On Sun, 22 Dec 2019 07:47:45 +0100 (GMT+01:00), Libor Striz wrote:
> Before one starts using the 3rd party keyboards
> for "do not touch anything from Google" reason,
> one should answer oneself the question,
> why one should trust the 3rd party more than Google ?
Hi Poutnik,
THANK YOU for adding value, which only about 1 in 1,000 do on Usenet.
o And, you provided URLs, which only about 1 in 1,000 do on Usenet.
o And only one in 10,000 provides screenshots to help people out.
Like this: <https://i.postimg.cc/fT4vTWQH/keyboard.jpg>
I appreciate that you are, like I am, well educated, so you're quite used
to simple questions having both complex and simple answers concurrently.
The complex answer is that you can't trust "anyone" unless/until you (or
someone you trust) does "exhaustive" research (perhaps requiring extensive
resources like a man on the inside) to determine not only their
motivations, but their entire security structure (e.g., how many banks get
hacked, for example, even as you may "trust" them to not be motivated to
sell your private data?).
The _simple_ answer is that breaking your private data across scores of
companies, "may" provide what we might term "privacy by dispersement".
For example, let's take the supposed "google FBI closet" where, basically,
the government reputedly tapped Google's trunks from right inside Google HQ
(as I recall - but just take this as a metaphor so I don't have to look up
the exact details).
Notice all the government would need to do is tap one line (figuratively
speaking), and they get everything, whereas with dispersal techniques,
they have to tap "more things".
Now, they likely tap "everything" anyway, which is where that complexity
comes in, but keeping things simple to answer your question, the choice for
you is, as I see it, only one of two options:
o Put all your data in one basket (e.g., the Google basket), or,
o Disperse your data among scores of baskets.
> Is it because one knows the company/product to be trustful (good),
> or, is it because one does not know the company/product at all,
> thinking anything is better than Google(not so good)?
See above.
o Your point, Poutnik, is perfectly valid; I do not disagree.
We know "something" about Google; and yet we likely really know nothing
about them since they're complex as all hell; and yet, we know even less
about the scores of companies in which we're putting our data...
HOWEVER... there is a fallacy in your argument ... when we dive deeper.
o There is far less chance my "stuff" is going on the net, sans Google.
*1. Take contacts.*
My phone is set up so that the contacts stay in a vcard file in a "vcd"
file (and on my local network), which is manually imported into my
non-Google contacts app (Simple Mobile Contacts Pro). As far as I know,
that's as far as my contacts go. <https://www.simplemobiletools.com/>
*Do you have _any_ evidence that the contacts go farther than my phone?*
*2. Take calendaring.*
My phone is set up so that my calendar stays in an "ics" file on the phone
(and on my local network), which is manually imported into my non-Google
calendaring app (Simple Mobile Tools Calendar). As far as I know, that's as
far as my calendars go. <https://www.simplemobiletools.com/>
*Do you have _any_ evidence that the calendar goes farther than my phone?*
*3. Take passwords.*
My phone is set up so that my passwords stay in a "kdbx" file on the phone
(and on my local network), which is manually imported into my non-Google
calendaring app (Keepass2Android). As far as I know, that's as far as my
password databases go. <https://github.com/PhilippC/keepass2android>
*Do you have _any_ evidence that the calendar goes farther than my phone?*
> As they will put their hands on all the data you would type via it.
Maybe. My hope is that Simple Mobile Tools does what they say they do.
o And, if they didn't, my hope is that someone will test it out for us.
> Noname small companies or individuals would be less monitored
> than big fishes, could be less scrupulous with aggressive data mining
> and less worried about the loss of reputation and lawsuit actions.
Notice, by _design_, I keep my personal data _off_ the Internet.
o That, alone, will make a good start toward privacy, don't you think?
Yet, you bring up a point, particularly on 3rd-party keyboards, that they
'can' capture your data to send it surreptitiously over the air (or to
another app, which subsequently sends it over the air).
On the desktop, I could use WireShark or tcpdump/kismet or some other
similar ad hoc man-in-the-middle solution (e.g., setting up a personal VPN
server or setting up the phone as an access point) to see what's heading
out when I run any given app; I need to look up what we use for Android to
sniff the air...
o 6 Best Wireshark Alternatives for Android
<https://techwiser.com/wireshark-alternatives-for-android/>
1. zAnti [Root]
2. cSploit [Root]
3. Packet Capture
4. Debug Proxy
5. WiFinspect [Root]
6. tPacketCapture
o 7 best Wireshark solutions for Android
<https://techonation.com/best-wireshark-alternatives-android/>
1. CSPLOIT
2. Zanti
3. Debug Proxy
4. Packet Capture
5. TPacketCapture
6. Android TCPDump
7. NMap
Note there are plenty of ad hoc man-in-the-middle innovative solutions:
o Capturing mobile phone traffic on Wireshark
<https://stackoverflow.com/questions/9555403/capturing-mobile-phone-traffic-on-wireshark>
<https://ask.wireshark.org/question/3821/how-can-i-see-the-traffic-of-an-android-app/>
<https://www.linuxjournal.com/content/monitoring-android-traffic-wireshark>
etc.
> I would e.g. hesitate typing sensitive new passwords via them,
> OTOH some are useful for offering full keyboard like Hacker's
> keyboard.
You bring up two good points, which is that most of these non-Google
3rd-party apps don't ask for a password (e.g., my calendar, my contacts)
but some do (e.g., Keepass2Android), where it's especially important to use
a well-vetted app where we can "assume" that security researchers have been
looking at them for privacy leaks (let's hope).
The main point is that we choose apps that don't inherently have our
password, and that don't _need_ our password, and then we can "assume" our
passwords are "safer" (since they're never needed or asked for by the app).
The second good point is that there is the "hackers keyboard", which I
didn't cover in this thread, which we should cover at some point, I think.
<https://code.google.com/p/hackerskeyboard/wiki/UsersGuide>
<https://code.google.com/p/hackerskeyboard/wiki/FrequentlyAskedQuestions>
<https://code.google.com/p/hackerskeyboard/wiki/ReleaseNotes>
<https://code.google.com/p/hackerskeyboard/>
> In fact, I do not use Google keyboard for passwords either,
> but the keyboard of the password manager,
> that already has/will have access to them.
Again, this is a _great_ point Poutnik, which I, for one, appreciate that
you're sharing with the users.
I don't know if most users will understand the significance of what you
just said, so I'll show this screenshot of my Moto G7 showing that, if I
wanted to, I could use, for my Keepass2Android password manager, a
"special" keyboard just for that purpose.
o Settings > System > Languages & input > Virtual Keyboard
<https://i.postimg.cc/fT4vTWQH/keyboard.jpg>
Poutnik knows this, but for the others on Usenet who don't, notice there's
the choice of "Keepass2Android" in that list, which is what Poutnik is
speaking about.
I'm not quite sure myself "what" privacy magic the Keepass2Android keyboard
does (as I don't use it); so maybe Poutnik can expound on what the
advantage is of using that specific "Keepass2Android" keyboard for all to
benefit.
--
Usenet works best when adults purposefully share meaningful knowledge.