{"id":53291,"date":"2015-02-02T12:00:36","date_gmt":"2015-02-02T12:00:36","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=53291"},"modified":"2015-05-05T21:26:09","modified_gmt":"2015-05-05T20:26:09","slug":"secret-badass-intelligence-program-spied-on-smartphones","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/02\/secret-badass-intelligence-program-spied-on-smartphones\/","title":{"rendered":"Secret \u2018BADASS\u2019 Intelligence Program Spied on Smartphones"},"content":{"rendered":"<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/GCHQ-feature-hero-b-spying-surveillance-badass-smartphones.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53292\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/GCHQ-feature-hero-b-spying-surveillance-badass-smartphones-1024x648.jpg\" alt=\"GCHQ-feature-hero-b spying surveillance badass smartphones\" width=\"700\" height=\"443\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/GCHQ-feature-hero-b-spying-surveillance-badass-smartphones-1024x648.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/GCHQ-feature-hero-b-spying-surveillance-badass-smartphones-300x190.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/GCHQ-feature-hero-b-spying-surveillance-badass-smartphones.jpg 1200w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><em>26 Jan 2015 &#8211; <\/em>British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward Snowden.<\/p>\n<p>The <a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/media\/media-35670.pdf\" >document<\/a>, included in a trove of Snowden material released\u00a0by <em>Der 
Spiegel<\/em>\u00a0on January 17, outlines a secret program run by the intelligence\u00a0agencies called BADASS. The German newsweekly did not write about the BADASS document, attaching it to a broader <a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/international\/world\/new-snowden-docs-indicate-scope-of-nsa-preparations-for-cyber-battle-a-1013409.html\" >article<\/a>\u00a0on cyberwarfare. According to <em>The Intercept<\/em>\u2018s analysis of the document, intelligence agents applied\u00a0BADASS software filters to\u00a0streams\u00a0of\u00a0intercepted\u00a0internet traffic, plucking from that traffic\u00a0unencrypted uploads from smartphones to servers run by advertising and analytics companies.<\/p>\n<p>Programmers\u00a0frequently embed code from a handful of such\u00a0companies into their smartphone apps because it helps them answer a variety of questions: How often does a particular user open the app, and at what time of day? Where does the user\u00a0live? Where does\u00a0the user\u00a0work? Where is\u00a0the user\u00a0right now? What\u2019s the phone\u2019s unique identifier? What version of Android or iOS is the device running? What\u2019s the user\u2019s IP address? Answers to those questions guide app upgrades and help target advertisements, benefits that\u00a0help explain why tracking users is not only routine in the tech industry but also considered a best practice.<\/p>\n<p>For users, however, the smartphone data routinely provided to ad and analytics companies represents a major privacy threat. When combined together, the information fragments can be used to identify specific users, and when concentrated in the hands of a small number of companies, they have proven to be irresistibly convenient targets for those engaged in mass surveillance. 
Although the BADASS presentation appears to be roughly four years old, at least one player in the mobile advertising and analytics space, Google, acknowledges that its servers still routinely receive unencrypted uploads from Google code embedded in\u00a0apps.<\/p>\n<p>For spy agencies, this smartphone\u00a0monitoring data represented a new, convenient way of learning more about surveillance targets, including information about their physical movements and digital activities. It also would have made it possible to design more focused cyberattacks against those people, for example by exploiting a weakness in a particular app known to be used by a particular person. Such scenarios are strongly hinted at in a 2010 NSA <a target=\"_blank\" href=\"http:\/\/www.nytimes.com\/interactive\/2014\/01\/28\/world\/28mobile-annotateA.html\" >presentation<\/a>, provided by agency\u00a0whistleblower Edward Snowden and published last year in <em>The New York Times<\/em>, <em>Pro Publica<\/em>, and <em>The Guardian.\u00a0<\/em>That presentation\u00a0stated that smartphone monitoring would be useful because it could\u00a0lead to \u201cadditional exploitation\u201d and the unearthing of \u201ctarget knowledge\/leads, location, [and] target technology.\u201d<\/p>\n<p>The 2010\u00a0presentation, along with additional documents from Britain\u2019s intelligence service Government Communications Headquarters, or GCHQ, showed that the intelligence agencies were aggressively ramping up their efforts to see into the world of mobile apps. But the specifics of how they might distill useful information from the torrent of internet packets to and from smartphones remained unclear.<\/p>\n<p><strong>Encrypting Data in Transit<\/strong><\/p>\n<p>The BADASS slides fill in some of these blanks. They appear to have been presented in 2011 at the highly secretive SIGDEV intelligence community conference. 
