• Drunemeton@lemmy.world
    link
    fedilink
    English
    arrow-up
    84
    ·
    2 months ago

    One thing I am always aware of are apps that want permission to access Bluetooth and/or Wi-Fi and/or Networks.

    Even though Bluetooth is very short ranged it can still be used to tie you into a location within a database based on other database records that are more detailed.

    Yeah, I love playing you “My Great Dog-sitting Simulator” (not a real app) but you do not need access to my BT. The OS handles sending your audio to my headphones!

    • asbestos@lemmy.world
      link
      fedilink
      English
      arrow-up
      39
      ·
      2 months ago

      Teams is the worst, you can’t join any call if you don’t allow it to scan your local network. I wish the executives a very nice and agonizing death.

      • toynbee@lemmy.world
        link
        fedilink
        English
        arrow-up
        20
        ·
        2 months ago

        I haven’t done an extensive survey or anything, but every modern router I’ve interacted with supports setting up a secondary WiFi network with guest isolation (so anything on that SSID can’t see any network device besides the router and itself). This is useful for apps or hardware that is untrusted and/or demands unjustified permissions.

        • asbestos@lemmy.world
          link
          fedilink
          English
          arrow-up
          6
          ·
          edit-2
          2 months ago

          Correct, using the guest network is better but I think turning off WiFi and just using mobile data is sufficient. I wonder if the permission applies to cellular connectivity as well.

          • toynbee@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            2 months ago

            Sure, removing your network from the equation is definitely a more secure option; just make sure the app isn’t using those granted permissions in the background when you’re done using it and log back into your network.

      • 𝕸𝖔𝖘𝖘@infosec.pub
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        On what device? I have Nearby Devices and Location disallowed on Android, and it still works fine.

        Side note. Teams is the worst. Just, period.

            • asbestos@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              2 months ago

              Oh no, it absolutely isn’t. It’s actually a feature apple implemented to stop apps from scanning and interfacing with the devices on your local network without your approval and Teams has zero explanation on why it needs that permission nor why the calls can’t be made without it while every single other app is able to do so without that permission.
              The only other apps that require it are device specific apps (printer, local smart home stuff, FTP, DLNA, etc) and network scanners.
              Is it possible that Android doesn’t have that permission and therefore Teams is able to scan the network regardless? You could test it out with an SSH or network scanner app for example

    • toynbee@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      arrow-down
      1
      ·
      2 months ago

      I remember when Bluetooth started demanding location permissions. You’ll never convince me that it’s functionally required or provides any benefit other than furthering efforts to spy on the user.

      When it started being rolled out, I avoided any app or hardware that made that demand. Sadly, that’s no longer an option if I want any Bluetooth at all.

      • scrion@lemmy.world
        link
        fedilink
        English
        arrow-up
        21
        ·
        edit-2
        2 months ago

        It’s not like Bluetooth started demanding location permissions, the conceptual model of the permission was revised: having access Bluetooth means an app could determine your location via a form of lateration.

        In earlier versions of smartphone operating systems, this was not transparent to users lacking the technical background, so Bluetooth also requiring location access is actually an attempt at making users aware of that. I’m not an iOS developer, so I can’t comment on iPhones, but on Android versions prior to 11, having access to Bluetooth meant an app would be able to determine your location.

        Today, you can require the permission ACCESS_FINE_LOCATION, which expresses that your app might use Bluetooth to obtain location information on Android. Also, if you’re just scanning for nearby devices to connect your app to, but don’t want users to be confused why your smart fridge app needs to know your precise location, you can declare a permission flag (neverForLocation) and Android will strip beacon information from the scan results, better asserting your intentions.

        So, overall: no, there is nothing nefarious going on, it was always possible to determine your location via Bluetooth, and the update to the permission model was an honest improvement that actually benefits you as user.

        Now, there are still plenty of shady apps around, and apps that are poorly written - don’t use those.

        • toynbee@lemmy.world
          link
          fedilink
          English
          arrow-up
          5
          arrow-down
          1
          ·
          2 months ago

          I knew that someone would try to convince me. You won’t convince me.

          … Though your argument is pretty compelling.

          • llii@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            9
            ·
            2 months ago

            I don’t think he wanted to convince you, he just explained the backgroundon how you can track locations with bluetooth.

        • toynbee@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          I believe it’s only required during the pairing process, but as the other observer pointed out, I don’t know much about it. If you’re able to circumvent the process, more power to you!

