Per one tech forum this week: “Google has quietly installed an app on all Android devices called ‘Android System SafetyCore’. It claims to be a ‘security’ application, but whilst running in the background, it collects call logs, contacts, location, your microphone, and much more making this application ‘spyware’ and a HUGE privacy concern. It is strongly advised to uninstall this program if you can. To do this, navigate to 'Settings’ > 'Apps’, then delete the application.”
Thnx for this, just uninstalled it, google are arseholes
Is there any indication that Apple is truly more secure and privacy conscious over Android? Im kinda tired of Google and their oversteps.
The short answer is: Apple collects much of the same data as any other modern tech composite, but their “walled garden” strategy means that for the most part only THEY have access to that info.
It’s technically lower risk since fewer parties have access to the data, but philosophically just about equally as bad because they aren’t doing this out of any real love for privacy (despite what their marketing department might claim)
For true privacy you’ll want something like GrapheneOS on a Pixel, with no Google apps or anything. Some other ROM with no gApps as a second choice.
Other than that, Apple SEEMS to be mildly better. I’ll give you an example: Apple pulls encryption feature from UK over government spying demands
While it’s a bad thing that they pull the encryption feature, it’s a good sign - they either aren’t willing or able to add a backdoor for the UK security services. Then there was this case. If the article is to be believed, they started working on security as of iOS 8 so they could no longer comply with government requests. Today we’re on iOS 18.
Apple claims their advertising ID is anonymized so third party apps don’t know who you are. That said, they still have the advertising ID service so Apple themselves do know a whoooooole lot about you - but this is the same with Google.
Then regarding photo scanning - Apple received a LOT of backlash for their proposed photo scanning feature. But it was going to be only on-device scans on photos that were going to be uploaded to iCloud (so disabling iCloud would disable it too) and it was only going to report you if you had a LOT of child pornography on your phone - otherwise it was, supposedly, going to do absolutely nothing about the photos. It wasn’t even supposed to be a categorization model, just a “Does this match known CSAM?” filter. Google and Microsoft had already implemented something similar, except they didn’t scan your shit on-device.
At the end of the day, Apple might be a bit more private, but it’s a wash. It’s not transparent and neither is Google. I like using their devices. Sometimes I miss the freedom of custom ROMs, but my damn banking apps stopped working on Lineage and I couldn’t be arsed to start using the banks’ mobile websites again like I’d done in the past. So I moved to iOS, as Oneplus had completely botched their Android experience in the meantime while I’d been using Lineage so I was kinda pissed at what I had considered one of the last remaining decent Android manufacturers (Sonys are overpriced and I will never own a Samsung, I hate them, I didn’t like my Huawei or Xiaomi much either).
So if you want to run custom ROMs, get a Pixel or something. If not, Apple is as good a choice as Android. A couple of years ago it was the better choice even, as you’d get longer software support, but now the others have started catching up due to all the consumer outrage.
Thanks for the detailed reply dude. This is so thorough.
For those that have issues on Samsung devices: see here if you’re getting the “App not installed as package conflicts with an existing package” error :
If you have a Samsung device - uninstall the app also from Knox Secure Folder. Entering to Secure Folder>Settings>Apps
True or not, one can avoid the whole issue by using your phone as a phone, maybe to send texts, with location, mike, and camera switched off permanently, and all the other apps deleted or disabled. Sure, Google will still know you called your SO daily and your Mom once a week (NOT ENOUGH!), and that you were supposed to pick up the dry cleaning last night (did you?). Meh. If that’s what floats the Surveillance Society’s boat, I am not too worried.
People can go further than that and install a ROM for their phone that doesn’t have any Google apps on it. People can even use applications that normally require Google Play Services by using microG, which spoofs things. You can also root your phone with Magisk and use apps to block anything leaking anything else.
More information: It’s been rolling out to Android 9+ users since November 2024 as a high priority update. Some users are reporting it installs when on battery and off wifi, unlike most apps.
App description on Play store: SafetyCore is a Google system service for Android 9+ devices. It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages that helps users protect themselves when receiving potentially unwanted content. While SafetyCore started rolling out last year, the Sensitive Content Warnings feature in Google Messages is a separate, optional feature and will begin its gradual rollout in 2025. The processing for the Sensitive Content Warnings feature is done on-device and all of the images or specific results and warnings are private to the user.
Description by google Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and then prompts with a “speed bump” that contains help-finding resources and options, including to view the content. When the feature is enabled, and an image that may contain nudity is about to be sent or forwarded, it also provides a speed bump to remind users of the risks of sending nude imagery and preventing accidental shares. - https://9to5google.com/android-safetycore-app-what-is-it/
So looks like something that sends pictures from your messages (at least initially) to Google for an AI to check whether they’re “sensitive”. The app is 44mb, so too small to contain a useful ai and I don’t think this could happen on-phone, so it must require sending your on-phone data to Google?
I guess the app then downloads the required models
Kind of weird that they are installing this dependency whether you will enable those planned scanning features or not. Here is an article mentioning that future feature Sensitive Content Warnings. It does sound kind of cool, less chance to accidentally send your dick pic to someone I guess.
Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and then prompts with a “speed bump” that contains help-finding resources and options, including to view the content. When the feature is enabled, and an image that may contain nudity is about to be sent or forwarded, it also provides a speed bump to remind users of the risks of sending nude imagery and preventing accidental shares.
All of this happens on-device to protect your privacy and keep end-to-end encrypted message content private to only sender and recipient. Sensitive Content Warnings doesn’t allow Google access to the contents of your images, nor does Google know that nudity may have been detected. This feature is opt-in for adults, managed via Android Settings, and is opt-out for users under 18 years of age.
Looks like more of a chance of false positives happening and getting the police to raid your home to confiscate your devices. I don’t care what the article says I know Google is getting access to that data because that’s who they are.
Just for verifying accuracy and improving the product.
Per one tech forum this week
Stop spreading misinformation.
If the app did what op is claiming then the EU would have a field day fining google.
To quote the most salient post
The app doesn’t provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.
Which is a sorely needed feature to tackle problems like SMS scams
You don’t need advanced scanning technology running on every device with access to every single bit of data you ever seen to detect scam. You need telco operator to stop forwarding forged messages headers and… that’s it. Cheap, efficient, zero risk related to invasion of privacy through a piece of software you did not need but was put there “for your own good”.
I will perhaps be nitpicking, but… not exactly, not always. People get their shit hacked all the time due to poor practices. And then those hacked things can send emails and texts and other spam all they want, and it’ll not be forged headers, so you still need spam filtering.
Why do you need machine learning for detecting scams?
Is someone in 2025 trying to help you out of the goodness of their heart? No. Move on.
Blaming the victim solves nothing.
Scamming is a rapidly growing industry that is becoming more professional and specialized all the time. Anyone can be scammed.
If you want to talk money then it is in businesses best interest that money from their users is being used on their products, not being scammed through the use of their products.
Secondly machine learning or algorithms can detect patterns in ways a human can’t. In some circles I’ve read that the programmers themselves can’t decipher in the code how the end result is spat out, just that the inputs will guide it. Besides the fact that scammers can circumvent any carefully laid down antispam, antiscam, anti-virus through traditional software, a learning algorithm will be magnitudes harder to bypass. Or easier. Depends on the algorithm
I don’t know the point of the first paragraph…scams are bad? Yes? Does anyone not agree? (I guess scammers)
For the second we are talking in the wild abstract, so I feel comfortable pointing out that every automated system humanity has come up with so far has pulled in our own biases and since ai models are trained by us, this should be no different. Second, if the models are fallible, you cannot talk about success without talking false positives. I don’t care if it blocks every scammer out there if it also blocks a message from my doctor. Until we have data on consensus between these new algorithms and desired outcomes, it’s pointless to claim they are better at X.
if the cellular carriers were forced to verify that caller-ID (or SMS equivalent) was accurate SMS scams would disappear (or at least be weaker). Google shouldn’t have to do the job of the carriers, and if they wanted to implement this anyway they should let the user choose what service they want to perform the task similar to how they let the user choose which “Android system WebView” should be used.
No, that wouldn’t make much difference. I don’t think I’ve seen a real world attack via SMS that even bothered to “forge” the from-field. People are used to getting texts from unknown numbers.
And how would you possibly implement this supposed “caller-id” for a field that doesn’t even have to be set to a number?
caller id is the thing that tells you the number. it isn’t cheap to forge, but it’s the only way a scan could reasonably effect anyone with more than half a brain. there is never a reason to send information to an unknown SMS number, or click on a link from a text message from an unknown number.
Carriers don’t care. They are selling you data. They don’t care how it’s used. Google is selling you a phone. Apple held down the market for a long time for being the phone that has some of the best security. As an android user that makes me want to switch phones. Not carriers.
And what exactly does that have to do with GrapheneOS?
Please, read the links. They are the security and privacy experts when it comes to Android. That’s their explanation of what this Android System SafetyCore actually is.
Have you even read the article you posted? It mentions these posts by GrapheneOS
So is this really just a local AI model? Or is it something bigger? My S25 Ultra has the app but it hasn’t used any battery or data.
I mean the grapheneos devs say it is. Are they going to lie.
Yes, absolutely, and regularly, and without shame.
But not usually about technical stuff.
graphene folks have a real love for the word misinformation (and FUD, and brigading). That’s not you under there👻, Daniel, is it?
After 5 years of his
anticshateful bullshit lies, I think I can genuinely say that word triggers me.
an app on all Android
not my android :)
BTW did anyone reverse engineer it? Or doing rn (I’m HTH)?
The countdown to Android’s slow and painful death is already ticking for a while.
It has become over-engineered and no longer appealing from a developer’s viewpoint.
I still write code for Android because my customers need it - will be needing for a while - but I’ve stopped writng code for Apple’s i-things and I research alternatives for Android. Rolling my own environment with FOSS components on top of Raspbian looks feasible already. On robots and automation, I already use it.
