➡ This text warns about the risks of using certain apps that can track your location and personal data, such as Waze, Weather Channel, fitness apps, and Google apps. It highlights the dangers of these apps sharing your data with other platforms, even when location permissions are turned off. The text also warns about the risks of using social media apps like Facebook, Instagram, and WhatsApp, which collect extensive personal data. It suggests using safer alternatives from the F-Droid store, limiting app permissions, and being cautious about which apps can send notifications.

➡ While Android firewall apps can help protect your data from new apps, they have limitations and can’t fully prevent data collection by system apps. It’s best to install as few apps as possible and delete unused ones. Be cautious about granting permissions and logging into apps with Google or Facebook on a privacy-focused operating system. Despite the risks, open source operating systems are safe from Google and Apple’s surveillance infrastructure.

A common question among my followers is how to make sure that they only install safe apps on their phone. Some more industrious users actually examine even hidden system apps and disable some if the name sounds suspicious. At other times, users will run protective firewall apps like netguard to actually block Internet access or track the amount of traffic for all apps while manually deciding which app should be given access to the network. Another approach taken by more serious security minded people is to use only apps that come from F Droid. Now to make it clear the most dangerous features of a phone are actually built into the operating system itself, meaning iOS and Google Android.

These do24.7 location tracking, contact tracing, even notification monitoring and the identity of the phone is plainly attached to you. These OSes can track everything you do on the Internet. Today though, we will isolate the problem only to third party apps. If you’re one of the smart few that use a de googled Android phone, then the only realistic risks on your phone come from third party apps. By the way, there’s also the risk of the cell network side with the carriers interacting secretly with the sales based man modem or OEM supply chain attacks. Unfortunately this potential risk applies to all phones, but typically this is something that would be used against high value targets like the Edward Snowden types or international spycraft, so we will skip that as well.

For now though, I will cover that in a separate video. We will talk about things that apply to average everyday people who just want privacy in their lives and teach you about things you can control. Stay right there. Once again I will remind you that the focus of this video will be third party apps. We will assume that neither Google nor Apple nor the OEM has directly inserted malware, spyware or trackers on an open source phone. Let’s look at this chart of the Android architecture and though iPhones are not really part of this explanation, you will find that the architecture of iOS is actually similar just using different nomenclature.

And the very interesting detail about this architecture is that the actual nuts and bolts that operate the devices like displays, touch screens, speakers, microphones, sensors, cell based band modes, Bluetooth, Wi fi, GPS and so on are actually just running on Linux. By the way, on iOS the base OS is using another Unix like OS so very similar to Linux. Linux as used on Android devices requires that the source code be made public. This is why open source operating systems are deemed to be safer because we can examine the code of both the Android framework which gives you the user interface and also the nuts and bolts which are visible on Linux in this chart you will see that the Android code is in the layer called Android Framework in green and Linux is the section colored in yellow.

And there’s an intermediate translation layer in purple which connects communications between Android and Linux called the Hardware Abstraction layer Android Framework. Now let’s just focus on the Android Framework section which is grouped into system apps and third party apps. What is interesting is that apps actually run under a supervisory layer which in this chart is called the Android Runtime Art. The apps cannot run by themselves. They cannot directly access any device drivers. Only the art interacts with the Linux side of things. The other interesting detail is that each app actually runs isolated in their own individual virtual machine, so apps cannot see other apps.

Apps cannot directly interact with other apps. They do not share memory or resources outside of what’s provided to them in the virtual machine. When things have to be shared between apps, Android will be an intermediary and provide a way to pass a resource and Android will announce the request so that any app can respond to provide permissions. Apps that you download from an app store or are included with the OS cannot perform functions outside of what’s in the Android open Source project, and as it is open source, it cannot be hidden. So AOSP provides a limited set of functions and this is further tied to permissions that are built into Linux itself.

There’s a security model called Selinux which is integrated into the access of Linux functions and calls to device drivers. Each Apple declare publicly what devices and features it will use on the device and you, the user will be able to grant that permission or not. One thing that is not possible is for an app to secretly not declare that it needs to use a device like a camera and then without permission or turn it on later. And again this is locked down by the SE Linux security policies and it is available in open source so you can see it.