  • Evil_Shrubbery@lemm.ee
    link
    fedilink
    English
    arrow-up
    51
    arrow-down
    1
    ·
    edit-2
    2 months ago

    Use FOSS as much as possible, pressure your gov to implement laws against tracking (against what Snowden showed us).

    There is no need to know the location and history, and the communication of everyone everywhere.

    • Scolding7300@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      2 months ago

      I hope Google gets split up, that’ll probably be the beginning of the end for targeted ads (I would hope)

      • Evil_Shrubbery@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 months ago

        I wouldn’t think thats how they are splitting it up … Basically just affecting market shares of some markets (targeted ads being one of them + the ecosystem pushing you into it).

        • Scolding7300@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          2 months ago

          I thought chrome, yt, search, gmail/docs, android, etc. would all be separate entities, making them less willing to share data for financial reasons

          • Evil_Shrubbery@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            2 months ago

            Hm, yes, but their entire goal is to expand advertising - more volume is good for all these same alphabet entities, even if they “lose” (not really) something on pricing.

            Also I hope the search engine somehow gets split up too.

  • magic_smoke@links.hackliberty.org
    link
    fedilink
    English
    arrow-up
    44
    arrow-down
    1
    ·
    edit-2
    2 months ago

    If you have a device that’s actively connected to a cellular network, and has been while in your home or work, then your only option is to leave it behind or turn it off. That includes your car if it was made in the past decade, if nothing else, so it can catch OTA firmware updates, and send telemetry data.

    GPS and location services don’t mean shit when your carrier keeps logs of where you’ve been based on cell-tower triangulation.

    • sunzu2@thebrainbin.org
      link
      fedilink
      arrow-up
      7
      arrow-down
      4
      ·
      2 months ago

      Do we know how carrier shares cell data?

      In another thread, it was suggested thet “cant” just sell it like they isp traffic data for example.

      Obviously the state can get it since is logged. Not sure if they would need s warrant tho

      • The Octonaut@mander.xyz
        link
        fedilink
        English
        arrow-up
        14
        ·
        2 months ago

        I work for a telecom. In my country there is well regulated legislation that specifies how and when the police can ask the telecoms for cell location data, usually used for missing people.

        They also provide large scale, anonymised data for crowd movement analysis. For example it was used to demonstrate how 60,000 people moved into and out of a stadium located for historical reasons in an old-fashioned, dense residential area, in preparation for the arrival of English football fans.

        • magic_smoke@links.hackliberty.org
          link
          fedilink
          English
          arrow-up
          14
          ·
          2 months ago

          You also have to assume that your government has never illegally obtained data it shouldn’t have in a shady manner.

          It also doesn’t bode well for what happens if your country falls into fascism, as all that data will still exist to be systematically, and retroactively used against you.

          • The Octonaut@mander.xyz
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            One of the good things about living in Ireland is that I’m 99% our government is neither competent enough to perpetrate elaborate crimes against its people without being exposed almost instantly, nor powerful enough that even fascists getting into government would have a meaningful impact bar providing a colourful humorous segment of the inevitable documentary on Europe’s second fall to the Axis.

      • turboturtle@lemmy.ca
        link
        fedilink
        English
        arrow-up
        3
        ·
        2 months ago

        This video, where Veritaseum hacks LinusTechTips’ phone, gives a good overview of how it’s possible to track cellphones or hack sms, even without asking a carrier or having physical access to the device: https://m.youtube.com/watch?v=wVyu7NB7W6Y

        TLDW: cellphone networks rely on old, unsecure infrastructure

        • sunzu2@thebrainbin.org
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          2 months ago

          I was talking specifically about how telcos behave within law and corp policy.

          But yeah a threat actor with money can do anything if they really care.

      • magic_smoke@links.hackliberty.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 months ago

        Yeah but it was a luxury, and most likely an RX-only unit that only had a GPS radio. Even if you had a 2g cell radio in the 90’s in your car it’d be incredibly limited, and horrendously expensive for something you could carry in your pocket.

        These days even the cheapest model of Honda Civic will have a modern internet connected network of microcontrollers and computers which all receive OTA updates, many of which handle telemetry.

  • cmnybo@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    41
    ·
    2 months ago

    Don’t just give location access to any app that requests it, especially background location access.

  • Scolding7300@lemmy.world
    link
    fedilink
    English
    arrow-up
    37
    ·
    2 months ago

    I think generally speaking these privacy articles fail to convince the majority of people that there’s a problem, which is crucial to be able to sell the solution.

