AdUps software installed for OTA?

[silversolver 849]

Just now, Raksura said:

The original report made to the US government for Adups being a spyware is available here. There should be another report that showed how they continued, from what I can tell by skimming articles.

... And you actually made my point moot while I was writing my post by telling us that yes, it's a spyware if either you or they choose it to be. On a over-the-air updating software. Sorry, is that not really blatant malware?

Waxberry clearly believes that the company will honor the terms of their agreement and not spy on the Pro1's customers. The remark "Adups has changed their service since last year and there should not be things under the table" makes me think GDPR forced them to change some things.

[Zamasu 258]

This solidified my intention to install LineageOS. Glad to see that there's already progress for that.

 

[silversolver 849]

27 minutes ago, Zamasu said:

This solidified my intention to install LineageOS. Glad to see that there's already progress for that.

 

It seems like Adups was selected in the effort to find something they could afford that would assure easy, seamless updates for the two users who will actually use the stock firmware. If Waxberry is convinced that the company is going to do the right thing, I see no reason we should doubt that. I will probably add LineageOS myself, but primarily to get rid of the GcrApps and add long press on back button to kill the running app.

[netman 1,424]

18 minutes ago, silversolver said:

It seems like Adups was selected in the effort to find something they could afford that would assure easy, seamless updates for the two users who will actually use the stock firmware. If Waxberry is convinced that the company is going to do the right thing, I see no reason we should doubt that. I will probably add LineageOS myself, but primarily to get rid of the GcrApps and add long press on back button to kill the running app.

There is not too many choices outside Google's updater, Adups and making your own I think (and before certificatio Google's updater is not an option, homebrew solution is not an easy thing). Adups is haunted by it's past but I trust Waxberry knows his stuff 100%, as evidenced by the phone as a whole :). Nevertheless it's good people asked, so that if people question it they find answers.

As a sidenote, the allegations against Adups in that pdf I linked are relatively easy to verify. If people are still concerned by the time I have my phone I'm willing to investigate :-).

Edited November 26, 2019 by netman
typo

[glumreaper 144]

This seems ... worrying. To me it comes down to whether or not I trust FXtec.

To clarify: it seems proven that Adups is on the Pro1, from the response (side note: hey looks like FXtec are watching the forums!)

But I personally don't know the software. I don't know the state of the OTA provider software ecosystem. I don't know (but I guess I could find out) if the Pro1 has been certified. All I know is that Adups is on there, and the rest I will have to research.

Edited November 26, 2019 by glumreaper

[Maplesteel 97]

Fxtec - you all have been quite open, and for that I'm pretty grateful as a recovering long-time lurker. I trust Waxberry at this point to deliver a functioning non-spying device, possibly with future adups removed now that Google Certification means it is no longer needed. I say that not by blind faith, but because I know from a pragmatic standpoint, Fxtec is not going to let anything run in the software that would hamper sales.

That said, is AdUps prevented from spying by contractual obligations, or by technological means?

I will be installing LOS regardless, and was planning on it beforehand.

 

[elvissteinjr 359]

43 minutes ago, glumreaper said:

To clarify: it seems proven that Adups is on the Pro1, from the response (side note: hey looks like FXtec are watching the forums!)

If you don't want to believe anyone, you can find traces of it in the fastboot image posted in the forum as well.

There's also this claim on their website:
"Recently, We have launched the updated version Adups FOTA V 5.5, which has been certified by Google Security Team. We hereby request the relevant partners and users to update to Adups FOTA V 5.5 in time.Thanks!" (how the heck do I quote random text? The quote button does nothing)

Google Security Team... do you trust them?

[EskeRahn 5,427]

49 minutes ago, elvissteinjr said:

If you don't want to believe anyone, you can find traces of it in the fastboot image posted in the forum as well.

There's also this claim on their website:
"Recently, We have launched the updated version Adups FOTA V 5.5, which has been certified by Google Security Team. We hereby request the relevant partners and users to update to Adups FOTA V 5.5 in time.Thanks!" (how the heck do I quote random text? The quote button does nothing)

Google Security Team... do you trust them?

Currently using version 5.26 (And no that is not "5.2.6"), so long AFTER 5.5. Their 5.5 is from late October 2016

[Craig 1,435]

Odd numbering, to me 5.5=5.50=5.5000000000000000000000000000000000000000000000000000

[netman 1,424]

Just now, Craig said:

Odd numbering, to me 5.5=5.50=5.5000000000000000000000000000000000000000000000000000

pretty normal for software versioning though major.minor versions, major number only changing when serious overhaul of the code completed

[Raksura 270]

3 hours ago, Maplesteel said:

That said, is AdUps prevented from spying by contractual obligations, or by technological means?

