Major privacy alert for Android users.
mastodon.sdf.org/@jack/1139522…
@jack #Privacy #Android #cybersecurity
You remember #Apple scanning all images on your #mobile device? If you have an #Android #phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by #Google. It is called #AndroidSystemSafetyCore and does exactly the same - scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so "to protect your #privacy".
You can uninstall this app safely via System -> Apps.
developers.google.com/android/…
nullagent
Unknown parent • • •The system definitely scans photos for nudity already. Today they claim the feature only runs on certain apps but as we've seen with Apple and various world governments there's a major tendency for these sorts of features to creep into all of your content whether that's what Google intended in their first release or not.
security.googleblog.com/2024/1…
@TheMNWolf @jack
5 new protections on Google Messages to help keep you safe
Google Online Security Blog
Ra
in reply to nullagent • • •GrapheneOS
in reply to Ra • • •GrapheneOS
in reply to GrapheneOS • • •@Ra See grapheneos.social/@GrapheneOS/….
GrapheneOS
2025-02-08 17:17:03
霖 リン
in reply to GrapheneOS • • •Noxy 🐾🏳️🌈
in reply to Ra • • •@Ra @GrapheneOS nope.
no such trash has shown up on my Pixel 8 Pro running GrapheneOS.
GrapheneOS
in reply to Noxy 🐾🏳️🌈 • • •GrapheneOS
in reply to GrapheneOS • • •@noxypaws @Ra See grapheneos.social/@GrapheneOS/….
nullagent
in reply to nullagent • • •For folks looking for exactly how the Android client side image scanning works or if it's present see the below. 👇🏿
partyon.xyz/@nullagent/1139663…
nullagent
2025-02-08 04:10:29
nullagent
in reply to nullagent • • •A few folks are questioning if AI scanning like what Android is doing can be misused. The last time a similar feature was coming to Apple's iOS the media rightly described it as an extremely dangerous warrantless surveillance tool.
Regardless of what Android developers intended this client side scanner to do it will be enlisted by governments of the world to spy on you and break strong encryption.
9to5mac.com/2023/09/01/csam-sc…
#privacy #cybersecurity #apple #android #ai #clientsidescanning
Apple finally admits the CSAM scanning flaw we all pointed out
Ben Lovejoy (9to5Mac)
nullagent
in reply to nullagent • • •And if you look at the current reporting on Apple and government requests for your private data...
"The encrypted data of millions of Apple users worldwide could reportedly be handed over to the government.
The Home Office has ordered Apple to let it access encrypted data stored in its cloud service, The Washington Post reported."
Demanding access to every last bit you have in any cloud is normal government stuff these days
metro.co.uk/2025/02/08/privacy…
#UKPol #EU #UK #Apple #Privacy #HomeOffice
Privacy fears for millions after government demands access to messages and photos
Luke Alsford (Metro)
Claire, The Ultimate Worrier
in reply to nullagent • • •ℒӱḏɩę
in reply to nullagent • • •Amici Is Me 🇵🇸 🇺🇦 🇳🇴
in reply to nullagent • • •Dave Mason
in reply to nullagent • • •Was the info I'm seeking in the article and I simply didn't see it?
What I'm wondering: should we expect to see Android System Safety Core in AOSP (Android Open Source Project aka 'stock Android')?
leo vriska
in reply to nullagent • • •5 new protections on Google Messages to help keep you safe
Google Online Security Blog
leo vriska
in reply to leo vriska • • •leo vriska
Unknown parent • • •Shadow Heart
in reply to nullagent • • •JustSaying
in reply to nullagent • • •Avi
in reply to nullagent • • •glad i left standard android and went back to calyx a few months ago
it doesn't seem to be in the aosp, it's something google adds after, possibly thru play services or some other proprietary blob
Noopss 🤓
in reply to nullagent • • •ᔅᑕᕐᐗᓪ
in reply to nullagent • • •SpaceLifeForm
in reply to nullagent • • •^[[200~Michael
in reply to nullagent • • •Xuebit
in reply to nullagent • • •Token Sane Person
in reply to nullagent • • •@TheMNWolf So according to this it warns the user about nudity, but does NOT notify Google.
Of course it's possible that Google is lying, but the evidence to support the main claim of surveillance isn't here.
Serge Droz
in reply to nullagent • • •To me it's not clear what this app does, in particular if it sends data back somewhere. That is the problem. That an OS regularly installs new components seems normal.
So once again, people complain about the wrong issues, and I feel this doesn't help, even if it is popular. It doesn't help, because Google can now say, all these complaints have nothing to do with reality, which is not wrong. But instead we should ask for more transparent and easily accessible info.
And I'm not saying this App is harmless. I just seem to have difficulties finding info about it.
Xuebit
in reply to nullagent • • •harmone
Unknown parent • • •@nazokiyoubinbou @leo > And with things as they are going right now, they might not even [have to] notify you.
should be:
And with things as they are going right now, they might not even [be allowed to] notify you.
