Hello.
Which Android OS keyboard software you are using?
And why?
https://github.com/Helium314/HeliBoard
The main problem I have with it, after I installed HeliBoard, is there is
no voice input, by default. Maybe voice input can be added later somehow?
Kirill Ivanov scriveva il 17/06/2024 :
Hello.
Which Android OS keyboard software you are using?
And why?
Heliboard:
https://github.com/Helium314/HeliBoard
Open source, very customizable, possibility to add glyde typing,
respectful of privacy.
The main problem I have with it, after I installed HeliBoard, is there is
no voice input, by default. Maybe voice input can be added later somehow?
You can set voice input icon in toolbar from HeliBoard Settings ->
Toolbar.
Heliboard:
... respectful of privacy.
Any reason why it would need the READ_CONTACTS permission ?
Heliboard:
... respectful of privacy.
Heliboard:
Any reason why it would need the READ_CONTACTS permission ?
Any reason why it would need the READ_CONTACTS permission ?
According to a comment on an issue/question in github
"It's for adding contact names to suggestions and spell check."
Henry,
Heliboard:
... respectful of privacy.
Any reason why it would need the READ_CONTACTS permission ?
"READ_PROFILE allows you to access the device user's personally-identifying data."
( https://developer.android.com/identity/providers/contacts-provider )
That doesn't really sound privacy-friendly ...
Andy Burns wrote on Tue, 18 Jun 2024 21:27:34 +0100 :
Any reason why it would need the READ_CONTACTS permission ?
According to a comment on an issue/question in github
"It's for adding contact names to suggestions and spell check."
Look here: <https://i.postimg.cc/rpJQj8vx/heliboard04.jpg>
1. Mine is turned off, by default, for some reason.
android.permission.READ_CONTACTS = dangerous, revoked
2. When dealing with permissions, it's not what the "purpose" of the
permission is that is worrisome, it's the "capability" of it (e.g.,
maybe *other* apps can make use of the data, e.g., Firebase).
Maybe there's a trick I'm not seeing yet as I already have a microphone
with my OpenBoard keyboard so I know that it works just fine normally.
<https://i.postimg.cc/zvw1MYST/heliboard03.jpg>
But when I set the keyboard to HeliBoard, the microphone disappears.
<https://i.postimg.cc/fyYwN9Zt/heliboard02.jpg>
I opened the HeliBoard app. It brought me to "HeliBoard Settings".
The microphone was already turned on.
But the microphone doesn't show up in the HeliBoard keyboard.
Do I need to set something else to get the HeliBoard mic to show up?
<https://i.postimg.cc/rFLV9QCS/heliboard01.jpg>
Heliboard:
Any reason why it would need the READ_CONTACTS permission ?
According to a comment on an issue/question in github
"It's for adding contact names to suggestions and spell check."
1. Mine is turned off, by default, for some reason.
android.permission.READ_CONTACTS = dangerous, revoked
2. When dealing with permissions, it's not what the "purpose" of the
permission is that is worrisome, it's the "capability" of it
Since Helium keyboard does not use Firebase and also does not
have internet access, this is not an issue.
"READ_PROFILE allows you to access the device user's personally-
identifying data."
You mean READ_CONTACTS?
THe important thing is, that the app can not send data anywhere as it
has no internet access.
Toolbar keys (including microphone icon) are shown pressing on icon ">"
on the left of suggestions row.
In version 2.x beta of Heliboard they add an option to auto-show/hide
toolbar or pin a specific key so it remains always visibile: despite
being a beta it's very stable, so I suggest you to update version.
https://github.com/Helium314/HeliBoard/releases/v2.0-beta2
Heliboard:
... respectful of privacy.
Any reason why it would need the READ_CONTACTS permission ?
The important thing is, that the app can not send data anywhere as it
has no internet access.
"READ_PROFILE allows you to access the device user's personally-identifying >> data."
You mean READ_CONTACTS?
( https://developer.android.com/identity/providers/contacts-provider )
That doesn't really sound privacy-friendly ...
This permission does NOT have to be granted at all. In the app settings
of Android it is listed but disabled.
Also the app does NOT have internet access - therefore it will not send
any data anywhere, even if it would read contact information.
