Arima are logging user location?

I’m an Android Software developer and have just noticed this in my Logcat output:

2021-01-29 15:34:05.534 552-552/? D/Zygote: Forked child process 23301
2021-01-29 15:34:05.539 1424-1524/? I/ActivityManager: Start proc 23301:com.arima.servicemenu/1000
for service {com.arima.servicemenu/com.arima.servicemenu.MyService}
2021-01-29 15:34:05.557 23301-23301/? E/ima.servicemen: Not starting debugger since process cannot load the jdwp agent.
2021-01-29 15:34:05.619 23301-23301/? D/ApplicationLoaders: Returning zygote-cached class loader: /system/framework/android.hidl.base-V1.0-java.jar
2021-01-29 15:34:05.619 23301-23301/? D/ApplicationLoaders: Returning zygote-cached class loader: /system/framework/android.hidl.manager-V1.0-java.jar
2021-01-29 15:34:05.619 23301-23301/? D/ApplicationLoaders: Returning zygote-cached class loader: /system/framework/android.hidl.base-V1.0-java.jar
2021-01-29 15:34:05.622 23301-23301/? I/ima.servicemen: The ClassLoaderContext is a special shared library.
2021-01-29 15:34:05.657 23301-23301/? I/Perf: Connecting to perf service.
2021-01-29 15:34:05.683 23301-23301/? I/MyService: service started
2021-01-29 15:34:05.685 23301-23301/? I/MyService: initData
2021-01-29 15:34:05.692 23301-23301/? W/MyService: add locationListener
2021-01-29 15:34:27.981 23301-23301/? I/tonyzheng: time1611934468000
2021-01-29 15:34:27.982 23301-23301/? I/tonyzheng: LongitudeXXXXXXX
2021-01-29 15:34:27.982 23301-23301/? I/tonyzheng: LatitudeXXXXXXX
2021-01-29 15:34:27.982 23301-23301/? I/tonyzheng: Altitude360.5279541015625
2021-01-29 15:34:28.970 23301-23301/? I/tonyzheng: time1611934469000
2021-01-29 15:34:28.970 23301-23301/? I/tonyzheng: LongitudeXXXXXX
2021-01-29 15:34:28.970 23301-23301/? I/tonyzheng: LatitudeXXXXXX
2021-01-29 15:34:28.970 23301-23301/? I/tonyzheng: Altitude361.7186279296875
2021-01-29 15:34:29.964 23301-23301/? I/tonyzheng: time1611934470000
2021-01-29 15:34:29.964 23301-23301/? I/tonyzheng: LongitudeXXXXXXXX
2021-01-29 15:34:29.964 23301-23301/? I/tonyzheng: LatitudeXXXXXXXX
2021-01-29 15:34:29.964 23301-23301/? I/tonyzheng: Altitude361.7158203125

com.arima.servicemenu is a system process from the manufacturers Fairphone use, it appears one of their developers has left some fairly incriminating debug output. Can anyone shed any light on this - is it as bad as it looks?

1 Like

Hello!

Welcome to the forum and thanks for raising that point.
I am no tech-person and therefore unfortunately can make anything of it.

Could this be connected to what this thread is discussing:

1 Like

Yes, it’s the same process.

package com.arima.servicemenu;

import android.app.Service;
import android.content.Intent;
import android.location.Location;
import android.location.LocationListener;
import android.location.LocationManager;
import android.os.Bundle;
import android.os.Handler;
import android.os.IBinder;
import android.util.Log;

public class MyService extends Service {
    private static final String TAG = "MyService";
    private String locateType;
    /* access modifiers changed from: private */
    public LocationListener locationListener = new LocationListener() {
        public void onLocationChanged(Location location) {
            Log.i("tonyzheng", "time" + location.getTime());
            Log.i("tonyzheng", "Longitude" + location.getLongitude());
            Log.i("tonyzheng", "Latitude" + location.getLatitude());
            Log.i("tonyzheng", "Altitude" + location.getAltitude());
        }

        public void onStatusChanged(String provider, int status, Bundle extras) {
            if (status == 0) {
                Log.i(MyService.TAG, "\t\t\tOUT_OF_SERVICE");
            } else if (status == 1) {
                Log.i(MyService.TAG, "\t\t\tTEMPORARILY_UNAVAILABLE");
            } else if (status == 2) {
                Log.i(MyService.TAG, "\t\t\tAVAILABLE");
            }
        }

