Once my Cosmo arrives, do I actually dare to use it?

[Daniel W]

Glancing [a href=\'index.php?showtopic=36010\']this[/a] Gemini related post about some outgoing IP connections that turned out belonging to the firmware updater, I found the web site of Ash Wolf (Ninji here at OESF), upon which these two blog articles:
https://wuffs.org/blog/pulling-apart-the-c....temfota-updater
https://wuffs.org/blog/digitime-tech-fota-backdoors
picks apart the Cosmo Over-The-Air firmware updater, and finds, well, questionable content.

A firmware updater, reasonably, must have basically every permission, so we're kind of forced to trust whichever firmware distributor Planet Computers chooses. While I do trust Planet Computers not to be malevolent, they seem, to me, somewhat clueless at times, and, it seems, they've picked a firmware distributor whose other business, apparently, is to, via their own updater, distribute malware. Ouch.

Maybe they're only doing that as a paid service, say, on behalf of dirt cheap phone makers, who might want to make up for their low prices by exploiting their customers in any profitable way they can come up with. I'm quite certain Planet Computers isn't involved in or, as it seems, were even aware of, any such capabilities.

Yet, the way this is implemented on the Cosmo, it seems ANY app can silently get ANY Android permission, by knowing how to ask one of the updater interfaces. While nobody might specifically target such an uncommon device type as the Cosmo, probing for that interface would, to me, seem like something any competent malware author would do, in case their code happens to be on any phone where this interface is available.

As far as I understand, that can't happen, lest I'd install a malware-laden app first, but as those, according to media, once in a while, does make it onto Google Play, no matter how reasonable I'm trying to be, this feels a bit too crazy for comfort. I'm at a bit of a loss right now. After waiting over a year for my Cosmo, intending to use it as my only phone, I suddenly don't know if I could, at all, trust this device, once it arrives. Thoughts, anyone?

[vldmr]

These are quite serious accusations that probably do justify a level of paranoia leading to at least postponing using one's device as a primary phone. Until there will be public reaction from PC to shed some light on the issue.

For me cosmo is already my primary device. The only mitigation I can see for myself is installing a firewall and monitoring for any networking suspicious activity. The noroot firewall successfully used by a victim post referenced in blog by itself is of questionable reputation. Thus far I was only able to find a single open source firewall application that does not require rooting - NetGuard. I am going to try to live with that.

Having rooted device would open more possibilities for mitigation. I myself is not prepared to fiddle with rooting my device due to risk of bricking it. I now really look forward anxiously for rooting solution from PC just because of this development.

[Ben10]

I saw that on tweeter ( https://mobile.twitter.com/_Ninji ), and PC has been contacted by this briliant guy on Dec02 about that issue. He also ported TWRP for Cosmo. My Cosmo is in its box waiting for dual boot firmware, so I can boot something else, custom if possible, far away from PC, Google and Shenzen OTA servers... Dogs are friends of mine.

PS: @Daniel W, you are missing r in the end of the first link

[spook]

Hmm my last reply didn't seem to post. Maybe they don't allow links... Anyway, there is a discussion about this in the Gemini thread and over on the Facebook group. Ninji (the guy who found the issue) seems to come here frequesntly too.

In the Facebook group, James Liddle helpfully added:

As this is a system app it is not easy to disable without root but you can do it through ADB:
adb shell pm disable-user --user 0 com.dtinfo.tools
and then
adb shell pm enable com.dtinfo.tools
to re-enable it if you want to do a wireless update

If you're concerned, you could do this without rooting your phone, then apply the updates manually when OC release them.

[Daniel W]

PS: @Daniel W, you are missing r in the end of the first link

Oops. Usually I test every link after posting. Apparently I missed one. Fixed. Thanks for spotting it.

[Ninji]

In the Facebook group, James Liddle helpfully added:

As this is a system app it is not easy to disable without root but you can do it through ADB:
adb shell pm disable-user --user 0 com.dtinfo.tools
and then
adb shell pm enable com.dtinfo.tools
to re-enable it if you want to do a wireless update

If you're concerned, you could do this without rooting your phone, then apply the updates manually when OC release them.

