Editors' Note: On June 23, a firmware update was added to the Jethro SC490 to remove the location function. "With this latest addition of firmware, we have officially disabled location and GPS services to preserve the privacy of our users," the company says. The updated firmware will be included on new phones, and the company has provided instructions on how to install it on existing devices. Our original story is below, but with the new firmware, the phone should no longer have the security issue we identified.
A low-cost phone for senior citizens sold in the US and Canada asks to send location and Wi-Fi data to a Chinese internet giant when it boots up, we discovered while reviewing voice phones for PCMag this week.
The Jethro SC490 is sold directly by its maker, as well as on Amazon for $84.99. It has a four-star Amazon rating and purports to work with AT&T, T-Mobile, and Verizon. It also asks to send location data to Baidu—a huge company that's basically the Google of China—to try to get a location fix when GPS isn't available.
The SC490's situation shows one danger of buying low-cost uncertified phones from lesser-known brands in the US. Many of those phones come from China, and the companies involved may cut corners and not properly rewrite their software for American needs.
How Does Your Phone Know Where You Are?
A network location provider (NLP) helps supercharge a phone's GPS capabilities by delivering a location fix based on cell towers or nearby Wi-Fi networks. NLPs have massive databases of network IDs tied to specific locations. In the US, Android phones typically use Google as an NLP. iPhones use Apple. Mozilla has an NLP too, as does independent company Skyhook.
In other words, there are a bunch of non-Baidu options for phones in North America. But Jethro, a Canadian phone company with US subsidiaries, didn't bother to unwire its Chinese hardware's default use of Baidu as its NLP.
Baidu isn't owned by the Chinese government (it's publicly traded on NASDAQ), but it's well known for cooperating with government mandates and restrictions. Within China, I can't fault that; it's in a country, it obeys that country's laws. But those laws and interests tend to be very different from American or European laws and interests.
Why Is a Canadian Phone Sending Data to China?
Jethro is a Canadian mobile-phone company that has been selling unlocked phones for seniors since 2012. Like many smaller phone companies, it doesn't make anything; it orders phones from Chinese manufacturers and customizes them.
Jethro appears to now be a bunch of related companies: Jethro Trading, based in Langley, BC; Jethro Senior Technology, in Bellingham, WA; and Jethro Mobile, in Ferndale, WA. Jethro Trading is the oldest of the entities, and the company's FCC documents give Jethro's contact information and address in British Columbia.
The firm's specialty is big-button phones with clear, large-text interfaces. There are a few of these brands knocking around (Snapfon also comes to mind) and it's a category that the major carriers generally don't sell themselves. It's specifically targeted to seniors and others who need straightforward, easy-to-read phones.
Jethro's FCC filing shows that the phone is made by Ying Tai, a company whose website says it's based in Hong Kong. Many companies have business addresses in Hong Kong but are primarily run from mainland China. Google services are allowed in Hong Kong but not on the mainland, so that could explain why a "Hong Kong–based" company's phones default to Baidu as an NLP.
The SC490 appears to be very similar to the Ying Tai F2-4G. If the SC490 is based on the F2-4G, Jethro ordered some customizations; the keys are labelled differently and it has a different set of frequency bands than the model on Ying Tai's website.
When the SC490 boots up, its OS, which is based on Android 8.1 AOSP, pops up a request to send your location information, device-identifying information, and network information to Baidu. Looking at the logs with the Android developers' kit, I found that the phone uses "com.baidu.map.location" or "BaiduNetworkLocationService" to kickstart its location access on startup.
I emailed Jethro co-founder Angela Zhu to ask about this. At first, she said the Baidu notification I was getting was an error; then she apologized and said the phone clearly wasn’t ready for our review process. I agree, and we'll wait to review the phone until they've shaped up their software.
But in the meantime, this phone is being marketed specifically to American seniors, and is asking for permission to deliver your Wi-Fi details and location to a company that has a habit of saying "yes" to Chinese government requests.
