|
Listen to this story
|
The common theme around privacy in Google’s ecosystem is ‘trust’. And while the company has provided plausible explanations for its user data collection methods, users still need to trust that Google is operating within the purview of its self-imposed rules.
But as any cybersecurity expert worth their salt will tell you, a system that requires trust to function is not secure. This seems to be the reason why more privacy-focused users have begun shifting to an alternative known as GrapheneOS.
A Trustless OS for Android
This non-profit open source fork of the Android Open Source project comes with no Google apps preinstalled, and is built with the intention of being a secure operating system. It also aims to challenge Google’s hold over OEMs and their misuse of consumer devices as data-harvesting platforms.
Graphene takes pride in being trustless, even offering a command line interface-based installation service if the user doesn’t trust WebUSB or prepackaged installers. Users can even build, modify, and contribute to the project if they have the technical know-how.
One shortcoming is that the project is currently only deployable on Google devices due to hardware limitations, but the lead developer, Daniel Micay, provides a compelling reason to justify that. He says, “Broad device support is not a goal of the project. It would be harmful. The existing device support is already substantially holding back development, i.e. the actual work on privacy and security research and engineering that the project is all about.”
The operating system is built with a focus on eliminating insecure features and building privacy and security into the fabric of the OS itself. It also does not come with any Google apps bundled. However, to preserve privacy while ensuring functionality, Graphene has a separate sandbox for Google Play, which instals them without the special permissions included in a standard deployment.
The OS has a host of security-focused improvements over AOSP. From cutting down the amount of unnecessary code in the project to reducing attack surface, to building fine-grained sandboxes at every level, GrapheneOS protects against zero-day vulnerabilities. Other security features include PIN scrambling, support for longer passwords, more secure fingerprint unlocks, and Vanadium, a hardened WebView and default browser.
Graphene also supports native over-the-air (NOTA) for seamless security updates, discrete toggles for network and the phones’ integrated sensors, and indicators for when camera, microphone, or location is being used.
The sudden demand for switching from a trust platform like Google to a trustless open source system is based on the continuous breach of users’ trust by the tech giant.
Sucking Life Out of Your Phone
Reports recently emerged that Facebook and Instagram are draining users’ phone batteries on purpose through a process called ‘negative testing’. Now, users are complaining of a similar issue with the Google app. A variety of online forums, from Reddit to Google’s own forums, have been filled with reports of the Google app draining battery.
These complaints have long gone unaddressed by Google, but users have found various ways to workaround this issue, like disabling hotword activation on the Google app. This feature, which keeps the microphone on for listening to the ‘Okay Google’ hotword, has been found to be the main culprit behind Google’s battery drain.
In 2014, Google signed contracts with prominent phone manufacturers Samsung, Huawei, and HTC that required manufacturers to ship devices with Google apps pre-installed if they wanted Google Play Store on the device. Other conditions included keeping Google search as the default search provider, and enabling Google’s Network Location provider service.
Termed the mobile application distribution agreement (MADA), these contracts attracted a lot of regulatory flak in the days following its announcement but has since been relegated to the history books. However, the impact of the agreement can still be felt today, more likely because both existing and new manufacturers are forced to sign this contract to distribute Android with the Google Play Store installed.
While all Google applications gather different kinds of user information, one stands out in particular as the worst offender – the Google Search application. Dating back to 2014, users have not only found that the Google Search app drains battery when installed, but also pings the Google Network Location Provider service when the phone is asleep. This then results in further battery drain, as the phone is woken up from sleep to send location information to Google.
‘Okay Google’ Eats Up Your Battery
More recently, there was a spate of reports in 2022 that claimed that Google was topping the list of battery-consuming applications. After research by the community, multiple users concluded that it was mainly the ‘Okay Google’ hotword activation that woke the application up from sleep.
For the privacy conscious, Google has a portal under the accounts section that keeps a record of whenever the app was activated with the ‘Okay Google’ hotword. However, perusing the recorded audio snippets, we discovered that Google is listening in whenever it thinks that the hotword has been spoken. This means that if the user says something remotely similar to the words ‘Okay Google’, the application gives itself permission to record and upload the audio sample to check if the activation phrase has been spoken.
While Google’s spying on users or battery drain has not been acknowledged or addressed by the company, complaints from users show that this issue is widespread. Trusting a big tech company with sensitive information such as location data, audio recordings, and a host of other data points is not a secure approach to preserving sensitive information. However, the rise of alternatives like GrapheneOS might challenge Google’s unwarranted dominance in the ‘open’ mobile OS landscape.