Contractual, I believe, since it has a remote root access on your device so that it can install/update any software/firmware it needs/wants to, that's its actual purpose as a FOTA. From what I understand, it is also purposefully meant to also have spyware functions if needed for device manufacturers in countries (or companies) in which regulations either do not forbid or require the presence of this kind of malware. I don't think any of us is actually arguing that this is not potential malware, just that F(x)tec is paying extra for it not to be (or maybe it's the opposite and F(x)tec actually pays less but does not get the spyware option). I really expected them to just tell us that this was a mistake, and am baffled that it is not. Since, by design and purpose, Adups it is in charge of software & firmware on your device, turning itself into a spyware should be trivial, but yes, it would be a breach of contract. If I understood the article I've linked a previous post, that company got caught in such a breach of contract in the past, hence my surprise at seeing it still considered "acceptable". With that kind of power, you shouldn't get a free second chance after that, let alone a third (and yes, this last one is what you call the secure "5.5" version).

Considering the Pro1 is very open, this does not doom what is otherwise a wonderful device in my eyes. I just am going to never use whatever images had this installed on them at some point. But considering that was there, I am also not going to blindly accept images for other OSes from F(x)tec without checking what's on it first, since we apparently strongly disagree on what constitutes a trustworthy source of software. And no, considering the aforementioned nature of this particular software, having one version considered "secure" is not going to do anything to reassure me (guess who chooses which version is currently installed on your device?). I also suspect that the very concept of FOTA is not something I'd ever consider to be sane for critical device (I know for a fact that it is strictly forbidden to use it on the types of critical systems I study. Considering smartphones have access to your emails - and thus most online identities, including medical/shopping/banking websites -, I'd argue smartphones can be critical), considering how frequently companies are revealed to have been breached. But I've also seen how easily basic security gets thrown out the window for the smallest conveniences.

Edited November 26, 2019 by Raksura

[Craig 1,435]

31 minutes ago, netman said:

pretty normal for software versioning though major.minor versions, major number only changing when serious overhaul of the code completed

I'll argue with you about this elsewhere, but I dont recall ever seeing that ever.  So i.e. dos went from 6.2 to 6.21 there were actually 19 versions inbetween, not just a minor bump?  NT 3.5 to 3.51?   Look at linux kernels, same kind thing, everything I can think of.

Edited November 26, 2019 by Craig
edit: I stand corrected. MacOS.

[netman 1,424]

1 minute ago, Craig said:

I'll argue with you about this elsewhere, but I dont recall ever seeing that ever.  So i.e. dos went from 6.2 to 6.21 there were actually 19 versions inbetween, not just a minor bump?  NT 3.5 to 3.51?   Look at linux kernels, same kind thing, everything I can think of.

Windows versions are somewhat arbitrary unless we will argue that XP is a number... This used to be the common way to count back when, but nowadays it seems more popular to just count as per eskes interpretation of the number (which I am sure is correct, there'd be no reason to have an old version). Wikipedia covered this topic here https://en.wikipedia.org/wiki/Software_versioning#Incrementing_sequences

[EskeRahn 5,427]

9 minutes ago, Craig said:

I'll argue with you about this elsewhere, but I dont recall ever seeing that ever.  So i.e. dos went from 6.2 to 6.21 there were actually 19 versions inbetween, not just a minor bump?  NT 3.5 to 3.51?   Look at linux kernels, same kind thing, everything I can think of.

I know this is cursing here, but have you heard about a fruit company and their mAcos? 10.0, 10.1, ....10.15, see e.g. wiki

[ksal95 227]

21 minutes ago, EskeRahn said:

have you heard about a fruit company and their mAcos?

Jesus man, my kids are browsing this forum.  Please spoiler 18+ comments!

 

Lol, I don't have any kids

😁

Edited November 26, 2019 by ksal95

[Raksura 270]

3 hours ago, elvissteinjr said:

There's also this claim on their website:
"Recently, We have launched the updated version Adups FOTA V 5.5, which has been certified by Google Security Team. We hereby request the relevant partners and users to update to Adups FOTA V 5.5 in time.Thanks!" (how the heck do I quote random text? The quote button does nothing)

Google Security Team... do you trust them?

