Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Cellphones Privacy

Motorola Is Listening 287

Posted by Soulskill
from the knows-when-you've-been-bad-or-good-but-doesn't-bring-you-presents dept.
New submitter pbritt writes "Ben Lincoln was hooking up to Microsoft ActiveSync at work when he 'made an interesting discovery about the Android phone (a Motorola Droid X2) which [he] was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel.' He found that photos, passwords, and even data about his home screen config were being sent regularly to Motorola's servers. He has screenshots showing much of the data transmission."
This discussion has been archived. No new comments can be posted.

Motorola Is Listening

Comments Filter:
  • It's motoblur... (Score:2, Informative)

    by Anonymous Coward on Tuesday July 02, 2013 @01:43PM (#44168061)

    It's a server side social service from motorola,see

  • Achievement Unlocked (Score:5, Informative)

    by blincoln (592401) on Tuesday July 02, 2013 @01:51PM (#44168163) Homepage Journal

    "An article you wrote for your personal website has appeared on the main page of both Slashdot and Hacker News, and you were not the submitter in either case."

    I haven't logged onto this account in ages, but if anyone has any questions, I'd be happy to try to answer them.

  • by swillden (191260) <> on Tuesday July 02, 2013 @01:55PM (#44168221) Homepage Journal

    This is just Google collecting all of the worlds data, just like they said they were doing to do.

    The Droid X2 was released on May 11, 2011. Google announced their intention to acquire Motorola Mobility on August 15, 2011, and completed the acquisition on May 22, 2012.

  • Re:Don't you know... (Score:5, Informative)

    by Joce640k (829181) on Tuesday July 02, 2013 @01:55PM (#44168227) Homepage

    I think it might be this: []

    Lots of phones/providers sync your personal data for you in case you lose your phone.

    (And I'm sure there's an option somewhere to turn it off, although you never know with big corporations...)

  • by h4rr4r (612664) on Tuesday July 02, 2013 @02:01PM (#44168319)

    You can have a custom rom that is not rooted.
    I do.

    Why do people confuse these?

  • by blincoln (592401) on Tuesday July 02, 2013 @02:38PM (#44168821) Homepage Journal

    In the absence of a better answer, I would go with the model I used for this testing:
    Build a Linux system that acts as the sole gateway between your internal network and the internet (whatever means you are using to connect to the internet). Set it up with an intercepting proxy like Burp Suite or OWASP ZAP, and install the signing cert on your devices. Configure all of your devices to proxy HTTP and HTTPS traffic through that intercepting proxy. This will let you see nearly all HTTP and HTTPS traffic, and optionally to modify that traffic as it passes through.
    That system can either just be a gateway for some other device (e.g. your wireless router), or you can set it up to perform the DHCP and other functions for the other devices on your network.
    It would probably also be helpful to set it up as the DNS server so that if you end up needing to look at something that requires spoofing DNS, you're all set.

    Mode 1 - for everyday use:
    Use iptables to forward all traffic from the internal interface to the external interface.
    Run network captures to see traffic patterns and anything that is unencrypted which is not going through the intercepting proxy.
    When you see something interesting that is non-HTTPS (e.g. via a network capture) but is encrypted, temporarily switch to Mode 2, or if necessary (like it was in the case of the XMPP traffic here) selectively forward it (again, using iptables) to a custom MitM proxy.

    Mode 2 - for special cases:
    Run Mallory on the gateway instead of the regular iptables forward.
    This is only for special cases because Mallory will impose a noticeable slowdown.

    I'm working on a ground-up build doc for this type of system that will go into a lot more detail. It can be run in VirtualBox or another virtualization platform.

    The only thing it may not do is the sandboxing requirement you listed, depending on what you're hoping for. It's also not super-straightforward (especially Mallory and any custom MitM stuff you need to do), but it's a lot easier than it used to be, especially since the intercepting HTTP/HTTPS proxy takes care of nearly all of the traffic these days.

  • by donutello (88309) on Tuesday July 02, 2013 @09:18PM (#44172073) Homepage

    The idfa feature has nothing to do with Apple tracking you. It has everything to do with *others* tracking you - or rather, limiting how others track you.

    Prior to iOS6, third party apps would access your devices UDID and use it to track your device. There was no way for a user to disable or limit this. In iOS6, Apple shut that down and forced advertisers to use the idfa instead. The idfa is something you as a user can reset or turn off to limit how advertisers track you. The feature is a pure win for user privacy and anyone who claims otherwise is either a complete idiot or thinks his audience is.

It is not well to be thought of as one who meekly submits to insolence and intimidation.