How Did This Happen?
I want to make extremely clear that there is no Communist conspiracy to steal your personal data here. What's happening is just laziness and cutting corners.
Most cheap phones come from mainland China, which has its own ecosystem of replacements for US companies such as Google. Using Baidu for location is a completely appropriate choice for a phone sold in China. US importers need to either specifically request that those services be replaced or do it themselves.
Major Chinese phone makers such as Foxconn are used to these requests. But smaller companies, such as Ying Tai, may not be.
Verizon confirmed that its certification process includes making sure that a phone does not use Baidu as its NLP. The SC490 isn't certified by Verizon.
Will Any Low-Cost Phone Have Security Problems?
Since I'm in the middle of reviewing a number of voice phones that are manufactured in China, I reached out to a few smaller phone companies to see how they handle these issues.
Nuu
Nuu, a Chinese phone maker that sells low-cost Android phones in the US, told me its F4L flip phone does not use an NLP. However, the F4L does use Adups, a popular Chinese firmware-over-the-air (FOTA) provider that delivers firmware upgrades to phones. Like network location, that’s another service Google often provides in the US but can't do in China. Adups works on Android phones without Google services, and I found it running on the Nuu F4L flip phone, which is sold by US Mobile and certified by Verizon.
Adups got into a big mess in 2016 because a version of its FOTA software kept sending texts to China, which led to it being cut loose by low-cost phone maker Blu for US devices.
We reached out to Nuu and they provided a response, which I'll reproduce in full here:
1. Since Android 8, Google’s GMS has been quite tough on security, enforcing quarterly patches, and testing for malware on preinstalled applications. It then serves as something of an endorsement for Adups and their inclusion in devices today to receive Google’s blessing when applying for GMS. While our F4L doesn’t include GMS, all of our other Android devices do feature GMS, and many use Adups for FOTA purposes. (We’re already transitioning this year to GOTA, now that it’s capable of handling everything we did with FOTA.)
2. Also compellingly, we feel, Adups is listed as a partner on Google’s own Enterprise Mobility Management site.
3. Adups posted a notice clarifying the boundaries of their data collection, I believe in response to your article on BLU back in 2016, 4 days after publication - which may help.
4. Adups have also agreed to GDPR compliancy, which is detailed within our contract with them.
Some security companies, such as Malwarebytes, still call Adups "malware" because its FOTA software lets it automatically, remotely install apps on phones. All FOTA software can do this; that's not automatically a sign of malware. But a malicious FOTA provider can use its privileges to mess up phones.
This ends up coming down to how much you trust Adups. Their GDPR compliance and Google partnership suggest they've come a long way since 2016. I find Nuu's response satisfactory, and I'm not going to hold the presence of Adups against the F4L.
Punkt
Punkt runs "internal release testing…according to BlackBerry Secure requirements" for any firmware upgrade, and has "no tracking, no location services, no sharing," spokesman Adam Thomas told me. I didn't encounter any security red flags while testing the Punkt MP02.
Sunbeam
Sterling Martin, the founder of US phone startup Sunbeam Wireless, told me that when he received the original versions of what became the Sunbeam F1 from China, those phones included the Baidu location package; Sunbeam had to yank it. The F1 doesn't include any NLP because Sunbeam couldn't find one that came up to its privacy standards, Martin said. Sunbeam also runs its own FOTA server.
Sunbeam's F1 voice phone costs $195 and Punkt's MP02 costs $349; the Nuu F4L and Jethro SC490 both cost less than $100. When it comes to security, you don't get what you don't pay for.
But there are less-expensive voice phones with higher standards than Jethro's. Buying something carrier-certified is key, as the carriers check for some obvious security flaws. Turning to a bigger, more established manufacturer such as Nokia or Kyocera can also help, as those companies have more experience with US requirements. The bottom line: If you need an inexpensive phone, do your due diligence before you buy.
Like What You're Reading?
Sign up for Fully Mobilized newsletter to get our top mobile tech stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