The presentation states that \u201canalytics firm Flurry estimates that 250,000 Motorola Droid phones were sold in the United States during the phone\u2019s first week in stores,\u201d and asks, \u201chow do they know that?\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass1-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53293\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass1-1000x750-gchq-spy-smartphones.png\" alt=\"badass1-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass1-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass1-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>The answer is that during the week in question, Flurry uploaded to its own servers\u00a0analytics from Droid phones on behalf of app developers, one phone at a time, and stored the analytics\u00a0in their own databases. Analytics includes any information that\u00a0is available to the app and that can conceivably help improve it, including, in certain instances with Flurry, the user\u2019s age and gender, physical location, how long they left the app open, and a unique identifier for the phone, according to Flurry materials included in the BADASS document.<\/p>\n<p>By searching these databases, the company\u00a0was\u00a0able to get a count of Droid phones running Flurry-enabled apps and, by extrapolating, estimate the total number of Droids in circulation. 
The company can find similar information about any smartphone that their analytics product supports.<\/p>\n<p>Not only was Flurry\u00a0vacuuming sensitive data up to its servers, it was doing so insecurely.\u00a0When a smartphone app collects data about the device it\u2019s running on and sends it back to a tracking company, it generally uses\u00a0the HTTP protocol,\u00a0and Flurry-enabled apps were no exception. But HTTP is inherently insecure\u2014eavesdroppers can easily spy on the entire digital conversation.<\/p>\n<p>If the tracking data was always phoned home using the HTTPS protocol\u2014the same as the HTTP protocol, except that the stream of traffic between the phone and the server is encrypted\u2014then the ability for spy agencies to collect tracking data with programs like BADASS would be severely impeded.<\/p>\n<p>Yahoo, which acquired the analytics firm Flurry in late 2014, says that since acquiring the company they have \u201cimplemented default encryption between Flurry-enabled applications and Flurry servers. The 2010 report in question does not apply to current versions of Flurry\u2019s analytics product.\u201d Given that Yahoo acquired Flurry so recently, it\u2019s unclear how many apps still use\u00a0Flurry\u2019s\u00a0older tracking code that sends\u00a0unencrypted data back to Yahoo\u2019s servers. 
(Yahoo declined to elaborate specifically\u00a0on that topic.)<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass10-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53294\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass10-1000x750-gchq-spy-smartphones.png\" alt=\"badass10-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass10-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass10-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>The BADASS slides also use\u00a0Google\u2019s advertisement network\u00a0AdMob as an example of intercepted, unencrypted data. Free smartphone apps are often supported by ads, and if the app uses AdMob then it sends some identifying\u00a0information to AdMob\u2019s servers while loading the ad. Google currently supports the ability for app developers to <a target=\"_blank\" href=\"https:\/\/support.google.com\/admob\/answer\/6110580?hl=en&amp;ref_topic=3052727\" >turn on HTTPS for ad requests<\/a>, however it\u2019s clear that only some AdMob users actually do this.<\/p>\n<p>When asked about HTTPS support for AdMob,\u00a0a Google spokesperson said, \u201cWe continue our ongoing efforts to encrypt all Google products and services.\u201d<\/p>\n<p>In addition to Yahoo\u2019s Flurry and Google\u2019s AdMob, the BADASS presentation also shows that British and Canadian intelligence were\u00a0targeting Mobclix, Mydas, Medialets, and MSN Mobile Advertising. But it\u2019s clear that any mobile-related plaintext traffic from any company is a potential target. 