And finally - it is open source! If you believe the app does bad things, review the code or ask someone you trust to do so:
<https://github.com/Helium314/HeliBoard>
The German "Kuketz IT-Securioty" blog also recommends this keyboard for privacy reasons:
<https://www.kuketz-blog.de/heliboard-android-tastatur-empfehlung/>
Henry The Mole, 2024-06-19 08:25:[...]
https://github.com/Helium314/HeliBoard/releases/v2.0-beta2
Since I'm not very familiar with HeliBoard yet: when long-pressing a
button in the toolbar, it get's a permanent highlight with a green background, but nothing else happens. I can remove the highlight again
by long-pressing the same button again.
What is the meaning of this?
Arno,
Since Helium keyboard does not use Firebase and also does not
have internet access, this is not an issue.
How do you know it doesn't use Firebase ? (how did you figure that out ?)
But do I understand you correctly that if an app uses Firebase it doesn't need the INTERNET permission (and/or alike) to be able "go online" ?
Andrew scriveva il 18/06/2024 :
Maybe there's a trick I'm not seeing yet as I already have a microphone
with my OpenBoard keyboard so I know that it works just fine normally.
<https://i.postimg.cc/zvw1MYST/heliboard03.jpg>
But when I set the keyboard to HeliBoard, the microphone disappears.
<https://i.postimg.cc/fyYwN9Zt/heliboard02.jpg>
I opened the HeliBoard app. It brought me to "HeliBoard Settings".
The microphone was already turned on.
But the microphone doesn't show up in the HeliBoard keyboard.
Do I need to set something else to get the HeliBoard mic to show up?
<https://i.postimg.cc/rFLV9QCS/heliboard01.jpg>
Toolbar keys (including microphone icon) are shown pressing on icon ">"
on the left of suggestions row.
In version 2.x beta of Heliboard they add an option to auto-show/hide
toolbar or pin a specific key so it remains always visibile: despite
being a beta it's very stable, so I suggest you to update version.
https://github.com/Helium314/HeliBoard/releases/v2.0-beta2
Andrew,
1. Mine is turned off, by default, for some reason.
android.permission.READ_CONTACTS = dangerous, revoked
Its not about what *you* currently have, its about what *we* would be getting. Regardless of if our phones have similar protections - or not.
Arno Welzel wrote:
THe important thing is, that the app can not send data anywhere as it
has no internet access.
I thought *all* android apps got INTERNET permission "for free" without having to ask?
HeliBoard:
1. android.permission.READ_CONTACTS
2. android.permission.READ_USER_DICTIONARY
3. android.permission.RECEIVE_BOOT_COMPLETED
4. android.permission.VIBRATE
5. android.permission.WRITE_USER_DICTIONARY
6. helium314.keyboard.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION
OpenBoard:
1. android.permission.POST_NOTIFICATIONS
2. android.permission.READ_USER_DICTIONARY
3. android.permission.RECEIVE_BOOT_COMPLETED
4. android.permission.VIBRATE
5. android.permission.WRITE_USER_DICTIONARY
Does anyone have a logical explanation of why this difference?
Andy Burns, 2024-06-19 08:31:
Arno Welzel wrote:
THe important thing is, that the app can not send data anywhere as it
has no internet access.
I thought *all* android apps got INTERNET permission "for free" without
having to ask?
No, this is not the case.
An app has to ask for the permission android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE before it can connect to and
server on the network.
How do you know it doesn't use Firebase ? (how did you figure that out
?)
Because I checked the code: <https://github.com/Helium314/HeliBoard>
But do I understand you correctly that if an app uses Firebase it doesn't
need the INTERNET permission (and/or alike) to be able "go online" ?
No, but it needs to contain code to use Firebase.
If you don't believe me,
An app has to ask for the permission android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE before it can connect
to and server on the network.
The contacts permission is off by default in this app and is only needed
when you enable "Suggest Contact names" in the "Text correction" settings.
Before complaining about how insecure an app is you should first check it!
Arno,
The contacts permission is off by default in this app and is only needed
when you enable "Suggest Contact names" in the "Text correction" settings.
