madars · 5 years ago
I was reading about this yesterday and confirmed that I did not have

gov.ma.covid19.exposurenotifications.v3 nor gov.ma.covid19.exposurenotifications installed. I turned off auto-updates in the Play store (Settings -> Network preferences -> Auto update apps -> Don't auto update apps) and went to sleep. This morning I woke up with a cheerful notification that Google can help with COVID notifications and gov.ma.covid19.exposurenotifications.v3 installed -- the app was pushed overnight over explicit instructions NOT to update (sure, one can say auto-install != auto-update, but it is worrying that forced pushes can happen even with every single relevant UI switch turned off).

adb logcat seems to have the following relevant lines:

    06-19 09:27:54.481  1689  1990 I PackageManager: Integrity check passed for file:///data/app/vmdl1074248108.tmp
    [..]
    06-19 09:27:55.580  1689  5456 D PackageInstallerSession: Ignoring abandon after commit relinquished control
    [..]
    06-19 09:27:55.649  1689  2530 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.PACKAGE_ADDED dat=package:gov.ma.covid19.exposurenotifications.v3 flg=0x4000010 (has extras) } to com.google.android.packageinstaller/com.android.packageinstaller.PackageInstalledReceiver
    (+ lots of other similar intents)
After that the package immediately becomes active:

    06-19 09:27:56.539  1689 13571 D ConnectivityService: requestNetwork for uid/pid:10450/30673 NetworkRequest [ TRACK_DEFAULT id=1249, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10450 AdministratorUids: [] RequestorUid: 10450 RequestorPackageName: gov.ma.covid19.exposurenotifications.v3] ]
    06-19 09:27:56.540  1689  3625 D ConnectivityService: NetReassign [1249 : null → 102]
    [..]
    06-19 09:27:56.833  1689  3750 E JobScheduler.Background: App gov.ma.covid19.exposurenotifications.v3 became active but still in NEVER bucket
So no, it is not just "oh those people opted in and just forgot".
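The logcat excerpt above is enough to reconstruct the install timeline mechanically. The following is an added example, not code from the post or from Google; it parses `PACKAGE_ADDED` broadcasts and the first `requestNetwork` call per package out of logcat text, flags any added package that is not on a user-supplied allowlist, and diffs two `adb shell pm list packages` outputs (lines of the form `package:<name>`) taken before and after an overnight window. The sample log lines are constructed to match the shape of the ones quoted above, and the allowlist is a hypothetical value the user would supply.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines modelled on the logcat excerpt quoted in the post above.
SAMPLE_LOGCAT = """\
06-19 09:27:54.481  1689  1990 I PackageManager: Integrity check passed for file:///data/app/vmdl1074248108.tmp
06-19 09:27:55.649  1689  2530 W BroadcastQueue: Background execution not allowed: receiving Intent { act=android.intent.action.PACKAGE_ADDED dat=package:gov.ma.covid19.exposurenotifications.v3 flg=0x4000010 (has extras) } to com.google.android.packageinstaller/com.android.packageinstaller.PackageInstalledReceiver
06-19 09:27:56.539  1689 13571 D ConnectivityService: requestNetwork for uid/pid:10450/30673 NetworkRequest [ TRACK_DEFAULT id=1249, [ Capabilities: INTERNET&NOT_RESTRICTED&TRUSTED Uid: 10450 AdministratorUids: [] RequestorUid: 10450 RequestorPackageName: gov.ma.covid19.exposurenotifications.v3] ]
06-19 09:27:56.833  1689  3750 E JobScheduler.Background: App gov.ma.covid19.exposurenotifications.v3 became active but still in NEVER bucket
"""

TIMESTAMP_RE = re.compile(r"^(\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
PACKAGE_ADDED_RE = re.compile(
    r"act=android\.intent\.action\.PACKAGE_ADDED\s+dat=package:([\w.]+)"
)
NET_REQUEST_RE = re.compile(r"requestNetwork .*?RequestorPackageName:\s*([\w.]+)")


def find_package_installs(logcat: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each package seen in a PACKAGE_ADDED broadcast to the timestamp of
    that broadcast and of its first default-network request afterwards."""
    events: Dict[str, Dict[str, Optional[str]]] = {}
    for line in logcat.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group(1) if ts_match else None
        added = PACKAGE_ADDED_RE.search(line)
        if added:
            # Keep the first PACKAGE_ADDED; later duplicates are the same install.
            events.setdefault(added.group(1), {"installed_at": ts, "first_network_at": None})
            continue
        net = NET_REQUEST_RE.search(line)
        if net and net.group(1) in events and events[net.group(1)]["first_network_at"] is None:
            events[net.group(1)]["first_network_at"] = ts
    return events


def unexpected_installs(logcat: str, allowlist: Set[str]) -> List[str]:
    """Packages that were added during the captured window but that the user
    did not expect (allowlist is supplied by the user; hypothetical here)."""
    return sorted(pkg for pkg in find_package_installs(logcat) if pkg not in allowlist)


def new_packages(baseline: str, current: str) -> List[str]:
    """Diff two `adb shell pm list packages` captures; each line looks like
    'package:com.example.app'. Returns packages present only in `current`."""
    def parse(text: str) -> Set[str]:
        return {
            line.split(":", 1)[1].strip()
            for line in text.splitlines()
            if line.startswith("package:")
        }
    return sorted(parse(current) - parse(baseline))


if __name__ == "__main__":
    for pkg, info in find_package_installs(SAMPLE_LOGCAT).items():
        print(f"{pkg}: installed {info['installed_at']}, first network {info['first_network_at']}")
    print("unexpected:", unexpected_installs(SAMPLE_LOGCAT, {"com.example.expected"}))
```

Feed it a real capture with `adb logcat -d > log.txt` and `adb shell pm list packages > before.txt` / `after.txt`; the timeline shows how quickly a silently added package goes from `PACKAGE_ADDED` to requesting the default network, which is the part of the post that rules out "the user opted in and forgot".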

mrtksn · 5 years ago
Remember when Tim Cook put Bono's album in the iTunes library of everybody? That's when it felt like smartphones are not our devices. Someone you don't know can add a U2 album to your library without you asking for it or being able to do anything about it.

You can understand it with an OS update. It's the new shiny thing that comes with a bunch of stuff and this new one has this new app.

However, getting it without action on our own part feels very wrong. Even with games, you would receive a pack or something that you can take action to activate. When it's happening without our action, it messes with our sense of control and continuity.

14 · 5 years ago
Omg are you serious?! I have forever wondered how the heck I somehow managed to get the U2 album on my phone. I used to put a lot of music on my phone and assumed I did it by accident somehow even though I didn’t own the U2 album (I used to download a lot of music back then so assumed I did it by accident). That solves a crazy long-lived mystery on my end, thank you. I don’t even know how I feel about that now. I don’t like that they can push things to my device. What is next, photos? If someone can just insert data into a phone how can we in a court of law accept that it wasn’t false? I really hope some follow up on how this happened comes out.
musicale · 5 years ago
That was completely bungled.

If they had simply made it free to download for 24 hours, or pay-what-you-want donated to charity, few would have complained, and it would probably have generated a lot of positive rather than negative publicity.

webinvest · 5 years ago
I quite like Bono’s U2 album. Also it doesn’t come with any downsides like the Massachusetts app does.
fomine3 · 5 years ago
Let's see what will happen with Apple's upcoming U2 chip.
grishka · 5 years ago
It's pure madness that Play Services comes with this sort of backdoor. This is clearly what I would consider a deliberate RCE vulnerability.
dTal · 5 years ago
It doesn't "come with" this backdoor. It is this backdoor. Maintaining a connection with the Google mothership is, approximately, Play Service's entire function.
Aerroon · 5 years ago
Somebody that's affected by this should report it as a remote code execution vulnerability in the PlayStore app.
saganus · 5 years ago
This is why I like installing a firewall in my phone.

I have used Glasswire and am pretty happy with it (no affiliation) because it allows me to block individual apps from having internet connectivity, and can configure it to notify me the first time an app tries to connect.

Of course, the problem is that it's a hassle to have to check and block new stuff, or unblock when I need to use something (e.g. Uber).

notwhereyouare · 5 years ago
Did you check your covid19 exposure opt-in settings? Of everything you mentioned you checked, I didn’t see you say you checked that setting.

That setting could be what caused the install

madars · 5 years ago
Yes, I confirmed last night that Settings -> Google -> COVID-19 Exposure Notifications was off. (Aside, I read somewhere but have not confirmed this myself that manually enabling that setting leads to a flow for installing the gov.ma.covid19.exposurenotifications app, whereas the forced update is gov.ma.covid19.exposurenotifications.v3 -- note the extra v3). By the way, MassNotify app is not visible from Play Store search (both on mobile and on desktop -- https://play.google.com/store/search?q=MassNotify) and does not create an icon -- you can only find it in Play Store via its internal name (e.g. a link like https://play.google.com/store/apps/details?id=gov.ma.covid19...), and would have to specifically look in system dialog for all apps to see if it is installed.
ElViajero · 5 years ago
It is obvious that we need better legislation to deal with all the new possibilities that technologies have opened.

The installation of this app, even done with good intent, opens a lot of questions on what should or should not be possible for government and corporations to do.

When you get a device with pre-installed, uninstallable, or auto-installed apps, what are the rules?

> "By enabling this service, you can be quickly notified if you’ve likely been exposed to the virus by another MassNotify user, allowing you to reduce risk to your loved ones, seek medical attention, and slow the spread in your community."

In this case it seems that the same goal could have been better achieved by SMS, which does not depend on the brand of your phone. The dependency on proprietary app stores and OSs seems a risk for the continuation of free and reliable communications.

The only thing that is impossible to achieve without an app is to allow the user to select contacts to whom to send a notification. Corporations like Google and Apple know the list of all your contacts. So, it seems that the intention of the app is to reduce friction and send notifications as easily and effortlessly as possible to avoid procrastination causing people to delay the warning.

But, instead of the silent install the government could have spent money on advertising campaigns to ensure a correct amount of installations. It costs money, but people pay taxes so the government can engage in this type of initiative at scale. This could have been a very good alternative, even if it means increasing the budget. Medical emergencies are worth the investment.

dagi3d · 5 years ago
> In this case it seems that the same goal could have been better achieved by SMS that do not depend on the brand of your phone. The dependency on proprietary app stores and OSs seems a risk for the continuation of a free and reliable communications.

While installing an app without users' consent can be as questionable as you want, the point about these apps is not the notifications themselves but the contact tracing, which is achieved through the Bluetooth functionality. Also, sending SMS messages has other privacy concerns that the tracing apps have tried to avoid from the very beginning. Having a person's phone number can lead to eventually identifying that person, while the internal trace id it might use won't.

esyir · 5 years ago
This sounds worse to me? Rather than violation of a relatively small privacy (phone number), you instead get timestamped social graph interactions in the physical world. This seems like a far more extreme invasion than the former.
theteapot · 5 years ago
> having a person phone number can lead to eventually identify that person while that internal trace id it might use, won't.

What? Many, many bad people seem to somehow have my number. Practically daily I get SMSs saying "I've been transferred $5000 to the please login to confirm your transaction .." or some such. I block but they keep on coming. Now, I think I'd rather the person who was responsible for these SMSs have my phone number than a freaking app running on my phone, especially an app that was basically snuck on without consent.

thepete2 · 5 years ago
Would it not be possible to send everyone currently in the state an SMS? I personally would be okay with the government having access to this type of PSA.
underseacables · 5 years ago
“ When you get a device with pre-installed, uninstallable, or auto-installed apps.”

We’ve never had televisions in the house, but I finally broke down and bought a television so my kids could watch Disney+ on the big TV. The first television I purchased was a Samsung, and it came with these apps that I could not uninstall, did not want, and in fact used storage space that I couldn’t do anything about. I put it back in the box and took it back to the store, and got an LG. Very frustrating experience.

trulyme · 5 years ago
I can relate completely. A bit surprised by the LG though - was it any better wrt. preinstalled crapware?
mavhc · 5 years ago
That's why it was cheap. But why care about storage space inside your TV?
yunohn · 5 years ago
> instead of the silent install the government could have spend money in advertisement campaigns

This absolutely does not work. Here, the NL gov tried this and almost nobody installed the app, despite it using the privacy-safe google/apple API.

slipframe · 5 years ago
If people don't want to install the app, then that should be the end of it. The government's inability to convince people to install the application should not justify the application being installed anyway. Just the contrary.
avian · 5 years ago
I'm not from NL, but I am someone that did not install the COVID tracing app that our government provided (for voluntary installation).

My reason was that I was not convinced by the PR that it is actually privacy safe. Just repeating "it uses a safe API, trust us/Google/Apple" was not enough for me.

The subcontractor that made the app did dump some source code on GitHub saying "see, we have nothing to hide". However it was very obviously not the same code as the app published on the Play store (for a start, it had a different version number), it had a cleared-out commit log, etc. Questions about that went unanswered as far as I know.

I try my best to prevent COVID spread, wear a mask, got vaccinated as soon as possible, etc. I think it's more likely that the thing with the app was just developers not wanting to bother too much with things they were not paid for than anything nefarious going on. However it raised enough red flags for me that I was not comfortable installing the app on my phone.

Deleted Comment

thu2111 · 5 years ago
It's smart. The result of using these apps is that lots of people have to quarantine, even though these policies have not resulted in any impact on the virus in any way, and even though there can be test false positives (which is officially denied, so there is no way to appeal any positive test result). Why would people want to sign up for that?
mixmastamyk · 5 years ago
Freedom at work is a beautiful thing.
raxxorrax · 5 years ago
> It is obvious that we need better legislation to deal with all the new possibilities that technologies have opened.

It is not a new technology at all. It is the same old one that looks new and shiny, but is complete shit because the software doesn't behave.

chrischattin · 5 years ago
If you think legislation is the answer, I’ve got a bridge to sell you. Who do you think writes the legislation and hands it to X representative? How naive...

HN crowd has fallen pretty far. Used to be WE build the things that make our lives better and now the top comment is calling for some ethereal "they" to come up with legislation?

That’s BS. And, antithetical to any builder/hacker ethic.

We build the world we want.

sp332 · 5 years ago
This defeatist attitude toward legislating is self-perpetuating. We can at least hold our representatives accountable.
ben_w · 5 years ago
That was viable when computers were a tiny part of the world, but not when our power to change things became too great to be ignored.

Even back in the day when you could convince a public payphone to work for free by whistling the right way, that kind of interference in a public communications channel was enough for the powers that be to get worried. Now? Now phones are effectively universal, and every government can afford to pay developers to insert obfuscated backdoors in open source code, while the richest could do the same with the hardware from the silicon wafer up to the finished product. And they do, because they want to keep their power.

Just as you go to war with the army you have rather than the army you want, if you seek to improve our security and freedom you have to use the political power structures that exist rather than the ones you want to exist.

Deleted Comment

de6u99er · 5 years ago
> It is obvious that we need better legislation to deal with all the new possibilities that technologies have opened.

How about applying common sense?

themusicgod1 · 5 years ago
Or how about people just use GNU instead of GAFAM crapware? Turn "silently installing things in the background" off by default and maintain user control over all their hardware.

It's not like Richard Stallman hasn't been warning of this sort of thing happening for decades - the GNU project exists for a reason, and we should use their code for general purpose computing.

https://news.ycombinator.com/item?id=25402024

askmike · 5 years ago
I think covid has shown that when the world is faced with a pandemic, not everyone agrees on what common sense is in terms of how to respond as a society/government.
sokoloff · 5 years ago
The difficulty of taking a government-sponsored and government-accessible substantial privacy risk (at a minimum) is something that some will find utterly unacceptable and others will think might be concerning or unacceptable in general but is righteously justified in this specific situation.

The first group’s common sense says “don’t install”; the second group’s common sense says “install via subterfuge if necessary”.

oigursh · 5 years ago
Common sense is not so common.
NoImmatureAdHom · 5 years ago
Fellow humans, there are alternatives! Your neck need not be under FAANG's boot! You don't even need to give up any functionality:

CalyxOS: https://calyxos.org/ Privacy-respecting Android distribution that replaces Google spyware with MicroG, so you can have your cake and eat it too. Most everything will work as you're used to, but it does still talk to Google to make that happen.

GrapheneOS: https://grapheneos.org/ Very much like Calyx, but extra-hardened and with no MicroG. No involvement with Google at all.

LineageOS: https://lineageos.org/ The successor to CyanogenMod, will work with many different phones. More privacy and control than stock Android.

There are also many others: Sailfish, Replicant, e

Hardware-wise: CalyxOS and GrapheneOS run best on Pixel 3, 3a, 3XL, 4, 4a, 4XL, 5. The path of least resistance is to get one of these phones and run CalyxOS (if there is an app you need to use that needs Google services like Firebase Cloud Messaging...note that many that can use FCM will run fine without), otherwise run GrapheneOS.

You can also buy a Librem 5 https://puri.sm/products/librem-5/ If privacy and security and hacking are really important to you.

Or a pinephone: https://www.pine64.org/pinephone/

KronisLV · 5 years ago
Here's my phone: https://www.gsmarena.com/ulefone_armor_x7_pro-10293.php

It's not supported by CalyxOS: https://calyxos.org/get/

It's not supported by GrapheneOS: https://grapheneos.org/faq#supported-devices

It's not supported by LineageOS: https://download.lineageos.org/

It's not supported by Sailfish: https://shop.jolla.com/

It's not supported by Replicant: https://www.replicant.us/supported-devices.php

Librem 5 is 8-9x more expensive than my current device: https://shop.puri.sm/shop/librem-5/

PinePhone seems more promising, but the battery capacity is lower, and the other specifications are (slightly) worse as well: https://pine64.com/product-category/pinephone/?v=0446c16e2e6...

I feel like that perhaps calls for an asterisk to be added to your statement:

  Fellow humans, there are alternatives*!
  *As long as your device is one of the supported pieces of flagship hardware and/or you get a device specifically for it.
Which is unfortunate, because a lot of those devices won't be as affordable. I bought my phone for just over 100 euros, in part because it has a recent enough OS version and is pretty tough.

I feel like this situation won't improve until manufacturers get their crap together and make devices based on more open standards which may or may not ever happen. I still dream about the same level of hardware support that GNU/Linux has (with proprietary drivers), where most distros just run on most hardware.

trulyme · 5 years ago
The alternatives are just that - alternatives. Don't want to make compromises needed for them? Then don't and stay in Google / Apple candyland. Or, make a sacrifice yourself and develop the missing support for the phone you fancy. Manufacturers don't have incentives to help out here, with a precious few like Librem and Pine. I for one am happy they exist and will be glad to shell out 8-9x as much money for a promise of better privacy. And when many do so, the prices will come down too. There is no reason for having a load of tracking on your phone, it is there just because its OS was developed by an advertising agency. And the alternative is worse in freedom-to-fix view because Apple.
PufPufPuf · 5 years ago
That just seems like bad luck -- if your phone is even somewhat popular, there's going to be an XDA forum dedicated to it. I used to have an LG L90, a low-end phone bought for ~€120 that was by no means "flagship hardware". The phone shipped with Android 4.2, which was then OTA-updated to Android 5. Thanks to Cyanogenmod and later LineageOS, I managed to install Android 6, 7, and 8 as they came out, and only stopped using the phone after it physically broke down.

Ulefone doesn't seem to be that popular -- it's not even listed among phone brands on the XDA forums (https://forum.xda-developers.com/all-forums-by-manufacturer). If you want to have a €100 phone with LineageOS support, you definitely can (and do note that the LineageOS website lists only the "officially" supported models, not the community ports).

ViViDboarder · 5 years ago
You can choose an alternative phone next time… just because you have a poorly supported phone doesn’t mean these options aren’t alternatives for you. Just that they aren’t free (as in beer).
NoImmatureAdHom · 5 years ago
It looks like you can get a used Pixel 3a for ~$100: https://www.ebay.com/sch/i.html?_nkw=pixel+3a&_sacat=0&LH_Ti...

(this is US ebay, but I assume prices are similar)

I think Calyx still supports Pixel 2, but you've got to trade off the likely length of continuing support against price, of course.

grishka · 5 years ago
I've been thinking about getting away from proprietary Google Services and their backdoors, but the one thing that's holding me back is Google Pay (NFC payments). It's way too convenient and I'm unwilling to give it up. Is there an open-source replacement/reimplementation maybe, or something like a way to run the original proprietary app with MicroG? What about other apps that require SafetyNet?

(Important note: I'm not from US)

(Google's data collection isn't much of a concern for me anyway because I block all ads and analytics — so even if they do collect something, they have no way of showing me ads)

PufPufPuf · 5 years ago
There are some banking apps that use their own NFC implementation instead of Google Pay -- my bank used to do this before they caved and switched to Google Pay.

As an alternative, you may get a Curve card (https://www.curve.com/) to regain some of that convenience -- it can connect to several physical cards just like Google Pay does, but itself is a physical card.

caeril · 5 years ago
NFC is perhaps two seconds more convenient than a chipped card. Two seconds is worth the price of living in a panopticon?
NoImmatureAdHom · 5 years ago
Have you thought about looking in to the problem yourself, or maybe just throwing some coffee money at the devs who are?

I'd argue you should still be concerned about data collection even if you're successfully blocking ads. It doesn't worry you that some super-powerful faceless corporation tracks your every move in the real world? It's one of those things...it won't be a problem until it is ;-)

dpifke · 5 years ago
I really want a Librem 5.

I ordered (and paid for) one in October, 2017. It might ship in October or November of this year.

NoImmatureAdHom · 5 years ago
I think of a prepurchase from Purism as something halfway between a purchase and a donation. They're truly doing the work that needs to be done, and I'm happy for them to take my money.
FearlessNebula · 5 years ago
Even with Graphene OS you’re still using a phone that has a proprietary modem which has its own hidden CPU that acts like a black box. Who knows what it does or if it can read main memory.
clarkmoody · 5 years ago
Don't let perfect be the enemy of good and always evaluate solutions against your threat model.
ellenhp · 5 years ago
I'm not smart enough to know what some of these words mean or if this guy is being truthful, but I found this comforting to read as a GrapheneOS user:

https://grapheneos.org/faq#baseband-isolation

landemva · 5 years ago
This is a good start for taking back my privacy. Have been considering purchase of Librem phone.
015UUZn8aEvW · 5 years ago
I emailed massnotifyhelp@mass.gov to ask why the app was on my phone, and I got the following response:

Hi [my name],

In order for MassNotify to be available to users in their phone’s settings, an update was made by Google that resulted in some users seeing MassNotify appear in their app list in the Google Play Store. Apologies if this caused any confusion.

The appearance of MassNotify in the app list does not mean that MassNotify is enabled on your phone. The presence of the app merely means that MassNotify has been made available as an option in your phone's settings if you wish to enable it. For more information about this, please see this help center article from Google: https://support.google.com/android/answer/10775533

You can see whether MassNotify is active by going to Settings -> Google -> COVID-19 Exposure Notifications. The “Use Exposure Notifications” toggle at the top of the page will show you whether MassNotify is active or not. From this screen, you can also enable or disable MassNotify at any time.

If you have any further questions about this, or anything else related to MassNotify, please don’t hesitate to reach out and we’ll be happy to help.

Regards,

[name]

MassNotify Help Desk Team

www.mass.gov/massnotify

For information about MA COVID-19 resources visit www.mass.gov/isolate

dTal · 5 years ago
This raises an interesting point. Android subdivides much of its core functionality into various hidden "apps". Everyone's all up in arms about this, but I don't remember a similar outcry when the Covid-19 exposure API was "forcibly" added to the Google Services Framework. This isn't really any different from that, or any other OS update. I naturally agree that Google's remote-root is creepy and weird, but why is this the thing that's put a bee in everyone's bonnet? Is it just that an app in the app list is more visible? Won't this outcry merely encourage them to do things the less-visible way?
oehpr · 5 years ago
Likely because it's being perceived as a third party app that was just arbitrarily installed. At least it can be presented that way, which is enough to get the story to spread.

It's honestly not that far off from the truth. Just because google uses your phone as a personal playground all the time doesn't make this instance any more or less outrageous. If this is what it takes for it to be perceived as outrageous as it is, then fine.

LorenPechtel · 5 years ago
Also because there's a substantial portion of our population that is radically opposed to anything that acknowledges the virus as anything but business as usual.
simpss · 5 years ago
I think the real question is what mechanism allows them to push a random app to some phones? google play services is actively listening for remote installation requests?

that's essentially a remote-code-execution backdoor to all android phones?

dTal · 5 years ago
>google play services is actively listening for remote installation requests?

Uh, yes? That is and always has been core functionality. You can click "install" on the Google Play website on your laptop and the app will magically appear on your phone, if both devices are signed in to Google. I triggered this behavior accidentally a good 10 years ago when I got my first Android phone, and it gave me the shivers - it really drove home the point that Google had root on my phone, not me.

In fact, this entire behavior is so normalized on phones we now have a special word for the process of downloading an app and installing it manually, the way we do on PCs: "sideloading".

IncRnd · 5 years ago
That's not the behaviour of what happened here, where an app was downloaded without user initiation or intervention. There was no authorization from the user of the actions that were taken by Google or the app's vendor.
sohei · 5 years ago
A corollary of your question. If Google can lawfully install arbitrary apps on ordinary users' phones, can it also run arbitrary code on the personal devices of government officials investigating it for price fixing in the ad market?
GavinMcG · 5 years ago
"Arbitrary" is doing a lot of sneaky work here. You're implying that the law would somehow allow Google to manipulate investigators. But the law has broad allowances and exceptions in lots of areas, and competing permissions/denials that together weave specific allowances. There's little reason to think that the law couldn't allow app installation in general and also disallow either targeting of individuals or collection/manipulation of certain kinds of data.

Deleted Comment

dragonwriter · 5 years ago
> If Google can lawfully install arbitrary apps on ordinary users' phones

Of the partners in this, I think that the source of authority was almost certainly the other one. It’s not Google, but the State of Massachusetts, whose authority is likely involved.

danuker · 5 years ago
> personal devices of government officials investigating it for price fixing

Anything in the name of "improving our services".

fragileone · 5 years ago
I thought this was well-known, Android is not private at all until you degoogle. Unlock your bootloader then install a ROM without Google Play Services such as GrapheneOS, CalyxOS or LineageOS.

You can also consider installing microG as an open-source minimal implementation of Google Play Services if some of its functionality is absolutely necessary for you to keep.

okdjnfweonfe · 5 years ago
That doesn't fix the issue

ISPs mandate certain capabilities of the cellular modem + the simcards (remember java cards? that ran java? they still exist as simcards!)

Government RCE is still 100% on the table regardless of whatever software your phone is running

ampdepolymerase · 5 years ago
A core issue is that building Android ROMs is very difficult to do in a simple and accessible manner. The build systems generally all require enterprise-server levels of memory and a build can easily take hours. Every device has a unique configuration; imagine if every brand of laptop ran its own variant of Ubuntu. For most "ROMs" that you find on obscure places like XDA, the builds by random people across the globe are a much greater security risk than good first-party updates.
1vuio0pswjnm7 · 5 years ago
No different than, say, "Windows Update".

The entire "updates" culture is essentially RCE backdoor (botnet) functionality for "trusted" tech companies.

Consent, where it is actually explicitly obtained, never rises to the level of "informed". That's because even if a user "consents", she still cannot see what is in each update.

formerly_proven · 5 years ago
WU allows hardware manufacturers to silently install literally anything based on hardware ID matching and the only way to prevent that is to disable WU driver updates entirely (via GPC/registry).

In my case the maker of my motherboard installed a persistent “self-repairing” (i.e. difficult to uninstall) from yet another third party. Naturally, I will not buy a product from them (MSI) again.

Another way to put this is: windows update will install malware w/o user approval in the background.

aorth · 5 years ago
I think the difference is that I chose to install Chrome/Firefox etc, so I don't mind the automatic updates.

In this case nobody actually installed this app by choice!

smeej · 5 years ago
Related question I'm not wrapping my head around:

How does the thing know you're a Massachusetts resident?

People who have the contact tracing setting disabled are reporting they still got the app, so the obvious answer seems not to apply.

Is it just getting installed on any device that enters MA? New England states are pretty small, and there's a lot of crossover, especially with states like Maine and New Hampshire, which wouldn't take this very well.

Or, if you have a layover at Boston's Logan airport, do you now end up with its contact tracing app?

Jailbird · 5 years ago
Not a resident. I just found it installed due to HN. I am in MA at this time.... and have no idea when it was installed. (Of course I uninstalled it immediately)
neltnerb · 5 years ago
If they're also hitting phones that were only in the state temporarily it must be using cell tower locations right? I use an always on VPN and it still auto installed (without opting in) but I have my E911 address set here so I'd have guessed that otherwise.
ahofmann · 5 years ago
You can install apps from your browser on the PC and have been able to for years. I think this also works on Apple?
contriban · 5 years ago
Not exactly. On the Android store you can choose exactly which device to install an application on.

For Apple as far as I know the most you can do is buy the app on desktop and, if the device is configured that way, it will receive the new app. This means it’s limited to new purchases and by the device’s settings.

E8L3i · 5 years ago
simpss · 5 years ago
Thank you, I've even used this functionality some years ago but didn't remember it existed.

I've since de-googled my phone and sacrificed some apps that require google services, but this whole thing shows (to me) that it was the right decision.

tdeck · 5 years ago
My guess is that it's the Play Store app itself that does this (com.android.vending). That app is responsible for both updating itself regularly and installing/updating other apps.

One possible way: There is a daily job run in the Play Store called "daily hygiene" that performs various configured tasks based on device state and device targeting. It would not be difficult to add some code to install this app for MA users, then push it with the next Play Store update. I am very unpleasantly surprised that this app was installed from a policy perspective, however.

dTal · 5 years ago
They don't have to add any code or push a Play Store update or wait for a daily cronjob. Listening for remote installation requests is a core feature of Google Play Services. It is not a mystery how this was done.

Deleted Comment

thepangolino · 5 years ago
Isn’t there a feature from the app stores allowing for remote installation of apps?
skunkworker · 5 years ago
It would be one thing to get a push notification asking if you wanted to install the app. But pushing this out silently is going too far.

It’s the scarier version of the free U2 album.

bjornlouser · 5 years ago
“… and I still haven’t found what I’m looking for on your phone …”
cblconfederate · 5 years ago
Google and Apple install tons of software basically without consent (OS updates), so an app being pushed like that is not surprising. It is worrying, however, that tech people don't seem to realize how great their tools are for totalitarian states, which push apps and spying much worse than this to their subjects. We really need to talk about users owning their devices and their software rather than leasing them. There is no device that allows users to control what it does; that's scary.
viktorcode · 5 years ago
You are explicitly allowing updates to be installed in the phone's settings. It is made painfully clear.

The question here is about what mechanism Google used to install an app, can it be disabled, and what other kind of apps Google is capable of installing silently on the devices?

cblconfederate · 5 years ago
The mechanism is Google's, so that point is moot. There should be a physical switch for updates, just like some cameras have physical covers.

Deleted Comment

TomOwens · 5 years ago
Most of the comments on that app as well as here are probably wrong. I'd suspect that everyone who had the app "installed without their permission" opted into the Android COVID-19 Exposure Notification program. This was deployed by Google as part of an update to Google Play Services.

When you go to your phone's settings with this update, there's an option to enable COVID-19 Exposure Notifications. When you turn it on, it prompts you for your location and will download your region's app that uses your phone's new capabilities to connect to the appropriate health authorities.

Massachusetts just opted into this program in the last couple of weeks. I'm honestly not sure why they did it so late - this would have been helpful earlier. Apple iPhones also have this capability, including interoperability with Android phones, and iPhone users in Massachusetts are also able to turn on this setting.

Now, if someone can actually prove that they didn't opt into the COVID-19 Exposure Notifications, then I'd be concerned. But my guess is they opted in when it came out, but there was no app for their region, so nothing was downloaded and the feature did nothing. Then, Massachusetts rolled out the app now and lots of people who configured their phones earlier in the pandemic got a new app. They granted permission for it, perhaps months ago.

shados · 5 years ago
I don't know what kind of proof you want, but I just looked at my phone settings after reading your comment. The exposure notification option is there and it's off. The region selection is grayed out because of it. Yet I got the app (uninstalled it after I saw this on hacker news).

I did get a notification when it got installed but I thought it was just a push similar to amber alerts. I didn't realize it installed something at the time.

Still, exposure notification was never turned on.

nverno · 5 years ago
I'm in Boston and it wasn't installed on my phone (exposure notifications have always been off AFAIK). I'm on an old iPhone 5s, not sure if that makes a difference, or maybe it's just specific areas? According to this, https://thesomervillenewsweekly.blog/2021/04/05/massnotify-a..., different cities were piloting at different times, although it all seems opt-in.
notacoward · 5 years ago
Same here. Never opted in, just checked and that hasn't changed. I hadn't even selected a region, so it shouldn't even know which invasive app to install, but I still got it.
ollien · 5 years ago
Ditto. 10 minutes before I saw this post I declined the opt-in notification for exposure notifications, yet I still had the app.
015UUZn8aEvW · 5 years ago
I'm a MA resident and this app was on my (Android) phone...until a few minutes ago when I read about it on Hacker News, found it, and deleted it.

I have no memory of ever opting into the program you describe, and it isn't the type of thing I would normally do. It's possible I guess.

In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

maram · 5 years ago
> In any case, the way they did this is creepy. There was no icon for the app; I had to look in Settings/Apps & Notifications to find it. And neither the official state press releases nor the few local news stories about it mention that the app was installed without notice. They use vague, lawyerly language about how it can be "enabled".

This incident and your comment reminded me of a story Bezos mentioned in his interview about the time Amazon deleted 1984 from Kindle. The analogy he made makes me wonder how we can compare what happened here to what Amazon did.

“Without any notice or warning just electronically go into everybody’s Kindle, who had downloaded the book and just disappear it…so it would be as if we walked into your bedroom in the middle of the night, found your bookshelf, and just took that book away”

19:48 https://youtu.be/SCpgKvZB_VQ

arpstick · 5 years ago
MA resident as well. What worries me more is that someone thought that this method of installation was a good idea, and even more worrying is that they were also able to execute on it. The lack of public announcement on it feels rather shady and nefarious. Shenanigans like this are how you get the populace to trust the local government less, which is the last thing this country needs.
abnry · 5 years ago
Wow, I thought I was someone who didn't get the app when I checked the icons but once I went into settings, there it was. I even have a NH phone number but live in MA.
meragrin_ · 5 years ago
Did you get vaccinated? If so, did you supply your email address related to your Google account on the form or enough other information to link the two? Did you read all of the related documentation? I wouldn't be surprised if they slipped somewhere on the form that you were agreeing to it.
megous · 5 years ago
There's even a standard for mobile operators to control the setting in your modem and update/install apps: https://en.wikipedia.org/wiki/OMA_Device_Management

I reverse engineered what this does in practice on the PinePhone modem (Quectel EG25G), for example, and there are pre-compiled binaries there for T-Mobile and Vodafone that process their particular OMA DM flavors, download some configuration and code from the internet, and run it as root on the modem's SoC ARM CPU. (That's still isolated over USB from the main PinePhone SoC, but obviously not good.) It's also thankfully disabled by default, but if you Google for "OMA DM Android", you get reports of this protocol still being used.

Whatever it does on a regular Android phone depends on how well it is implemented on Android. Regular phones don't have two almost-isolated SoCs like the PinePhone, so the OMA DM client would probably run on the main SoC, and it all depends on how secure that binary blob is or what it does/allows the operator to do.

Quectel software is a bit of a turd, so I wouldn't take from this that operators can run random code they make the device download as the root user, using this protocol. Most proprietary software like this is pretty shit, so I wouldn't feel warm and fuzzy safe on a random Android device either.

owl57 · 5 years ago
Can one use PinePhones to collect these blobs, and then try to run them on an Android simulator or whatever for more specific knowledge about operators' practices?
xeromal · 5 years ago
I was about to say it might be through the carriers. I put a Verizon sim in my phone and I got a bunch of BS apps installed on my phone a few days later.
dstaley · 5 years ago
I just went through the Exposure Notifications flow on Android, and selected a region where it's not currently available (Arkansas). It displayed a message saying it wasn't supported in my region, and left the setting disabled. While it's still possible that your theory is correct, I certainly don't think it's the intended flow as of now.
tylercubell · 5 years ago
I have no memory of opting in, I checked under Settings -> Google and "COVID-19 Exposure Notifications" was set to "Off", and the MassNotify app was still installed on my phone. It has no icon and the only way to find it is going to Settings -> Apps & notifications -> See all apps and it comes up under "Massachusetts Department of Public Health". Then when you go to the Google Play Store and search "MassNotify" or "mass notify" or even "Massachusetts Department of Public Health" (the exact name of the app), it doesn't come up in the search results. You have to go to "Manage apps & device" on the Google Play Store then scroll down to "MassNotify" which doesn't even match the name of the app in the other settings menu. This is pretty shady.
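Since the app has no launcher icon and does not surface in a Play Store search, the reliable way to see what is on the device and who put it there is to enumerate packages with their installer attribution over adb. The following script is an added example, not code from any commenter or from MassNotify: it parses the output of the real command `adb shell pm list packages -i` (lines of the form `package:<name>  installer=<installer or null>`), groups packages by installer, and flags any whose name matches a pattern. The sample output embedded below is constructed for the example, and every package name in it other than `com.android.vending` (the Play Store) is made up.

```python
"""Audit which packages are present on an Android device and who installed them.

Parses the output of `adb shell pm list packages -i`, groups packages by
installer, and flags packages whose name matches a pattern of interest.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample in the format `pm list packages -i` prints.
# All names except com.android.vending (the Play Store) are made up.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.example.mail  installer=com.android.vending
package:gov.example.covid19.notify  installer=com.android.vending
package:com.example.sideloaded  installer=com.android.packageinstaller
package:com.android.settings  installer=null
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(text):
    """Return {package_name: installer_or_None} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip warnings, blank lines and anything else adb prints
        installer = m.group("installer")
        result[m.group("pkg")] = None if installer == "null" else installer
    return result


def group_by_installer(packages):
    """Group package names under the installer that put them on the device."""
    groups = defaultdict(list)
    for pkg, installer in sorted(packages.items()):
        groups[installer or "<preinstalled/system>"].append(pkg)
    return dict(groups)


def find_matching(packages, pattern):
    """Return {package: installer} for packages whose name matches the regex."""
    rx = re.compile(pattern)
    return {pkg: inst for pkg, inst in packages.items() if rx.search(pkg)}


def fetch_live_pm_list():
    """Run the real command over adb; return '' if adb is unavailable or fails."""
    try:
        out = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-i"],
            capture_output=True, text=True, timeout=30, check=True,
        )
        return out.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


if __name__ == "__main__":
    # Use the live device if one is attached, otherwise the constructed sample.
    text = fetch_live_pm_list() or SAMPLE_PM_OUTPUT
    pkgs = parse_pm_list(text)
    for installer, names in group_by_installer(pkgs).items():
        print(f"{installer}:")
        for name in names:
            print(f"  {name}")
    print("matches:", find_matching(pkgs, r"covid|exposure|notify"))
```

Packages reported with `installer=null` were preloaded or installed by the platform itself; anything attributed to `com.android.vending` arrived through the Play Store, whether or not the user ever saw it in the store UI, which is exactly the distinction the thread is trying to establish.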
ptero · 5 years ago
I just found this app and removed it. And I definitely did not opt into any kind of covid tracking earlier.

This app seems to use Bluetooth to track potential violations of 6ft personal space and notify people if someone from that list later gets a covid positive test. Whatever the noble goal is I do not want it on my phone, this is creepy!

studentrob · 5 years ago
When you opt-in, does it notify you of all the permissions the app will require?

- view network connections

- pair with Bluetooth devices

- full network access

- run at startup

- prevent device from sleeping

dstaley · 5 years ago
Virtually every non-trivial Android application has these permissions, none of which are even important enough for the system to prompt you for permission. The only interesting one is "pair with Bluetooth devices" which is how the Exposure Notifications system works.
EamonnMR · 5 years ago
I have no memory of opting in to this, but it was installed on my phone.

Updated to add: well, I'll be. An hour after this comment and seeing the link show me that Mass Notification was installed, I was prompted to opt in, apropos of nothing.

stevewodil · 5 years ago
If it makes you feel better (or worse) I specifically opted out and this app is installed
aceazzameen · 5 years ago
Another MA resident here. Never opted in and it still shows I'm not. The app was silently installed on my Android. There's no icon so I thought it didn't install at first, until I looked at my app list in settings.

I'm curious to know if there's any MA Android users that previously removed Google Play, and if they still have the app or not. My guess is no?

IG_Semmelweiss · 5 years ago
You can't remove Google Play in Android versions beyond 6, I believe.

You can only disable it.

mackal · 5 years ago
This speculation is 100% wrong. I checked for this app after seeing this and had it listed under updates available (it was installed already)

So I decided to check if I was in fact opted in and I was not opted in. Everything was off and this app was still installed without my consent. I do have automatic UPDATES turned on, but that shouldn't tell Google to just push whatever they want to me. You should probably edit your post saying your speculation is wrong.

I don't know what kind of proof you want, but I 100% never opted in.

mackal · 5 years ago
lol, just got installed on my tablet. Wasn't there earlier.
someassholeguy · 5 years ago
This is a great explanation for what's occurring. I'll be interested to see what comes of all of this.

So far what I guess is:

- This is likely a government action via telco and not something done via Google* (*Unless they've opted into a program like the one you stated)

- These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior.

To me, this is a pretty clear-cut violation of Google's device update policy and could be considered malware or stalkerware (by their definition): https://support.google.com/googleplay/android-developer/answ...

https://support.google.com/googleplay/android-developer/answ...

-----

I think we should all slow down on putting full blame on Google here and focus on government abuse and overstep of powers.

JudasGoat · 5 years ago
"These phones being affected COULD BE all Carrier Locked phones which have specific terms to allow such behavior." I use an unlocked Pixel 4a on Google Fi and still got the app.
enumBoss · 5 years ago
I can only speak for myself, but I checked my settings and the COVID-19 Exposure Notifications setting is set to "Off" and I still had this app pushed silently to my phone. What's even worse is there's no app icon for it on the device and it doesn't show up under your app list. I only knew it was on my device at all because I have auto updates turned off and it was in the queue waiting to be updated in the Play Store.
combolo · 5 years ago
I never opted in, the setting for COVID notifications has always been OFF, and I still got the app silently installed on my Android phone.
remram · 5 years ago
I wasn't opted in. I have recently moved to Massachusetts, the app was probably installed during the last system update. I remember seeing a prompt after rebooting my phone to finish the update (this week, Pixel 3a) to enable contact tracing. I said no, but obviously the app had already been installed automatically, and apparently stayed.
flyinghamster · 5 years ago
To clarify: It's in your Google Account settings, not a separately broken-out setting that you see when you first bring up your phone settings, or at least it's that way on my phone.

Deleted Comment

happynacho · 5 years ago
You can be concerned by reading the top comment on this HN thread.