        public void onProviderEnabled(String provider) {
            Log.i(MyService.TAG, "\t\t\tonProviderEnabled");
        }

        public void onProviderDisabled(String provider) {
            Log.i(MyService.TAG, "\t\t\tonProviderDisabled");
        }
    };
    /* access modifiers changed from: private */
    public LocationManager locationManager;

    public IBinder onBind(Intent intent) {
        return null;
    }

    public void onCreate() {
        super.onCreate();
        Log.i(TAG, "\t\t\tservice started");
        initData();
        getLocation();
        new Handler().postDelayed(new Runnable() {
            public void run() {
                MyService.this.locationManager.removeUpdates(MyService.this.locationListener);
                Log.w(MyService.TAG, "\t\t\tremove locationListener");
            }
        }, 180000);
    }

    public void onStart(Intent intent, int startId) {
        super.onStart(intent, startId);
    }

    public void onDestroy() {
        super.onDestroy();
    }

    private void initData() {
        this.locationManager = (LocationManager) getSystemService("location");
        LocationManager locationManager2 = this.locationManager;
        this.locateType = "gps";
        Log.i(TAG, "\t\t\tinitData");
    }

    private void getLocation() {
        Location lastKnownLocation = this.locationManager.getLastKnownLocation(this.locateType);
        this.locationManager.requestLocationUpdates(this.locateType, 100, 0.0f, this.locationListener);
        Log.w(TAG, "\t\t\tadd locationListener");
    }
}

Looks innocent enough - just shoddily been left in, it doesn’t do anything, it’s not even part of any startup diagnostic, it does nothing other than ouput to Logcat.

2 Likes

Out of interest: where did you find that code?

via adb, we know the process is by arima so:

adb shell pm list packages | grep arima

returns:

package:com.arima.servicemenu
package:com.android.arima

then adb shell pm path com.arima.servicemenu gives you the path to the apk on-device package:/system/priv-app/ServiceMenu/ServiceMenu.apk with that you can pull the file to your computer: adb pull /system/priv-app/ServiceMenu/ServiceMenu.apk upload to: APK decompiler - decompile Android .apk ✓ ONLINE ✓ to decompile.

4 Likes

Yeah, absolutely useless though. And making people crazy (see my thread).
Did anyone report that to Fairphone yet, so they can remove that?

1 Like

First of all, I am glad, that it’s no security issue.

And I notified someone from Fairphone Tech Support of this thread, so they might look into it.

Even if it’s rather a nuisance than a threat, it should be taken care of in my opinion.

2 Likes

It’s making me want to return to LineageOS to be honest. I switched back to stock Android in case there were any issues when I swapped in the camera upgrade.

The security of code with these system level privileges should be extremely tight. If this got left in it must be easy for a bad actor at Arima to insert something more nefarious unnoticed.

1 Like

Isn’t that the service test menu available when you dial *#*#66#*#*? Just wondering, I actually have no idea.

Also, the fact that a package name contains arima doesn’t necessarily mean that arima included it in the Fairphone without the will or knowledge of FP. You seem to assume this is necessarily someone from Arima who inserted malware at a deep system level, which we can’t affirm. We would need an official voice.

Yes it is the service utility accessed via that code from the dialler. I didn’t say they included it without the will or knowledge of FP - you just did. Don’t say I said things that I didn’t. Nor did I say someone from Arima inserted malware - again, that’s something you’ve incorrectly projected.

What I do state is that the useless location implementation should not be there - and that raises questions about the integrity of all apps with system privilidges in the FP ROM.Any user who sees the tonyzheng log output showing their precise location should be concerned.

If it was normal I wouldn’t have gone to the trouble of extracting the apk and decompiling it.

2 Likes

I wonder, if that topic could be connected to this stuff as well, though the phone is running on /e/ in that case:

3 Likes

Ok, sorry. I had misinterpreted or badly understood your post, which is why I reacted like this.
My intention was to interrogate the uselessness of this code.
But thanks for explaining!

Hi everyone,

This point has been raised with our development team who are looking into it. Thanks for flagging this! :slight_smile:

7 Likes

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.