"The contacts permission is off by default in this app" ?
That sounds like as if the app is managing its own permissions, and I *hope* that that is not what you ment ...
But maybe you just mean that the permission will only actually be asked for when it tries to access the contacts (and not when installing). But how does that make a difference ? It still wants to access that contacts data.
Before complaining about how insecure an app is you should first check it!
Are you teling me I must be a fullblown Java programmer before I'm allowed
to mention stuff I would never want to give the permission for ? I hope not.
Arno,
How do you know it doesn't use Firebase ? (how did you figure that out
?)
Because I checked the code: <https://github.com/Helium314/HeliBoard>
Ah, yep, that would do it.
Alas, thats not something thats easy to automate.
But do I understand you correctly that if an app uses Firebase it doesn't >>> need the INTERNET permission (and/or alike) to be able "go online" ?
No, but it needs to contain code to use Firebase.
??? I don't get that. Somehow you look to be disagreeing and agreeing with me at the same time.
Simpler question: If an app uses Firebase it can go online, even though the app doesn't request the INTERNET permission. Yes, or no ?
On 20/06/2024 10:14, Arno Welzel wrote:[...]
An app has to ask for the permission android.permission.INTERNET and
android.permission.ACCESS_NETWORK_STATE before it can connect to and
server on the network.
I don't remember being asked to grant internet access since about Froyo/Gingerbread era
"Both the INTERNET and ACCESS_NETWORK_STATE permissions are normal permissions, which means they're granted at install time and don't need
to be requested at runtime."
<https://developer.android.com/develop/connectivity/network-ops/connecting>
An app *must* contain the permission request in the manifest,
regardless if it actually uses it or not.
It will only access contact data, when you enable the setting for it in
the app, otherwise not.
Also see the options in the app - "Suggest Contact names" is a good
hint what the permission for contact reading is used for.
Better than just assuming that the app does not respect your privacy just because of an *optional* permission.
But do I understand you correctly that if an app uses Firebase it
doesn't
need the INTERNET permission (and/or alike) to be able "go online" ?
No, but it needs to contain code to use Firebase.
??? I don't get that. Somehow you look to be disagreeing and agreeing
with me at the same time.
No - I just explained, that an app does need internet to use Firebase,
Simpler question: If an app uses Firebase it can go online, even though
the app doesn't request the INTERNET permission. Yes, or no ?
No.
I agree it's crazy to do that every single time so I appreciate that you
explained that the beta version can pin the microphone to the toolbar.
Just long-press microphone button in the toolbar, so it gets
highlighted. Then it is "pinned" and will stay visible even when the
toolbar is closed.
No. It can only use Firebase. Firebase is not "go online" but a
framework for authentication and using cloud storage:
<https://firebase.google.com/>
So I think there are MULTIPLE things that Google calls "Firebase".
Google Services "Firebase App Indexing" that is on my phone and which
extremely private data which is uploaded periodically to somewhere
by an unknown-to-me process.
Since Helium keyboard does not use Firebase and also does not have
internet access, this is not an issue.
So I think there are MULTIPLE things that Google calls "Firebase".
Too bad you only name one ... Or is it that the one you described is the only one related to android ?
Google Services "Firebase App Indexing" that is on my phone and which
gathers extremely private data which is uploaded periodically to somewhere >> by an unknown-to-me process.
Thanks for that.
It means (to me) that if I see an apk mentioning "Firebase" in its manifest
I should drop it (as the spyware it is) and walk away.
One thing we have to remember is anyone who talks only about "Google Firebase" (cloud services) without also talking about "Google Services Firebase App Indexing (decidedly NOT cloud related),
I too don't understand the difference.But at least I'm aware that there is
a difference.
3. However, notice that the fact that Helium Heliboard does not use
the Internet is meaningless because Google uses the Internet.
Oh yes, there seems to be a difference : the first being the back-end and second the front-end. At least, if I maye take Googles own word for it :
https://firebase.google.com/firebase-and-gcp
3. However, notice that the fact that Helium Heliboard does not use
the Internet is meaningless because Google uses the Internet.
As you said it yourself, "that's a terribly misleading sentence".