This design ensures that each app cannot perform functions outside of what is stated by the developer of the app, and again only if the user grants that permission. Location threat Some apps are very dangerous, as I’ve already revealed in a recent video on Fog Data Science and another on anomaly 6. These companies actually track users on their phones using apps you willingly install. Just like you happily buying your newest iPhone knowing that the iPhone will know your activities and locations 24, 7 but sticking to just apps. The main risk of apps is that they sell the data they collect.

And this is important because it is a monetization method. The app may be free, but you are the product so they will take advantage of that and make money with your data. The primary piece of data tracked is your location and some constant ID they can use that could be created by the app itself or use one allowed by the os, which is typically the advertising id. Fortunately, open source phones do not have an advertising id, so this is one of the biggest benefits. However, the offending app can still create some temporary ID and pass it with the location data.

Someone will always tell me that the location data is anonymous as these apps are not allowed to send data like name of the user or a Google id. But as fog data science has already proven, this is not an issue and this particular service is used heavily by law enforcement. If you go to a protest and your location is then registered by some app running in the background, as long as all your other locations are constantly being captured by the app, then you are easily identified just from seeing where you go home to. So a series of location points attributed to a particular user, even anonymous ones, will yield the actual identity.

All that has to be done is to match the home address to public databases like driver’s licenses, credit reports and property records. And they’ve got you location plus IP Address Threat There’s a second layer of threats tied to the location thread. This is when data is captured in addition to location. This is when the location is sent together with an IP address to the data aggregator company. This was a technique used to create a very common database called the reverse IP lookup. What this does is attach a real find location to an IP address. Normally IP addresses are only up to the level of the ISP center in the area.

In small cities this can be the entire city. In larger areas like Los Angeles, the IP address can be attributed to specific neighborhoods. At least this is what is publicly available using free services like whatismyipaddress.com but if you pay for access to the reverse IP lookup database, then you can possibly get a precise location. Especially if you are using your home Network to to within 6ft. This is important data for financial institutions, for example. Often this service is called Verified location. They’re able to get this more precise location by creating a history of location coordinates tied to an IP address as captured by apps.

This makes the IP address a very dangerous piece of data all of a sudden. How to counter these location threats? Currently the surveillance in location is a huge thing. Likely a big chunk of the population shows up in these location databases if you’re cavalier about the use of apps. So the first thing to do is to go to your phone and check app permissions Depending on the phone, you can even go to settings and look specifically at those that you gave location permissions to. This is the easiest threat to counter since simply blocking location permissions will stop the exfiltration of your data.

Without location data, even the IP address could prove meaningless on an open source phone. Now if you use a vpn, you can obviously protect your IP address from being acquired. This is extremely important when you are at home. It is less important on cell data or Starlink, and the reason is that many people will be sharing the IP address in these cases. So these types of services will not directly tie an IP address to a particular individual. The harder problem is that some apps will not run without you giving them permissions for location. An example here is Yelp, Craigslist, Waze, and another one is the Weather Channel app and the average person will give in.

In my mind these are examples of ultra dangerous apps that will exfiltrate your data to a location database aggregator and will end up on Fog, Data Science and Anomaly 6. Can you still use these apps if you have to use them? I would always disable location permissions when I’m not using them and for better peace of mind I would shut down the apps when not in use so they’re not running in the background. Again, they force you to give your permission. So it is actually your fault that you agree, but correct it now by scanning through all the apps with location permissions.

So mostly they are all off. The clue is that the apps are typically free and require location Fitness Apps Fitness apps are another kind of location risk. Often they’re tied to locations as well because you’re recording things like 10,000 steps or some such. But fitness apps have another risk and that is to combine the location history with gyro sensors. So as I said earlier that knowing your gyro data like every step will actually be enough to roughly gauge your location location even if you turn your location data off. I recall some Russian officer using fitness apps extensively and of course this is common for military personnel.

