Hundreds of smartphone apps are monitoring users through their microphones : hackernews

[–] henfredemars@infosec.pub 34 points 1 month ago* (last edited 1 month ago) (5 children)

FUD. Apps cannot listen to the microphone without going through the OS first. I call FUD or share with me this magical OS-bypassing code. Compromising the OS at such a fundamental level on a recent Android version is almost certainly beyond their capabilities. I am more likely to believe the content that inspired this article is more aimed at investors and is blatantly making false claims, and that such claims from the privacy policy are generic disclaimers.

Further, have you ever tried to get an app to consistently run in the background on purpose? It's an enormous PITA when you actually want this to happen. Android apps do not typically run in the background at all unless they have again special permissions to bypass background restrictions. The OS strongly prefers to pause and eventually kill apps to save battery rather than permit background activities to occur unless they fall into specific categories and then only at specific times to optimize the battery usage.

If an app asks to run in the background all the time, bypass battery restrictions, and you grant it microphone access explicitly, the problem is no longer Android. The problem is the user being stupid by granting access against their own interests. And even then, it'll still trip the microphone indicator.

[–] Sylvartas@lemmy.dbzer0.com 10 points 1 month ago* (last edited 1 month ago) (2 children)

No one said they were bypassing the OS. Have you seen the permissions some apps ask for ? Messenger used to straight up refuse to work if it couldn't access your contacts and what your screen is showing at all times (allegedly to allow their shitty app widget to always display on top of whatever you're doing). Don't need a microphone to spy on anyone with that.

[–] Lichtblitz@discuss.tchncs.de 2 points 1 month ago

To be fair, the Android permission system is crap. I have an app to automate certain things. It requests only the exact permissions required for the actions I have configured. All I want to do is enable auto-rotate if a certain app is in the foreground and set portrait mode otherwise. In order to do that, the app needs full screen reader access and can theoretically see everything that's on the screen. That said, I personally don't believe the Messenger app was well intentioned. But if it were, it may not have a choice but to request these permissisions for legitimate use cases.

[–] henfredemars@infosec.pub 1 points 1 month ago

True, and the applications are targeting children. Perhaps they’re praying on a user who will grant permissions without asking questions, of which there are many.

[–] troed@fedia.io 10 points 1 month ago

100% correct. There's a whole field of mobile cybersecurity researchers who would be able to name names and show code if this was true.

The rest of the comment field here saddens me immensely.

[–] MudMan@fedia.io 5 points 1 month ago

Man, I hear you on the persistent background operation. I can't get my third party watch to stay connected to its home app for a day at a time and at this point I've given it all the permissions I'm allowed to give. If it asked for nudes I'd have sent them a portfolio. Doesn't matter, you need to manually reopen it and resync it multiple times a day.

[–] unexposedhazard@discuss.tchncs.de 3 points 1 month ago (1 children)

Problem is that lots of kids have smartphones and dont understand what they are allowing by enabling those permissions.

[–] wobfan@lemmy.zip 3 points 1 month ago

All recent OSes even visually make it obvious that the microphone is used, after asking the user if they should allow it at all. I don’t think they can actually to more far than this. Maybe regularly ask the user if they really want the microphone to be used all the time.

[–] ddash@lemmy.dbzer0.com 3 points 1 month ago

Agreed on all of that. But, see it from a different perspective, maybe the news need to misinform this way to get people to finally be privacy conscious on their phones. I mean, probably not and it is certainly a terrible way to do so, but maybe it might help that a broader population reevaluates how much they want to share online.

[–] NickwithaC@lemmy.world 17 points 1 month ago (1 children)

While Alphonso hasn’t revealed the names of these apps, Pool 3D, Beer Pong: Trickshot, Real Bowling Strike 10 Pin and Honey Quest all feature the technology.

Oh look, they're all shitty games that hook people like gambling sites. Whoever would have thought!

[–] thefluffiest@feddit.nl 15 points 1 month ago

Article from 2018. Not worth recycling. Mostly FUD.

[–] raltoid@lemmy.world 10 points 1 month ago* (last edited 1 month ago)

PLEASE SKIM THE ARTICLE BEFORE COMMENTING

Here's the part that most people seemed to miss:

With your permission provided at the time of downloading the app, the ACR software receives short duration audio samples from the microphone on your device.

[–] kalipixel@reddthat.com 7 points 1 month ago* (last edited 1 month ago)

The apps need permission to the microphone for that and in background it would drain the battery and constantly show the microphone is accessed unless you are using an old android version. It is likely easy though to eavesdrop when the app is opened and using microphone is an expected functionality, and to pick up keywords and the sounds emitted from other sources to better know location and social graphs without GPS access.

[–] Rusty@lemmy.ca 4 points 1 month ago

Help, I installed a microphone app on my phone and it's working as a microphone, what should I do?