You might want to explain what, to you, that "google" in the above sentence is, and how it "uses the Internet" without given permission to - and
ofcourse how that that "google" gets hold of data generated by other apps*
Yes, I can make an (educated) guess or two to what you might mean there, but I rather hear it from you.
* an OS sandboxing apps is a thing. And on my phone an app can access files it created itself, but not other apps files - simply by denying it READ/WRITE_EXTERNAL_STORAGE permissions.
hint: not everyone thinks that his lifes enjoyment is directly dependant on having something like "google play store" installed.
And again: be carefull when you post pertinent stuff like "Firebase App Indexing (decidedly NOT cloud related)" as you do not really seem to understand the issue yourself - as you mentioned it, you have no idea where the "Firebase Indexing Service" is sending its data to, other than 'to google'.
"Firebase cloud services" is definitily Google, though for some reason you discarded it (without an explanation) as a possibility of being the target
if your phones uploading. I still have no idea why.
Arno Welzel wrote on Thu, 20 Jun 2024 11:08:45 +0200 :
I agree it's crazy to do that every single time so I appreciate that you >>> explained that the beta version can pin the microphone to the toolbar.
Just long-press microphone button in the toolbar, so it gets
highlighted. Then it is "pinned" and will stay visible even when the
toolbar is closed.
Thanks for responding to my issues, where I just pinned it and it works.
Now the microphone is pinned to HeliBoard KB just as it is to OpenBoard.
If the app does not use the Internet, how does it do the Speech-to-Text?
Android 13 Galaxy:
Settings > General Management > Text-to-speech > Preferred engine >
(o) Samsung TTS settings
(_) Speech Recognition and Synthesis from Google
The privacy question is whether either of those uses the Internet?
Does anyone know?
Arno Welzel wrote on Wed, 19 Jun 2024 08:25:01 +0200 :
Since Helium keyboard does not use Firebase and also does not have
internet access, this is not an issue.
That's a terribly misleading sentence, unfortunately; but I know you're trying to help - so please take what I say below purely constructively.
That sentence is dangerous - because it's so non detailed as to be able to
be interpreted in two completely different ways - one good - the other bad.
I do not think anyone on this newsgroup understands the difference between Google Firebase (cloud stuff) and Google Services Firebase App Indexing
(non cloud stuff); so your sentence above is meaningless until you can show that you understand that they're completely different - and not having one doesn't negate having the other.
1. Firebase is (apparently) not the same as Firebase App Indexing.
One uses the cloud. The other does not use the cloud (AFAIK).
The one that does not use the cloud is called "Google Services
Firebase App Indexing" and it _does_ send "statistics" to Google!
2. I installed and used Helium HeliBoard and I subsequently checked
the Google Services Firebase App Indexing data location, which
you can only see if you turn Developer options on, and I did not
see anything in there from Helium - so even though you didn't
distinguish between Google Firebase (cloud related stuff) and
Google Services Firebase App Indexing (not related to the cloud),
I think that you're correct that Helium doesn't collect that data
(which then Google says it grabs "statistics" from).
3. However, notice that the fact that Helium Heliboard does not use
the Internet is meaningless because Google uses the Internet.
Arno,
I stand corrrected, yes, you're right. On current android versions, apps
don't have to ask for that permission, but you still need to add this in
the app manifest as developer, so people can check wether the app
uses network connections at all.
Have you ever considered the possibility that all that has changed is the popping up of the confirmation dialog for those particular permissions ?
IOW, if the permission request is NOT in the manifest its NOT given, but if it is there its given without confirmation.
Hey, maybe you have knowledge and the tools to create a small testing app, test it and tell us the results ?
Arno,
An app *must* contain the permission request in the manifest,
regardless if it actually uses it or not.
I take that as "regardless if it *directly* uses it or not."
But do you recognise that way of doing stuff might be problematic ? If you lend your phone to someone a friend or your kid(s) get a hold of it (wanting to play a game perhaps) they might cause the permission to be asked for, and than it won't be you answering the question.
Time will tell if my phone uses the same "late binding" mechanism. I hope not though.
It will only access contact data, when you enable the setting for it in
the app, otherwise not.
