Month: June 2016

Android 6.0 New Permission Universe Turned Upside Down

Users asked for runtime permissions, and they got runtime permissions, sort of.

Google “fixed” the sandboxing model in Android 6.0, and one of the “cool” features is that now all Android Apps get access to the Internet, including mine. Hurray! … Crap, there goes my trustless security and privacy. Thanks Google, you are such a great friend!

But I really do not want Internet access for my Apps. Which means that now my firewall needs to be extended.

 

Sandbox? What Sandbox?

Google actually went to great lengths to “fix” the sandbox and the permission model in Android 6.0.

“For example, if an app had previously requested and been granted the READ_CONTACTS permission, and it then requests WRITE_CONTACTS, the system immediately grants that permission.”
https://developer.android.com/guide/topics/security/permissions.html

Which means that now malware has a new attack surface. Ask the user for permission to Read files/contacts, and once you have that permission, shamelessly ask for permission to Write files/contacts, which will be granted automatically because both permissions belong to the same permission group.

 

What can we learn from this?

Android 6.0 effectively turns the Permission Model upside down. From a universe in which you could trust a local-services-only App (like mine), we transitioned into a universe in which the local processing of data must be distrusted by default, unless the phone comes with other services to protect the user:

  • Internet access is granted to all Apps, regardless of whether they need it or not.
    • Effectively, Internet permission is worthless.
  • Local trust means nothing anymore in your App. Apps can kindly request Read Access, and Android 6.0 colludes with anyone who wants to abuse the user’s trust, by automatically offering Write Access too, without the user’s permission.
    • Effectively, Read-Only permission does not exist in Android 6.0.
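
An added example, not from the original post: a manifest audit that lists which declared permissions Android 6.0 grants without their own prompt, following the READ_CONTACTS/WRITE_CONTACTS behaviour quoted above. It relies on the fact that only permissions declared in the manifest can be granted; the group table is a subset of the platform's groups, and the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Subset of the Android 6.0 dangerous-permission groups (not the full table).
GROUPS = {
    "CALENDAR": {"READ_CALENDAR", "WRITE_CALENDAR"},
    "CONTACTS": {"READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS"},
    "STORAGE": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}
# INTERNET is a "normal" permission: granted at install time, never prompted.
INSTALL_TIME = {"INTERNET"}

# Constructed sample manifest for a hypothetical app, com.example.notes.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the android.permission.* names a manifest declares, prefix stripped."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names


def audit(manifest_xml):
    """Report install-time grants and groups where one approval covers several permissions."""
    perms = declared_permissions(manifest_xml)
    shared = {}
    for group, members in GROUPS.items():
        declared = sorted(perms & members)
        if len(declared) > 1:  # one user approval unlocks every declared sibling
            shared[group] = declared
    return {"install_time": sorted(perms & INSTALL_TIME), "shared_prompt": shared}


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

Any group listed under `shared_prompt` is one where a single user approval covers every listed permission, so a read request that looks harmless should be reviewed together with its declared siblings.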

 

What can I do?

My business model is not compatible with this new universe, so now I have to integrate NetGuard into my Firewall – which is, BTW, the number 1 reason for which my Firewall was rated with 1 star by users. And while I am at this task, I will integrate BitTorrent and Better by http://ind.ie too.

In Defense Of Google, Really – It’s The Algorithmic Bias, Stupid

By now everyone knows about Google’s Search Engine BIAS when it comes to Hillary Clinton’s Crimes, but this bias is not the bias that you expect.

Algorithmic Biases are not expressed in the form of “I like Hillary” or “I don’t like Hillary”, although this might be the case, who knows, but it is not THE BIAS.

It is a bias related to how we write and optimize code or use data.

The Search Algorithm’s biases are there to ensure optimum performance, maximum user satisfaction, relevance, truthfulness and more, as decided by developers and/or AI.

Let’s take the case of “Hillary Clinton cr…” autocomplete.

  • First, how is it implemented?
    • YOU HAVE NO RIGHT TO DEMAND A PRIVATE BUSINESS THESE DETAILS
  • What is it optimizing?
    • It could optimize that the whole autocomplete index fits in memory
    • It could just show top 5 most used searches of last month for each prefix
    • It could apply a quality score and a count for each suffix
    • It could sort on a function of quality/score + quantity of suffixes
    • It could add to score the score of the top 10 results
    • It could add to score the trustfulness of top 10 results
    • It could prune longer sequences because shorter ones already exist (e.g. Drop Hillary Clinton Crimes, because Hillary Crimes is same, better and shorter)
    • It could drop terms deemed problematic
    • It could replace terms with synonyms
    • It could perform any dark magic to prune the list of autocompletes or reorder them to maximize something
    • YOU HAVE NO RIGHT TO DEMAND A PRIVATE BUSINESS THESE DETAILS
  • What data does it use?
    • It could use search data from the past 1 hour, 1 month, or 1 year
    • It could filter out the last hour to prevent manipulation
    • It could combine search data with data found in web pages
    • YOU HAVE NO RIGHT TO DEMAND A PRIVATE BUSINESS THESE DETAILS

The algorithm has Biases: it discriminates between old data and new data, long sequences and shorter sequences, terms used in quality pages or spammy pages, the number of times a term is searched, and much more. It biases between Autocomplete A and B based on complex formulas. And it is NONE OF YOUR DAMN BUSINESS WHY!

You assumed that Google’s Autocomplete shows what People Are Searching For, just like conservatives assumed of Facebook that Trending matches what People Search For. WRONG!

If you DON’T LIKE HOW GOOGLE IMPLEMENTED AUTOCOMPLETE, GO AND USE YAHOO AND BING.

YOU HAVE NO RIGHT TO DEMAND A PRIVATE BUSINESS TO CHANGE HOW ITS SERVICES WORK!

IT’S THE ALGORITHMIC BIAS, STUPID!