Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.
Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:
http://blog.replicant.us/2016/08/replicant-6-early-work-upst...
We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.
Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.
* CopperheadOS
* OmniROM
* PrivatOS, on Silent Circle Blackphones AFAIK
* The version on Blackberry Priv phones
I've also come across these, but don't know much about them:
* Cryptogenmod: I'm not sure this project ever went anywhere
* Chamelephon: http://chamelephon.com/
* GuardianROM: Discontinued?
* KeyROM by Mocana: Seems aimed at businesses that need secure Android. https://www.mocana.com/iot-security/keyrom
* Privacy phone by FreedomPOP: https://www.freedompop.com/theprivacyphone
And a couple probably not available to the public:
* OK:Android by General Dynamics: http://gdmissionsystems.com/cyber/products/trusted-computing...
* The OS on Boeing Black smartphones: http://www.boeing.com/defense/boeing-black/index.page
And while many things could most certainly be discovered by extensive, costly audits, that someone has to pay for...
OS code bases are huge.
How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
Not very, I think.
If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.
But even without such a campaign, evil developers would be in constant danger that someone may discover a backdoor. It is a very unstable situation: just one person is enough to make a lot of noise, and everyone could be this person. And yes, people do read the sources:
https://www.fsf.org/blogs/community/who-actually-reads-the-c...
It's all about defense in depth:
https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...
Indeed, so it's unfortunate that it doesn't get more discussion in situations such as these.
> How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?
More difficult than it would be with proprietary software, where anyone at any time can add malicious code that may never even be discovered over the lifetime of the device.
Free software doesn't prevent malicious actors from contributing malicious code, but it certainly improves chances. It also makes such a move very risky. Just as laws are a deterrent for many crimes, so is public scrutiny.
> How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?
In a fully free OS, this app would have been built from source. So the same arguments apply.
> If someone puts an Android fork online, who has the time to go through the changes to discover something like this?
Again, it improves chances. Here's a good example from Replicant:
http://redmine.replicant.us/projects/replicant/wiki/SamsungG...
> Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.
Sure, but that's not an excuse to throw our hands up and not worry about the security of the software running on it. The OS might even be able to itself mitigate certain things (e.g. the Samsung backdoor mentioned above).
This issue also exists on PCs:
Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk.
Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.
It also has an auto-update (read: backdoor) feature that cannot be disabled.
I ended up making a linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
As a consumer I am very disappointed and feel deceived by Google. I know about the "you are the product" saying but the smartphone is not free. I bought an expensive (two hundred dollars!) device and I had to spend a lot of my time to be able to control its activity. And of course the advertisement never mentioned that a smartphone is going to spy on me.
We need a law against this.
In other words you can use it only on a network you control.
In other words, at home you can use your own router; you can set the gateway as a computer that you control.
Correct?
What if you had a portable gateway, one that could travel with you?
We now have Apple devices, Google/Android devices, Microsoft devices, and the majority of apps all phoning home. It is routine. No one cares. Right.
We may not be able to run the latest device purchased from major retail sources using open source, user-installed OS (UNIX).
But what we can do with UNIX is build our own routers from inexpensive hardware, including older hardware, and use these as our gateways.
To do this, no one needs Apple, Google or Microsoft's assistance. We have what we need.
It is easy to do at home, but what I would like to see is more travel-sized routers which can be driven by user chosen and user installed bootloader and user chosen UNIX-like kernel.
The aim with these efforts is control, not impressive hardware specs.
Proprietary hardware and locked bootloaders will always have the most impressive hardware specs on their side.
But to get those things, the user has to sacrifice some control.
Yes.
> What if you had a portable gateway, one that could travel with you?
I can rent a VPS and connect through it using the "Always-on VPN" option (I did it once and it worked). But then I have to pay for a server monthly in addition to the mobile plan. It is not that expensive but I would prefer just having access to iptables and being able to install my firewall on a phone.
I might be wrong but on Windows you can at least install a firewall. At least you could on earlier versions.
Why Google and not the maker of the phone? They're the ones that wrote the backdoor that sent stuff to China. You're not suggesting that Google helped with that, are you?
Or they could refuse to sell Android licenses to companies not respecting consumers' privacy.
Even if I got refunded, what would I buy instead? Free market doesn't work here and all major manufacturers have some form of tracking and preinstalled software built in. It looks like the only way is to buy a backdoored proprietary device and replace a ROM (and then solve all kinds of problems with hardware not working properly or battery getting drained).
How did you set that up? I'd be interested in knowing how to redirect/proxy cellular connections to something local, in a way I could read and monitor the data (is it encrypted?).
Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage? For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes effect.
> I ended up making a linux-based whitelist firewall to access the Internet but it is pretty inconvenient because I have to manually enable every new host. And I can use it only at home.
A VPN with a firewall might be easier.
I used Wireshark on Windows to check that everything is set up correctly and to see what kind of requests the phone makes.
You can use WiFi instead of bluetooth the same way. You only need to use the "hotspot" option, provide DHCP to the phone and set your linux machine as the gateway. Probably you can do that with a router too, for example if you connect its WAN port to your linux machine or set up traffic redirection.
On linux I redirected traffic from the phone to localhost on ports 53 (DNS) and 80/443 (HTTP) and rejected any other traffic (there were some requests to time servers, sent by the DRM component of Android). I also ran a DNS server (dnsmasq) and a Squid HTTP proxy that can process redirected traffic (Squid can also generate certificates to decrypt HTTPS traffic, which was very useful though it took some time to find the correct settings). I set up dnsmasq and squid to serve requests based on white and black lists.
After I did some tests I found another, easier way to capture traffic from an Android phone. Android has a useful "Always-on VPN" feature that sends all traffic through a specified host (and doesn't allow any network access until the VPN connection is set up). You only need to set up IPsec on a linux box (I used strongswan). I used the "Always-on VPN" feature to redirect traffic to my VPS while using the mobile internet connection.
> Based on what you say, maybe you proxied Internet connections through Bluetooth - do you have a way to know whether there was any leakage?
I physically disconnected a laptop from the Internet and monitored the traffic on a bluetooth interface with Wireshark. The phone did not have a SIM card inside so it could not connect to a mobile network.
> For example, I've read, but can't confirm, that Android makes connections during bootup and before any firewall takes affect.
This can be detected using my setup. But if software is programmed to send some data only via mobile network and not via WiFi/bluetooth then it is more difficult to detect. You would need to set up a fake BTS (using OpenBTS for example) to capture that traffic. You would need special (not very expensive) SDR hardware in this case.
> A VPN with a firewall might be easier.
I ended up with the same idea. I even wrote a simple PHP app to manage black and white lists and view logs.
I was under the impression that the US does not allow selling of Android phones from most Chinese brands due to the reasons you mentioned, and for those that are allowed, they have strict vetting procedures to prevent phones with such capabilities from reaching the US market?
It is good to hear that in some countries importing such phones is not allowed.
When the same is sent to China, it's outrage?
Ditto with auto-updates.
I'd be glad if I could control much more of my data exposure. But business.
I also remember there used to be application firewalls in windows that kept track of the connections that each application made and if any of them contacted a new server, they'd ask you for permission. I don't think most folks used them because in the end they kept asking a lot of questions that the users didn't necessarily know how to answer, but I wonder if it wasn't such a bad idea after all, and whether the "default" choice could be mined from other users' settings.
bigdata.adups.com (primary)
bigdata.adsunflower.com
bigdata.adfuture.cn
bigdata.advmob.cn
Then check the content of the POST request (usually to url/mobileupload.do).
Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?
Can you share the report yet?
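The detection described two comments up (look for DNS queries to the four "bigdata" domains, then for POSTs to mobileupload.do) and the whitelist-based dnsmasq/Squid setup described earlier can be checked with a small log scanner. This is an added example, not code from the thread; the log lines, the whitelist and the log formats (dnsmasq query log, Squid native access.log) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicator domains quoted in the thread as the Adups "bigdata" endpoints.
ADUPS_DOMAINS = ("bigdata.adups.com", "bigdata.adsunflower.com",
                 "bigdata.adfuture.cn", "bigdata.advmob.cn")
# Upload endpoint mentioned in the thread ("usually .../mobileupload.do").
UPLOAD_PATH = "/mobileupload.do"
# Hosts the phone is allowed to reach (constructed whitelist, an assumption).
WHITELIST = {"time.android.com", "play.googleapis.com"}

DNS_RE = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")
# Squid native access.log: ts elapsed client code/status size method url ...
SQUID_RE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def in_domain_set(name, domains):
    """True if name equals, or is a subdomain of, any entry in domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)

def classify_host(name):
    """Indicator match beats whitelist; anything else is simply not allowed."""
    if in_domain_set(name, ADUPS_DOMAINS):
        return "adups-indicator"
    if in_domain_set(name, WHITELIST):
        return "allowed"
    return "not-whitelisted"

def scan_dns(lines):
    """Return (queried name, verdict) for every dnsmasq query line."""
    found = [DNS_RE.search(line) for line in lines]
    return [(m.group("name"), classify_host(m.group("name"))) for m in found if m]

def scan_squid(lines):
    """Return (method, host, verdict); a POST to mobileupload.do is flagged on
    any host, since the path is a more stable indicator than the domain."""
    out = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if "://" not in url:          # CONNECT lines log "host:port" only
            url = "//" + url
        parts = urlsplit(url)
        host = parts.hostname or ""
        verdict = classify_host(host)
        if m.group("method") == "POST" and parts.path.endswith(UPLOAD_PATH):
            verdict = "adups-upload"
        out.append((m.group("method"), host, verdict))
    return out

# Constructed sample log lines (not real captures).
DNS_SAMPLE = [
    "Nov 15 12:00:01 gw dnsmasq[1234]: query[A] bigdata.adups.com from 192.168.44.2",
    "Nov 15 12:00:02 gw dnsmasq[1234]: query[A] time.android.com from 192.168.44.2",
    "Nov 15 12:00:03 gw dnsmasq[1234]: query[AAAA] metrics.example.net from 192.168.44.2",
]
SQUID_SAMPLE = [
    "1479211201.123    245 192.168.44.2 TCP_MISS/200 512 POST http://bigdata.adups.com/mobileupload.do - HIER_DIRECT/203.0.113.10 text/html",
    "1479211202.456     12 192.168.44.2 TCP_TUNNEL/200 0 CONNECT play.googleapis.com:443 - HIER_DIRECT/203.0.113.20 -",
]
```

Run against the real dnsmasq and Squid logs from the gateway described above, everything tagged "not-whitelisted" is a candidate for the manual allow/deny decision the commenter mentions.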
I've got two phones here that were used during my trip there. I was wondering if you had any tips for figuring out if they were compromised or otherwise owned while I was out there.
I suppose you could interpret this "backdoor" as third-party access to the data, rather than to the device.
We can tell the same about Facebook, Google, Yahoo, Twitter, Uber, Microsoft, Visa, AmericanExpress...
Otherwise you accept our Terms of Service.
Thank you for trusting us.
(Is it just me or is it actually very hard to figure out whom I've given consent to do something with something that is mine?)
As example, I'll submit PRISM (while admitting that we're still not 100% clear on that) and the retroactive immunity provided to telecom companies.
Find a phone which has a large community around it, and lots of custom ROMs available. An official Cyanogenmod release is a good sign. It's also a sign that your phone will have a longer usable life than whatever the manufacturer promises you now.
Custom ROMs have a long history of extending the life of phones. For example the HTC G1 was abandoned by Google at Donut (1.6) but unofficially received up to Gingerbread (2.3). It's a bit of a perverse example, but hopefully enough to make the point. Phones with good community support receive current versions of Android long after both Google and the manufacturer have stopped giving a shit.
To the people who say "you can't trust a random stranger on the internet making a custom ROM to be any more secure than the manufacturer ROM" you're right. If someone wanted to make a custom ROM with malware in it, there's a pretty good chance it may not be noticed.
If your threat model includes a three letter agency, then don't use Android. Full stop. The iPhone is the ecosystem you want.
I recommend to all my friends and family to buy phones with good community support just to receive updates to ROMs like Cyanogen. The first thing I do when they say they're considering "Phone XYZ" is to look on XDA Developers[0] to gauge the level of community around the model. If it looks dead (e.g. look up any tablet based on the NVidia Tegra for what not to buy [1]) then I recommend they keep looking.
I've had really good luck with Chinese phones which are also sold in markets like South East Asia and India. There are millions of users of these phones, so the custom ROM community is quite strong. The hardware is also quite cheap, I have a Xiaomi Redmi 2 I bought last year for $125 USD including shipping, and it runs Android 7 thanks to community developers [2].
[0] http://forum.xda-developers.com
I wouldn't count on that either. It depends on how "interesting" you are for them; given their reach, I would be really surprised if some of these agencies don't have zero-days and/or backdoors stockpiled for high value targets.
All other concerns raised elsewhere here still apply, but the baseband threat is mitigated. Worth it...? Check that threat model again.
Android is pretty much a wasteland outside of the Nexus/Pixel line. Ignoring security and privacy, you just have a lot of shovelware involved along with a lack of commitment to timely, or if any, updates.
I would feel confident a Nexus/Pixel is as secure and nonsense-free as a phone running CyanogenMod. Of course, that's difficult to prove, but historically we haven't seen anything like this on a Nexus/Pixel device.
Battery life has actually been slowly and steadily improving after each update by Samsung. I imagine this is a sign of Samsung not liking Google's spyware very much and trying their best to limit background activity.
None of us has solid proof of course, but judging by observable facts (and by the pretty awful battery life of the Nexus 6P and the Pixels -- compared to the Exynos S7 Edge at least), I'd say mine aren't that crazy.
Perhaps device makers that know how to compile source and host the updates themselves are more likely to have more control over the firmware. So we might ask what the update policy is: do they provide updates?
So this is the threshold I'll have to pass to get a chance for true privacy?
A throw-away phone without ID bound to it would be my way to go then.
Seems to be some work ahead if you want to find out which phone doesn't use this service. And we're only talking about this particular service.
For example, the Samsung Galaxy S5 from T-Mobile (SM-G900T) you can put Cyanogenmod on, but the Samsung Galaxy S5 from AT&T (SM-G900A) you can not.
linuxbsdos.com/2016/11/05/the-samsung-android-tablet-that-will-never-access-the-internet/
Google hates it when a program phones home to someplace other than Google.
This whole article is a lot less racist if this paragraph is put on top. You know because every app made by some of the 1.3B people must be a government effort to collect intelligence.
The app is bad because it does the function without consent, not because it's made by Chinese.
For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to the USA every few seconds.
Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The authorities say it is not clear whether this represents secretive data mining for advertising purposes or a government effort to collect intelligence.
[EDIT: Fixed formatting]
>In one of the leaked emails sent by Apple Environment, Policy and Social Initiatives Vice President Lisa Jackson to Podesta, the Apple team clearly stated that the current methods of encryption in place allows the firm to essentially send an unlimited amount of personal and sensitive user data to law enforcement.
>Jackson further emphasized that Apple already has a 24-hour live team established for the sole purpose of handling law enforcement and government requests. “Thousands of times every month, we give governments information about Apple customers and devices, in response to warrants and other forms of legal process,” Jackson stated. “We have a team that responds to those requests 24 hours a day. Strong encryption does not eliminate Apple’s ability to give law enforcement meta-data or any of a number of other very useful categories of data.”
You have to love that 24 hour live team whose sole purpose is to provide customer data to law enforcement and government people.
cough
I do hope Eric Schmidt and Trent Lott have been using one of these phones/devices.