Are you able to disable it without rooting? I was under the impression that doing this via adb still required root - but I couldn't confirm since I was already rooted... I do have some code I could clean up and release which uses the backdoor to disable the FOTA app, although this will only work on Cosmo and not on the Gemini as the Gemini doesn't have that backdoor.

-

I was hesitant to post about this stuff too much because I was trying to give Planet (and originally Digitime) the benefit of the doubt, but my patience is running thin over time. I don't use my Cosmo as a main phone - my trusty jailbroken iPhone 8+ gets that, as it's usable with one hand and has a camera that isn't a joke.

But even as a side device the Cosmo still manages to disappoint - the stock firmware is buggier than most of the slapdash unofficial backported Android ROMs I've used on other devices, and performance is dire (I was simply chatting on Telegram yesterday and every few messages I would have to retype a word as the device lagged out and one keypress turned into 5-6 repeated keypresses).

What a poor way to honour the legacy of the Psion and its highly-optimised software.

I'm still amazed at the outright brazenness involved in Digitime using their OTA service as a malware distribution platform, and the fact that somehow nobody had discovered this and connected the dots before I did. Hopefully with some more attention we can get some kind of statement out of PC on this, although I am not highly optimistic.

It is also worth noting that PC and Digitime are not the only folk involved in this game - there is also EastAeon, the ODM that built the Gemini and Cosmo. Although PC downplays their involvement in most of the Indiegogo updates by referring to them as "the factory" - with the exception of the Week 19 update, where they say this:[blockquote]We also discussed how we are splitting the work between the factory and our UK/European team. Our in-house team is taking ownership of most of the high level functions such as look and feel, whilst the lower level firmware elements will be implemented by our factory partner. We agreed the exact split of work on the external screen during our visit.[/blockquote]...it is obvious from firmware analysis that they are responsible for most of the Android code and not just for manufacturing as PC would like to have you think. Even elements like the clamshell/keyboard shortcuts (which I analysed in this thread) appear to have been implemented by EastAeon judging by names and debug log messages in the responsible code.

I hope that the Cosmo will be redeemed for me once we get the ability to run Linux on it. The hardware has immense potential but it's held back by EastAeon/PC's inability to deliver a decent OS.

[vldmr]

Are you able to disable it without rooting? I was under the impression that doing this via adb still required root - but I couldn't confirm since I was already rooted...

Yes, worked on my unrooted device:

Code: [Select]

$ adb shell pm disable-user --user 0 com.dtinfo.tools
Package com.dtinfo.tools new state: disabled-userProof:
 [ Invalid Attachment ]

[Daniel W]

Question: Would disabling the FOTA via ADB, also disable that interface, via which any app could get any Android permission?

Currently, I'm more concerned by that interface, than getting malware from Digitime. For reference, both Samsung and Google can, and sometimes does, push anything they want onto my Note, even though I've turned of automatic updates. Certain "frameworks" and such just updates themselves anyway. What Ninji found, I suppose, is, purely technically speaking, the equivalent capabilities, however shadily implemented. I'm guessing Digitime regards these "features" as a service for sale to the phone brand, rather than something they'd go about (ab)using at their own leisure. My thinking is that if Digitime did push something actively malevolent, without it being requested, and paid for, by the phone brand, or government, wouldn't they'd be found out and get sued or at least lose that brand as a customer forever?

Or am I just being naïve and/or plain wrong?

[Ninji]

Nope, the fo_service backdoor is baked into the Android services framework and any app can access it. The chances seem fairly low - I've yet to find any other device it's deployed on - but it's still there...

What's particularly insidious about it is that even though the Digitime FOTA updater doesn't use it (unless the malware-like Lua worker is activated from their end), it still refuses to install updates if the backdoor is not present. Presumably this is to ensure that OEMs keep the backdoor code in their Android builds.

[spook]

At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/e...on_all_samsung/

[Daniel W]

Nope, the fo_service backdoor is baked into the Android services framework and any app can access it.

As I kind of guessed then.

The chances seem fairly low - I've yet to find any other device it's deployed on - but it's still there...

Yeah, a bit like swimming in the ocean. Sharks are rare, but still there...