:-) You talk as if you are smart enough, but at the same time you seem to blindly trust an apps honesty in obeying a setting it manages it itself.
I don't.
Also see the options in the app - "Suggest Contact names" is a good
hint what the permission for contact reading is used for.
You're sounding rather gullible there. :-(
They *tell you* that they will /just/ take the contact names, and leave everything else (you know, phone numbers, adresses, etc.) alone, and you believe them ? Again, I don't.
Its not about what they /tell you/ what they are going to do, its about *whats possible* they could do.
Also, there is a reason why some phone OS-es offer you to provide apps
asking for such a permission a fake list.
Better than just assuming that the app does not respect your privacy just
because of an *optional* permission.
You sound like you will have no problem with handing off your wallet (containing money, bank cards and passport) to a random stranger when he
asks for it.
What ? You would not trust a random stranger like that ? But you still expect me to (blindly) trust a random app ? Really ?
Hey, maybe you have knowledge and the tools to create a small testing app, >> test it and tell us the results ?
There are already many apps out there which can do this, for example:
<https://f-droid.org/de/packages/com.mirfatif.permissionmanagerx/>
adb connect 192.168.0.2:36295
adb pair 192.168.0.2:43145 016983
scrcpy -s 192.168.0.2
It depends on the device. Newer devices have a "TPU" which can handle
speech recognition offline. However older devices may not be as powerful
to do this and always rely on a server.
Simple test: enable airplane mode to disable any kind of network
connection and see, if speech recognition still works. In my case, on a Google Pixel 6a, this is the case - Google speech recognition even works without any active network connection at all.
An app *must* contain the permission request in the manifest,
regardless if it actually uses it or not.
I take that as "regardless if it *directly* uses it or not."
There is no "direct use". Either an app does use an system API
which requires a permission or not.
"Late binding" is required for *all* permissions in newer Android
versions. I am not sure when Google changed this, but as far I
remember, Android 6 introduced that.
:-) You talk as if you are smart enough, but at the same time you seem
to blindly trust an apps honesty in obeying a setting it manages it
itself.
I don't.
I don't either - but I can read and understand source code:
And yes, I also develop Android software myself:
They *tell you* that they will /just/ take the contact names, and leave
everything else (you know, phone numbers, adresses, etc.) alone, and
you believe them ? Again, I don't.
Who is "they"?
Heliboard is not sold by a company but provided by a bunch of
contributors (at the moment 26 - see <https://github.com/Helium314/HeliBoard/graphs/contributors>) who
spend their free time to maintain a keyboard app you can use for free.
So you believe all these guys work on that app to spy on you?
Then don't use the app or better don't use smartphones at all - and
yes, I am really serious!
Also, there is a reason why some phone OS-es offer you to provide
apps asking for such a permission a fake list.
Which does not solve the issue, that you still have to trust the OS that
it works as intended.
Yes - everything is possible! Even if an app has *no* permissions at
all it still can be harmful since there may be a security bug in Android which a malicous app can exploit. And yes, I am really serious!
No, I have no problem trusting an open source app I can check of myself.
No I don't expect anything except not being paranoid and trying
to understand *why* I told you that about Heliboard.
Oh yes, there seems to be a difference : the first being the back-end and
second the front-end. At least, if I maye take Googles own word for it :
https://firebase.google.com/firebase-and-gcp
Thank you for noticing that there's a difference between "Google Firebase" and "Google Services Firebase App Indexing",
While I will freely admit to not knowing what either one truly is, I don't think one is just the back end of the other - simply because the whole purpose of "Google Services Firebase App Indexing" is for the app to get
its data in the users' search results ON THE PHONE (as far as I can tell), while the whole purpose of "Google Firebase" is for the app to link in
access to Google's cloud.
As far as I can tell, those are two completely different endeavors.
"A note about privacy: The personal content index only exists
on the user's device. None of the user's personal content is
uploaded to Google servers and it only remains on the device
while the app is installed. However, aggregated statistics
about apps' usage of App Indexing and other system health
information may be uploaded to Google servers."
Notice that means it doesn't matter one bit if an application has
no Internet access... Because Google does.