Six Grandfathers Mountain
in reply to nullagent • • •RE
Privacy alert for #androidsecurity #android
Maybe this setting is NOT what you are talking about, but... sounds similar
There is a setting to have "take and use images on the screen"
Samsung Tablet #OneUI6 #android14
see the 3 images
arbinslimited
in reply to nullagent • • •Ange des ténèbres 🐈
in reply to nullagent • • •I checked and I confirm it was installed on my phone.
Now removed 🐱
@jack
KRDL
in reply to nullagent • • •GrapheneOS
in reply to nullagent • • •
jonny (good kind)
in reply to GrapheneOS • • •d@nny mc²
in reply to jonny (good kind) • • •GrapheneOS
in reply to d@nny mc² • • •@hipsterelectron @jonny
Here's a thread on what it is:
grapheneos.social/@GrapheneOS/…
It's tiring going through endless news cycles of fake privacy and security threats and we don't really have the energy to deal with it more than that.
We're dealing with ongoing attacks on GrapheneOS on X by several different charlatans/scammers and we've been focused on dealing with that rather than writing about something like this. Threw together a quick thread about what it is though.
Bitslingers-R-Us
in reply to GrapheneOS • • •"The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc."
Forgive me if I'm not understanding correctly, but to clarify:
That statement could be misconstrued to suggest that "on-device machine learning models usable by applications to classify content" is different and distinct from "client-side scanning". To clarify, those're two ways of saying the same thing, with one being more specific. Do you really intend to just point out that it doesn't report things to Google or anyone else by default, and/or that the "client side scanning" is a scan-on-request thing, and not a let's-scan-the-whole-device-by-default thing?
What's stopping any app from using the output of the "on-device machine learning models" to report to third parties?
GrapheneOS
in reply to Bitslingers-R-Us • • •GrapheneOS
in reply to GrapheneOS • • •jonny (good kind)
in reply to GrapheneOS • • •I've said it before and I'll say it again, really appreciate what you do.
Travis Southard
in reply to GrapheneOS • • •Tom Walker
in reply to nullagent • • •Gytis Repečka
in reply to Tom Walker • • •Tom Walker
in reply to Gytis Repečka • • •Gytis Repečka
in reply to Tom Walker • • •Anne at Millrace
in reply to nullagent • • •WvOostveen
in reply to nullagent • • •Chewie
in reply to nullagent • • •Right now, in the January patch of Android 13, I don't seem to have it
Simon Brooke
in reply to nullagent • • •thanks, removed. At the same time I disabled (you can't remove) 'Android System Intelligence', which I presume is
a: what's giving all the annoying 'google assistant' stuff, and
b: what's burning up my battery so fast since the last update.
Kaito
in reply to nullagent • • •
Anthropy
in reply to nullagent • • •I'm not sure if that app specifically scans photos, AFAIK it only scans for malicious apps - although if they broadened the scope that wouldn't be surprising to me either.
I however do know that the EU and USA both mandate running CSAM scanners on any cloud platform, so if you upload anything to Google Drive, OneDrive, Dropbox, iCloud, etc, you will definitely get screened for CSAM and alike.
As much as I hate that, the only way around that is to run your own infra from scratch.
joene 🏴🍉
in reply to nullagent • • •Travis Southard
in reply to nullagent • • •01micko
in reply to nullagent • • •Wim Turnhout 🇺🇦 🍉 🇵🇸
in reply to nullagent • • •Oud Zeikwijf
in reply to nullagent • • •Mahesh Rijal
in reply to nullagent • • •Arlindo Fragoso
in reply to nullagent • • •Ken
in reply to nullagent • • •Paperpad
Unknown parent • • •Emil 🇵🇸
in reply to Token Sane Person • • •@tokensane @TheMNWolf This!
Without any result of the scanning leaving the device I do not see the privacy implications at all.
nullagent
in reply to Paperpad • • •Exactly. Right at a time when SMS(RCS) end-to-end security is improving isn't it odd that suddenly there's so much helpful client side AI that wants to read your messages. 🤔
Is -accidentally- sending a nude really this big of a problem that ALL android users need this feature turned on by default without warning overnight?
Paperpad
in reply to nullagent • • •Iwillyeah
in reply to leo vriska • • •@leo @nazokiyoubinbou then why is it installing itself? 'we don't do anything, we just LOOK' does not make me any happier to have a Peeping Tom invite themselves into my garden.
I'm not disagreeing with the info you're sharing, and thank you for it, it just feels like it's maybe not the whole story.
Panicz Maciej Godek
Unknown parent • • •the fact that some company can install an app without your consent means that no, it wasn't ;]
@nullagent @jack
Ash_Crow
in reply to nullagent • • •Lady Errant
in reply to nullagent • • •seyon
in reply to nullagent • • •SekhmetDesign
in reply to nullagent • • •privacy_guru
in reply to nullagent • • •It looks like this app was released a few months ago. Here is a video I found explaining how it blurs pictures and how this will eventually be a part of the messenger app as well. youtube.com/watch?v=1rdlTveD8F…
I found many reviews on Google Play complaining about this app just being installed without notice but that it can be deleted. At least for now. A humorous review said Gemini told them the app was unsafe and to delete it, so they did.
