The new home of /r/Android on Lemmy and the Fediverse!
Android news, reviews, tips, and discussions about rooting, tutorials, and apps.
πUniversal Link: !android@lemdro.id
π‘Content Philosophy:
Content which benefits the community (news, rumours, and discussions) is generally allowed and is valued over content which benefits only the individual (technical questions, help buying/selling, rants, self-promotion, etc.) which will be removed if it's in violation of the rules.
Support, technical, or app related questions belong in: !askandroid@lemdro.id
For fresh communities, lemmy apps, and instance updates: !lemdroid@lemdro.id
π¬Matrix Chat
π°Our communities below
Stay on topic: All posts should be related to the Android OS or ecosystem.
No support questions, recommendation requests, rants, or bug reports: Posts must benefit the community rather than the individual. Please post to !askandroid@lemdro.id.
Describe images/videos, no memes: Please include a text description when sharing images or videos. Post memes to !androidmemes@lemdro.id.
No self-promotion spam: Active community members can post their apps if they answer any questions in the comments. Please do not post links to your own website, YouTube, blog content, or communities.
No reposts or rehosted content: Share only the original source of an article, unless it's not available in English or requires logging in (like Twitter). Avoid reposting the same topic from other sources.
No editorializing titles: You can add the author or website's name if helpful, but keep article titles unchanged.
No piracy or unverified APKs: Do not share links or direct people to pirated content or unverified APKs, which may contain malicious code.
No unauthorized polls, bots, or giveaways: Do not create polls, use bots, or organize giveaways without first contacting mods for approval.
No offensive or low-effort content: Don't post offensive or unhelpful content. Keep it civil and friendly!
No affiliate links: Posting affiliate links is not allowed.
Our Communities
Lemmy App List
Chat and More
In all cases involving work devices, the default assumption should be that the company can see anything you're doing on it at any time.
This is why I carry two phones.
With the same consequence, you should also assume location, audio and video to be not be private when carrying these devices
This is why I leave my work phone at work.
I only have a personal phone, but I even refuse to connect it to work's wifi. I don't trust them hoes.
I run a VPN on my personal phone while at work.
Just make sure any sites you goto are https and you should be fine.
If you don't want them knowing what sites you go to, you could put a VPN client on your phone.
Otherwise if you have lots of data then that's all moot.
I have a vpn, can't promise they're all https, and unlimited data so it's cool, I just don't trust them lol.
Years ago, almost two decades, I setup a Screensaver which basically took any image passed over the network and made a collage. Almost everything was like website banners and such.
One day I was in the server room doing something un-related and in the corner of my eye I saw some horrible images on the other screen. I immediately went to the cto who called the police.
Long story short he was immediately fired(and taken into custody) after being found in the bathroom... The images were kids between 3-7...
Before people ask, we could find out which access point he was using to determine approximate area. A quick walk around showed it wasn't someone at there desk. Obviously they wouldn't be in a meeting and there was only 1 set of bathrooms in that area. Female officer went into women's room and reported it empty. Male officer went into men's room and found 1 person, court case revealed history on his phone and yeah... Hopefully he's still rotting in jail.
Well that's horrifying.
Glad you guys caught the bastard.
What I don't get is why do it at work? Like ok, sure you may not be able to control what you enjoy but it was a credit union... "oh yeah this annual financial report got me so horny I got to go commit a federal crime in the bathroom"... Wtf???
Some people can't control themselves. Personally, I think having CSAM on a work device is a pretty good indicator of that.
The default assumption everyone had was E2EE message data like RCS would be private.
Even apple does not share imessage data unless the Apple ID belongs to the employer.
Why would google do such stupidity is beyond me. But, yes on android assume everything is tracked 24/7. Trust your personal phone only.
The default assumption everyone had was E2EE message data like RCS would be private.
It is. It can't be snooped on by third parties. The person that owns and controls your device is not a third party. In this case, that is your employer.
An E2E Encrypted message should not be readable by anyone but the recipient and the sender.
If it can be read and shared without your explicit consent and approval with anyone even your employer. It's no better than regular TLS encryption.
On a company device the owner (the company) is the end, and you're just given the task of operating it.
It varies between jurisdictions, but in general, you better believe they have every right to investigate any suspicions regarding how company assets (work devices) are used and whether their agents may appear unprofessional when using official company communication channels (literally your work phone number, which is used in RCS messages).
