Can Google read my Signal messages on stock Android?
I recently asked the /c/Android community what information Google has access to on stock Android, assuming the user is not using any Google apps, and was told Google has full "unstoppable" access to the entire device, including Signal messages, the microphone, duckduckgo search history and anything displayed on the screen at all times.
Does this mean that encrypted messaging is essentially pointless to use on Android? I'm a newb here so go easy on me.

PiraHxCx
in reply to Jediwan • • •Android Open Source Project
Jediwan
in reply to PiraHxCx • • •
Ŝan • 𐑖ƨɤ
in reply to Jediwan • • •I would not expect any privacy from any Android, alþough if þere is any to be had, it'll be from a deGoogled image.
I have not heard anyone claim to have done a complete audit of Android, but even if it has been done on e.g. Graphene, what Google installs on Google phones is anyone's guess, and it's not paranoia to assume Google has backdoors.
cygnus
in reply to Jediwan • • •
Shadow
in reply to cygnus • • •
jenesaisquoi
in reply to Shadow • • •
Jediwan
in reply to cygnus • • •
N0t_5ure
in reply to Jediwan • • •Why Google Play Services Has More Access Than Any App on Your Phone
Faisal Rasool (How-To Geek)
N0t_5ure
in reply to cygnus • • •FWIW, they're not sandboxed from google play services:
Accordingly, google would have access to the Signal data on your phone. However, I don't know whether the encryption would provide a measure of protection against google. GrapheneOS by default does not use google play services, and provides a sandboxed version for people who need the functionality.
Why Google Play Services Has More Access Than Any App on Your Phone
Faisal Rasool (How-To Geek)
Natanael
in reply to N0t_5ure • • •It's possible but complicated.
Since apps have access to the TPM API they can encrypt their own data in such a way that only the app's own authorized processes can retrieve the decryption key from the TPM chip
vrighter
in reply to Natanael • • •
Thorned_Rose
in reply to N0t_5ure • • •
anon5621
in reply to cygnus • • •I will leave just this info here
Technical Data
Subject of Investigation: Google Play Services
Number of Permissions: 277
Operating System: Android 4.4.2 and above
List of Permissions
3.1. Automotive Systems Control
Access to data and control of vehicle components via Android Auto/CarPlay:
- Power windows
- Tire pressure monitoring system
- Rearview mirrors
- Power system
- Mileage data
- Central door locking
- Driving mode management
- Seat adjustment
- Vehicle speed data
- Lighting system (headlights)
- Battery
- Climate control
3.2. User Interface Manipulation
3.3. "Chimera" Component
System component of undetermined purpose.
3.4. SMS Management
Complete control of text messaging functions:
- Sending messages
- Receiving messages
- Reading messages
- Creating messages
3.5. Root-Level System Privileges
Complete device control at root-access level.
3.6. Application Data Access
3.7. USB Management
Control of USB connections and data transfer.
3.8. Identifier Access
Access to all system and user device identifiers.
3.9. Screen Lock Management
Disabling keyguard (screen lock system).
3.10. Mail Services Access
3.11. Network Function Management
3.12. Wi-Fi Management
3.13. Audio Recording
3.14. Geolocation
Complete control of location functions:
- Location determination by all available methods
- Independent enabling/disabling of geolocation services
- "Allocate aggressive" mode (aggressive resource allocation for location determination)
3.15. Payment Information Transmission
Sending payment data without specified recipient restrictions.
3.16. Camera Control
Access to device camera.
3.17. Telephony Function Management
3.18. Permission Management
Manipulation of other applications' permissions:
- Permission backup
- Permission sharing
- Permission revocation
- Permission restoration
3.19. Device Lock Management
3.20. Biometric Authentication
Complete control of biometric identification systems:
- Fingerprint scanner
- Facial recognition (Face ID)
3.21. Notification Management
Manipulation of system notifications:
- SMS notification substitution
- Call notification modification
- Messenger notification modification
3.22. Telephony Function Access
3.23. Bluetooth Management
Control of Bluetooth connections.
3.24. Security Key Management
Google Play Services is one of many pre-installed Google system components. A standard Android installation contains 30-50 additional Google applications with similar or complementary permission sets.
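To check a permission list like the one above against your own device, the following added example (not part of the original post) parses the output of `adb shell dumpsys package com.google.android.gms` and separates what the package requests from what is actually granted. The sample text is constructed and shortened; the section names follow the layout `dumpsys package` prints, which can vary between Android versions.

```python
import re

# Constructed, shortened sample in the layout printed by
# `adb shell dumpsys package com.google.android.gms`.
SAMPLE = """\
  Package [com.google.android.gms] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ GRANTED_BY_DEFAULT ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true
"""

HEADER = re.compile(r"^\s*(requested|install|runtime) permissions:\s*$")
ENTRY = re.compile(r"^\s*([\w.]+)(?::\s*granted=(true|false))?")
SENSITIVE = {"android.permission." + p for p in ("READ_SMS", "RECORD_AUDIO", "CAMERA")}

def parse_dumpsys(text):
    """Return (requested, granted) permission sets from dumpsys package output."""
    requested, granted, section = set(), set(), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if section is None or not m or "." not in m.group(1):
            section = None  # any non-permission line closes the current section
            continue
        name, state = m.groups()
        if section == "requested":
            requested.add(name)
        elif state == "true":
            granted.add(name)
    return requested, granted

def audit(text):
    """Summarise: number requested, sensitive ones granted, requested but not granted."""
    requested, granted = parse_dumpsys(text)
    return {"requested": len(requested),
            "granted_sensitive": sorted(granted & SENSITIVE),
            "denied": sorted(requested - granted)}
```

On a real device, save the `dumpsys` output to a file and pass its contents to `audit()`; a permission that is requested but not granted shows up under `denied`.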
vrighter
in reply to cygnus • • •
Doomerang
in reply to Jediwan • • •this is the response from the president of the Signal Foundation to the question around push notifications and if google/apple can access your messages via this method.
Meredith Whittaker (@Mer__edith@mastodon.world)
Meredith Whittaker (Mastodon)
Jediwan
in reply to Doomerang • • •
sik0fewl
in reply to Jediwan • • •
passepartout
in reply to Jediwan • • •Google only pings your phone via FCM, the Signal App then polls the message itself.
Edit: oops, you meant the pop-up. You can disable them from showing the message.
Natanael
in reply to Jediwan • • •
birdwing
in reply to Natanael • • •
Jediwan
in reply to Natanael • • •
FauxLiving
in reply to Jediwan • • •Screenshot protection doesn't protect you from the system seeing your screen. They're running software with kernel-level access to your system, anything that they want is available to them.
As to what they do with this level of access, I could only speculate.
Natanael
in reply to Jediwan • • •
vrighter
in reply to Natanael • • •
zqps
in reply to Jediwan • • •
who
in reply to Jediwan • • •Google has the capability to read everything that you can read on an Android phone, unless you have taken steps to remove all Google-controlled components that have system-level privileges. Last time I checked, this included Google Play Services, which are installed by default on most Android phones.
Note that messengers with end-to-end encryption, like Signal, cannot protect against an adversary with full access to your device.
This is part of why people de-Google their phones, which usually means replacing the entire OS with something like LineageOS or GrapheneOS.
Jediwan
in reply to who • • •
Autonomous User
in reply to Jediwan • • •
who
in reply to Jediwan • • •Of course not. End-to-end encrypted messaging protects against eavesdroppers in transit. It's an opaque envelope.
(Edit: Keep in mind that Google is not the only potential eavesdropper out there.)
What it cannot do is protect a message from someone reading over your shoulder when you write a message or open an envelope. On mainstream Android, that could be Google, if they choose to abuse their system-level access. On iOS, it could be Apple. And so on.
Those companies might be eavesdropping on sent/received messages already, either at a large scale or in a minority of cases, or regionally, or they might not be doing it at all... yet. But they have the capability. You'll have to decide for yourself whether that risk is acceptable.
James R Kirk
in reply to who • • •But if the ENDS are both compromised... I wish there were more/better custom ROMS out there. Hopefully Linux Phone gets some love.
tehmics
in reply to James R Kirk • • •
James R Kirk
in reply to tehmics • • •Me personally I don't have a Pixel but I looked into Graphene and I'm told banking apps don't work and also tap to pay.
Linux works on pretty much every PC ever and every app can be installed. It would be nice to have that for phones!
pmk
in reply to James R Kirk • • •
James R Kirk
in reply to pmk • • •
who
in reply to James R Kirk • • •If either end is compromised, then there is someone reading over the proverbial shoulder, and the conversation should be considered compromised.
That would be a welcome step in the right direction, as would open hardware.
corvus
in reply to Jediwan • • •
ragas
in reply to Jediwan • • •It is not pointless.
atrielienz
in reply to Jediwan • • •People in the field would love to bust Google for this so it's a safe bet that they are actively looking for Google to log or transmit what you type in the keyboard in every app. The fact that the news hasn't broken that Google is logging this info is important. It means in the realm of possibility it's not impossible but it is unlikely.
Still it's safer to assume all of your communications on stock android are being tracked or spied on.
The same way you assume a weapon is loaded. Better safe than sorry.
Jediwan
in reply to atrielienz • • •
MangoPenguin
in reply to Jediwan • • •
Autonomous User
in reply to Jediwan • • •The system controls its apps. When the system's not libre software, they control it, not you!
Keep Signal. You're helping others escape WhatsApp.
Ardens
in reply to Jediwan • • •
plz1
in reply to Jediwan • • •They own your device keyboard, so they can technically read whatever you type. Whether they send that to the mother ship, I don't know, but it's a risk. That's one example, but same holds true for anything low level, like mic, camera, etc.
pHr34kY
in reply to Jediwan • • •Google Keyboard has network access, so it can theoretically log every keystroke and send it somewhere.
Personally, I installed GrapheneOS which lets me deny network access to the keyboard.
Zerush
in reply to Jediwan • • •
jenesaisquoi
in reply to Jediwan • • •
MTK
in reply to Jediwan • • •Simple answer is no but...
Stock android, like all commercial OS is inherently spyware. Google does have access to it and in theory could do anything, but that is only "in theory" because as far as we know stock android does not come with keyloggers and data exfiltration tools, it spies on you in the way of "telemetry" meaning that Google decided that certain data is useful and so they "anonymize" it and collect it, this data can be: wifi networks, location, phone usage, and more.
So in theory it is possible that stock android either already has spyware to collect personal app data that no one ever noticed (very unlikely) or that google will push an update with such software (somewhat unlikely)
Now if you use other Google apps, especially gboard and google assistant, you are definitely sharing SOME amount of personal text with google.
The reality is that you should consider your threat model, which means to consider what kind of risk you are willing to take and what kind you are willing to make a change to avoid. It is perfectly reasonable to say that you are not willing to use gboard or google assistant, but you are willing to use the stock android, understanding that you are sharing some data with Google, but most likely no app data (such as your texts in Signal)
Same thing about choosing a messenger. WhatsApp is made and managed by Meta, a company that lives off of user data. So even though WhatsApp claims (and seems to really be) end to end encrypted, you can still be sure that Meta is collecting everything they can, which probably means: who you are texting, how much, at what time, how much you use the app, location, and much more. Signal is open source and managed by a non-profit that does have a good track record, and because it is open source you can also choose a different client (like Molly) which further reduces the Signal Foundation's hold on your chats (if you fear that) So you could say that because all of your friends use WhatsApp you are willing to accept that Meta will collect a bunch of data on you, or you could decide that you are not okay with that data collection and therefore choose Signal. It is up to you. In any case, E2EE is a must as it protects you from unauthorized access from hackers.
eldavi
Unknown parent • • •
pHr34kY
Unknown parent • • •I denied play store network access too 😆.
Seriously, some apps just check if it's installed or not. I use Aurora for actually downloading apps.
mistermodal
in reply to Jediwan • • •Is the most sophisticated surveillance apparatus in history going to ignore you just because you're a little guy and it has a legal corporate frontend? Google has guys who planted bombs in the pagers of Lebanese doctors to get at Hezbollah working in their offices. They are one of the most important business partners of the organizational umbrella Guantanamo Bay falls under. Security by obscurity? I don't think so man. Being a blurred image in the corner doesn't mean you won't be counted as an illegal combatant by the glorious Pentagon battle computers. There's this misconception people have that there is a rational limit to the surveillance even while they see articles about how many nuclear reactors would be needed to scale the US AI griftdustry. This is the country that famously put little children on the no-fly list because they were automatically marked as relatives of citizens of concern.
Signal is not trustworthy. Firebase notifications is not trustworthy. Google, ditto. Your phone's hardware itself...