And then some intelligence operatives were able to track his jogging path and he was assassinated on that route. I know so many people using fitness apps, it’s likely better to use a Garmin watch that has fitness data but not connected to the Internet and not connected to your phone. I’m sure these watches can connect to phone apps, but see if you can use it without connecting to a phone. Google Apps There’s a category of apps, primarily those from Google, that can monitor your activities and IP addresses and connect it to what you are doing on another device like a desktop computer.

This is even with location off. The biggest identifier here is the Google ID. Examples of these apps are Gmail, YouTube, Google Maps, Waze Again, Google Drive, Google Photos and even Chrome. These apps will send a constant telemetry of your IP address and Google ID to Google. Then this can be matched to other devices you are logged onto. This is called cross device tracking. These apps can also store a cookie of the Google ID on your mobile browser and this is the main instrument used to track everything you do on any other platform. Actually, the idea of having a Google ID tracking your every move on the Internet is a big issue I frequently discuss and is the main threat of big tech on the Internet.

However, what is interesting is that an open source or d Google Phone has no Google id. Thus the risk comes only if you actually log into a Google app and put in your credentials. Fortunately, it is not often necessary to do that. I have a Brax 3 font which is open source running EODOs and on this I installed the Google app which has search and voice search, YouTube, Google Translate, Google Maps and Waze. Now I specifically chose these apps as examples because none of these apps require me to be logged in to Google. If you do the exact same steps of denying location permissions and not logging in, then these apps are not really as dangerous as they sound.

I actually can’t think of too many threats with their use. Perhaps in this set the biggest threat potentially comes from voice signatures or voice prints. And when you use Waze to take you home, it will learn where home is and then sell that data to Fog Data Science. But otherwise they’re not that risky. In this particular use, and especially if you use a VPN at home, this is even less of an issue. Now, Google apps that require you to log in are automatically dangerous as they provide a constant telemetry of IP addresses even if you block location permission.

This include apps like Gmail, Google Docs, Google Drive and so on. Since these are impossible to run without logging in, just understand that their use opens you up to tracking dangers. Foreign apps, meaning specifically Facebook, Instagram and WhatsApp are very dangerous apps. And that is because unlike in other apps, Meta knows precisely who you are and this is crowd verified by your friends. It also knows all your location, retrieves your contact list daily and creates a dynamic relationship map from this that establishes who you know and who you circulate with, including specific activities you participate in.

Meta does not hide that, it does this intense collection of data and unlike The Google apps I mentioned earlier, it is not possible to use Meta without logging in. Meta also clearly states that it combines the information about you from all its apps, so you cannot really use WhatsApp anonymously. And just like Google, the Facebook ID is an Internet identifier that is recognized by any site that embeds a Facebook login, Facebook ad or Facebook like button. This means a lot of websites can track you simply by using Meta. This is a case where I can’t really find any safe solutions for so for privacy reasons I cannot ever recommend to anyone that you use any of these apps.

Once you join one, then anyone you connect to is part of the surveillance algorithm. Contactless Dangers While Facebook is number one when it comes to taking contactless information Daily, others include TikTok, LinkedIn and many social media apps. Contact lists collection allow the establishing of these relationship maps and it can be used to connect people by phone number. Just in general, I always ban apps that will send my contact list to some external database, like what most social media apps do. However, some apps like your contactless app or your phone app does not connect to the Internet per se and thus there is no danger to giving it contactless permissions.

Remember that contactless are downloaded daily. Once I installed TikTok and did not give it contactless permissions, but TikTok is so suspiciously aggressive with contact list that it asks you for permission each time you launch it. One time I accidentally accepted the permission and it immediately uploaded my contact list. At that moment I closed the account. For those of you with the Google phones, you will find that you have the choice of using the F Droid Store. I will tell you now that these F Droid apps are going to be very safe and no secret data collection can occur.

The reason is that to be listed in the F Droid store you must submit your app source code to F Droid itself and F Droid independently builds your app from the source code and that’s what’s made available in the store. And these apps must not connect secretly to Google. F Droid can examine source code and see if there’s some hanky panky going on with your data. So this is a case where you can just automatically trust this source. F Droid apps may not have similar versions on the Google Play Store, but if they do, I would use the F Droid version as much as possible.

