configuration for Office 365 / Outlook #6094*
<https://github.com/thundernest/k-9/pull/6094>
NOTE: AFAIK
Thundernest belongs to Thunderbird.
K9 moved their repo there I assume.
Thunderbird is not Mozilla any more.
Eran Hammer:
*OAuth 2.0 leader resigns, says OAuth2 standard is 'bad'*
<https://www.cnet.com/tech/services-and-software/oauth-2-0-leader-resigns-says-standard-is-bad/>
"The standard grew too far away from its roots as a simple Web
authentication technology, author Eran Hammer-Lahav says,
and now is insecure and overly broad."
*Eran Hammer's last conference on why OAuth2 is "Death by a million cuts"*
<https://hustoknow.blogspot.com/2012/12/oauth2-road-to-hell.html>
*Thunderbird & GMail*
<https://support.mozilla.org/en-US/kb/thunderbird-and-gmail>
Since some people may be confused, Google equates 2SV with 2FA:
<https://support.google.com/accounts/answer/185839>
"With 2-Step Verification (also known as two-factor authentication),
you add an extra layer of security to your account in case your
password is stolen. After you set up 2-Step Verification,
you'll sign in to your account in two steps using:
1. Something you know, like your password
2. Something you have, like your phone"
Note that Apple's 2FA/2SV is PERMANENT!
*Apple 2FA Case Dismissed by California Federal Court*
<https://securitycurrent.com/no-good-deed-apple-2fa-case-dismissed-by-california-federal-court/>
Here's a list I came up with searching for a list of what our choices might be.
1. OAuth2 (usually using an on-device Google Account), or
2. Autoforward Google mail to a non-Google account, or,
3. 2FA/2SV/MSV/MFA via a variety of authenticators, such as...
a. app passwords
b. Some kind of "2FA/2SV/MSV/MFA authenticator" app, such as...
FreeOTP Authenticator, Google Authenticator, Authy, FreeOTP+, etc.
c. USB tokens
d. Time-based one-time passwords (TOTP)
e. SMS 2FA
f. Use the phone's built-in security key
g. Use a physical "security key"
h. Get a one-time security code from another device
i. Enter one of your 8-digit backup codes
j. Sign in using QR codes
k. Set up a "trusted computer" for sign in
l. Sign in with "google prompts"
Any others?
*Email client K-9 Mail will become Thunderbird for Android*
<https://arstechnica.com/gadgets/2022/06/email-client-k-9-mail-will-become-thunderbird-for-android/>
*Frequently Asked Questions: Thunderbird Mobile and K-9 Mail*
<https://blog.thunderbird.net/2022/06/faq-thunderbird-mobile-and-k-9-mail/>
*Revealed: Our Plans For Thunderbird On Android*
<https://blog.thunderbird.net/2022/06/revealed-thunderbird-on-android-plans-k9/>
*The OAuth 2.0 Authorization Framework*
<https://datatracker.ietf.org/doc/html/rfc6749>
App Manager blocks XDA App by default, even though logging into XDA calls up the web browser to log in through it. So it's not the best on the planet. Yes, I disconnected everything for it, then it stopped clinging to the XDA App.
ze7zez said:
App Manager blocks XDA App by default, even though logging into XDA calls up the web browser to log in through it.
We should take that issue up privately (or in another thread) as it's off topic here, but what I want to say for the topic is that, today, I just found out from the developer of the Fair Mail app that the K-9 development team worked with him to add the same web-OAuth2 libraries as they were using to enable Fair Mail to ALSO authenticate GMail via web-OAuth2.
This means for both Fair Mail and for K-9 Mail...
a. No mothership tracking account is necessary as of this week!
b. No app passwords (which requires 2FA/2SV) are needed!
c. That means we don't have to trade privacy for security!
This is great news for those of us whose 3rd-party MUA died on May 30th 2022 because Google prioritized security over privacy.
Spoiler: Where to get MUAs that use web OAuth2 with Google email accounts
Given trading privacy for security is a bad bargain for most of us, it's great to know this week there are now at least two 3rd-party MUAs to recover from Google May 30th 2022 unilateral loss of privacy (due to deprecation of login/passwords)...
1. Fair Mail
2. K-9 Mail
Today I was notified by the developer of Fair Mail that the developer of K-9 Mail worked with him so that _both_ of them now authorize OAuth2 over the web on Android (much like TB does on the PC).
Apparently Google loosened the annual audit requirement, but I'm not wholly sure what changed in the interim between last week & this week's changes.
To be sure, there are a huge number of issues still outstanding (e.g., Google is limiting their token counts to such a low number as to be anti-competitive, which is affecting Fair Mail far more than K-9 Mail due to the huge number of Google email users on Fair Mail compared to K-9 Mail), but the PSA here is that Google "apparently" loosened the annual security audit requirements for MUA developers so that Android can again authorize Google email accounts WITHOUT creating a mothership tracking account on the device.
This means that you don't need a mothership tracking account for OAuth2.
And it means that you don't need "app passwords" (which requires 2SV/2FA).
Best to get the 3rd-party MUAs from GitHub due to F-droid lagging behind.
*K-9 Mail* by K-9 Dog Walkers
Free, ad free, rated 3.1 stars, 96.3K reviews, 5M+ Downloads
<https://play.google.com/store/apps/details?id=com.fsck.k9>
Name: com.fsck.k9.apk
Size: 8103422 bytes (7913 KiB)
SHA256: 46F071F989C6A138C2B8835D7FCDFA902AE1697B6B3C1C16581EE34B42E51CC3
*GitHub*
<https://github.com/thundernest/k-9>
<https://github.com/thundernest/k-9/releases>
<https://github.com/thundernest/k-9/releases/download/6.201/k9-6.201.apk>
Name: k9-6.201.apk
Size: 8103232 bytes (7913 KiB)
SHA256: 53F6678B9CF065B2413A53F70BFBF56E2C9C42454DA1A4F37AEC6AD60AB9D53A
*Fair Mail* by Faircode.eu
<https://email.faircode.eu/>
<https://github.com/M66B/FairEmail>
<https://github.com/M66B/FairEmail/releases>
<https://github.com/M66B/FairEmail/releases/download/1.1940/FairEmail-v1.1940a-github-release.apk>
Name: FairEmail-v1.1940a-github-release.apk
Size: 26750634 bytes (25 MiB)
SHA256: DF1B41DD912B90F8F3B57E014C1EDA436FF0D0C89232E007E6DCDBB8B6800E6D
See also:
<https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-content-faq173>
<https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-content-faq147>
<https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-content-faq111>
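
The "Where to get" spoilers in this post and in the first post of the thread list each APK as a Name / Size / SHA256 triplet. The following is an added example, not part of any post in the thread and not code from K-9 Mail or FairEmail: it parses that triplet layout and checks a downloaded file against it before installation. The function names and result strings are assumptions made for the example; the two sample triplets are copied from the posts above.

```python
import hashlib
import hmac
import os
import re
import sys

# Two of the triplets exactly as posted in the thread above.
POSTED = """\
Name: k9-6.201.apk
Size: 8103232 bytes (7913 KiB)
SHA256: 53F6678B9CF065B2413A53F70BFBF56E2C9C42454DA1A4F37AEC6AD60AB9D53A
Name: FairEmail-v1.1940a-github-release.apk
Size: 26750634 bytes (25 MiB)
SHA256: DF1B41DD912B90F8F3B57E014C1EDA436FF0D0C89232E007E6DCDBB8B6800E6D
"""

# One entry is three consecutive lines in the layout used by the posts.
ENTRY = re.compile(
    r"^Name:[ \t]*(?P<name>\S+)[ \t]*\n"
    r"Size:[ \t]*(?P<size>\d+) bytes[^\n]*\n"
    r"SHA256:[ \t]*(?P<sha>[0-9A-Fa-f]{64})[ \t]*$",
    re.MULTILINE,
)


def parse_entries(text):
    """Return {file name: (size in bytes, lowercase hex SHA-256)}."""
    return {m["name"]: (int(m["size"]), m["sha"].lower())
            for m in ENTRY.finditer(text)}


def check_file(path, entries):
    """Compare one downloaded file with its posted triplet.

    Returns "ok", "unlisted", "size-mismatch" or "hash-mismatch".
    """
    name = os.path.basename(path)
    if name not in entries:
        return "unlisted"
    size, sha = entries[name]
    # Cheap check first: a wrong size means a truncated or different file.
    if os.path.getsize(path) != size:
        return "size-mismatch"
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        # Hash in 1 MiB chunks so large APKs are not loaded into memory.
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return "ok" if hmac.compare_digest(digest.hexdigest(), sha) else "hash-mismatch"


if __name__ == "__main__":
    listed = parse_entries(POSTED)
    results = {p: check_file(p, listed) for p in sys.argv[1:]}
    for p, r in results.items():
        print(f"{r:14} {p}")
    sys.exit(0 if all(r == "ok" for r in results.values()) else 1)
```

The file must keep the name given in the post, because the lookup is by file name. A match shows only that the download is byte-identical to the file the poster hashed; a hash published by the project itself, or the APK's signing certificate, is what ties the file to its developer.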