In plenty of places there's still privacy rights for employees, but their main purpose is generally preventing overbearing surveillance and protecting your personal data contents in personal communication channels (like if you're using personal webmail on a work device).
The sending and receiving ends are the devices, not the humans. If you don't want the device to see it, you'll need to do the encryption and decryption in your head.
Not sure if you are intentionally being obtuse. But, this is not a hard problem. It has already been solved.
We have Signal, OMEMO in XMPP which already do that. You don't need to do any encryption in your head..
And how do those apps prevent device management from accessing the messages when they're decrypted?
By not storing decrypted message on device? You can also block screenshots if you have a reasonable suspicious your screen can be used to capture the text shown on the device.
The apps run at less privileges than device management apps. They can't do any of that
Apps using Flag_Secure and Secure_display can block screencapture. While user apps stay below MDM apps in privilege. The MDN app themselves reside below the android system.
Do you have a source of MDM apps bypassing secure display and having the ability to capture the display?
My dude.
Google maintains both the Pixel device management and Google Messages. Do you really think they would have locked their own MDM out of their own messaging app?
I was talking about signal. Did you miss that?
No, I saw, but the initial post is about RCS and Google's MDM API. You're fighting real hard over something Google has total control over. Signal might be fine, but if you're not the device owner, you should always assume security is compromised in favor of the actual owner. With MDM, the company can install whatever they want on the device.
I won't accept an MDM device for personal use. I was just replying about signal being compromised with regular MDM in work profile on a non-rooted phone.
Everything would still be monitored. But, messages in signal should not be.
I wonβt accept an MDM device for personal use.
This is why I carry two phones. My work phone is an iPhone managed by Intune. It does work stuff and only work stuff. My personal phone is a Pixel 9 Pro XL. It goes on a VPN when on work wifi.
I do not, nor will I ever, understand those who use their work-issued phone for personal things.
If the app has decrypted messages, device management can see them.
How? The decrypted messages would have to be stored in plan text to be read. Unless, it can be read from RAM..
If you can read it, they can read it. They have root on the company device.
If it's rooted sure. But, regular work profile phones with MDM software are not.
Messaging apps often implement various APIs for better Android integration. But even if they don't, any management service can implement certain APIs, like the accessibility API, that gives them access to everything each app is doing. In that case, it can't necessarily read the messages as data, but it can record your screen as image or video.
True, but Accessibility API cannot bypass secure display, and secure flag I had replied that in another comment so I did not mention that here.
MDM has far more privileges than Accessibility will grant.
Exact same problem it is unencrypted on the device. You know you have to be able to read the message.
It is stored encrypted last I checked the signal website..
No end to end the device is the end that is where the encryption ends.
End to End Encryption protects the messages *between the ends". If an "end" is compromised the best E2EE technology isn't going to protect confidentiality.
Just ask Pete Hegseth, who invited a journalist into an E2EE signal chat. The journalist was an authorized "end" and could therefore read the conversation.
This change is about employers who already have full access to the "end" of the Android phone itself when that phone is in an enterprise managed state. Perfect encryption between that phone and other parties doesn't change anything because the employer has full access to the phone itself.
Only really a concern for those who mix work and personal on the same device. If the boss insists on having management software they can pay for the device, it's not touching my personal one.
If it's a work device it contains no privacy
The one time I had a job with a company phone, they already could see everything I was doing on the phone. They could even remotely control it if they wanted to. And if I wanted to use mine, I had to give the same permissions just to log into Salesforce or even have my company Outlook email go to my main inbox.
I just kept their shit off my phone, and didn't do anything personal on the company phone.
I hate misleading nothingburger headlines like this.
Google is rolling out Android RCS Archival on Pixel (and other Android) phones, allowing employers to intercept and archive RCS chats on work-managed devices
What's surprising to me is that a work-managed-device couldn't already do this!
the headline seems to be implying that Google will let your boss hack into your personal phone!
Work managed device can sometimes be "install the work app on your personal phone because we are cheap, also enable all the permissions or you can't use the work app we assigned you to use"
no fucking way i would work somewhere like that⦠if you just give away your freedoms do you really deserve them?
if i was desperate id buy a separate burner phone for work then.
Same, I have some laying around if they decide to go all weird with the MS authenticator.