    I think the abortion part is the most relatable, but you’ll hear them say they’ve got nothing to hide. I believe getting access to that data and show people what data they have on them would be the most effective. It’s like saying to someone that has nothing to hide “oh yeah? Give me your phone and your documents, let me browse what’s on them”

    • Tire@lemmy.ml
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      1
      ·
      edit-2
      2 months ago

      People can be irrational like that. But I bet if there’s a really successful horror movie where the killer finds the victim’s location then people will care.

      • Scolding7300@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        2 months ago

        I feel like this needs to be real, not a movie. Not someone who gets killed, just someone who sees their own data

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          5
          ·
          2 months ago

          You can take it a step further. If you live in an area with a lot of theft, put some tracking tags on things that tend to get stolen, then see how easily you can track them down. An attacker can track your phone in much the same way as you tracking down that tag, so if you have a particularly motivated stalker, they could figure out exactly where you are.

    • ArcaneSlime@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      6
      ·
      2 months ago

      “Don’t worry I’m just gonna do the same thing your spying apps do. Let’s see here, oh these are some interesting texts, hey pictures, ooohhh a nude well let me just “anonymize” this by removing the metadata (close enough) and I’ll just send that to my “server” (it’s my phone)… Why? Well so I can more effectively sell you things of course! It looks like you need clothes, check out these pants from Target and this shirt from H&M, don’t you wanna buy them? No? Well ok, here check out those exact same fucking things but this time from Walmart and Macy’s!”

  • astrsk@fedia.io
    link
    fedilink
    arrow-up
    37
    ·
    2 months ago

    Pretty easy steps; get app you are interested in. Deny it access to things it doesn’t need when asked. If the app proceeds to not work until you enable, delete. Otherwise, enjoy app without the unnecessary permissions.

    • lemmeBe@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      That’s my approach with Rethink DNS. I get FOSS alternatives whenever acceptable for my use case, but isolate even them to only bare working minimum of outside connections.

    • tibi@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      NetGuard just outright blocks network access. Apps can’t send tracking data if they are not able to access the servers. I’m using it in whitelist mode where I only allow access to apps that need it.

    • meneervana@lemm.ee
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      7
      ·
      2 months ago

      Most apps literally don’t work right is you do not enable all location services

      • noodlejetski@lemm.ee
        link
        fedilink
        English
        arrow-up
        15
        ·
        2 months ago

        11 out of 32 apps requesting location on my phone have the permission granted, because I actually need them to use location for one reason or another. the rest works perfectly fine with the permission disabled.

  • xylogx@lemmy.world
    link
    fedilink
    English
    arrow-up
    29
    ·
    2 months ago

    A lot of great comments here. I just wanted to add that even just your ip address is enough to roughly track your location. When your phone checks gmail you are leaving digital breadcrumbs in Google’s logs of your ip address which roughly tracks your location. App permissions will not solve this. We need strong privacy regulations with teeth.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 months ago

        And this is why my GPS and Bluetooth are disabled 99% of the time unless I’m actually using them. It cuts down on a lot of potential data leakage.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            2 months ago

            Yup, but that would require more effort (I.e. interacting w/ network operator). Tracking someone by Bluetooth can be done passively, as evidenced by services like “Find my Droid” or “Find my iPhone” or whatever.

            Blocking my cell radios eliminates the entire point of the phone for me, so the tradeoff is too steep. That said, airplane mode is right over there if you need it temporarily.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        4
        ·
        2 months ago

        There are still attacks that can get around the VPN. It certainly helps, but it’s not a complete solution on its own like VPN providers would like you to believe.

    • PriorityMotif@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 months ago

      Yes and no, when I check my actual IP address it shows that it’s somewhere pretty far away, I guess that’s where my carrier has their trunk connected.

  • FlashMobOfOne@lemmy.world
    link
    fedilink
    English
    arrow-up
    22
    arrow-down
    1
    ·
    edit-2
    2 months ago

    I have my location turned off for everything and keep mine in a Faraday bag. That said, there was one tip in this article I wasn’t aware of: deleting my advertising ID, so everyone should read it and see if you can’t improve your own privacy.

    It feels good when I have to use it and, for a moment it says “no service”, like kicking the tech assholes in the dick.

    • ayyy@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      edit-2
      2 months ago

      Reverse justification answer: to more securely verify your identity when signing into your Microsoft account

      Real answer: selling ads and building a free database for Microsoft that accurately maps IP address->physical location

      While the first statement really is true, it still doesn’t justify the other things.