The problem is that when everyone is talking about stuff they don't know
much about (including me), then everything any one person says tends to >confuse any other person - because they're not starting from the same >knowledge level.
And F-Droid also shows the permission of any app which you can download
there - and Heliboard doesnot have internet access:
Arno,
No I don't expect anything except not being paranoid and trying
to understand *why* I told you that about Heliboard.
Ask yourself how I could possibly *know* why you mentioned that app. You might be fully above board, but you could as easly be someone who's trying goading people into installing (trojaned) malware. (don't worry, I'm leaning to the former).
You already mentioned that data gathered on your phone by that Firebase framework gets send off too somewhere you don't know, but you still refuse
to consider the possibility that a same-named software "in the cloud", also from Google, could be the recipient of it.
Are you gullible or what ?
Ask yourself: if Google doesn't want to upload that "personal content" to itself, than why are they gathering it in the first place ?
And F-Droid also shows the permission of any app which you can download
there - and Heliboard doesnot have internet access:
confirmed by dumping the manifest from the apk
See here:
<https://firebase.google.com/docs/projects/learn-more?hl=en>
Google Services Firebase App Indexing (search related):
<https://medium.com/android-news/firebase-app-indexing-for-personal-content-getting-personal-content-into-search-c52bfe45b3ac>
"A note about privacy: The personal content index only exists
on the user's device. None of the user's personal content is
uploaded to Google servers and it only remains on the device
while the app is installed. However, aggregated statistics
about apps' usage of App Indexing and other system health
information may be uploaded to Google servers."
PMX and Muntashirakon App Manager will dump the permissions of any given app.
I did not mention the app, that was "Henry The Mole" <henrythemole@mckenziesfarm.old> in his post on June 17, 2024.
I just tried explained how I came to the conclusion that it does not
abuse private data
I also repeatetly suggested *not* to trust me blindly but to ask someone
else
who is able to understand the source code of Heliboard
and maybe even compile your own version based on that code to be sure what you get!
You already mentioned that data gathered on your phone by that Firebase
framework gets send off too somewhere you don't know, but you still
refuse
to consider the possibility that a same-named software "in the cloud",
also
from Google, could be the recipient of it.
If I didn't say it directly, Google is *definitely* the recipient of the Firebase App Index statistics which are uploaded periodically.
Ask yourself: if Google doesn't want to upload that "personal content" to
itself, than why are they gathering it in the first place ?
a. Google isn't gathering the data.
b. The app is gathering the data.
c. But the app isn't uploading that data.
d. The app is storing the data on your device.
e. Google says they only upload "statistics" about that data.
f. Not the data itself.
Andrew wrote:
PMX and Muntashirakon App Manager will dump the permissions of any given app.
Do their lists of dumped permissions correspond with f-droid's list or
the list from aapt2?
Andy Burns wrote:
Do their lists of dumped permissions correspond with f-droid's list or
the list from aapt2?
Yes - see for yourself:
<https://f-droid.org/en/packages/helium314.keyboard/>
The goal is to understand things. To that end, I am far less concerned with >Firebase Cloud Services than with Firebase App Indexing, which is explained >rather clearly below in this cite:
From that alone, it's clear Google is *definitely* the recipient of the >Firebase App Index aggregated statistics which are uploaded periodically.
The simplest way I can summarize what that cite clearly states, is this:
a. Google isn't gathering the data (which is to be found in a local search) >b. The app is gathering the data (to be found in a local search)
c. But the app isn't uploading that data (which it stored on the device)
d. The app is just storing the data (making it available to the search)
e. Google says they only upload "aggregate statistics" about that data.
f. Not the data itself.
In summary, of three things, we only fully know two of them:
a. We know what data each app is storing in the Firebase App Indexing db
b. We know who is uploading that index (google) and to where (google)
c. But we do not know how much of that index google is uploading
Certainly the Firebase App Indexing contains extremely detailed accounts of >your activities, down to every contact you've connected with and every app >you've used and every location you've searched for and which songs and
movies you've viewed, etc.
But Google says they only upload to their servers an "aggregate index". >Whatever that is.
Does anyone know more about what this "aggregate index" actually contains?