For example, if you want an ultra safe map app instead of using Google Maps or even Magic Earth, you can find some app like Osmand on F Droid and it will be the safer option. An example application of this is is with weather apps since location data is frequently sold by weather apps. This is a case where I would go to F Droid itself and find some app like Breezy Weather. Other Possible Threats Other potential threats that scare people are apps that will just turn on the camera or microphone. While these are legitimate features when the app captures photos and videos, these are real possibilities.

So I would rarely grant access to camera photos and videos. But be careful here as these permissions are often forgotten on the browser. If you screw this part up you have to blame yourself since the cause of this is bad permissions. Another real threat is some third party app acquiring device identifiers like Mac addresses, imei, MZ and so on. These are identifiers that actually are unique to your phone and thus can be used to track particular users. These identifiers reside in the Linux layer, so a Linux executable code could read these values. But this is no longer a threat nowadays because for many years now this information is now locked down by permissions and not available to third party apps.

On a de googled phone, no Google system app can read it either because they don’t exist. A threat that was recently identified was the government starting monitoring notifications. Notifications are not encrypted and if your device can be identified then it is possible that some can read your notifications. My response to this is to limit which apps can send notifications. One particular conspiracy theory is that apps will interact with your body using w ban using nanobots injected via vaccine. This one I do not buy as risk. If such a radio transmission exists it should be easily detected using common digital radio tools and hidden communications should not be possible on a third party app.

Not sure why people worry about this when the tracking of all your activities is done in a more obvious manner using simpler methods. Firewalls Is it necessary to use an Android firewall app like netguard and can this even catch anything? Unfortunately, I don’t think firewall apps are useful at tracking Linux level traffic since that is beyond the control of Android apps. So things happening at the OS level in Linux may not be visible. Meaning don’t expect a framework level app to record things happening outside of the Android framework. This is a big giant hole. However, if you are experimenting with some new app, you can make sure it will not reach out with your data by activating a firewall to stop it from communicating.

Let me just warn you of limitations though. While you may be able to stop your data from being exfiltrated while using the firewall. The problem is that if you allow the app to transmit eventually there’s always the risk that the data has been accumulated and sent in batch. So it’s okay to use these, but they have limitations. Summary in summary, although there are many risky apps, you can control them so they stay within their lane. But as a matter of habit I would recommend that you install as few apps as possible and if you’re not using an app then delete it.

And be careful about logging apps to Google or Facebook on a privacy focused os. I really wouldn’t worry about the system apps. Those developers will have already curated what can be found there. The reality is that the biggest threats have always been more inside Google and Apple itself. Google for example, deliberately collects constant location and other telemetry and you cannot stop it with permissions. They store it in what is publicly called the Google Sensor Vault. In case you think I made this up, this is really an important element. System apps installed by Google itself can evade permission requirements.

They can talk to HQ and hidden channels and have encrypted traffic. And likely you will see more of this with AI companion type apps. But Google and Apple successfully limited the risk of third party apps and open source OSs are immune from Google and Apple surveillance infrastructure. So the risk left is often just at the level of permissions. So that’s where you need to raise your awareness, granting permissions and making sure no one has installed a ROG app on your device. Folks While other channels sustain themselves via sponsorships, we are actively sustained solely by this community.

Thank you to those who provide financial support directly to us through patreon locals and YouTube memberships. We have also taken the approach of actually creating an organization you can trust by creating products that support your goal and ours of achieving privacy and offering it with the best possible service at a reasonable price. And this is how we chose to sustain this channel. For those Interested in the Braxton 3 project that is handled by the site braxtech.net and you can see the current status of the project there which currently started shipping. We have other products that you will find on our community area.

On Braxme There are over 120,000 users that are part of our community that discuss security and privacy issues in a safe environment. Many of you believe in us and so this community is growing. Some of you have been involved for more than 10 years. In our store you will find products like Pixel Phones, Brax Virtual Phone, braxmail and Vice vpn. These are an essential base to build your personal privacy and, of course, support the creation of content on this channel. Thank you for watching and see you next time.
[tr:tra].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.