  • Imhotep@lemmy.world
    link
    fedilink
    English
    arrow-up
    17
    ·
    edit-2
    2 months ago

    I loved xprivacy_lua

    You could hide almost everything.
    No app knew the other apps I used.
    No app had clipboard access. when I needed to paste something I used Xposed Edge.
    You could spoof a lot of info, GPS coordinates, IMEI … The list goes on.

    support stopped. I should check if there’s a fork.

    edit: AOSP permissions have improved and I now use almost exclusively FOSS apps, so I’m not worried, but I still miss the app.

    edit2: there’s a fork: https://xdaforums.com/t/xpl-ex-xprivacylua-ex-android-privacy-manager-hooking-manager-extended.4652573/

  • VintageTech@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    17
    ·
    2 months ago

    I don’t think enough people have mentioned that Auto manufacturers have been able to locate vehicles since the 90’s.

      • VintageTech@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        13
        arrow-down
        1
        ·
        2 months ago

        Originally the D.A.I.R. project (Driver Aid, Information and Routing) was conceptualized in the 60’s. It wasn’t until Hughes assisted EDS in the 90’s that they were able to create a beacon that could communicate via Satellite and Cellular.

        I myself didn’t realize this was a thing until about a decade ago when I was trying to create an automation for my lights to turn on when I pulled into my driveway. I kept getting a ping about 5min after my phone connected to my WiFi. The MAC matched nothing I had in the house, I just blew it off.

        When an associate stopped by to work on a HoneyPot project we started seeing a bunch of random MACs attempt to connect to the open wifi, we wrote that noise off as people walking by my house and their cell phones were just trying to connect. It wasn’t until the garbage man showed up and stopped to talk to me that I was able to find his truck listed with an address connected to the open wifi, sent a few packets, then left. We made the correlation that the MAC’s could be from cars so we started researching the manufacturer of those device MAC’s

        That pretty much opened a weird rabbit hole leading us to find out that almost every car has been tracked since the mid-90’s.

        Joking aside, I would move to Amish country if it weren’t for the whiskey and bitches. But in all honesty; my family lives a much more comfortable life than I ever imagined I would with working in the IT field.

      • AA5B@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 months ago

        Same as today, but slower.

        GM’s OnStar was notorious for this. I think the first version had a 2G cell modem

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 months ago

      I’m pretty sure my car doesn’t have tracking, and it’s from the mid 2000s. Phoning home wasn’t standard until relatively recent car models. I could absolutely be wrong though, but my understanding is that any wireless capabilities it has are limited to close proximity (i.e. tire pressure sensors and the like).

      • VintageTech@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        2 months ago

        Standard in 2008 If the auto manufacturer offered OnStar or Sirius, earlier.

        I wish it wasn’t true, and I definitely feel like a nut job when I bring it up.

        • napoleonsdumbcousin@feddit.org
          link
          fedilink
          English
          arrow-up
          9
          ·
          edit-2
          2 months ago

          Pegasus spies on all the data on a phone. If a phone is really infected with that, then location access is the least of your worries. But this is not relevant to this post anyway, because 99,9% of people will never be a valid target for such high-level spyware.

          • humblebun@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            4
            ·
            2 months ago

            Do you know what unlimited license means? 400 Russian journalists who fled to the Baltic states were compromised by Pegasus. This cancer is growing fast and if yesterday it wasn’t your business, today it is

            • K4mpfie@feddit.org
              link
              fedilink
              English
              arrow-up
              5
              arrow-down
              2
              ·
              2 months ago

              Just make a proper threat level analysis. Are you a journalist or politically exposed person in a non-democratic or semi democratic system?
              No?
              Are you in a key position of a company or agency providing (for) critical infrastructure?
              No?
              Are you just a little shit, trolling on the internet?*
              Yes? Maybe just dial that back.

              Verdict: You are of no interest for a state sponsored Spy Software or some script kiddy trying to wreck your day.

              *Hypothetical situation. Does not necessarily apply to the OP.

              • magic_smoke@links.hackliberty.org
                link
                fedilink
                English
                arrow-up
                2
                ·
                edit-2
                2 months ago

                The former is true, however anyone who’s ever looked at firewall logs will tell you plenty of skids are trying to get free domestic US IP addresses off of vulnerable home networks using automated means.

                That being said that has really has jack shit to do with personal privacy/security against state-scale dragnet surveillance.

              • humblebun@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                ·
                2 months ago

                non-democratic or semi democratic system?

                Am I right that you just called Estonia, Latvia, and Lithuania semi-democratic countries?

                • K4mpfie@feddit.org
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  2 months ago

                  I would classify them as full democracies but if you want hard numbers I would check your countries score here