While the BADASS presentation focuses on traffic from analytics and ad companies, it also shows spying on Google Maps heartbeat traffic, and capturing \u201cbeacons\u201d sent out when apps are first opened (listing Qriously, Com2Us, Fluentmobile, and Papayamobile as examples). The BADASS presentation also mentions capturing GPS coordinates that get leaked when opening BlackBerry\u2019s app store.<\/p>\n<p>In a boilerplate statement, GCHQ said, \u201cIt is longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ\u2019s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.\u201d Its Canadian counterpart, Communications Security Establishment Canada, or CSEC, responded with a statement that read, in part, \u201cFor reasons of national security, CSE cannot comment on its methods, techniques or capabilities. CSE conducts foreign intelligence and cyber defence activities in compliance with Canadian law.\u201d<\/p>\n<p>Julia Angwin,\u00a0who has doggedly investigated online privacy issues as a journalist and author, most recently of the book \u201c<a target=\"_blank\" href=\"http:\/\/www.amazon.com\/Dragnet-Nation-Security-Relentless-Surveillance\/dp\/0805098070\/ref=asap_bc?ie=UTF8\" >Dragnet Nation<\/a>,\u201d\u00a0explains that \u201cevery type of unique identifier that passes [over the internet] unencrypted is giving away information about users to anyone who wants it,\u201d and that \u201cthe evidence is clear that it\u2019s very risky to be throwing unique identifiers out there in the clear. Anyone can grab them. 
This is more evidence that no one should be doing that.\u201d<\/p>\n<p><strong>Building Haystacks to Search for Needles<\/strong><\/p>\n<p>The BADASS program was\u00a0created not merely to track advertising and analytic data but to solve a much bigger problem:\u00a0There is an overwhelming amount of smartphone tracking data being collected by intelligence agencies, and it\u2019s difficult to make sense of.<\/p>\n<p>First there are the major platforms: iOS, Android, Windows Phone, and BlackBerry. On each\u00a0platform, a range\u00a0of hardware and platform\u00a0versions are in use. Additionally, app stores are overflowing; new apps that track people get released every day. Old apps constantly get updated to track people in different ways, and people use different versions of apps for different platforms all at once. Adding to the diversity, there are\u00a0several different ad and analytics companies that app developers use, and when\u00a0those companies\u00a0send tracking data back to their servers, they use\u00a0a wide variety of\u00a0formats.<\/p>\n<p>With such an unwieldy haystack of data, GCHQ and CSEC started\u00a0the BADASS program, according to the presentation, to find the needles: information that can uniquely identify people and their devices, such as smartphone identifiers, tracking cookies, and other unique strings, as well as personally identifying information like GPS coordinates and email addresses.<\/p>\n<p>BADASS is an acronym that stands for BEGAL Automated Deployment And Survey System. 
(It is not clear what \u201cBEGAL\u201d stands for, in turn.)\u00a0The slideshow presentation is called \u201cMobile apps doubleheader: BADASS Angry Birds,\u201d and promises \u201cprotocols exploitation in a rapidly changing world.\u201d<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass2-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53295\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass2-1000x750-gchq-spy-smartphones.png\" alt=\"badass2-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass2-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass2-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><strong>Exploiting Protocols in a Rapidly Changing World<\/strong><\/p>\n<p>Analysts are able to write BADASS \u201crules\u201d that look for specific types of tracking information as it travels across the internet.<\/p>\n<p>For example, when someone opens an app that loads an ad, their phone normally sends an unencrypted web request (called an HTTP request) to the ad network\u2019s servers. If this request gets intercepted by spy agencies and fed into the\u00a0BADASS program, it then gets filtered through each rule to see if one applies to the request. 
If it finds a match, BADASS\u00a0can then automatically pull out the juicy information.<\/p>\n<p>In the following slide, the information that is potentially available in a single HTTP request to load an ad includes which platform the ad is being loaded on (Android, iOS, etc.), the unique identifier of the device, the <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/International_Mobile_Station_Equipment_Identity\" >IMEI<\/a> number which cell towers use to identify phones that try to connect to them, the name and version of the operating system that\u2019s running, the model of the device, and latitude and longitude location data.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass3-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53296\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass3-1000x750-gchq-spy-smartphones.png\" alt=\"badass3-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass3-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass3-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>Similar\u00a0information is sent across the internet in HTTP requests in several different formats depending on what company it\u2019s being sent to, what device it\u2019s running on, and what version of the ad or analytics software is being used. 
