OmniTorch Privacy Issues

Status
Not open for further replies.

percy_g2

Senior Member
Oct 22, 2012
4,475
15,970
Bangalore
sites.google.com
Hello everyone, I saw something weird with omni torch privacy and device access. Have a look at the attachments below.

Now can @XpLoDWilD @pulser_g2 explain this ???

I recommend omni users disable this access or remove this app until omnirom devs fix this. There MIGHT be more apps like this.
 

[Attachments: six screenshots, Screenshot_2014-06-12-19-33-43.png through Screenshot_2014-06-12-19-34-08.png]

percy_g2

I guess most of these permissions are not needed for the app to work. Correct me if I'm wrong.

Sent from my Nexus 4 using Tapatalk
Yes.
There are a hell of a lot of apps out there. Take cm torch for example: it's better than omnitorch in terms of privacy but it also has camera access (images and videos). Below are the cm torch permissions.
uploadfromtaptalk1402582781269.jpg

Sent from my Nexus 4 using Tapatalk
 

CallMeAldy

Senior Member
Jan 21, 2012
1,347
5,124
Mumbai
www.aldrinholmes.com
Yes.
There are a hell of a lot of apps out there. Take cm torch for example: it's better than omnitorch in terms of privacy but it also has camera access (images and videos). Below are the cm torch permissions.
View attachment 2794271

Sent from my Nexus 4 using Tapatalk
I may be wrong but I think the camera access is okay because that's the thing which turns the flash on and off, but the omni torch permissions are way beyond acceptance.

Sent from my Nexus 4 using Tapatalk
 

Entropy512

Senior Recognized Developer
Aug 31, 2007
14,088
25,086
Owego, NY
Um, please don't claim that this is OmniTorch. It isn't.

Why?

OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source.

https://github.com/omnirom/android_packages_apps_OmniTorch/blob/android-4.4/AndroidManifest.xml

You will see that OmniTorch is not requesting any of those permissions. The only permissions in the manifest are:
CAMERA (this is needed to control the LED on many devices)
WRITE_SETTINGS
WAKE_LOCK (many devices behave badly if the device suspends when torch is on)
BROADCAST_STICKY

You can also look at the source code to see everything that OmniTorch actually does, and there isn't anything there that could violate your privacy.
 

percy_g2

Um, please don't claim that this is OmniTorch. It isn't.

Why?

OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source.

https://github.com/omnirom/android_packages_apps_OmniTorch/blob/android-4.4/AndroidManifest.xml

You will see that OmniTorch is not requesting any of those permissions. The only permissions in the manifest are:
CAMERA (this is needed to control the LED on many devices)
WRITE_SETTINGS
WAKE_LOCK (many devices behave badly if the device suspends when torch is on)
BROADCAST_STICKY

You can also look at the source code to see everything that OmniTorch actually does, and there isn't anything there that could violate your privacy.

First of all, I used the omnitorch android-4.4 branch from omnirom github.
I have checked the sources and I know what you are trying to say.

"OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source."

Really???? Funny statement. Actually, you know what, we can open the omnirom zip and strip out OmniTorch.apk from it.

Try it yourself, and I'm done helping out.

And yeah, don't tell me that you can't install it in your next post. Push it to system/app and rw-r-r.
Thank you.

Sent from my Nexus 4 using Tapatalk
 

CallMeAldy

Um, please don't claim that this is OmniTorch. It isn't.

Why?

OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source.

https://github.com/omnirom/android_packages_apps_OmniTorch/blob/android-4.4/AndroidManifest.xml

You will see that OmniTorch is not requesting any of those permissions. The only permissions in the manifest are:
CAMERA (this is needed to control the LED on many devices)
WRITE_SETTINGS
WAKE_LOCK (many devices behave badly if the device suspends when torch is on)
BROADCAST_STICKY

You can also look at the source code to see everything that OmniTorch actually does, and there isn't anything there that could violate your privacy.
APK from the LATEST mako nightly.

[Four attached images: ba2a4uga.jpg, a8u2ama5.jpg, yjehehe2.jpg, 4yjude7e.jpg]


Maybe this should satisfy you, I'll leave everything here now.

Sent from my Nexus 4 using Tapatalk
 

[Attachment: OmniTorch.apk]

percy_g2

Below screenshots are from Official Mako nightly omni-4.4.3-20140611-mako-NIGHTLY.zip

My friend says it might be because omnitorch runs on the system user id, so it has the same permissions as any shell logged in as system.

Now I'm really surprised with omnirom dev (Entropy512) attitude.

Did you guys do it to avoid chmod of sysfs in every device?
 

[Attachments: six images, IMG-20140612-WA0019.jpg through IMG-20140612-WA0024.jpg]

Entropy512

Below screenshots are from Official Mako nightly omni-4.4.3-20140611-mako-NIGHTLY.zip

My friend says it might be because omnitorch runs on the system user id, so it has the same permissions as any shell logged in as system.

Now I'm really surprised with omnirom dev (Entropy512) attitude.

Did you guys do it to avoid chmod of sysfs in every device?

Well, you're claiming that we're invading your privacy when if you look at the sources, it's obvious we're not.

You claim there's a privacy problem - show me where in the source we're collecting information. Put your money where your mouth is.

The shared system UID might be causing some weird display issues - but there are lots of system apps with those permissions. If it is your belief that users should disable OmniTorch merely because of the shared system UID even though you can look at the source and see that there is no privacy issue, then you need to remove the kernel, the frameworks, the HALs. Oh wait, you'll have nothing left.
 

percy_g2

Well, you're claiming that we're invading your privacy when if you look at the sources, it's obvious we're not.

You claim there's a privacy problem - show me where in the source we're collecting information. Put your money where your mouth is.

The shared system UID might be causing some weird display issues - but there are lots of system apps with those permissions. If it is your belief that users should disable OmniTorch merely because of the shared system UID even though you can look at the source and see that there is no privacy issue, then you need to remove the kernel, the frameworks, the HALs. Oh wait, you'll have nothing left.

Looks like you don't deserve to hold SRD.

1. I didn't say/write that omnirom is collecting user data.
2. If you don't have any proper explanation then don't reply.
3. Now coming to your point, in an indirect way you are saying every system app should have all permissions which are not needed.

Great explanation and please don't reply now, it's better if someone with more knowledge explains it.

Sent from my Nexus 4 using Tapatalk
 

Entropy512

Looks like you don't deserve to hold SRD.

1. I didn't say/write that omnirom is collecting user data.
2. If you don't have any proper explanation then don't reply.
3. Now coming to your point, in an indirect way you are saying every system app should have all permissions which are not needed.

Great explanation and please don't reply now, it's better if someone with more knowledge explains it.

Sent from my Nexus 4 using Tapatalk

You said, and continue to maintain, that there is a privacy issue. For there to be a privacy issue, data collection has to be occurring.

Is data collection occurring? NO. Therefore there is not a privacy issue.

Also, for the time being, those permissions are needed, otherwise torch crashes when accessing the sysfs nodes to control torch on devices that need it. (we can't do shared system UID on a per-device basis). https://gerrit.omnirom.org/#/c/3758/ would be the preferred solution if it worked, but it doesn't.

Is there a potential security risk? Maybe, if someone were to somehow "attack" Torch. It's pretty easy to analyze the intent handler to determine if a torch enable/disable broadcast could be used for "other" purposes though.
Is it ideal? No. I would prefer to figure out why the above gerrit commit doesn't work as expected but I haven't had the time.

But you've come here and are claiming there is a privacy issue and that everyone should disable/remove Torch because of some arbitrary privacy issue THAT DOES NOT EXIST.

The whole premise of your thread is that there is a privacy issue, but:
THERE IS NO PRIVACY ISSUE. IF THERE IS ONE, PROVE IT. SHOW WHERE THE DATA COLLECTION OCCURS.
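
Added example (not part of any post in this thread, and not OmniTorch's code): a small Python audit of a source-form AndroidManifest.xml that separates the two things being argued over, the permissions the manifest declares versus an `android:sharedUserId="android.uid.system"` attribute that makes the app run with the system UID, and that lists exported components with no `android:permission` guard, which is the intent-handling surface the post above says to analyze. The manifest is a constructed sample using the four permissions named earlier in the thread; the package and component names are hypothetical, and an application-level `android:permission` is not considered.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SYSTEM_UID = "android.uid.system"

# Constructed sample: the four permissions named in the thread plus a shared
# system UID. Package and component names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch"
    android:sharedUserId="android.uid.system">
  <uses-permission android:name="android.permission.CAMERA" />
  <uses-permission android:name="android.permission.WRITE_SETTINGS" />
  <uses-permission android:name="android.permission.WAKE_LOCK" />
  <uses-permission android:name="android.permission.BROADCAST_STICKY" />
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN" />
      </intent-filter>
    </activity>
    <receiver android:name=".TorchSwitch">
      <intent-filter>
        <action android:name="com.example.torch.TOGGLE" />
      </intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false" />
    <service android:name=".TorchService" android:exported="true"
        android:permission="com.example.torch.CONTROL" />
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Report declared permissions, system-UID sharing and unguarded components."""
    root = ET.fromstring(xml_text.strip())
    shared = root.get(ANDROID_NS + "sharedUserId")
    declared = sorted(
        p.get(ANDROID_NS + "name") for p in root.iter("uses-permission"))
    exposed = []
    for comp in root.iterfind("application/*"):
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        flag = comp.get(ANDROID_NS + "exported")
        # Pre-Android 12 default: an intent-filter implies exported=true.
        exported = flag == "true" or (
            flag is None and comp.find("intent-filter") is not None)
        if exported and comp.get(ANDROID_NS + "permission") is None:
            exposed.append((comp.tag, comp.get(ANDROID_NS + "name")))
    return {
        "runs_as_system": shared == SYSTEM_UID,
        "declared_permissions": declared,
        "unprotected_exported": exposed,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(key, "=", value)
```
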
 

CallMeAldy

Well, you're claiming that we're invading your privacy when if you look at the sources, it's obvious we're not.

You claim there's a privacy problem - show me where in the source we're collecting information. Put your money where your mouth is.

The shared system UID might be causing some weird display issues - but there are lots of system apps with those permissions. If it is your belief that users should disable OmniTorch merely because of the shared system UID even though you can look at the source and see that there is no privacy issue, then you need to remove the kernel, the frameworks, the HALs. Oh wait, you'll have nothing left.
Please don't waste your 'precious' time here. Somebody else could surely explain things in a better way and not assume that anyone is blaming omni for collecting data.

Cheers.

Sent from my Nexus 4 using Tapatalk
 

Entropy512

Please don't waste your 'precious' time here. Somebody else could surely explain things in a better way and not assume that anyone is blaming omni for collecting data.

Cheers.

Sent from my Nexus 4 using Tapatalk

See the title of this thread. "privacy issue". Also see percy's recommendation that people remove/disable the app because of this "privacy issue"

"privacy issue" means that data is being collected that shouldn't be collected. He has no proof that anything of the sort is happening (because it isn't happening!) but he immediately stated that everyone should be removing this app because of "privacy issues"

If he weren't coming here trying to gain glory as a whistleblower and a name for himself, he would've fixed the commit referenced above, or merely asked what the rationale was for the shared system UID. No, instead, he came here claiming there's a huge privacy issue and everyone should remove the app.
 

percy_g2

You said, and continue to maintain, that there is a privacy issue. For there to be a privacy issue, data collection has to be occurring.

Is data collection occurring? NO. Therefore there is not a privacy issue.

Also, for the time being, those permissions are needed, otherwise torch crashes when accessing the sysfs nodes to control torch on devices that need it. (we can't do shared system UID on a per-device basis). https://gerrit.omnirom.org/#/c/3758/ would be the preferred solution if it worked, but it doesn't.

Is there a potential security risk? Maybe, if someone were to somehow "attack" Torch. It's pretty easy to analyze the intent handler to determine if a torch enable/disable broadcast could be used for "other" purposes though.
Is it ideal? No. I would prefer to figure out why the above gerrit commit doesn't work as expected but I haven't had the time.

But you've come here and are claiming there is a privacy issue and that everyone should disable/remove Torch because of some arbitrary privacy issue THAT DOES NOT EXIST.

The whole premise of your thread is that there is a privacy issue, but:
THERE IS NO PRIVACY ISSUE. IF THERE IS ONE, PROVE IT. SHOW WHERE THE DATA COLLECTION OCCURS.

Thanks for the explanation.

Now some of my points:

1. I asked for an explanation from omnirom devs; instead of posting a funny post you could have posted this earlier.
2. I wrote "users please remove those access or remove omnitorch app until omni rom devs fix it" because there are many unofficial ports and someone might take advantage of omnitorch app permission issues. (There are many ways to take advantage without letting users know about it, as the official torch app already has those permissions.)
3. You guys can learn how cm managed to avoid the issues you are having.
4. For the future, learn how to explain and post. Someone who holds SRD doesn't reply like this.

"OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source."

This ^
5. I'm not here to bash and claim anything.
Learn to accept your mistakes.


THERE IS POTENTIAL RISK and again thank you for the explanation.



Sent from my Nexus 4 using Tapatalk
 

gigsaw

Senior Member
Jun 22, 2010
223
51
Guys please calm down :) xda is a community, we are here not to fight each other but we are here to learn. So, if you see a problem, why don't you try to fix it? Omnirom is an open source project, so everybody can help. I am not an expert and I only think that omnirom is one of the few projects really careful about privacy and security, so it would be strange that they collect information through the torch app :p I'm not here to argue but I would like to try, from my little point of view, to guess a "solution": If I disable the not needed torch permissions through the settings menu, would it be a good idea?
 

Entropy512

Thanks for the explanation.

Now some of my points:

1. I asked for an explanation from omnirom devs; instead of posting a funny post you could have posted this earlier.
2. I wrote "users please remove those access or remove omnitorch app until omni rom devs fix it" because there are many unofficial ports and someone might take advantage of omnitorch app permission issues. (There are many ways to take advantage without letting users know about it, as the official torch app already has those permissions.)
3. You guys can learn how cm managed to avoid the issues you are having.
4. For the future, learn how to explain and post. Someone who holds SRD doesn't reply like this.

"OmniTorch is preinstalled with Omni, if you're installing it, then obviously you got it from some unofficial source."

This ^
5. I'm not here to bash and claim anything.
Learn to accept your mistakes.


THERE IS POTENTIAL RISK and again thank you for the explanation.



Sent from my Nexus 4 using Tapatalk
It makes no sense that someone would install an APK that is already there. The only sensible explanation for someone "installing" OmniTorch is that they're trying to replace it with something.

And you didn't ask for an explanation, you came out and said there was a privacy issue and people should remove/disable the app.

Your comment about unofficial ports is nonsensical - There's no way to take advantage of the permissions issues without modifying the app. If they're modifying the app, they're either distributing it as a standalone APK - in which case the user should be proceeding with care, or they're distributing it as part of a prebuilt firmware package - and there are plenty of far better ways to violate someone's privacy (like adding hooks to the frameworks themselves) if someone is distributing a complete package.

Or another way of saying it is: When it comes to privacy/whatever, all bets are off if you're flashing a complete system firmware package, since that includes a kernel (e.g. whoever provided you the package can obtain kernel-level access to do whatever they wish with your device). If you don't trust whomever provided the package, you shouldn't be using ANY component of it. There is no way that OmniTorch can be used to invade privacy that can't be more easily done in another way by someone with nefarious intent.
 

Top Liked Posts

  • 4
    Just to cut this crap short.

    He just said to disable the permissions not to disable the app.

    He wanted a clear explanation from someone with good knowledge, unfortunately he got a reply from you which made things even more complicated cause of your assumptions.

    His point was if not OMNI then somebody else could exploit this and get access to everything with a bad intent and hence he posted everything here so in case OMNI developers ain't aware of it they could take necessary actions.

    Cheers ;)

    I'm not sure if either of you two are understanding Entropy512's point.

    There's two points to consider:
    1. Would people be able to exploit this prebuilt app directly? No because of the way Android permissions/framework works, no other app would be able to access/exploit these permissions.
    2. OK suppose we disable the permissions. What sort of barrier would that put up to stop others from distributing bad APKs? Absolutely none because it would be one line of code to add back in.

    So in either case it's meaningless to talk about removing the sharedSystemUid. If we do that, we lose access to sysfs which would break torch which is obviously bad news for a torch app. Either that or we can ask for root in which case we could do a lot worse than even these permissions.

    EDIT: BTW this is the commit which you might want to look at https://github.com/omnirom/android_...mmit/c09f5b47ddaec430b9d0e0d11131301935110203
    4
    Oh how I missed all of those "XDA drama queens" :)

    Sent from my N1 using Tapatalk
    4
    1. I didn't mention to disable. I wrote remove app or disable not needed permissions.
    2. I don't wanna make any name for myself. You really have something wrong in your brain, I asked for explanation.
    3. I don't wanna commit to OmniROM (personal reasons), I posted this for an explanation and I think OmniROM users must know about it.
    4. Look at your posts again, what you replied to me first.

    Now stop posting your assumptions about me as I made myself clear in the above points.

    1) Still, you are telling people to remove the app when there is no justification for doing so.
    2) BS. If your intent was to ask for an explanation, your post would have been, "Why does the package have a shared system UID? Could this be abused?" - But you didn't. What you did is come out and say there was a privacy issue and everyone should remove the app - even though there is no privacy issue and no reason for people to remove the app. Since you refuse to commit to Omni, it's clear that you don't want to have a positive role in improving it and came here to stir up trouble/drama.
    3) Must know about what? Nothing? You have yet to indicate any way in which this can have any negative effect on a user, except if someone takes our source and modifies it. If they do that, they can modify it to do whatever they want - even if we removed the shared system UID, someone could readd it and add privacy-invading features to OmniTorch in an unofficial build, although that would be a poor/inefficient way of doing it - easier to just modify the frameworks or an APK that already has (and requires) access to the data in question like the dialer (plenty of ways someone could abuse privacy with a hacked dialer...)
    2
    Can't be nice or respectful to each in replies and posts + have to be childish in replies and make XDA look like it is a playground with all this verbal judo + even after warning from moderating staff about said unneeded drama = Thread closed.


    Be nice, or get out of XDA...pretty easy rules to follow.