I did look, which is why I asked ... the f-droid list is not identical to
the aapt2 list.
Andy Burns wrote:
I did look, which is why I asked ... the f-droid list is not identical to
the aapt2 list.
It would have been nice if you would have mentioned the differences.
Is it possible those are BIND_INPUT_METHOD and BIND_TEXT_SERVICE ?
those are not under "uses-permission", but under "service" -> "permission"
d. The app is storing the data on your device.
Do tell what "the app" is and where I claimed otherwise.
Being the ludite that I am, I had never heard of Firebase, so I turned to Wikipedia (https://en.wikipedia.org/wiki/Firebase). There I found this
among the weeds:
*****
User privacy controversies
Firebase has been claimed to be used by Google to track users without their knowledge. On July 14, 2020, a lawsuit was filed accusing Google of
violating federal wire tap law and California privacy law. It stated that through Firebase, Google collected and stored user data, logging what the user was looking at in many types of apps, despite the user following Google's own instructions to turn off the web and app activity collected by the company.[17] The lawsuit was dismissed in January 2022, with Chief US District Judge Richard Seeborg ruling that a promise to avoid collecting
user data did not amount to a contract.[18]
[17] "Google faces lawsuit over tracking in apps even when users opted
out". Reuters. July 14, 2020. Retrieved July 14, 2020.
[18] "US federal judge dismisses breach of contract claims in privacy
class action against Google". www.jurist.org. January 27, 2022. Retrieved May 18, 2022.
*****
That seems like a very odd decision to me, but there's not really much
detail in that blurb. But it sure adds bulk to the general cloud (no pun intended) of opinion that, "Google is evil". And I would be interested to hear the judge's reasoning in that decision.
Is it possible those are BIND_INPUT_METHOD and BIND_TEXT_SERVICE ?
Yes those are not listed by f-droid
those are not under "uses-permission", but under "service" ->
"permission"
Thanks, wasn't aware of the distinction, but it's still "a permission"
run at startup (why not use the proper name android.permission RECEIVE_BOOT_COMPLETED?
Is it possible those are BIND_INPUT_METHOD and BIND_TEXT_SERVICE ?
Yes those are not listed by f-droid
those are not under "uses-permission", but under "service" ->
"permission"
Thanks, wasn't aware of the distinction, but it's still "a permission"
Also there's no mention of android.permission.READ_CONTACTS
Regarding the DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION, I found this[snip]
Also there's no mention of android.permission.READ_CONTACTS
Although the apk in question doesn't seem to have any way to send the data anywhere, forgetting to mention such a privacy related permission is not good. Luckily the phone itself will still ask for it.
[snip]d. The app is storing the data on your device.
Do tell what "the app" is and where I claimed otherwise.
There are many apps doing it,
The only question that remains unanswered is what is contained in
that index which Google says they may upload to their servers,
If you can answer that question, that would add value for the team.
Not sure why, but when I granted contact access to HeliBoard,
it still didn't show up in the Contacts permission tab though.
Not sure why, but when I granted contact access to HeliBoard,
it still didn't show up in the Contacts permission tab though.
Assuming your phones OS works correctly and should have displayed it, whats your conclusion ?
what I do not see any need for and can be done differently. Which, for this case, I explained that several days back.
I also repeatetly suggested *not* to trust me blindly but to ask someone
else
who is able to understand the source code of Heliboard
I do not have anyone in my neighbourhood who could, or even wanted to do that. They just install the stuff and trust it into high-heaven.
Arno Welzel wrote:
Andy Burns wrote:
Do their lists of dumped permissions correspond with f-droid's list or
the list from aapt2?
Yes - see for yourself:
<https://f-droid.org/en/packages/helium314.keyboard/>
I did look, which is why I asked ... the f-droid list is not identical
to the aapt2 list.
Don't get confused by the naming of the permissions.
Well - if a keyboard app offers to use the names of your contacts
as word suggestion, this can not be done differently.
But feel free to ask someone to fork the app and create a version which
does not have the contact name integration and thus doesn't need contact access either.
Then don't use the app and look for something else since you don't
believe anyone anyway.
