You cannot have privacy and security without free/libre software. While such doesn't guarantee privacy or security, operating systems that make an effort to build the system entirely from source without any proprietary components are much less likely to have a problem like this slip through the cracks of a large, active development community.
I have a Chinese Android phone. Instead of connecting it to the Internet I connected it to my computer over bluetooth and started monitoring the traffic it tried to send. There were attempts to connect to Google servers and Chinese manufacturer's servers. The data sent to China was supposed to contain sensitive information like phone number or SIM card identifier.
As a consumer I am very disappointed and feel being deceived by Google.
Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?
> Instead of connecting it to the Internet I connected it to my computer over bluetooth and started monitoring the traffic it tried to send
How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).
Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
> I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
Where did you buy that phone from and what brand was it?
Are there any consumer protection laws that would help here, for example, to obtain a full refund if it is proven that a manufacturer and retailer sold you a product full of spyware?
You feel deceived by Google for buying a cheap Chinese made phone? What other things do you feel deceived by Google? Buying a car from Ford that always breaks down?
Elephant in the room is of course the amount of data that is sent to the U.S. from phones in the rest of the world. Hardly a surprise that China is getting in on the action too.
I am also a little curious about what the manufacturer (or by extension the PRC government) could do with data from a phone in the US? I actually prefer my backdoors to open to Beijing... they aren't likely to share, and they aren't in a position to do anything to me (I would obviously feel differently if I was a Chinese citizen).
Does anyone regularly audit devices and apps with something similar to a web proxy, to see where they talk to during the course of normal usage? This seems like a decent low-hanging fruit (well, relatively speaking).
We can do better. Auditable open source and reproducible builds are security and privacy differentiators. They make shenanigans like these more difficult to pull off and easier to investigate.
Hey duked. I just returned from Hong Kong (on vacation) and used two BLU Advance 5.0 phones as burners for use while in-country. I take precautions whenever I travel overseas.
Slightly off topic: but doesn't backdoor mean that there's a particular party that has control over the backdoored software? Here it sounds like the device is calling home... or is that sufficient to be called backdoor?
I used to analyze mobile malware and the line of what was OK and what wasn't really came down to how big the company was. If it was an unknown firm set up as analytics / advertising, it was fine to block. If it was a mega analytics / advertising it was not malware because it was a massive company.
>Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence.
We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, AmericanExpress...
Get a phone that supports CyanogenMod. Sure, baseband still remains a blackbox and possibly backdoored, but at least you can get rid of most spyware/adware that comes preinstalled with Android. While we don't have fully open source OS with open drivers for smartphones, you cannot trust any manufacturer.
All of them except phones made/designed/whatever by Google. That leaves you the Nexus and Pixel lines only. There's a fair bit more oversight there and no shady third-party ROM with 'helpful' spying applications shipped by default (and often uninstallable). Nor do carriers get to modify the ROM themselves or install their own apps.
Maybe phones that support Cyanogenmod or Replicant?
"Because Adups has not published a list of affected phones, it is not clear how users can determine whether their phones are vulnerable. “People who have some technical skills could,” Mr. Karygiannis, the Kryptowire vice president, said. “But the average consumer? No.”"
Seems to be some work ahead if you want to find out which phone doesn't use this service. And we're only talking about this particular service.
If you are in the US, the same phone has different submodels for each US operator, and some of these submodels (likely from AT&T and Verizon) may have a locked bootloader, preventing you from installing custom ROMs.
This is why some users are going real paranoid. So somebody decided that their first and only Android device will not have access to the Internet. Instead, its sole role is to function as a camera.
From the article: "A Google official said the company had told Adups to remove the surveillance ability from phones that run services like the Google Play store."
Google hates it when a program phones home to someplace other than Google.
> Ms. Lim said the software was intended to help the Chinese client identify junk text messages and calls. She did not identify the company that requested it and said she did not know how many phones were affected. She said phone companies, not Adups, were responsible for disclosing privacy policies to users. “Adups was just there to provide functionality that the phone distributor asked for,” she said.
This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.
The app is bad because it does the function without consent, not because it's made by Chinese.
This can also be read outside the states as follows:
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.
Huawei routers used in Indian govt offices were found to be sending data to China. They were banned after the discovery. Won't be surprised if cellular components that are made in China send back data quietly.
Don't assume malice. This would be considered completely normal in China, both legally and culturally. You would have a hard time explaining the concept of privacy to them. This is likely not some big conspiracy.
What's the big deal? Google does this on a much bigger scale and of course shares its data with the US government when asked. Why is it suddenly scary when a Chinese company does the same?
That's cute. You make it sound as if Apple doesn't share your data with the US government when asked. Oh, look what do we have here:
>In one of the leaked emails sent by Apple Environment, Policy and Social Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly stated that the current methods of encryption in place allows the firm to essentially send an unlimited amount of personal and sensitive user data to law enforcement.
>Jackson further emphasized that Apple already has a 24-hour live team established for the sole purpose of handling law enforcement and government requests.
“Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process,” Jackson stated. “We have a team that responds to those requests 24 hours a day. Strong encryption does not eliminate Apple’s ability to give law enforcement meta-data or any of a number of other very useful categories of data.”
You have to love that 24 hour live team whose sole purpose is to provide customer data to law enforcement and government people.
Either Google or an unknown company in another country could do something unwelcome with my data. However the type of thing either entity may do with it differs. For instance, unknown actors controlling malware on your phone might misuse banking or social media credentials to steal my money or post spam. Google is unlikely to do that.
Because you agreed to it of course, after reading EULA of the OS, provider and your Google account very diligently, deciphering the lawyer speak and considering the implications.
mikegerwitz|9 years ago
Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.
Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:
http://blog.replicant.us/2016/08/replicant-6-early-work-upst...
We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.
Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.
hackuser|9 years ago
* CopperheadOS
* OmniROM
* PrivatOS, on Silent Circle Blackphones AFAIK
* The version on Blackberry Priv phones
I've also come across these, but don't know much about them:
* Cryptogenmod: I'm not sure this project ever went anywhere
* Chamelephon: http://chamelephon.com/
* GuardianROM: Discontinued?
* KeyROM by Mocana: Seems aimed at businesses that need secure Android. https://www.mocana.com/iot-security/keyrom
* Privacy phone by FreedomPOP: https://www.freedompop.com/theprivacyphone
And a couple probably not available to the public:
* OK:Android by General Dynamics: http://gdmissionsystems.com/cyber/products/trusted-computing...
* The OS on Boeing Black smartphones: http://www.boeing.com/defense/boeing-black/index.page
the_duke|9 years ago
And while many things could most certainly be discovered by extensive, costly audits, that someone has to pay for...
OS code bases are huge.
How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
Not very, I think.
If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.
codedokode|9 years ago
It also has an auto-update (read: backdoor) feature that cannot be disabled.
I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
As a consumer I am very disappointed and feel being deceived by Google. I know about "you are the product" saying but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that a smartphone is going to spy on me.
We need a law against this.
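An added example, not part of codedokode's comment or anyone's actual setup: one way to audit what a phone behind such a gateway tries to reach is to read the gateway's DNS query log and list every name the phone asked for that is not yet on the allowlist. It assumes the gateway runs dnsmasq with query logging enabled; the IP addresses, domains and log lines are constructed sample data.

```python
import re
from collections import Counter

# dnsmasq writes one line per lookup when query logging is on, e.g.
#   "Nov 15 10:02:11 dnsmasq[812]: query[A] host.example from 192.168.4.20"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample data (assumptions, not values from the thread).
PHONE_IP = "192.168.4.20"
ALLOWLIST = ["android.example", "mail.example"]
SAMPLE_LOG = """\
Nov 15 10:02:11 dnsmasq[812]: query[A] time.android.example from 192.168.4.20
Nov 15 10:02:12 dnsmasq[812]: query[A] fota.vendor-updates.example from 192.168.4.20
Nov 15 10:02:12 dnsmasq[812]: query[AAAA] fota.vendor-updates.example from 192.168.4.20
Nov 15 10:02:12 dnsmasq[812]: reply fota.vendor-updates.example is 203.0.113.9
Nov 15 10:02:15 dnsmasq[812]: query[A] news.example from 192.168.4.31
Nov 15 10:02:19 dnsmasq[812]: query[A] Stats.Vendor-Updates.example. from 192.168.4.20
Nov 15 10:02:25 dnsmasq[812]: query[A] notandroid.example from 192.168.4.20
""".splitlines()


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_allowed(name, allowlist):
    """True if name equals an allowlisted domain or is a subdomain of one.

    Matching on a label boundary ("." + domain) keeps "notandroid.example"
    from passing as "android.example".
    """
    name = normalise(name)
    return any(
        name == domain or name.endswith("." + domain)
        for domain in map(normalise, allowlist)
    )


def audit(log_lines, device_ip, allowlist):
    """Count lookups made by device_ip for names that are not allowlisted."""
    unknown = Counter()
    for line in log_lines:
        match = QUERY_RE.search(line.strip())
        if not match or match.group("client") != device_ip:
            continue  # not a query line, or a different client
        name = normalise(match.group("name"))
        if not is_allowed(name, allowlist):
            unknown[name] += 1
    return unknown


if __name__ == "__main__":
    for host, count in audit(SAMPLE_LOG, PHONE_IP, ALLOWLIST).most_common():
        print(f"{count:3d}  {host}")
```

A DNS log does not show connections made to hard-coded IP addresses, so the firewall's default-drop rule remains what actually enforces the allowlist; the report only shortens the work of deciding which new hosts to enable.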
gwu78|9 years ago
In other words you can use it only on a network you control.
In other words, at home you can use your own router; you can set the gateway as a computer that you control.
Correct?
What if you had a portable gateway, one that could travel with you?
We now have Apple devices, Google/Android devices, Microsoft devices, and the majority of apps all phoning home. It is routine. No one cares. Right.
We may not be able to run the latest device purchased from major retail sources using open source, user-installed OS (UNIX).
But what we can do with UNIX is build our own routers from inexpensive hardware, including older hardware, and use these as our gateways.
To do this, no one needs Apple, Google or Microsoft's assistance. We have what we need.
It is easy to do at home, but what I would like to see is more travel-sized routers which can be driven by user chosen and user installed bootloader and user chosen UNIX-like kernel.
The aim with these efforts is control, not impressive hardware specs.
Proprietary hardware and locked bootloaders will always have the most impressive hardware specs on their side.
But to get those things, the user has to sacrifice some control.
e40|9 years ago
Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?
hackuser|9 years ago
How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).
Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
> I ended up making a Linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
A VPN with a firewall might be easier.
paradite|9 years ago
I was under the impression that US does not allow selling of Android phones from most Chinese brands due to the reasons you mentioned, and for those that are allowed, they have strict vetting procedures to prevent phones with such capabilities from reaching the US market?
mbgaxyz|9 years ago
BEEdwards|9 years ago
bitmapbrother|9 years ago
freddref|9 years ago
acqq|9 years ago
When the same is sent to China, it's outrage?
Ditto with auto-updates.
I'd be glad if I could control much more of my data exposure. But business.
blacksmith_tb|9 years ago
finid|9 years ago
makmanalp|9 years ago
I also remember there used to be application firewalls in Windows that kept track of the connections that each application made and if any of them contacted a new server, they'd ask you for permission. I don't think most folks used them because in the end they kept asking a lot of questions that the users didn't necessarily know how to answer, but I wonder if it wasn't such a bad idea after all, and whether the "default" choice could be mined from other users' settings.
nommm-nommm|9 years ago
rectang|9 years ago
77pt77|9 years ago
duked|9 years ago
ohashi|9 years ago
csoghoian|9 years ago
Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?
McKayDavis|9 years ago
Can you share the report yet?
Nrsolis|9 years ago
I've got two phones here that were used during my trip there. I was wondering if you had any tips for figuring out if they were compromised or otherwise owned while I was out there.
ff10|9 years ago
sesqu|9 years ago
I suppose you could interpret this "backdoor" as third-party access to the data, rather than to the device.
TACIXAT|9 years ago
lost_my_pwd|9 years ago
akerro|9 years ago
We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, AmericanExpress...
bluetwo|9 years ago
static_noise|9 years ago
ralfn|9 years ago
freddref|9 years ago
code_duck|9 years ago
Tarrosion|9 years ago
kogepathic|9 years ago
Find a phone which has a large community around it, and lots of custom ROMs available. An official Cyanogenmod release is a good sign. It's also a sign that your phone will have a longer usable life than whatever the manufacturer promises you now.
Custom ROMs have a long history of extending the life of phones. For example the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough to make the point. Phones with good community support receive current versions of Android long after both Google and the manufacturer have stopped giving a shit.
To the people who say "you can't trust a random stranger on the internet making a custom ROM to be any more secure than the manufacturer ROM" you're right. If someone wanted to make a custom ROM with malware in it, there's a pretty good chance it may not be noticed.
If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.
I recommend to all my friends and family to buy phones with good community support just to receive updates to ROMs like Cyanogen. The first thing I do when they say they're considering "Phone XYZ" is to look on XDA Developers[0] to gauge the level of community around the model. If it looks dead (e.g. look up any tablet based on the NVidia Tegra for what not to buy [1]) then I recommend they keep looking.
I've had really good luck with Chinese phones which are also sold in markets like South East Asia and India. There are millions of users of these phones, so the custom ROM community is quite strong. The hardware is also quite cheap, I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping, and it runs Android 7 thanks to community developers [2].
[0] http://forum.xda-developers.com
[1] http://forum.xda-developers.com/mi-pad
[2] http://forum.xda-developers.com/redmi-2
kbart|9 years ago
drzaiusapelord|9 years ago
Android is pretty much a wasteland outside of the Nexus/Pixel line. Ignoring security and privacy, you just have a lot of shovelware involved along with a lack of commitment to timely, or if any, updates.
I would feel confident a Nexus/Pixel is as secure and nonsense-free as a phone running CyanogenMod. Of course, that's difficult to prove, but historically we haven't seen anything like this on a Nexus/Pixel device.
luke-stanley|9 years ago
Perhaps device makers that know how to compile source and host the updates themselves are more likely to have more control over the firmware. So we might ask, what the update policy is, do they provide updates?
dandelion_lover|9 years ago
ff10|9 years ago
Seems to be some work ahead if you want to find out which phone doesn't use this service. And we're only talking about this particular service.
sampo|9 years ago
For example, Samsung Galaxy S5 from T-Mobile (SM-G900T) you can put Cyanogenmod on, but Samsung Galaxy S5 from AT&T (SM-G900A) you can not.
unknown|9 years ago
[deleted]
finid|9 years ago
linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-the-internet/
Animats|9 years ago
Google hates it when a program phones home to someplace other than Google.
est|9 years ago
This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.
The app is bad because it does the function without consent, not because it's made by Chinese.
agumonkey|9 years ago
thogenhaven|9 years ago
softwarelimits|9 years ago
MrTrapy|9 years ago
abhianet|9 years ago
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.
[EDIT: Fixed formatting]
mirimir|9 years ago
paradite|9 years ago
andrewvijay|9 years ago
dandelion_lover|9 years ago
ralfn|9 years ago
kutkloon7|9 years ago
bitmapbrother|9 years ago
>In one of the leaked emails sent by Apple Environment, Policy and Social Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly stated that the current methods of encryption in place allows the firm to essentially send an unlimited amount of personal and sensitive user data to law enforcement.
>Jackson further emphasized that Apple already has a 24-hour live team established for the sole purpose of handling law enforcement and government requests. “Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process,” Jackson stated. “We have a team that responds to those requests 24 hours a day. Strong encryption does not eliminate Apple’s ability to give law enforcement meta-data or any of a number of other very useful categories of data.”
You have to love that 24 hour live team whose sole purpose is to provide customer data to law enforcement and government people.
asdfologist|9 years ago
code_duck|9 years ago
the_duke|9 years ago
cough
mSparks|9 years ago
I do hope Eric Schmidt and Trent Lott have been using one of these phones/devices.
raverbashing|9 years ago
aluhut|9 years ago
LyalinDotCom|9 years ago