Not to do a thorough investigation, clearly. From the more recent presentation made by the team that exposed them on the previous version, 5.5 is still a spyware, it's just a bit more covert about it.

Edited November 26, 2019 by Raksura

[EskeRahn 5,427]

8 minutes ago, Raksura said:

Not to do a thorough investigation, clearly. From the more recent presentation made by the team that exposed them on the previous version, 5.5 is still a spyware, it's just a bit more covert about it.

Your "more recent" is still 2½ YEARS old... Would be nice with something ... eh ... recent on the subject.

[Raksura 270]

10 minutes ago, EskeRahn said:

Your "more recent" is still 2½ YEARS old... Would be nice with something ... eh ... recent on the subject.

Which is the date at which version 5.5, the one that kept being cited as showing how Adups is trustworthy, was relevant. I don't know about their next version. Are you saying that it doesn't matter because despite versions before 5.5 being openly admitted as spywares, and their secure version that is 5.5 being denounced as such, surely version 6, or whatever's the current one, is no longer is a spyware? If so, I have some bridges to sell.

Edited November 27, 2019 by Raksura

[elvissteinjr 359]

19 hours ago, Raksura said:

Not to do a thorough investigation, clearly. From the more recent presentation made by the team that exposed them on the previous version, 5.5 is still a spyware, it's just a bit more covert about it.

I'm not even trying to defend them, but rather check on my own what I can regarding this.
Let's see, though...
"com.adups.fota, com.adups.fota.sysoper, com.data.acquisition, com.fw.upgrade, and com.fw.upgrade.sysoper (bolded apps execute as the system user)"
I can only work with the fastboot images as I don't have a device to check for real, but those images only contain com.adups.fota and none of the other apps. There's no trace of AnalyticsReceiver either except surrounding text that appears to be related the Google Analytics API. dc_app_flow doesn't appear anywhere either, nor does com.msg.analytics.AnalyticsReport.

No, this does not rule out anything by far. Especially since the app's nature is to download and execute code from a remote source. I'm also merely searching the image file with a hex editor, but that worked well enough to find data of AdUps itself (call this unprofessional or foolish, if you want, eh).
What it shows however is that this version of AdUps appears to be different to the one in the report to some extent. Weirdly enough, the parts indicated to be responsible for sending the data are not present in that form anymore. Maybe they're hidden better, maybe they're gone. Somebody needs to control the outgoing traffic of the device to be sure. I'm not 100% trusting this either.

I do not think F(x)tec willingly put spyware on the phones, however. 

Edited November 27, 2019 by elvissteinjr
how does type

[SchattengestaIt 559]

Although I understand your point, Waxberry, but a Google certificate says nothing about privacy and security nowadays.

Google collects all data it can get. Facebook isn't any better but had (as far as I know)many more data leaks. Whatsapp seems to have shared with Facebook partners (not caught yet) which would be highly illegal, but also a justification why Facebook paid 19 billion for it.

These apps are not called spyware, but in my view they really are. They collect data without your permission and sell/use it for their usecase. And that may applies for the named app here, altouth they may have not been caught yet.

[Raksura 270]

8 hours ago, elvissteinjr said:

I'm not even trying to defend them, but rather check own my what I can regarding this.
Let's see, though...
"com.adups.fota, com.adups.fota.sysoper, com.data.acquisition, com.fw.upgrade, and com.fw.upgrade.sysoper (bolded apps execute as the system user)"
I can only work with the fastboot images as I don't have a device to check for real, but those images only contain com.adups.fota and none of the other apps. There's no trace of AnalyticsReceiver either except surrounding text that appears to be related the Google Analytics API. dc_app_flow doesn't appear anywhere either, nor does com.msg.analytics.AnalyticsReport.

No, this does not rule out anything by far. Especially since the app's nature is to download and execute code from a remote source. I'm also merely searching the image file with a hex editor, but that worked well enough to find data of AdUps itself (call this unprofessional or foolish, if you want, eh).
What it shows however is that this version of AdUps appears to be different to the one in the report to some extent. Weirdly enough, the parts indicated to be responsible for sending the data are not present in that form anymore. Maybe they're hidden better, maybe they're gone. Somebody needs to control the outgoing traffic of the device to be sure. I'm not 100% trusting this either.

I do not think F(x)tec willingly put spyware on the phones, however. 

