[Replicant] Proprietary blob found in all Replicant 6.0 builds

Denis 'GNUtoo' Carikli GNUtoo at cyberdimension.org
Tue Nov 3 15:48:33 UTC 2020


Hi,

Thanks a lot for the report.

On Mon, 02 Nov 2020 10:50:44 -0500
Tad <tad at spotco.us> wrote:
> Years ago, before CyanogenMod imploded:
> Cyanogen, the VC-backed company, had created an SDK called Ambient
> meant for use in Cyanogen.
Do you know if there are (still) some details about it, like what this
library is supposed to do, why it was made nonfree, etc.?

> However at some point it ended up included in the CyanogenMod 13.0
> branch. Along with its hooks into many apps such as the Launcher,
> Dialer, Messenger, AudioFX, and Contacts. This proprietary library
> even contains code (presumably) developed by/with Uber. Yes, the app
> Uber, Uber.
We found a huge issue recently in the Dialer code, where it would send
the phone numbers that you call or that call you to third-party
services (that try to geolocate the phone number).

This code seems to have been added by CyanogenMod or LineageOS.
Did you hear of something like that already? If so, could it be related
to this Ambient SDK?

> A few months after LineageOS forked, some bits of Ambient's
> integration were removed. However a lot still remains in the
> currently available today trees.
> https://github.com/LineageOS/android_vendor_cm/blob/cm-13.0/ambientsdk/Android.mk
>
> Due to Replicant being a fork of LineageOS, it too contains Ambient.
> 
> All 6.0 Replicant builds contain the proprietary AmbientSDK Java
> library blob. I have verified this by decompilation.
Do you have more details on that?
More precisely:
- Is there a file name or set of file names?
- Do you know the location of the binaries in the source code
  repositories?

After trying to remove it, it might be a good idea to test if it is
really removed.
 
> I link my old sources which contain patches, checkout commits, and
> revert commits. It allows building without AmbientSDK.
> It is however quite old by now and will likely need rework.
> 
> You'll want the lines marked with 'ambientsdk' and 'analytics'.
> 
> https://gitlab.com/divested-mobile/divestos-build/-/blob/65df475ccc996a3de4eaa2264c86f4f85f980951/Scripts/CM-13.0_Patches.sh
> https://gitlab.com/divested-mobile/divestos-build/-/tree/65df475ccc996a3de4eaa2264c86f4f85f980951/Patches/CyanogenMod-13.0

I've looked rapidly at some patches to remove 'analytics' from
CM-13.0_Patches.sh, and by comparing it with our versions of these
repositories, the 'analytics' seems to have been removed by Wolfgang
(the previous Replicant maintainer) already; however I didn't have the
time yet to check that extensively. In any case it might be interesting
to document it too. Do you have any info or pointers on that
anti-feature?

Grepping for 'ambient' in the repositories you patched still finds
things.

> I kind of always assumed that Replicant had removed this, it wasn't
> until recently where I took the time to verify. Hence why I reach out
> now.
We didn't realize how bad the situation was until very recently.

In parallel we're also porting Replicant to Android >= 9, and we're
thinking of moving to AOSP again, and backporting the LineageOS
features we need (like building Linux from within the Android build
system, root access, advanced reboot, etc.) instead of the other way
around (which would be to clean up LineageOS, add the devices we
support, etc.).

There are also additional reasons for us to do that:
- One of the big advantages of LineageOS is the large number of devices
  supported, but this became less useful for us for Android >= 9 as
  we're doing the port with a kernel closely based on upstream
  Linux, so we can't reuse the device support code of LineageOS.
  In addition, with LineageOS 17.1, all the smartphones with
  removable batteries but one use a Qualcomm SoC, and the
  one that doesn't (Galaxy J7 2015) has shared memory between the
  modem and the SoC[1].
- AOSP has better documentation and code quality and has git tags for
  releases.

In any case, it's not done yet, and if it doesn't work out and we
need to keep using LineageOS we'll be happy to collaborate with
DivestOS on removing the issues that are found in LineageOS.

References:
-----------
[1] https://github.com/LineageOS/android_kernel_samsung_universal7580/blob/lineage-17.1/arch/arm64/configs/lineageos_j7elte_defconfig

Denis.
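The message above asks for a way to test whether the blob is really gone and notes that grepping for 'ambient' still finds things. The script below is an added example (not code from Denis, Tad, Replicant or DivestOS) that checks a source tree and its build output for the strings named in this thread, 'ambientsdk', 'ambient' and 'analytics'; the directory layout it is run on and the file names in its comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report every file under a tree whose name or contents
# mention the AmbientSDK/analytics strings from the thread. Three kinds of
# hit are reported so that a leftover in build output (a jar/apk that still
# carries the classes) is not hidden by a clean-looking source tree.
set -u

# Case-insensitive fixed strings; 'ambient' and 'analytics' are the names
# the thread tells you to look for, the rest of this script is assumed.
AMBIENT_PATTERNS='ambientsdk
ambient
analytics'

# tag KIND  -> prefix each stdin line with "KIND<TAB>"
tag() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

# scan_tree DIR -> "kind<TAB>path" lines, sorted and de-duplicated
#   name:   the file or directory name itself matches (e.g. ambientsdk/)
#   source: a text file (Android.mk, .java, .xml, ...) mentions a pattern
#   binary: a jar/apk/dex/so contains the string; grep -a is used so that
#           class names embedded in a binary are still found
scan_tree() {
  local dir=$1 p
  [ -d "$dir" ] || { echo "scan_tree: not a directory: $dir" >&2; return 2; }
  {
    find "$dir" -iname '*ambient*' -o -iname '*analytics*' | tag name
    printf '%s\n' "$AMBIENT_PATTERNS" | while IFS= read -r p; do
      # -I skips binaries here, they are covered by the -a pass below
      grep -rIlF -i -- "$p" "$dir" 2>/dev/null | tag source
      find "$dir" -type f \( -name '*.jar' -o -name '*.apk' \
           -o -name '*.dex' -o -name '*.so' \) \
           -exec grep -laF -i -- "$p" {} + 2>/dev/null | tag binary
    done
  } | sort -u
}

# count_hits DIR -> number of distinct hits; 0 means nothing was found
count_hits() { scan_tree "$1" | wc -l | tr -d ' '; }
```

Run it once on the patched source tree and once on the unpacked build output (for example the out/ directory), since a clean source tree says nothing about a jar that was prebuilt before the patches were applied.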