This phone wants to send your location data to China


A low-cost phone for seniors sold in the US and Canada asks to send location and Wi-Fi data to a Chinese internet giant when it starts up, we found while examining voice phones for PCMag this week.

The Jethro SC490 is sold direct from its manufacturer, as well as on Amazon for $84.99. It has a four-star Amazon rating and claims to work with AT&T, T-Mobile, and Verizon. It also asks to send location data to Baidu, a huge company that is essentially the Google of China, to try to get a location fix when GPS is not available.

The SC490 situation shows a danger of buying low-cost uncertified phones from lesser-known brands in the United States. Many of these phones are from China, and the companies involved may be cutting corners and not properly rewriting their software for US needs.


How does your phone know where you are?

A Network Location Provider (NLP) helps supercharge a phone’s GPS capabilities by providing a location pin based on nearby cell towers or Wi-Fi networks. NLPs have massive databases of network IDs linked to specific locations. In the United States, Android phones generally use Google as their NLP. iPhones use Apple. Mozilla also has an NLP, as does the independent company Skyhook.

In other words, there are a bunch of non-Baidu options for phones in North America. But Jethro, a Canadian phone company with American subsidiaries, did not bother to change its Chinese hardware’s default use of Baidu as its NLP.

Baidu is not owned by the Chinese government (it is listed on the NASDAQ), but it is well known for its cooperation with government mandates and restrictions. In China, I can’t fault it at all; it’s in a country, it obeys the laws of that country. But these laws and interests tend to be very different from American or European laws and interests.

At least it asks first.


Why is a Canadian phone sending data to China?

Jethro is a Canadian mobile phone company that has been selling unlocked phones for the elderly since 2012. Like many small phone companies, it doesn’t make anything itself; it orders phones from Chinese manufacturers and customizes them.

Jethro now appears to be a group of related companies: Jethro Trading, based in Langley, BC; Jethro Senior Technology, in Bellingham, WA; and Jethro Mobile, in Ferndale, WA. Jethro Trading is the oldest of the entities, and the company’s FCC documents provide contact details and address for Jethro in British Columbia.

The company’s specialty is big button phones with clean, big text interfaces. There are a few of these brands (Snapfon also comes to mind) and this is a category that the major carriers usually don’t sell. It is aimed specifically at the elderly and people who need simple, easy-to-read phones.

Jethro’s FCC filing shows the phone to be made by Ying Tai, a company whose website says it is based in Hong Kong. Many companies have business addresses in Hong Kong, but are primarily operated from mainland China. Google services are allowed in Hong Kong, but not on the mainland, which could explain why phones from a “Hong Kong-based” company use Baidu as their NLP by default.

The SC490 appears to be very similar to the Ying Tai F2-4G. While the SC490 is based on the F2-4G, Jethro has ordered some customizations; the keys are labeled differently and it has a different set of frequency bands than the model on the Ying Tai website.

When the SC490 starts up, its operating system, based on Android 8.1 AOSP, displays a request to send location information, device credentials and network information to Baidu. Looking at the logs with the Android Developer Kit, I found that the phone uses “com.baidu.map.location” or “BaiduNetworkLocationService” to start its location access on startup.

Screen capture from the log showing a phone communicating with Baidu
On startup, the phone tries to talk to Baidu to get its initial location lock.
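
A defensive check along the lines described above, as an added example that is not PCMag's tooling or part of the original article: it scans logcat text (for instance a saved `adb logcat -d` capture) for the two Baidu identifiers named in the text. The sample log lines are constructed for illustration, and the function names are hypothetical.

```python
import re

# Identifiers the article reports in the SC490's startup logs.
WATCHLIST = ("com.baidu.map.location", "BaiduNetworkLocationService")

# logcat "threadtime" layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)

# Constructed sample capture (not taken from a real device).
SAMPLE_LOG = """\
--------- beginning of system
01-01 00:00:09.480   812   812 I SystemServer: starting location services
01-01 00:00:12.101   812   830 I ActivityManager: Start proc 1450:com.baidu.map.location/u0a31 for service com.baidu.map.location/.BaiduNetworkLocationService
01-01 00:00:12.640  1450  1450 D BaiduNetworkLocationService: onCreate
01-01 00:00:13.002   812   845 W WifiService: scan requested by uid 10031
"""


def find_nlp_hits(log_text, watchlist=WATCHLIST):
    """Return one record per log line that mentions a watched identifier."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m is None:          # banners such as "--------- beginning of ..."
            continue
        matched = [w for w in watchlist if w.lower() in line.lower()]
        if matched:
            hits.append({"line": lineno, "time": m["time"], "pid": m["pid"],
                         "tag": m["tag"], "matched": matched})
    return hits


def first_seen(hits):
    """Map each identifier to the timestamp of its earliest appearance."""
    seen = {}
    for h in hits:
        for ident in h["matched"]:
            seen.setdefault(ident, h["time"])
    return seen


if __name__ == "__main__":
    for h in find_nlp_hits(SAMPLE_LOG):
        print(f'line {h["line"]} {h["time"]} pid={h["pid"]} [{h["tag"]}] {h["matched"]}')
    print(first_seen(find_nlp_hits(SAMPLE_LOG)))
```

Extending `WATCHLIST` with other provider package names lets the same scan be used when comparing several handsets.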

I emailed Jethro’s co-founder Angela Zhu to ask about this. At first, she said that the Baidu notification I was getting was an error; then she apologized and said the phone was clearly not ready for our review process. I agree, and we will wait to review the phone until they have finalized their software.

But in the meantime, this phone is being marketed specifically to American seniors, and it is asking permission to provide your Wi-Fi details and location to a company that has a habit of saying “yes” to Chinese government requests.


How did it happen?

I want to make it clear that there is no communist plot to steal your personal data here. What is happening is just laziness and shortcuts.

Most inexpensive phones come from mainland China, which has its own ecosystem of replacements for US companies like Google. Using Baidu for tracking is a very appropriate choice for a phone sold in China. US importers must either specifically request replacement of these services or do it themselves.

Major Chinese phone makers such as Foxconn are used to these demands. But small businesses, like Ying Tai, may not be.

Verizon has confirmed that its certification process involves ensuring that a phone does not use Baidu as an NLP. The SC490 is not certified by Verizon.


Will a cheap phone have security issues?

Since I’m in the process of reviewing a number of Chinese-made voice phones, I’ve reached out to a few smaller phone companies to see how they handle these issues.

Nuu

Nuu, a Chinese phone maker that sells cheap Android phones in the US, told me their F4L flip phone doesn’t use an NLP. However, the F4L uses Adups, a popular Chinese firmware over-the-air (FOTA) provider that delivers firmware upgrades to phones. Like network location, this is another service that Google often provides in the United States but cannot provide in China. Adups works on Android phones without Google services, and I found it running on the Nuu F4L flip phone, sold by US Mobile and certified by Verizon.

Adups found itself in a big mess in 2016 when a version of its FOTA software kept sending text messages to China, which led low-cost phone maker Blu to drop it for US devices.

We reached out to Nuu and they provided a response, which I’ll reproduce in full here:

1. Since Android 8, Google’s GMS has been pretty strict on security, patching quarterly and testing preinstalled apps for malware. This then serves as an endorsement for Adups and its inclusion in today’s devices to receive Google’s blessing when requesting from GMS. Although our F4L does not include GMS, all of our other Android devices use GMS, and many use Adups for FOTA purposes. (We’re already moving this year to GOTA, now that it’s able to handle everything we’ve done with FOTA.)

2. We also believe that Adups is listed as a partner on Google’s enterprise mobility management site.

3. Adups posted a notice clarifying the limitations of their data collection, I believe in response to your post on BLU in 2016, 4 days after posting – which may help.

4. Adups has also accepted GDPR compliance, which is detailed in our contract with them.

Some security companies, such as Malwarebytes, still refer to Adups as “malware” because their FOTA software allows them to automatically and remotely install applications on phones. All FOTA software can do this; this is not automatically a sign of malware. But a malicious FOTA provider can use their privileges to mess up phones.

It will depend on how much trust you place in Adups. Their GDPR compliance and partnership with Google suggest that they have come a long way since 2016. I find Nuu’s response satisfactory, and I’m not going to hold Adups’ presence against the F4L.

Punkt

Punkt runs “internal version tests … to BlackBerry Secure requirements” for any firmware update, and has “no tracking, no tracking, no sharing,” spokesperson Adam Thomas told me. I did not encounter any security red flags when testing the Punkt MP02.

Sunbeam

Sterling Martin, the founder of American start-up Sunbeam Wireless, told me that when he received the original versions of what became the Sunbeam F1 from China, these phones included the Baidu location package; Sunbeam had to pull it. The F1 doesn’t include an NLP because Sunbeam couldn’t find one that meets its privacy standards, Martin said. Sunbeam also runs its own FOTA server.

Sunbeam’s F1 voice phone costs $195 and Punkt’s MP02 costs $349; the Nuu F4L and the Jethro SC490 both cost less than $100. When it comes to security, you don’t get what you don’t pay for.

But there are cheaper voice phones with higher standards than Jethro’s. Buying something certified by the carrier is essential, as carriers check for some obvious security holes. Turning to a bigger, more established manufacturer like Nokia or Kyocera can also help, as those companies have more experience with US requirements. The bottom line: If you need a cheap phone, do your due diligence before you buy.



About Anne Wurtsbach