What’s over engineered about it?
In my experience, the API has iteratively made it ever harder for applications to automatically perform previously easy jobs, and jobs which are trivial under ordinary Linux (e.g. become an access point, set the SSID, set the IP address, set the PSK, start a VPN connection, go into monitor / inject mode, access an USB device, write files to a directory of your choice, install an APK). Now there’s a literal thicket of API calls and declarations to make, before you can do some of these things (and some are forever gone).
The obvious reason is that Google tries to protect a billion inexperienced people from scammers and malware.
But it kills the ability to do non-standard things, and the concept of your device being your own.
And a big problem is that so many apps rely on advertising for its income stream. Spying a little has been legitimized and turned into a business under Android. To maintain control, the operating system then has to be restrictive of apps. Which pisses off developers who have a trusting relationship with their customer and want their apps to have freedom to operate.
I suppose that’s all true, I’d say more “following apples lead on locking things down” than over engineered, but 🍅🍅.
I find myself avoiding the whole root business, I do want my mobile device to be fairly locked down. But I also use alternative OSs and app stores to avoid 90% of the garbage (stuff I can’t avoid I put in work profile, like I still need google maps).
It works for me, but on the front of this complexity driving away devs I don’t really see a viable alternative. Base Linux isn’t secure enough for what we put on these little computers. I mean you’ve still got tons of influential people arguing you shouldn’t use secureboot or a tpm as if leaving your whole computer unsecured is better than the indignity of using a non-free bios.
laughs in GrapheneOS
Great, it’ll have to plow through ~30GB of 1080p recordings of darkness and my upstairs neighbors living it up in the AMs. And nothing else.
I’ve just given it the boot from my phone.
It doesn’t appear to have been doing anything yet, but whatever.
Yeah no issues here just uninstalling. It hasn’t come back.
Google says that SafetyCore “provides on-device infrastructure for securely and privately performing classification to help users detect unwanted content. Users control SafetyCore, and SafetyCore only classifies specific content when an app requests it through an optionally enabled feature.”
GrapheneOS — an Android security developer — provides some comfort, that SafetyCore “doesn’t provide client-side scanning used to report things to Google or anyone else. It provides on-device machine learning models usable by applications to classify content as being spam, scams, malware, etc. This allows apps to check content locally without sharing it with a service and mark it with warnings for users.”
But GrapheneOS also points out that “it’s unfortunate that it’s not open source and released as part of the Android Open Source Project and the models also aren’t open let alone open source… We’d have no problem with having local neural network features for users, but they’d have to be open source.” Which gets to transparency again.
Graphene could easily allow for open source solutions to emulate the SafetyCore interface. Like how it handles Google’s location services.
There’s plenty of open source libraries and models for running local AI, seems like this is something that could be easily replicated in the FOSS world.
SafetyCore Placeholder so if it ever tries to reinstall itself it will fail due to signature mismatch.
And what exactly does the github App do?
Is suppose it’s not the same as the Google App?
It doesn’t do anything. The only reason to consider installing it is that this is cryptographically signed by another developer, so if Google tries to install safety core again, it will fail because googled signature is different. It also has a super high version number, so that Google hopefully will not think to try to install the software.
I struggle with GitHub sometimes. It says to download the apk but I don’t see it in the file list. Anyone care to point me in the right direction?
At the bottom of the page, it says releases - click on the release that’s there, and that’s where you’ll find the all.
I haven’t been able to install it though due to signature mismatch, I’m not sure why…
Awesome, thanks! You didn’t install a previous version did you? Apparently you can’t update to the current version due to the signature issue.
Click on the “releases” link
Under the end of the readme, the section labelled releases.
Got it, thanks!
There’s an app called obtainium that let’s you link the main page of github apps and manages both the download, the instalation and the updates of those apps.
Great if you want the latest software directly from the source.
I didn’t understand the value of fdroid all since it feels like a web wrapper. Thanks to you finally pulled the trigger on Obtanium. Omg that’s simple af
It’s a web wrapper that points to a non-Google software repo.
The non-Google software repo is the important part, the interface can be bad as long as it can install software.
I use Obtanium too, but fDroid is my first stop when I need an app. Google’s Play store is a last resort.
Droid-ify and Neo-Store are alternative clients for the F-Droid repository (and other repos), that you may like better than the official client. But yeah, Obtainium is indeed simple and it’s powerful if you already know exactly which app you want to install (rather than searching for relevant options in some repositories).
Thanks! Til
Scroll down to releases.
Got it, thanks!
Thank you for sharing!
Amazing, thank you. I have uninstalled this bs twice now and have so far been spared by another force install. I hope this works
Wow that’s actually genius thank you
This is the stupidest shit, moral panic levels of miscomprehension. I mean, I was miffed and promptly removed safetycore because I don’t mind seeing sex organs and don’t want shit using battery for no reason, but wow
Forbes.Edit: ok, the article is not so bad, just the shitty blurb from some forum reproduced here on Lemmy.
