UserPrivacyPolicy
Those of you who may have read the issue post can guess that I'm not happy about having to do this. It's not that users should not be guaranteed privacy by using this application via play store. Rather I continue to be disgusted at the way Google chooses to operate their collection of private user data. This app collects no data, personally identifying information, nor does any private data go from this application to a central source with the consent of this developer. There is a plethora of device specific information available through the developer console which I have access to, but I did not put it there. Instead this is a built-in "feature" of the Android API which gets integrated into anything you run by the system. We have now been informed that a unique advertising ID associated with the Android phone and that the analytics devil is unusually sensitive about the possibility of developers employing this essential build item to the point that this notice, and a rebuild, and a painful upgrade of the recently obsolete Gradle config files are required to keep the app from being blacklisted on the Play Store. Make what you will of this.
Any reasonable person who is using this application is probably technically able, code savvy, and intelligent enough to understand an appeal that this nonsense is all Google. A hacker ethic and pride in the open source tinkering I work on as a hobby. I do not put malware nor spyware like the Google FireBase API into my code and it's a little insulting to suggest that I would do this to supportive users of a "hacker punk" app which I am happy to say as a math major that I developed from scratch. This is not to say that I do not have a short list of pentesters who probably use the app that I would like to hack, just that this is not the venue.
Let's give an overview of what limited subset of Android permissions are required for the Chameleon Mini Live Debugger app to provide any functionality that is worth using. In other words, as any casual Android developer is introduced to on coding session one has gotten used to, the Android API plays fast and loose with its choices of groupings of permissions which apps must accept as a whole. The following permissions are about as negligible as you can ask for from any modern Droid...
-
Photos/Media/Files (read the contents of your USB storage) This is necessary for the app to perform XModem uploads. We require a source for the bits which are pushed to your Chameleon device, unless you are exclusively using the stock card images provided in four flavors by the Android RAW resources bundled with the app, this means data must be taken off the phone.
-
Photos/Media/Files (modify or delete the contents of your USB storage) Similarly, when a card image is downloaded via XModem from your Chameleon device, these important bits cannot be directly pushed into the Google cloud ether. We require that your phone is the intermediary which requires storage before Google assumes your files as a part of their archiving process to protect the sanctity of your virtual data. In so much as this permission is also required to run the app:
-
Storage (read the contents of your USB storage) Yes. XModem uploads sourced from the file system do require this functionality.
-
Storage (modify or delete the contents of your USB storage) This assertion is only partially true. Distinct applications have their own work space and permissions (the Droid is a Linux after all). The app could potentially overwrite files on your device. However, this concern is over a logic error which would be promptly addressed by the developer if it were to arise. Sorry Google.
-
Other (full network access) This is the only possibility which should be vaguely concerning. Unfortunatley, Google has chosen to structure their API such that the same "download manager" which is used to slap your XModem card binary off to disk gets bundled in with the same web browser download rights so to use one, one must necessarily open up access to the other. I guess that the use of the download manager could be replaced by something else with less animation value for the user, but it's going to take a persistent user with a really good set of concerns to make me get around to changing that code. So yes, Google, we have internet access put no programmatic means built-in to exploit it.
I would estimate that at least some non-negligible percentage of the populaqtions who keep an NFC sniffer / crasker interface at hand on their phones are concerned about privacy, let's estimate, for practical reasons. Now as long as I'm not the target here, I don't have a problem with people who have developed technical skills. In fact, based on this which has just royally pissed me off and set me over the teetering edge with Google, I will finally just advise any user: DO NOT INSTALL THIS APP WITH THE GOOGLE PLAY STORE! It's not difficult to custom build the app from source, and there's no tampering of the binary which Google modifies when it is uploaded. Those who are not comfortable enough fixing a Java line or two between builds can safely install the signed binary APKs provided on the releases page linked above. These have not been repackaged by a second source and can be considered as good as from my box to yours.
This is BS from the perspective of someone who maintains software where one can just go look at what it does! And I have to say the lines of Java don't really do all that much. The time that really required effort was spent on the GUI and it looks nice. Fu@k you Google, my most sincere regards on this matter back up yours.
=====
The righteous ol' Ben symbol is a powerful expression which cannot be appreciated by some. I have decided to place his likeness on this page to watch over our privacy and rights, and to make me feel better about this just bad feeling I have in my stomach about compromising my better judgement to keep this app online. This may seem like a small inconvenience but it's actually acutely disturbing if you really think about what they are doing on a large scale. This (or hundreds of) apps today, then tomorrow and no one can ever really complain or do anything about it. I have had my email hacked, as in cracked illegally accessed mauled, and I became aware of it. The location records which Google keeps on its security site are insufficient to move enough ground to get a federal judge to force Google to investigate what would have been telling logs. This happens all of the time, to me and to others. Google is aware of it, but has yet to be compeled into taking appropriate accountable action to prevent it. Small beans, some might say.
I had my previous cell phone unbelievably mauled by the scourge of an all invasive piece of spyware marketed as mSpy. I was able to verify it had been installed, obtain IP addresses API keys which uniquely identify the purpetator of this attack, and more by the developer options I had running on my phone. I unlike many would have perhaps made an appointment with the local Atlanta police. The officer met with me, listened to my concerns, and informed me that he had obtained his engineering degree from a rival university. The reality was not that I didn't get listened to, but that it would take an act of a British ambassador, after the approval of some US ones, to compel the source company that profits from this offshore convenience to reveal (by court order only) the identify to the user associated with the unique keys off the phone to this detective, much less to me. I don't feel that we can logically associate how my devices were hacked with what happened today. But the same basic principles apply here.
Whether others will choose to recognize this or not, what happened today is 1) legally binding; 2) will never be adequately responded to by Google without an act of God; and 3) Compromises the integrity of my accounts as well as others. What's worse about this is that for all legal arguments that a lawyer could ever throw at this, I have incriminated myself and admitted to being complicit for this privacy violation that they suddenly alleged this week, but not last or six months ago when it would have been relevant. It also cheapens my experience of at least informally to others I know get to brag about my hacking eliteness with no questions being asked there. I will probably not be able to drop this tomorrow, or next week. What can one do in this situation. While I implore some intelligent individuals to thoughtfully respond to this, I leave ol' Ben dead, unrevived but I'd like to believe still capable of getting pissed off in spirit about this sort of thing.
Please tell me that this isn't going to be like my inheriting a distaste for reading the 2600's. That was disappointing then, as it killed an enjoyment for being included in a secret society of zine readers due to some other four letter word who chose to hack me then because I didn't want him then, and because an actual attempt on a female who could best him at summability methods then as now, and could do this instead. To remain nameless and since otherwise Googled into obscurity. It's not OK that this happened on my hacker app today. Nmap, cannot be touched with the exception of by it's creator and of course RedHat -- or else -- tcpdump, only to source installs -- or else. (What else have I missed which is a sacred cow to the zine editor crowd?) Why is this morally acceptable here? Perhaps it's my choice of user icons which some men must suffer -- or something else less tangible to the hardware hacking experience that we all must let slip in this case. I'm going to try to ignore this for a few days, but if I don't start accepting this eventuality of the Google software, ALL of the user icons will have bitch tits -- and ALL of my themes will become pink and pretty. Because this binding legal document is sufficient notice that the open source license is hereby restricted until further notice. The app will become a chick app and users will have to use it in this way. Little boys who know who they are -- and none of them live in Germany, let's point out -- really ought be more principled in their hacker ethics -- little ol' me thinks. I wouldn't take away your right to live, but I think I'd like it better if you existence were made bright pink, ...