We'd need more data which is why the best way to answer your question
is for you (or anyone else who is curious to obtain that answer) to
install
the app & test it and then let us know what it reported.
Arno,[...]
Then don't use the app and look for something else since you don't
believe anyone anyway.
I *thought* we had a discussion about a permission and how its easily a privacy risk. I guess I was wrong.
I think we should end this thread.
We'd need more data which is why the best way to answer your question
is for you (or anyone else who is curious to obtain that answer) to
install
the app & test it and then let us know what it reported.
Kiddo, its really you. *You* do not understand something, and than *we*
need more data.
Don't get confused by the naming of the permissions.
A good reason for f-droid to be consistent in providing them *all* in recognisable android.permission.XXXXX_YYYYY_ZZZZZ format, as well as
their "cuddly" interpretation ...
It's simpler to use permission-reporting tools AFTER the APK is installed.
Andrew wrote:
It's simpler to use permission-reporting tools AFTER the APK is installed.
There's a problem with that approach (though not applicable in this
instance)
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your
entire contact list is already circulating in
China/Russia/Somethingistan ...
Andy Burns, 2024-06-28 10:54:
Andrew wrote:
It's simpler to use permission-reporting tools AFTER the APK is installed. >>There's a problem with that approach (though not applicable in this
instance)
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your
entire contact list is already circulating in
China/Russia/Somethingistan ...
No, since the app has to be started first. An app will not get started automatically just because you have installed it.
On 29/06/2024 10:23, Arno Welzel wrote:
Andy Burns, 2024-06-28 10:54:
Andrew wrote:
It's simpler to use permission-reporting tools AFTER the APK is installed. >>>There's a problem with that approach (though not applicable in this
instance)
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your
entire contact list is already circulating in
China/Russia/Somethingistan ...
No, since the app has to be started first. An app will not get started
automatically just because you have installed it.
if it installs a service it will ...
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your
entire contact list is already circulating in
China/Russia/Somethingistan ...
No, since the app has to be started first. An app will not get started
automatically just because you have installed it.
if it installs a service it will ...
No, not even a service will start automatically. The app must be invoked
by the user once in any case.
Only when the app has a android.intent.action.BOOT_COMPLETED intent
filter (and the respective permission to recieve this event), it may use
this to start a service automatically when you *reboot* your device. But
just installing something will *never* automatically start it.
It's simpler to use permission-reporting tools AFTER the APK is installed.
There's a problem with that approach (though not applicable in this
instance)
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your
entire contact list is already circulating in
China/Russia/Somethingistan ...
Arno Welzel wrote on Sun, 30 Jun 2024 10:03:41 +0200 :
if you install an app which has both READ_CONTACTS permission and
INTERNET permission, by the time you've checked the permissions, your >>>>> entire contact list is already circulating in
China/Russia/Somethingistan ...
No, since the app has to be started first. An app will not get started >>>> automatically just because you have installed it.
if it installs a service it will ...
No, not even a service will start automatically. The app must be invoked
by the user once in any case.
Only when the app has a android.intent.action.BOOT_COMPLETED intent
filter (and the respective permission to recieve this event), it may use
this to start a service automatically when you *reboot* your device. But
just installing something will *never* automatically start it.
I defer to Arno's and Andy's experience (the "A's" on this ng are stellar!) however - I will state a test I ran which shocked me when I ran it.
1. Make sure you know EXACTLY what is in your contacts database
(e.g., put a test entry that is unambiguously brand new).
2. Make sure you do NOT have a Google Account (or any account) set up
on the phone (where the Google Account is the culprit here).
3. Then, install the Google GMail app, and simply run it the first time
(i.e., log into the GMail app to get your IMAP-stored email messages).
Guess what just happened.
Exactly what Andy said would happen.
By default, you got NO SAY in what would happen to your contacts.
You can *change* the default after the fact - but the damage is done.
Google, by default, did two very lousy things in my tests of this.
1. Google unilaterally *created* an account on the Android phone!
2. Google unilaterally *uploaded* your sqlite contacts db to that account!
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 468 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 35:27:09 |
| Calls: | 9,444 |
| Calls today: | 1 |
| Files: | 13,594 |
| Messages: | 6,111,298 |