What's particularly insidious about it is that even though the Digitime FOTA updater doesn't use it (unless the malware-like Lua worker is activated from their end), it still refuses to install updates if the backdoor is not present. Presumably this is to ensure that OEMs keep the backdoor code in their Android builds.

Yes, I read that on your blog. As I understood it, they check that the backdoor is there by calling a method that returns its version number. Unless that changes, could it be possible to just leave that method and remove all the other sneaky ones, or leave them in there, but patch them to do nothing, like { return null; } or similar? But, well... the odds of Planet pulling off something like that might be slim, if it would even be feasible.

As I actually do want to use a bit of google-ware, striving to go Linux-only would seem counterproductive for me, and I'm wary of rooting (in both cases, I want a daily driver that kind of just works - and has a nice keyboard). That seems to limit my options quite a bit. Is there really anything I could do, except hoping that neither Digitime nor (other) malware authors will bother, be picky about what I install, and try not to worry too much?

At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/e...on_all_samsung/

Oh boy, great... my other phone is a (fairly recent) Samsung. Not that I'm using Device Care, since it, apparently, considers my local HTML files to be junk... but this seems to be another reason not to touch it.

[Ben10]

At least we're not the only ones with these kind of problems: https://www.reddit.com/r/Android/comments/e...on_all_samsung/

Samsung top devices can cost a fortune. This is so sad...

[Zarhan]

If you root the device, I suppose you can get rid of the API. What would be the steps to do that?

[Ninji]

This morning I’ve been emailed by Davide Guidi (Planet’s CTO) about this situation. Their response confirms many of my suspicions: Planet was entirely unaware about the presence of this code in the Cosmo, and their use of Digitime’s software was entirely guided by advice and reassurance from their ODM.

Despite my misgivings I’m very glad to see that Planet is taking this seriously — he says that Digitime have agreed to remove the IOrgX/Y/Z backdoor services from the Cosmo and that PC is investigating alternatives to their OTA service.

This does not fully resolve my doubts - there is still a substantial amount of subterfuge involved in the system even when discounting that; see, for example, this XDA thread (linked from my second blog post): https://forum.xda-developers.com/general/se...rooted-t3863704 - although the Gemini did not include the IOrg backdoor it still included the Lua C&C system demonstrated to be installing apps in that thread.

I however feel much more relieved about this knowing that Planet are willing to make changes and listen to feedback about this. I will be writing back to him with further information on that and why I don’t feel that simply removing the IOrg services will solve all the issues involved.

[Daniel W]

That was very relieving news. Thank you Ninji. I'm not too surprised Digitime is willing to remove offending code. I think there may be fairly little malevolent intent involved here, and more of what different cultures regards as acceptable or even desirable.

Many "westerners" seems to be somewhat okay with, or not care too much about, extensive surveillance capitalism, as long as it doesn't get too obviously creepy. If it provides enough convenience in return, it might even be desirable. Google Assistant, Alexa, Siri and Bixby have to know you pretty well to work (no, I don't use them). A friend of mine used to ship cable cabinets to Japan. ONE oily fingerprint on, or inside, a cabinet and it would be returned to Sweden, even if it worked perfectly. The view seemed to be that if the Swedes couldn't even keep a thing clean, you just couldn't trust that it was made with enough care.

Every culture seems to have their set of things people will or won't care about, so the acceptable trade offs are different. If you can only get apps from dodgy third parties, so what if your brand can also install crap, especially if that made the phone so cheap, it's almost still theirs anyway? Heck, some users may even want plausible deniability, when something objectionable is found on their phone, "uh, yeah, they keep installing such stuff and I just haven't been able to remove it yet...", a bit like some folks may "forget" to delete certain spam, with "interesting" pictures.

Still, and for similar reasons, I'd guess this is just a first step. Digitime will likely only delete exactly what Planet tells them to, and won't necessarily do it carefully either, not because they are "bad", but more because it's something they just can't be bothered to take too seriously, a bit like when identical cable cabinets were shipped elsewhere, no way anyone could be bothered to wipe off every single fingerprint. Without pointing fingers, I'd guess these kinds of differing views on what goes, may explain some of the many quality issues Planet has kept running into. If one, somewhat clueless party, wants to produce quality stuff as cheaply as they can, but their partner is more into an appearance of quality, to boost sales, there may be... issues.