As things about the NSA and their partner agencies continue to trickle out from various newspapers like Der Spiegel, The Guardian and the New York Times we have learned about how the NSA and GCHQ are spying on people utilizing the weaknesses of mobile apps. Documents have leaked from The Guardian talk about how the GCHQ and NSA were able to easily get data from one of the most popular applications, Angry Birds. They did this by monitoring ‘leaky’ apps on Android and iOS in order to catch any data that isn’t securely transmitted.
At that point, Rovio’s CEO stated that they were not complicit in the spying on Angry Birds users and that they will have to rethink their ad partnerships. It appears that this vulnerability was primarily in the free version of the application since more personal user data was collected in that version of the app. What this means again is that there are even more risks in using ad-supported free applications that constantly ping user data to advertisers looking to monetize on that application’s userbase. It seems quite obvious that this was the ‘leaky’ part of the app and it will be interesting to see how application developers adjust to prevent against such incursions of privacy.
What’s even more interesting is to see how GCHQ spies on Android and iOS users using their Smurf codenamed programs and what kind of data they are able to gain from these applications.
Here we see that their Warrior Pride program had been ported to the iPhone and that they had key tools, many named after smurfs (I don’t know why) that enabled them to do things like control power management, microphone, GPS location, file retrieval, self-protection (keep from being removed) and kernel stealth which would imply that they are actively hiding from any sort of anti-spyware, anti-virus applications that might be installed on a device.
Here with the Android version, we can tell that they weren’t entirely finished with the Android version of the application, but they essentially had the exact same functionality. What’s both funny and sad is that someone noted that even the application developers for the GCHQ and NSA ship on iOS first, Android second and don’t even bother with Windows Phone. Which, would actually make the Windows Phone platform the safest in theory because so few people use it and it isn’t really widely used enough to be worth the effort to the spy agencies.
Then, we heard about how the NSA uses applications like Google Maps, Facebook Apps and many photo applications to pull data from users’ devices.
They are able to intercept these images’ metadata as they are taken, with Geotags and device metadata and grab all of the useful information off of them before they get uploaded to the servers of the service.
They are able to then take the image data and create fingerprints in XKeyscore in order to make a unique identifier for a certain person. XKeyscore is the NSA’s program that allows them to easily and quickly identify users and their fingerprints are a way that they are able to collect uniquely identifying user data and then combine it into a single fingerprint so that whenever that fingerprint shows up somewhere in their filters they are able to quickly gain access to it. That fingerprint could include things like EXIF data from photos, IMEI data from a person’s cellphone or a multitude of things like a user’s user IDs and passwords.
This then leads to what they call the Golden Nugget as we described earlier, a mobile device uploading a geotagged photo on a mobile network.
As you can see, through the NSA’s monitoring of applications and specifically social media applications, they are able to get more precise information about their target. They can get a better idea of that target’s location, what kind of technology they are using (and whether or not they can exploit it) and figure out what the primary medium of use is.
All in all, this seems like a terrifyingly logical progression from the other programs the NSA and GCHQ have implemented and only explains the scope of the spying on people. They want to leave no stone unturned and no cellphone untapped.