Breaking Free from Google: Renati Revolutionizes Mobile Security

ChatMail   |   May 15, 2023


The trend towards having a secure and private phone has gained momentum in part because consumers have grown weary of being tracked, online and through apps, with their data being stored by Google.

Google’s Firebase is a reporting tool that app developers use for various functions, including app testing, analytics, authentication, crash reports, databases, performance monitoring, and push notifications. Google Analytics is at the heart of Firebase. Anything with external reporting goes against our philosophy.

We needed to replace Firebase Cloud Messaging, which is part of the Firebase platform made available to app developers at no cost and sends messages to the app on users’ devices. FCM is a cross-platform service for Android™, Apple, and web apps. Google notes, “Using FCM, you can notify a client app that new email or other data is available to sync. You can send notification messages to drive user re-engagement and retention.” This massive undertaking involved a redesign of our infrastructure.

De-Googled is More Than a Buzzword

Tom’s Guide notes, “De-Googled Android basically means that the OS is just the raw elements of Android itself without any of the Google flavorings thrown in. That means no Play Store, Play Services, or Pixel-specific features. It's actually the purest form of Android. De‑Googled Android is the raw OS without any of Google's additional influence. But the Android Open Source Project still has lingering Google effects in it, as you might expect for an operating system built by the search giant.”

The Android Open Source Project refers to the people who oversee the project and develop the source code, tools and procedures used to manage the software development, and the resulting source code that makes up Android.

If you can download third-party apps that use Firebase, as most do, it is not a completely De-Googled device. No matter how secure or private you are told the phone, or its service, is—it isn’t.

Recognizing the pervasive integration of Google services within the AOSP system, we took a different approach. Renati is meticulously crafted from scratch, forking and customizing the individual AOSP projects to create our own operating system. We proudly proclaim ChatMail® reborn with Renati is our preferred mobile security solution.

Renati runs on Pixel devices, selected for their industry-leading hardware and chip technology. These devices also allow for signing Android Verified Boot with custom encryption keys for Renati. Google may have made a great phone, but many of these devices can be compromised without adding further device hardening. We fortify the kernel, remove all Google services (including Firebase) and tracking code, and disable all vulnerable hardware to provide our clients with the privacy and security they seek. To appreciate why this is so important, let’s take a closer look at Google.

Google’s Impact on Society and the Perils of Data Monetization

Consider that Google began as a search engine company. When you look at how its technology has permeated our culture (even the brand name is used as a verb) it brings to mind the famous quote by Canadian philosopher Marshall McLuhan, “The Medium is the Message”. The quote is “meant to emphasize the implications of any new technology (or medium) beyond the specific context of its use (or content of its message).” McLuhan argued modern media would have far-reaching consequences, reshaping the way we would experience the world. Google’s internet domination affirms this viewpoint.

Google states, “Our mission is to organize the world’s information and make it universally accessible.” While the media giant says it doesn’t sell your personal information, that doesn’t mean Google isn’t monetizing it. Therefore, you should carefully consider what content you share through any of its 120+ products and services that contributed to its 2022 revenue of $280 billion US.

Tech guru Arun Maini, known on YouTube as Mrwhosetheboss, explained just how much Google learns about you after you consent to give your data to Google Play Services. “Google knows exactly who you are. They know which smartphone you've commented from. They know your real name... They know where you live... Google keeps track of every town, city, and country you've been to, how long you spent there, and exactly which places you end up visiting.”

Maini pinpointed the concerns most privacy-conscious consumers have about data over-collection: “First and foremost, Google is an advertising company... but there are bigger implications because we know that this data is not always just kept within Google. There are plenty of governments around the world who want to control and censor their populations, and Google has been shown to have willingly handed over user data when asked for it by those governments.”

This is why we are so adamant about removing Google Services from our OS and why Firebase had to go. Billions of messages are sent every day via FCM. What could possibly go wrong? Apparently, a lot, as several FCM vulnerabilities have been exposed over the years.

Vulnerabilities and Breaches with Google Firebase

We took unprecedented steps to ensure Renati would keep ChatMail clients safe from any manner of breaches, cyber threats, data collection, hackers, location trackers, malicious actors, and unauthorized access through Universal Forensic Extraction Devices.

We created Renati Mobile Device Management as a proprietary service—instead of relying on Firebase. Here’s one of the reasons why. Google notes, “Firebase Authentication keeps logged IP addresses for a few weeks. It retains other authentication (passwords, email addresses, phone numbers, user agents) information until the Firebase customer initiates deletion of the associated user, after which data is removed from live and backup systems within 180 days.” Users should be very concerned about this.

The top three Firebase vulnerabilities to date

A Firebase Realtime Database vulnerability caused a major breach. To put the scope of this security failure into perspective, 100 million sensitive records were leaked from 2,300 separate Firebase databases, affecting 3,000 iOS and Android apps. The records revealed personally identifiable information with everything from vehicle license and registration numbers to private access tokens, including:

  • 50 thousand financial records detailing banking, payment, and Bitcoin transactions
  • 2.6 million plain text passwords and user IDs
  • 4 million Protected Health Information records containing chat messages and prescriptions
  • 4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens
  • 25 million GPS location records

Subsequently, a $30,000 bug bounty was paid to a security researcher who discovered a flaw in Firebase while casually “fiddling around” with Android applications. Charlie Osborne of The Daily Swig reported, “The bug, which impacted mobile applications that were developed on Google’s Firebase platform, enabled attackers to send push notifications to all app users, regardless of whether they were subscribed or not.”

CyberNews analyzed over 1,000 top apps in the Play Store, where it found 14 Android apps, collectively downloaded by at least 142.5 million users, had unsecured Firebase real-time databases. This left users’ data exposed. After informing Google, the researchers received no reply, so they contacted the developers individually. One of these apps was designed to track your child’s cell phone to know their location. However, a company representative said they don’t use the Firebase real-time database. It is assumed the feature was enabled during testing and that no private data was stored. It is now turned off.

Google turned a blind eye to 30+ million users’ data still being leaked. Nine of the 14 developers have been slow to fix this misconfiguration in their databases despite multiple warnings.

Security Takes Center Stage in Our Overhauled Back End

We designed Renati Mobile Device Management using microservices to act as gateways, automating our system's communications with ChatMail on Renati. We had to create our own secure socket tunnel since we weren’t using Firebase Cloud Messaging.

We developed a universally unique identifier-based token system that allows our users to generate a unique ID on initial activation with our server. We don't need any of the proprietary information from the phone. This makes ChatMail on Renati even more discreet.

We Continue to Offer ChatMail on BlackBerry® Unified Endpoint Management

Since its inception, ChatMail has been firmly supported by UEM on our own private instance, which is located inside our strictly controlled on-site data center. UEM unlocks the capability of Android For Work, which allows us to manage and secure ChatMail on supported Android devices and lets us maximize the security potential of select Android phones.

Although UEM and AFW utilize Firebase, it is done privately through our own hosted servers. Therefore, these notifications are containerized and never at risk of becoming public. There is no interaction between our clients and BlackBerry. Instead of using a virtual machine on the UEM Cloud, we fully control our ecosystem. This gives us a wide selection of Android devices for ChatMail on UEM.

ChatMail. Engineered for Security. Designed for Privacy.