[+] Geetnerd@lemmy.world 0 points 1 month ago* (last edited 1 month ago) (4 children)

[deleted]

[–] Ep1cFac3pa1m@lemmy.world 7 points 1 month ago (2 children)

My wife and I were driving down the highway and I saw an old Cadillac, and I said, “hey, I like that old Cadillac.” Not even an hour later I got a facebook marketplace notification about a Cadillac for sale near me. I have NEVER searched for Cadillacs for sale.

[–] Tikiporch@lemmy.world 6 points 1 month ago

Yeah, crazy thing is it's never things I just think about but never tell anyone. Ads don't come until I mention it out loud near my phone.

[–] NotMyOldRedditName@lemmy.world 4 points 1 month ago* (last edited 1 month ago)

I've had things like this happen, and I always suspected it was Facebook itself doing it, but now I think it's also likely its something else feeding info into an ad system that then shows the ad on Facebook.

Every now and then I'll just blurt out random things I want that I'd never want to see if I can trigger getting ads for it. Hasn't happened in quite awhile now, probably because restrictions on doing it are getting better.

[–] ddash@lemmy.dbzer0.com 7 points 1 month ago (1 children)

However: https://m.independent.ie/business/technology/your-phone-isnt-listening-to-you-but-the-truth-is-scarier/42345949.html

[–] corsicanguppy@lemmy.ca 4 points 1 month ago (1 children)

The news should have called it Confirmation Bias.

[+] Geetnerd@lemmy.world 1 points 1 month ago (2 children)

[deleted]

[–] wobfan@lemmy.zip 2 points 1 month ago (1 children)

Bro, they don’t. The OS manages microphone access. If you allow it, yes, they may spy. But even then, the OS visible tells you via an icon that the microphone is used. It is the plain written truth, that we can not argue around. There has been a lot security research around this, stuff has been audited, Android is even open source, and no one has ever found even a hint of this being possible.

Echos and Google Homes are an entirely different story because they operate their microphones by design, their entire system works on always listening, and they don’t hide that.

[–] scytale@lemm.ee 2 points 1 month ago

Can’t say about Amazon and Google because I don’t have their devices, but if you read up on how Siri’s cue word works, you’ll see how it doesn’t “listen” to you all the time. It has 2 mechanisms in play, one that’s always ready to hear you call it, and the other that actually transmits the data it collects. Those 2 are decoupled to ensure the one waiting for the trigger/cue word is isolated and only works locally and does not collect or transmit what it’s hearing. Once you trigger it, the second mechanism comes in and then it’s fair game as whatever it hears can be collected and shared.

Having your phone listen to you all the time and transmit the info will cause an obvious drain on your battery and data. If that truly was the case, mobile security professionals would’ve sounded the alarm by now.

[–] pinball_wizard@lemmy.zip 3 points 1 month ago (2 children)

All of the discourse around "we can't prove they are listening" feels like gaslighting, to me.

I don't need proof. We have all have had this experience, and "it's just tracking absolutely everything else so well that it guesses really accurately" isn't in any way better, anyway.

[–] wobfan@lemmy.zip 7 points 1 month ago

It isn’t better, it’s even worse IMO. But it’s just the truth. It is verifiable enough that apps cannot just spy via your microphone in any reasonably modern OS, not even the old versions. What has never been verified though is that there are non-zero-day-exploit-ways to spy through your microphone.

[–] gofsckyourself@lemmy.world 4 points 1 month ago (1 children)

It can be proven, very easily. All it takes is a little bit of IT skills and a basic understanding of networking. There are also immense amounts of incentive to prove it. Your information would be spread across every news network, and you'd be able to use it to sue any business that does it.

So, the only reason it can't be proven is because it's not happening.

[–] pinball_wizard@lemmy.zip 2 points 1 month ago* (last edited 1 month ago) (1 children)

Your information would be spread across every news network, and you'd be able to use it to sue any business that does it.

Oh, I wish that were so.

Any data breaches in the news, today? Of course there is..

The odds are good that whenever you (or anyone) read this comment, there's a verified data breach that hit the news this week and isn't getting any serious national coverage, or any television coverage at all. Even odds are that it's actually from today, regardless of when someone reads this.

I don't know what your pocketbooks look like, but I don't have the finances to hold any of these companies accountable.

I do have a half-dozen different legal settlements worth of (3 years each of) identity fraud protection service offers.

Edit: Oh, you maybe mean specifically if a voice recording was leaked. If so, you're right, that would be huge news.

My legal recourse would remain exactly what it currently is, though. Three more years of low quality identify theft insurance.

[–] gofsckyourself@lemmy.world 3 points 1 month ago

Data breaches are already commonplace, though. People don't really care about that, so news outlets don't care to cover it.

This is vastly different and would be a new thing that everyone would be interested in hearing about. So many people think that this is happening, but have no proof. They would love to be able to say "See! There's finally proof! I told everyone!"

Hacker News