Because this is constantly changing, analysts can write their own BADASS rules to capture all of the permutations they can find.<\/p>\n<p>The following slide shows part of the BADASS user interface, and a partial list of rules.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass4-1000x750-gchq-smartphones-spy.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53297\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass4-1000x750-gchq-smartphones-spy.png\" alt=\"badass4-1000x750 gchq smartphones spy\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass4-1000x750-gchq-smartphones-spy.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass4-1000x750-gchq-smartphones-spy-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>The slideshow includes a section called \u201c<span style=\"text-decoration: line-through;\">Ab<\/span>using BADASS for Fun and Profit\u201d which goes into detail about the methodology analysts use to write new BADASS rules.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass5-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53298\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass5-1000x750-gchq-spy-smartphones.png\" alt=\"badass5-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass5-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass5-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass6-1000x750-gchq-spy-smartphnes.png\" ><img 
loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53299\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass6-1000x750-gchq-spy-smartphnes.png\" alt=\"badass6-1000x750 gchq spy smartphnes\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass6-1000x750-gchq-spy-smartphnes.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass6-1000x750-gchq-spy-smartphnes-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>By looking at intercepted HTTP traffic and writing rules to parse it, analysts can quickly gather as much information as possible from leaky smartphone apps. One slide states: \u201cCreativity, iterative testing, domain knowledge, and the right tools can help us target multiple platforms in a very short time period.\u201d<\/p>\n<p><strong>Privacy Policies That Don\u2019t Deliver<\/strong><\/p>\n<p>The slides also appear to mock the privacy promises of ad and analytics companies.<\/p>\n<p>Companies that collect usage statistics about software often insist that the data is anonymous because they don\u2019t include identifying information such as names, phone numbers, and email addresses of the users that they\u2019re tracking.\u00a0But in reality, sending unique device identifiers, IP addresses, IMEI numbers, and GPS coordinates of devices is <a target=\"_blank\" href=\"https:\/\/www.eff.org\/deeplinks\/2010\/01\/primer-information-theory-and-privacy\" >far from anonymous<\/a>.<\/p>\n<p>In one slide, the phrase \u201canonymous usage statistics\u201d appears in conspicuous quotation marks. 
The spies are well aware that despite not including specific types of information, the data they collect from leaky smartphone apps is enough for them to uniquely identify their targets.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass7-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53300\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass7-1000x750-gchq-spy-smartphones.png\" alt=\"badass7-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass7-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass7-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>The following slides show a chunk of Flurry\u2019s privacy policy (at this point it has\u00a0been replaced by Yahoo\u2019s privacy policy), which states what information it collects from devices and how it believes this is anonymous.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass8-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-53301\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass8-1000x750-gchq-spy-smartphones.png\" alt=\"badass8-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass8-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass8-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass9-1000x750-gchq-spy-smartphones.png\" ><img loading=\"lazy\" decoding=\"async\" 
class=\"aligncenter wp-image-53302\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass9-1000x750-gchq-spy-smartphones.png\" alt=\"badass9-1000x750 gchq spy smartphones\" width=\"700\" height=\"525\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass9-1000x750-gchq-spy-smartphones.png 1000w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/01\/badass9-1000x750-gchq-spy-smartphones-300x225.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><\/p>\n<p>The red box, which is present in the original slides, highlights this part:\u00a0\u201cNone of this information can identify the individual. No names, phone numbers, email addresses, or anything else considered personally identifiable information is ever collected.\u201d<\/p>\n<p>Clearly the intelligence services\u00a0disagree.<\/p>\n<p>\u201cCommercial surveillance often appears very benign,\u201d Angwin says. \u201cThe reason Flurry exists is not to \u2018spy on people\u2019 but to help people learn who\u2019s using their apps. But what we\u2019ve also seen through Snowden revelations is that spy agencies seek to use that for their own purposes.\u201d<\/p>\n<p><strong>The Web has the Exact Same Problems<\/strong><\/p>\n<p>While the BADASS program is specifically designed to target smartphone traffic, websites suffer from these exact same problems, and in many cases they\u2019re even worse.<\/p>\n<p>Websites routinely include bits of tracking code from several different companies for ads, analytics, and other behavioral tracking. 
This, combined with the lack of HTTPS, turns your web browser into a surveillance device that follows you around, even if you switch networks or use proxy servers.<\/p>\n<p>In other words, while the BADASS presentation may be four years old, and while it\u2019s been a year and a half since Snowden\u2019s leaks began educating technology\u00a0companies and users about the massive privacy threats they face, the big privacy holes exploited by BADASS remain a huge problem.<\/p>\n<p>____________________________<\/p>\n<p><em>Email the author: <a href=\"mailto:micah.lee@theintercept.com\">micah.lee@theintercept.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/01\/26\/secret-badass-spy-program\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>26 Jan 2015 &#8211; British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward 
Snowden.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-53291","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=53291"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53291\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=53291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=53291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=53291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}