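I saw this one on Nuzzel, and it is being hotly discussed abroad: "Facebook pays teens to install VPN that spies on them".
Facebook pays users to install a VPN (along with a root CA, which looks like it is there to listen in on HTTPS content) and then collects data through it. That alone is already unsavory behavior, but the more serious problem is that the participants include minors: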
Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.
The program has been pulled from the iOS platform, but it looks like it will continue on Android:
[Update 11:20pm PT: Facebook now tells TechCrunch it will shut down the iOS version of its Research app in the wake of our report. The rest of this article has been updated to reflect this development.]
Facebook’s Research program will continue to run on Android. We’re still awaiting comment from Apple on whether Facebook officially violated its policy and if it asked Facebook to stop the program. As was the case with Facebook removing Onavo Protect from the App Store last year, Facebook may have been privately told by Apple to voluntarily remove it.
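Intra is an app developed by Jigsaw, a unit of Alphabet (Google's parent company). It is currently Android-only and, according to the description, requires 4.0+. It uses the VPN architecture to replace the DNS settings, and sends queries through a local DNS proxy to an external DNS over HTTPS service.
Using DNS over HTTPS reduces the risk of DNS being tampered with (a security issue) or monitored (a privacy issue).
The app ships with two built-in DNS over HTTPS servers: Google's Google Public DNS and Cloudflare's 1.1.1.1. You can also enter your own.
Since it is Alphabet's software, it defaults to Google's service.
The software is an open source project (Apache-2.0), and the source code is available at Jigsaw-Code/intra.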
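The translation step a local DNS proxy like the one described above has to perform, as an added Python example (not Intra's own code): it converts an intercepted UDP query into an RFC 8484 GET request and restores the client's transaction ID on the reply. The endpoint URL, the function names and the sample query are assumptions constructed for illustration.

```python
import base64
import struct

# Assumed endpoint for illustration (Google Public DNS over HTTPS).
DOH_ENDPOINT = "https://dns.google/dns-query"

def build_query(name, qtype=1, txid=0x1A2B):
    """Constructed sample: the UDP query a stub resolver would emit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def to_doh_get(udp_query, endpoint=DOH_ENDPOINT):
    """Turn an intercepted UDP query into an RFC 8484 GET request.

    Returns (client_txid, url, headers). The DNS ID is zeroed so the same
    question always yields the same URL, which keeps HTTP caches effective.
    """
    if len(udp_query) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", udp_query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    wire = b"\x00\x00" + udp_query[2:]
    # RFC 8484 requires base64url without padding in the "dns" parameter.
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return txid, f"{endpoint}?dns={param}", {"Accept": "application/dns-message"}

def to_udp_reply(doh_body, client_txid):
    """Restore the client's transaction ID on the DoH response body."""
    if len(doh_body) < 12:
        raise ValueError("shorter than a DNS header")
    (flags,) = struct.unpack("!H", doh_body[2:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return struct.pack("!H", client_txid) + doh_body[2:]

if __name__ == "__main__":
    query = build_query("example.com")
    txid, url, headers = to_doh_get(query)
    print(hex(txid), url, headers)
```

The on-path observer now sees only a TLS connection to the resolver instead of a cleartext question, which is the privacy and integrity gain the post describes; the resolver itself still sees every name queried.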
If a Data Saver user is on a 2G-speed or slower network according to the NetInfo API, Chrome disables scripts and sends an intervention header on every resource request. Users are shown a UI at the bottom of the screen indicating the page has been modified to save data. Users can enable scripts on the page by tapping “Show original” in the UI.
The corresponding code change can be seen in "Enabled NoScript Preview feature by default on Android".
Telegram has released a new client called Telegram X: "Telegram X: Progress through Competition".
The Telegram X project features apps written from scratch, with an entirely new code base and without all the legacy components that our older apps have accumulated through the years.
Both iOS and Android get a corresponding version:
The goal of Telegram X is to reinvent Telegram and explore new frontiers in speed, ease of use, quality of animations and all other aspects. Today we are glad to present two new official apps – Telegram X for Android and iOS.
I forget where I saw this, but it is software for analyzing Android APK files: "Droidefense: Advance Android Malware Analysis Framework".
Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researchers have in their everyday work. For those situations on where the malware has anti-analysis routines, Droidefense attempts to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection, tracer pid check, and so on.
Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allows us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.
It looks like a supporting tool... noting it down for now XD
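South Korea has started investigating the data collection problem mentioned in "Even with Google's location services turned off, location information is still collected...": "Regulators question Google over location data".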
Regulators in South Korea summoned Google (GOOGL, Tech30) representatives this week to question them about a report that claimed the company was collecting data from Android devices even when location services were disabled.
U.K. data protection officials are also looking into the matter.
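As the title says, in news published exclusively by Quartz: even if you turn off Google's location services, Google still collects your location (and this was confirmed when checked with a Google spokesperson): "Google collects Android users’ locations even when location services are disabled".
And it all happens in the background: with location services off, no SIM card inserted, and no apps running, it still sends location information out: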
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?
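They have been doing this since the beginning of this year. The Google spokesperson only claims that this data was not integrated into the "network sync system" and was immediately discarded (so you still do not know what it was used for):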
“In January of this year, we began looking into using Cell ID codes as an additional signal to further improve the speed and performance of message delivery,” the Google spokesperson said in an email. “However, we never incorporated Cell ID into our network sync system, so that data was immediately discarded, and we updated it to no longer request Cell ID.”
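What this statement really means is that the raw data is discarded, and it is transferred to other systems in statistical form instead.
John Gruber actually put it even more directly in "Google Collects Android Users' Locations Even When Location Services Are Disabled":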
If they were “never used or stored”, why did they start collecting them in the first place? This is like a kid caught with their hand in the cookie jar saying they weren’t going to eat any cookies. Sure.
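This should boost the development of microG... (see "microG's progress...")
Something left open in a tab; I forget where I saw it... microG has released a new project: "LineageOS for microG".
microG is a reimplementation of the Google services APIs on Android (hence open source), unlike Open GApps, which is still proprietary software.
What happened this time is that the microG people forked the LineageOS project, because the LineageOS project refused microG's signature spoofing patch: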
Why do we need a custom build of LineageOS to have microG? Can't I install microG on the official LineageOS?
MicroG requires a patch called "signature spoofing", which allows the microG's apps to spoof themselves as Google Apps. LineageOS' developers refused (multiple times) to include the patch, forcing us to fork their project.
Wait, on their FAQ page I see that they don't want to include the patch for security reasons. Is this ROM unsafe?
No. LineageOS' developers hide behind the "security reasons" shield, but in reality they don't care enough about the freedom of their users to risk to upset Google by giving them an alternative to the Play Services.
The signature spoofing could be an unsafe feature only if the user blindly gives any permission to any app, as this permission can't be obtained automatically by the apps.
Moreover, to further strengthen the security of our ROM, we modified the signature spoofing permission so that only system privileged apps can obtain it, and no security threat is posed to our users.
So they forked a new project... let's watch and see how it goes.