- YouTube
www.youtube.com
kwayk42
in reply to nullagent • • •nullagent
Unknown parent • • •@shannonpersists
In the narrow case of the android feature it claims to only scan content in the default SMS/RCS messaging app.
It's not clear how easily this could be applied to other apps (or if it already has that capability).
Pieter
in reply to nullagent • • •DaveKaz
in reply to nullagent • • •2. It was not on device only in iCloud
Emil 🇵🇸
in reply to Paperpad • • •BrambleBearGrrrauling
in reply to Emil 🇵🇸 • • •Anyone have any thoughts on or experience with Linux phones?
GrapheneOS
in reply to nullagent • • •See grapheneos.social/@GrapheneOS/….
GrapheneOS
Unknown parent • • •@jinx See grapheneos.social/@GrapheneOS/….
Karpour
in reply to nullagent • • •
Infrapink (he/his/him)
in reply to Karpour • • •@karpour
Because it isn't happening:
grapheneos.social/@GrapheneOS/…
nullagent
in reply to Infrapink (he/his/him) • • •@Infrapink @karpour
The way Graphene handled releasing this feature (opt in, not installed by default, thorough risk analysis) is exactly the opposite of how Android released it (opt-out, installed OTA by default, limited explanation)
While I agree with the Graphene team's analysis (client side AI can work in the user's best interest, some people might want & like this one) I think the style of rollout on Android alone is enough for many privacy minded folks to not trust this new feature
Gerbrand van Dieyen
in reply to nullagent • • •play.google.com/store/apps/det… no idea how it ended up on my phone. No description either although you can enter the beta program ?
Android System SafetyCore - Apps on Google Play
play.google.com
Xoa Gray
in reply to nullagent • • •Honestly at this point we should just function under the assumption that any internet connected device, especially smartphones, is going to do something like this. If it's not doing it already.
It also wouldn't shock me if just removing them wasn't enough, as I'm assuming they'll reinstall themselves.
Erik van Straten
in reply to nullagent • • •: it was on my Google Pixel 6 Pro smartphone.
I installed it less than 2 hours ago (infosec.exchange/@ErikvanStrat…) after reading Tuta's (@Tutanota ) toot in mastodon.social/@Tutanota/1139….
@jack
#CameraInYourBathroom #ClientSideScanning #AndroidSystemSafetyCore #CSS #ChatControl #Privacy #BigBrother #BigTechIsEvil #GoogleIsEvil #WhatAreTheySmoking
Erik van Straten
2025-02-08 17:38:14
Eduard T
in reply to nullagent • • •as per the linked docs:
> These APKs power the Sensitive Content Warnings and cryptographic key verification feature **in Google Messages** respectively. The transparency log we published to verify the claims that we make with regards to these APKs.
So, it's just for Google Messages...
gmoore
in reply to nullagent • • •gmoore
in reply to nullagent • • •soup :)
in reply to nullagent • • •Tea 🍵 💙🎶🌻
in reply to nullagent • • •author_is_ShrikeTron🔠💉x7
in reply to nullagent • • •Or it's this, scanning for #CSAM
actionnetwork.org/petitions/go…
You should get rid of it if you have something to hide.
Google: Scan Android Devices for CSAM
actionnetwork.org
Royal Sefton
in reply to nullagent • • •Mysturji
in reply to nullagent • • •Stefan
in reply to nullagent • • •If you have an #Android #phone, a new app that doesn't appear in your menu has been automatically and silently installed (or soon will be) by #Google. It is called #AndroidSystemSafetyCore and does exactly the same -scan all images on your device as well as all incoming ones (via messaging). The new spin is that it does so "to protect your #privacy".
You can uninstall this app safely via System -> Apps.
@KainEAhnung
Stefan
in reply to nullagent • • •HOLY SHIT, I had no clue!‼️
THANK YOU, for reminding the public about this privacy incident. 👍
#Privacy #Android #Cybersecurity
@jack @KainEAhnung
elpolacodesplegado
in reply to nullagent • • •@jack
GeoWend
in reply to nullagent • • •Hyperbolix Prudens 🎹🖌️⌨️
in reply to leo vriska • • •The wording of this paragraph is very specific and we should not paraphrase this.
m04
in reply to Hyperbolix Prudens 🎹🖌️⌨️ • • •> All of this happens on-device to protect your privacy and keep end-to-end encrypted message content private to only sender and recipient.
which i think would imply it doesn't get sent to someone else either? it sounds like they're using an on device machine learning model to classify images then only use that result locally
Hyperbolix Prudens 🎹🖌️⌨️
in reply to m04 • • •I'm sorry but this refers only to the recognition process.
It is absolutely unclear how the recognition actually works and where the data or procedure comes from, that is used for this purpose and what happens with data, that is not explicitly mentioned in this text.
Krispijn Beek
in reply to nullagent • • •