I am guessing that this is due to the Pro1 being

11 hours ago, EskeRahn said:

Currently using version 5.26 (And no that is not "5.2.6"), so long AFTER 5.5. Their 5.5 is from late October 2016

From what I understand, the "Adups FOTA V 5.5, which has been certified by Google Security Team" would actually trigger alarms from current anti-viruses.

But sure, if people are convinced that now that it's at version 5.26, there's no way it's going to be yet another spyware, go ahead. I'd just feel compelled to warn you against any offers to buy the Brooklyn bridge, is all.

Edited November 27, 2019 by Raksura

[Krzysieq 55]

So how are LineageOS and SailfishOS coming along? :) Any known ETAs on these being ready to work on a "daily driver" device?

Edited November 27, 2019 by Krzysieq

[SteffenWi 139]

10 hours ago, Craig said:

I'll argue with you about this elsewhere, but I dont recall ever seeing that ever.[...]   Look at linux kernels, same kind thing, everything I can think of.

Uhm, what? Linux Kernel does it the same way as described above. We are currently at version 5.3.13, before that was 5.3.12. Current longterm kernel is 4.19.86 and before that was 4.19.85 and you will find there also exists a 4.18.2 version, for example. The numbering is completely continouus, the only 'arbitrary' thing is when Linus decides to jump from one major to the next (so 2.* to 3.* to 4.* to 5.*). By his own words he decides to jump when the minor gets 'too big'. That is different from most software projects where a jump in the major version indicates an overhaul or a massive influx of new features.

 

You can read more about all of that over here -> https://en.wikipedia.org/wiki/Software_versioning

[_DW_ 628]

If you are security minded you won't use OTA and only use images that you make your self so you know what is compiled in. 

But FXTEC are making a consumer device and need to provide standard services that all other providers give and OTA updates is EXPECTED.  When you get it wipe it simple!

[Noob 158]

19 hours ago, abielins said:

I'm super disappointing if this is really being used. Installing secret spyware feels like a slap in the face to paying customers.

Overreactions like this don't really help the discussion.  I posted this late last night, and on reflection I wondered if I should have quietly emailed support instead.  In the end I still feel justified raising it in the forum, but let's be sensible.  I'm not surprised @Waxberry took offense to this.

18 hours ago, Waxberry said:

This is not secret spyware. This is our OTA server partner. Also GDPR comply. 

Adups has been used by multiple OEMs and their record is reliable. 

I don't know why you called those spyware but if there is any problem you found or issues discovered, we can certainly resolve together with them. But if you think in that bad way simply because you don't know or don't heard about it that is not very responsible accusation and it did hurt our team. If you don't trust us DON'T buy it!

Please don't get me wrong; I don't think for a second that F(x)tec is doing something untoward or can't be trusted.  I totally support this company's products and everyone's hard work.   @Waxberry your passion for KB phones is very evident from your posts on TMO and the old IGG comments, and I appreciate you're not a "PR guy", but the above response is a bit tone-deaf in my opinion.  I don't know the reason why AdUps was chosen instead of Google, but I'm guessing there were commercial necessities that dictated this choice and I'm sympathetic.   But as others have pointed out, you can't say "their record is reliable" when it's clearly not.  

18 hours ago, Waxberry said:

As OEM perspective, there is different way working with FOTA suppliers and there is an option paying for no tracking and tracing. 

Adups has changed their service since last year and there should not be things under the table. If anyone has found any we will definitely raise the issue to them as this is not what we intended and not as on agreement.

Yeah it should be above board, but this is something outside of your control, it's really up to AdUps to do the right thing.  And while I appreciate that there are contractual obligations, GDPR, Google certification, etc, that doesn't stop them from breaching those things and grabbing data they shouldn't if they have the technical means.  Given this is a root application that can change its behaviour in future it's matter of trust in the end, and I don't trust a company that has been caught out once, let alone twice (again, I'm not referring to f(x)tec here).  Certainly not with a device that has so much of my life on it.

I understand this is, to some extent, subjective, and I know I'm in the minority.  I'm sure many (most?) people are comfortable with a company that has "reformed" and no longer steals your data, else no one would be on Facebook.  I'm not going to judge f(x)tec for choosing AdUps for OTA because I don't know the factors in the decision and even though I would have thought Google was a better option I trust you had compelling reasons.  In my case though, choosing Google for OTA is a moot point given I was trying to scrub GApps from my phone anyway. 

So, back to my opening question, will there be another way to update apart from OTA?  

Edited November 27, 2019 by Noob