Google’s ‘Secret’ Update Scans All Your Photos
-
To quote the most salient post
The app doesn't provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.
Which is a sorely needed feature to tackle problems like SMS scams
You don't need advanced scanning technology running on every device with access to every single bit of data you ever seen to detect scam. You need telco operator to stop forwarding forged messages headers and… that's it. Cheap, efficient, zero risk related to invasion of privacy through a piece of software you did not need but was put there "for your own good".
-
Whether the people at Google who did this knows they are evil or thinks they are not evil doesn't really even matter. Having a phone app that automatically scans all your photos should scare the shit out of you. At the very least it wastes your battery and slows down your phone.
If it provided a feature to automatically block incoming dick pics, which Google claims it's for, was fully local, and only scanned incoming messages, not my own gallery, which is what Google claims, I would likely find it useful. There is nothing wrong with the idea in general.
At the very least it wastes your battery
Again, if it's an optional feature that you can choose to turn on or off, there is nothing wrong with that.
-
What's over engineered about it?
In my experience, the API has iteratively made it ever harder for applications to automatically perform previously easy jobs, and jobs which are trivial under ordinary Linux (e.g. become an access point, set the IP address, set the PSK, start a VPN connection, go into monitor / inject mode, access an USB device, write files to a directory of your choice, install an APK). Now there's a literal thicket of API calls and declarations to make, before you can do some of these things (and some are forever gone).
The obvious reason is that there are a billion fools whom Google tries to protect them from scamers.
But it kills the ability to do non-standard things, and the concept of your device being your own.
-
You don't need advanced scanning technology running on every device with access to every single bit of data you ever seen to detect scam. You need telco operator to stop forwarding forged messages headers and… that's it. Cheap, efficient, zero risk related to invasion of privacy through a piece of software you did not need but was put there "for your own good".
I will perhaps be nitpicking, but... not exactly, not always. People get their shit hacked all the time due to poor practices. And then those hacked things can send emails and texts and other spam all they want, and it'll not be forged headers, so you still need spam filtering.
-
Waydroid?
To be clear, I haven't used it at all and have no idea how well it works.
Tried it on my laptop. Doesn't work at all
-
Here's a link to it in PlayStore. It mentions some of the features it is a dependency for.
I saw that, that's what I meant by "it sounds like it has the capabilities to spy", something that can do all those things must have lots of access and could provide perfect cover for any number of undesirable processes.
-
In my experience, the API has iteratively made it ever harder for applications to automatically perform previously easy jobs, and jobs which are trivial under ordinary Linux (e.g. become an access point, set the IP address, set the PSK, start a VPN connection, go into monitor / inject mode, access an USB device, write files to a directory of your choice, install an APK). Now there's a literal thicket of API calls and declarations to make, before you can do some of these things (and some are forever gone).
The obvious reason is that there are a billion fools whom Google tries to protect them from scamers.
But it kills the ability to do non-standard things, and the concept of your device being your own.
I suppose that's all true, I'd say more "following apples lead on locking things down" than over engineered, but
.I find myself avoiding the whole root business, I do want my mobile device to be fairly locked down. But I also use alternative OSs and app stores to avoid 90% of the garbage (stuff I can't avoid I put in work profile, like I still need google maps).
It works for me, but on the front of this complexity driving away devs I don't really see a viable alternative. Base Linux isn't secure enough for what we put on these little computers. I mean you've still got tons of influential people arguing you shouldn't use secureboot or a tpm as if leaving your whole computer unsecured is better than the indignity of using a non-free bios.
-
There's an app called obtainium that let's you link the main page of github apps and manages both the download, the instalation and the updates of those apps.
Great if you want the latest software directly from the source.
Love me some Obtainium. Did my first PR this week (adding cross-device sync via SxncD)
-
Per one tech forum this week: “Google has quietly installed an app on all Android devices called ‘Android System SafetyCore’. It claims to be a ‘security’ application, but whilst running in the background, it collects call logs, contacts, location, your microphone, and much more making this application ‘spyware’ and a HUGE privacy concern. It is strongly advised to uninstall this program if you can. To do this, navigate to 'Settings’ > 'Apps’, then delete the application.”
I didn't see it anywhere on my phone but ill look into it more after work. Thanks for the heads up.
-
The app can be found here: https://play.google.com/store/apps/details?id=com.google.android.safetycore
The app reviews are a good read.
Apparently I'm a beta tester for it, don't recall signing up for beta tests with it
-
Why do you need machine learning for detecting scams?
Is someone in 2025 trying to help you out of the goodness of their heart? No. Move on.
Blaming the victim solves nothing.
Scamming is a rapidly growing industry that is becoming more professional and specialized all the time. Anyone can be scammed.
-
if the cellular carriers were forced to verify that caller-ID (or SMS equivalent) was accurate SMS scams would disappear (or at least be weaker). Google shouldn't have to do the job of the carriers, and if they wanted to implement this anyway they should let the user choose what service they want to perform the task similar to how they let the user choose which "Android system WebView" should be used.
No, that wouldn't make much difference. I don't think I've seen a real world attack via SMS that even bothered to "forge" the from-field. People are used to getting texts from unknown numbers.
And how would you possibly implement this supposed "caller-id" for a field that doesn't even have to be set to a number?
-
There's another one mentioned in the comments
....but Safetycore is the main point, and you linked about that again. How about you just...say the fucking name. Now. Here.
-
No, that wouldn't make much difference. I don't think I've seen a real world attack via SMS that even bothered to "forge" the from-field. People are used to getting texts from unknown numbers.
And how would you possibly implement this supposed "caller-id" for a field that doesn't even have to be set to a number?
caller id is the thing that tells you the number. it isn't cheap to forge, but it's the only way a scan could reasonably effect anyone with more than half a brain. there is never a reason to send information to an unknown SMS number, or click on a link from a text message from an unknown number.
-
I've got a Pixel 8 Pro and I'm currently using the stock OS. Anything in particular that you miss with Graphene OS?
I still use a stock pixel for work related and daily usage, but the alternatives I've found between F-Droid and Aurora store I've never felt lacking.
Maybe I'll finish the switch fully in the coming months.
-
Uber works on GrapheneOS
I'll give it another try then! Last attempt it wouldn't open.
-
On my settings screen I have a search bar at the top
-
you can look it up on your app managment settings too, search for it there.
-
....but Safetycore is the main point, and you linked about that again. How about you just...say the fucking name. Now. Here.
Should I do a little dance for you as well? Do you want some hot tea maybe?
Who the fuck do you think you are?
-
Should I do a little dance for you as well? Do you want some hot tea maybe?
Who the fuck do you think you are?
No. Just TYPE THE NAME OF THE APP. Why is this so difficult? You know how you just used letters to form those sentences? This time arrange those letters into the name instead of not the name.
