幹壞事是進步最大的原動力
剛剛在「How to Android without Google」這邊的文章裡看到「How to Android without Google [easy way]」這篇指南,說明如何弄出一個沒有 Google 專屬套件的 Android 環境。
主要是 LineageOS 當作底層基礎 (作業系統),然後用 microG 提供 API 相容層,並且用 F-Droid 安裝 Open Source 軟體。
裡面有兩個方案以前沒看過,一個是 XPosedFramework,提供框架讓使用者有更強的控制力,更完整的說明可以參考「Xposed Framework + App Settings 為每個 App 設定不同的運行模式」這篇。
另外一個是 Yalp Store,當軟體只在 Google Play 平台上提供安裝的時候,就需要透過這個套件了 XD
主要是記錄下來,完全不靠 Google 目前還是有點難度:「De-Googling my phone」。
主要是刷機成 LineageOS (還是 Android),然後上面不裝 OpenGApps,而是靠其他軟體來補足... 在英文版維基百科的「List of free and open-source Android applications」也有不少資訊可以看。
另外一個蠻重要的應該是 microG Project,不過在文章裡沒提到...
Telegram 推出新的 client,叫做 Telegram X:「Telegram X: Progress through Competition」。
全新打造:
The Telegram X project features apps written from scratch, with an entirely new code base and without all the legacy components that our older apps have accumulated through the years.
然後包括 iOS 版本與 Android 版本都有對應的版本:
The goal of Telegram X is to reinvent Telegram and explore new frontiers in speed, ease of use, quality of animations and all other aspects. Today we are glad to present two new official apps – Telegram X for Android and iOS.
就裝起來玩看看,不知道實際的感覺會有什麼差異...
忘記在哪邊看到的,分析 Android APK 檔的軟體:「Droidefense: Advance Android Malware Analysis Framework」。
Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.
Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.
看起來是輔助用的工具... 先記錄下來 XD
在「就算關掉 Google 的定位服務也還是會蒐集位置資訊...」這邊提到的蒐集問題,南韓出手調查了:「Regulators question Google over location data」。
Regulators in South Korea summoned Google (GOOGL, Tech30) representatives this week to question them about a report that claimed the company was collecting data from Android devices even when location services were disabled.
英國也在看情況:
U.K. data protection officials are also looking into the matter.
美國與歐盟其他國家反而還沒看到消息... (不過美國有可能是以訴訟的方式進行)
就如標題所寫的,Quartz 獨家刊出來的新聞,即使你關掉 Google 的定位服務,Google 還是會蒐集你的位置 (而且跟 Google 發言人確認後也證實):「Google collects Android users’ locations even when location services are disabled」。
而且是全背景作業,在你沒有開定位服務,沒有插 SIM 卡,也沒有跑任何 app,他就會將定位資訊傳出去:
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
從今年年初開始這樣搞的,Google 發言人只宣稱這個資料並沒有被用來整合到「network sync system」,並且會立即丟掉 (所以你還是不知道被用到什麼地方):
“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said in an email. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”
這句話的意思其實代表著是丟掉 raw data,改以統計的方式轉移存到其他系統。
另外 John Gruber 在「Google Collects Android Users' Locations Even When Location Services Are Disabled」其實寫的更直接:
If they were “never used or stored”, why did they start collecting them in the first place? This is like a kid caught with their hand in the cookie jar saying they weren’t going to eat any cookies. Sure.
白話一點就是「你當我傻逼啊」。
應該會促進 microG 的發展... (參考「microG 的進展...」)
留在 tab 上的東西,忘記在哪看到的... microG 發佈了新的專案:「LineageOS for microG」。
microG 是 Android 上 Google 服務 API 的重新實作 (所以 open source),不像 Open GApps 還是屬於 proprietary software。
這次的事情是 microG 的人 fork 了 LineageOS 專案,因為 LineageOS 專案拒絕 microG 的 signature spoofing patch:
Why do we need a custom build of LineageOS to have microG? Can't I install microG on the official LineageOS?
MicroG requires a patch called "signature spoofing", which allows the microG's apps to spoof themselves as Google Apps. LineageOS' developers refused (multiple times) to include the patch, forcing us to fork their project.
另外也提到了他們覺得拒絕的原因很鳥:
Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?
No. LineageOS' developers hide behind the "security reasons" shield, but in reality they don't care enough about the freedom of their users to risk to upset Google by giving them an alternative to the Play Services.
The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps.Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
於是就 fork 了新的專案... 就觀察看看吧。
在「大家在吵漢堡的 Unicode 呈現...」這邊在吵漢堡,然後有人就開始找事了 XDDD
Hmmmm, Google, this is not how beer works pic.twitter.com/rLsmThcLKM
— Thomas Fuchs (@thomasfuchs) October 29, 2017
然後有點煩 XDDD
Fixed. pic.twitter.com/FwIJXe7IaA
— svbl (@svblxyz) October 30, 2017
最近應該會有一波熱潮 XDDD
從「Android getting "DNS over TLS" to prevent ISPs from knowing what websites you visit」這邊看到的報導,原
文在「Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit」這邊可以看到。
It appears that “DNS over TLS” support is being added to Android, according to several commits added to the Android Open Source Project (AOSP). The addition in the Android repository shows that a new setting will be added under Developer Options allowing users to turn on or off DNS over TLS. Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1.
這邊用的應該是 RFC 7858 的「Specification for DNS over Transport Layer Security (TLS)」,已經是 Standards Track 了。預設使用 TCP port 853:
By default, a DNS client desiring privacy from DNS over TLS from a particular server MUST establish a TCP connection to port 853 on the server, unless it has mutual agreement with its server to use a port other than port 853 for DNS over TLS.
而且建議如果另外定義的話,不要用 port 53:
This recommendation against use of port 53 for DNS over TLS is to avoid complication in selecting use or non-use of TLS and to reduce risk of downgrade attacks.
另外也說明了在 port 853 上禁用明文傳輸:
DNS clients and servers MUST NOT use port 853 to transport cleartext DNS messages.
另外一個還在發展的標準是 Cisco 的人推出的「DNS over Datagram Transport Layer Security (DTLS)」,走的是 UDP port 853,不過看起來因為 stateless 的特性,需要考慮比較多問題... (尤其這類服務常配合 anycast)
不過即使將 DNS query 保護起來,TLS 本身還是會透漏 hostname 的部份 (因為 SNI 的關係),所以就 privacy 面向考量的話,沒有實質的意義... 主要還是考慮被竄改的問題?但如果是這樣的話,目前 TLS 連線本身就已經有這樣的保護了?暫時沒想到可以解什麼實際的問題...
還好用的人應該不會太多 (?)
微軟宣佈在 iOS、Android 以及微軟自家的系統上都推出 Microsoft Edge:「Announcing Microsoft Edge for iOS and Android, Microsoft Launcher」,另外也很「貼心」的整理了一篇不同平台上的差異 (尤其是 iOS 與 Android):「Microsoft Edge for iOS and Android: What developers need to know」。
不過 Twitter 上微軟自家人 Kyle Pflug 講的比較簡單:
Tl;dr: Microsoft Edge is built on Chromium on Android, WKWebView on iOS, EdgeHTML on Windows. UA string has "EdgiOS" or "EdgA" tokens. https://t.co/dauZNETTdJ
— Kyle Pflug (@kylealden) October 5, 2017
把重點講的超清楚,然後順建讓人有種 WTF 的感覺 XDDD (等於是一次推出三個不同行為的 browser 啊!)
設計師鐵定會詛咒他不要流行起來 XDDD