<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=805153362943600&amp;ev=PageView&amp;noscript=1">

Google Services and privacy don't mix: How we removed them from Secure Phone

[fa icon="calendar"] Feb 13, 2017 6:59:43 PM

No matter what kind of Android phone you use, it is hard to escape Google’s presence. It is embedded in the OS your phone runs, and through it in every app you use. Google Services provide supplemental functionality to the various third-party apps running on your phone. And while there are plenty of cool and useful features Google Services make possible, they are undoubtedly a plague for one thing – privacy.

Google Services make some cool stuff work but not privacy. That’s why we uprooted them from our Secure Phone.

Google Services allow app developers to utilize the company’s latest technology through a set of APIs. They are part of the operating system’s application framework and make things such as maps, location tracking, and push notifications available as functionality. Those Google-powered features use the same Android Application Package (APK), which is updated automatically – and silently – through the Google Play store.

So far, nothing to make you put your tinfoil hat on. Most people are not worried about what their network provider knows about them – and the same goes about the information they send to Google.

It's not what Google knows. It is what Google shares

Location tracking is one of a dozen fundamental Google Services, but probably makes the best example regarding privacy. As long as a phone is switched on, its location can be precisely calculated due to the amount of time it takes signals from and to it to be transmitted by the nearest cell tower. The Google location service utilizes this information to make apps like Google Maps work – but also shares it with other apps like Facebook, which uses it to put a geolocation stamp on user posts.

But then again, when all kinds of apps have permission to use your geolocation, the fact that it gets stamped on all kinds of posts, tweets, pics and whatnot is not your primary problem. (Although you can probably see the potential trouble in alerting everyone on social media you are not home right now.) It is that apps can also send all the data they have anywhere they are programmed to (yes, this happens).

Geolocation is one example. What else is up for grabs in a similar manner?

  • Your Google search results
  • Your Google calendar with scheduled events
  • Your photos
  • Google maps you created
  • Your contact information
  • Your profile data
  • Your Gmail contacts
  • Your G+ posts
  • Google analytics

How we uprooted Google Services from an Android device

Let’s put it this way: Google and privacy don’t mix well. If you are concerned with the latter, you might want to have Google Services turned off. It is not an easy thing to do, though. It takes opening the Android code and surgically removing all traces of them from the OS. Which is part of what we did developing Secure Phone and the custom OS on which it runs. Besides purging the system’s kernel, libraries and Android Runtime, we also went in and customized the application framework.

It is the part of the OS which provides the skeletal structure to support the development of apps – different managers that apps use to make features work. Our developers removed and customized a handful of them:

  • Removed location manager to disable GPS tracking due to the concerns explained above.
  • Removed the notification manager, because it might potentially be used by hackers to infiltrate the device.
  • Removed the telephony manager, because it creates a possible attack surface – it holds the phone’s IMEI number, which serves to identify the handset, but can be used by impostors. Secure Phone allows calls to be made only through our encrypted voice over IP app Secure Voice.
  • Customized the package manager, which retrieves information about application packages that are currently installed on the device. It is connected with our Policy Manager app, which informs the user what policy changes have been enforced on the device via the Secure Administration System (SAS).
  • Modified the Android content provider so every app can access only its own APK. This way all the data one app holds, stays locked inside of it – for example, a third-party app cannot use the contacts stored in Secure Email.
  • Introduced full network log traceability so that all the apps on the device show what network they are using – so you can be sure you are transmitting data over a safe connection.

As you might have guessed, this means that most regular Android apps can’t work on the device. We did away with them as well, as they bring privacy risks of their own too (if you’re concerned about privacy, you are probably not Facebook’s biggest fan). Instead, we installed our proprietary apps to offer secure encrypted communications, file transfer and storage, password management, backup management and wiping capabilities for your phone. This way, security comes first without sacrificing functionality.

 

 

 

[fa icon="twitter-square"]

Topics: Android, Secure Phone, Online privacy, Google Services

Stefan Topuzov

Written by
Stefan Topuzov

Security Expert

Subscribe for updates

Recent Posts