maemo.org - Talk


szopin 2013-12-13 22:39

Security (NSA, Android app, any app, OS...)
 
Call me a masochist, Jolla is sitting next to me yet I still bang on the keyboard and let the 'soon' last a little longer :), still was thinking about this for a while, so here goes.

The question: How can you tell? (if your device is secure, if the app doesn't sneakily send out your private data)

First thing that comes to mind:

Wireshark on device -> Yamas or any other MITM tool (N900 should work nicely for this, also wireshark on it doesn't have to wait for Wayland support) -> router

Compare what Wireshark gives you vs what Yamas captures, matches = no low level sneaky stuff in OS (is this positive/conclusive? can something sneak through MITM?)

Verifying apps is getting a little trickier. Sure you can capture, but most apps will encode data, so even if you get same dump, you will not know what is inside (your contacts/addresses?). Yamas will help only with https, so no luck here.
One way would be to provide crooked ssl.so that is decodable/predictable, though seeing what measures people put in skype vs reveng one could assume an NSA app will come with its own libraries.
Play with the clock/random number generator of the device (would that be even possible or would the whole system crash/die?) so their own lib generates multiple times the same encoding (prepare contacts and all other worth stealing info on the device so you can repeat this as many times as you want and deduce the algorithm from there?)

So, is there a way to really NSA-proof yourself? (even if proprietary-binary scenario with fake .so's is unrealistic, would vetting the system with Wireshark/MITM actually give some insight?)
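The capture comparison proposed in the post above, as an added example that is not part of the thread or any poster's code: it parses two classic pcap files (one taken on the device, one at the MITM box) and reports outbound flows the MITM box saw that the on-device capture did not. The function names, the device address 192.168.1.50 and both sample captures are assumptions constructed for illustration.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps


def _flow_key(frame):
    """Return (proto, src, dst, dport) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    _sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return ({6: "tcp", 17: "udp"}[proto], src, dst, dport)


def flows_from_pcap(data):
    """Count packets per flow key in a little-endian Ethernet pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    flows, off = Counter(), 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, _origlen = struct.unpack_from("<IIII", data, off)
        key = _flow_key(data[off + 16: off + 16 + caplen])
        off += 16 + caplen
        if key:
            flows[key] += 1
    return flows


def unexplained_flows(device_pcap, gateway_pcap, device_ip):
    """Flows sent by device_ip that the gateway saw more often than the device did.

    Returns [(flow_key, packets_seen_on_device, packets_seen_at_gateway)].
    A capture that dropped packets can also cause a mismatch, so treat a hit
    as something to investigate, not as proof.
    """
    on_device = flows_from_pcap(device_pcap)
    report = []
    for key, seen in sorted(flows_from_pcap(gateway_pcap).items()):
        if key[1] == device_ip and on_device.get(key, 0) < seen:
            report.append((key, on_device.get(key, 0), seen))
    return report


# --- constructed sample data (minimal frames, checksums left at zero) ---
def _packet(proto, src, dst, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)  # ports plus 4 filler bytes
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def _pcap(packets):
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        out += struct.pack("<IIII", 0, 0, len(p), len(p)) + p
    return out


DEVICE_IP = "192.168.1.50"
_common = [
    _packet(6, DEVICE_IP, "198.51.100.10", 40000, 443),
    _packet(6, DEVICE_IP, "198.51.100.10", 40000, 443),
    _packet(17, DEVICE_IP, "192.168.1.1", 40001, 53),
]
DEVICE_CAPTURE = _pcap(_common)
GATEWAY_CAPTURE = _pcap(_common + [
    _packet(6, DEVICE_IP, "203.0.113.7", 40002, 8080),       # absent on device
    _packet(6, "192.168.1.77", "198.51.100.10", 40003, 443),  # another host
])

if __name__ == "__main__":
    for key, local, remote in unexplained_flows(DEVICE_CAPTURE, GATEWAY_CAPTURE, DEVICE_IP):
        print(f"{key}: {local} packets on device, {remote} at gateway")
```

The comparison only covers traffic that crosses the link where the second capture is taken; anything leaving over the cellular modem appears in neither file.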

N9uwu 2013-12-13 22:56

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by szopin (Post 1396213)
So, is there a way to really NSA-proof yourself? (even if proprietary-binary scenario with fake .so's is unrealistic, would vetting the system with Wireshark/MITM actually give some insight?)

As long as "all other people", as in people you interact with on a day to day basis, use apps/tools without a sufficient crypto, you might as well accept that you are being monitored ;). Even if you can prove that the phone itself is "clean" - what about all the traffic you send and receive e.g. over your carrier network? So the only proofing there is, is strong end to end crypto - and there should at least be android apps for that.

szopin 2013-12-13 22:58

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by N9uwu (Post 1396222)
As long as "all other people", as in people you interact with on a day to day basis, use apps/tools without a sufficient crypto, you might as well accept that you are being monitored ;). Even if you can prove that the phone itself is "clean" - what about all the traffic you send and receive e.g. over your carrier network? So the only proofing there is, is strong end to end crypto - and there should at least be android apps for that.

Well, if you vet the OS, you can interact with people who will install same PGP based app for IM that uses some 'safe' (yeah, I know, but it is doable, upload your public key to piratebay, deal with it NSA) communication channel, carrier can do nothing :D (even encrypted voice calls could work if you are sure the OS/base is safe, maybe a bit of lag)

N9uwu 2013-12-13 23:08

Re: Security (NSA, Android app, any app, OS...)
 
Well even if there are options (and yes of course it is doable :) ), the fact of the matter is that it is really hard to convince average joe (even if average joe happens to be a family member/a good friend) to transition away from skype or application X, or just ordinary voice calls.

szopin 2013-12-13 23:18

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by N9uwu (Post 1396231)
Well even if there are options (and yes of course it is doable :) ), the fact of the matter is that it is really hard to convince average joe (even if average joe happens to be a family member/a good friend) to transition away from skype or application X, or just ordinary voice calls.

The idea is not about one-button-click secure from NSA solution, this will never happen, more about: is it even possible? Some claim 'there is no NSA on Jolla', I would really like to believe it. How can (is it at all possible, skipping the obvious 'linux kernel openness vs billions of dollars NSA can pay for 0-days' dilemma) one check/investigate what is happening with his device. (yeah carrying Jolla + separate device for communication will not work, BTS usage will identify you instantly (jolla on wifi only, no data/roaming with macchanger every 5 minutes? I hope this is like Neo900 where you will be able to trust modem is actually OFF without removing the battery), but can jolla be 'safe' as for carrying corporate documents? I would not trust WP/iOS/Android for such)

gerbick 2013-12-14 08:43

Re: Security (NSA, Android app, any app, OS...)
 
The fact that we're having to think about NSA-proofing our devices is going to crest and the thoughts of "Why even use this stuff?" needs to start happening... but not at risk of hurting companies like Jolla, but to state that we're just "tired of it and we're not taking it anymore..."

I'm going to subscribe to this thread. Can't wait to see if anything actually comes out of it.

minimos 2013-12-14 09:04

Re: Security (NSA, Android app, any app, OS...)
 
I don't think there is a practical way to prove that the device is totally safe, unless you're able to make it live all the time 'sandboxed' into your own tapping monitoring: your own (portable) BTS to bridge GSM communications and similarly for WLAN.
As, what if the Qualcomm firmware every second full moon and x MB of traffic decides to 'fart out' to somewhere a concise summary of your last communications? It would be a needle in a haystack that not even the sailors who signed NDAs with their providers would know its existence.

juiceme 2013-12-14 11:09

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by szopin (Post 1396237)
The idea is not about one-button-click secure from NSA solution, this will never happen, more about: is it even possible?

Actually this is something that I have been thinking about, it is far from impossible :D

A "one-click-safe-from-NSA-voicecalls" solution;
  • 1.) prerequisites; Both A&B subscribers have the encryption software installed in their devices
  • 2.) normal CS/PS voice call initiation
  • 3.) when both parties have verified that the other end is who it is supposed to be, they enter secure mode by starting the encryption application
  • 4.) the encrypting applications take over the voice channel, users are cut out from audio;
    - Layer 1 is audio modulation with fairly low bitrate and similar characteristics as speech range so that it passes reasonably unaltered through echo cancellation and other mangling that RAN does to it.
    - TCP/IP over that carries the connection data
    - SSL handshaking takes care of protecting the connection
    - finally the voice connection is now run on top of the secure connection
  • 5.) users have end-to-end encrypted voice channel for the duration of the rest of the call
There was a study and demonstration set up with N900 devices, I believe. It would be easy to have this kind of system on multiple platforms, you'd not be limited to use this only on Jolla-to-Jolla calls.


Quote:

Originally Posted by szopin (Post 1396237)
Some claim 'there is no NSA on Jolla', I would really like to believe it. How can (is it at all possible, skipping the obvious 'linux kernel openness vs billions of dollars NSA can pay for 0-days' dilemma) one check/investigate what is happening with his device. (yeah carrying Jolla + separate device for communication will not work, BTS usage will identify you instantly (jolla on wifi only, no data/roaming with macchanger every 5 minutes? I hope this is like Neo900 where you will be able to trust modem is actually OFF without removing the battery), but can jolla be 'safe' as for carrying corporate documents? I would not trust WP/iOS/Android for such)

The scenario I suggested above will of course not hide your device location, nothing can be used to do that if you want to be on a public cellular network, but there are ways of hiding who you are communicating with;
Imagine that instead of having a direct voicecall between A&B subscribers you could also set up the system so that both parties have their own connection point in their own controlled networks. After each party sets up connection to their own systems, call could be routed via TOR or similar approach between the connection points :D

Hurrian 2013-12-20 00:26

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by juiceme (Post 1396372)
Actually this is something that I have been thinking about, it is far from impossible :D

Isn't this a lot like RedPhone (open sauce!) ?
The main problem with phone call encryption is that you're either dealing with the restraints of mobile data latencies (eww) or the already-low bandwidth of a GSM call (eww eww).

The best approach would be to implement proper, endpoints-only, key exchange and modern encryption algorithms, possibly with rekeying to prevent dictionary/hash table attacks as part of mobile standards.
But the spooks won't let us have that :(

It's not too late to change though - we could have this in VoLTE. Nobody uses it yet - maybe someone at ITU could propose this change?

eldiablo 2013-12-20 02:24

Re: Security (NSA, Android app, any app, OS...)
 
I know of only one possibly viable, practical (temporary) solution that I would be confident in.

There are 2 problems to remember when securing your Android device, #1 is that because Android is not open source, it is more likely to have backdoors in it for the NSA, just as Windows or Apple products do. For that reason it will be vulnerable even with encryption tools such as Redphone so long as Android is installed. This is akin to how HTML5 video tags (and scripts etc.) can leak DNS info while you are on the TOR network, usurping the security it provides.

Secondly, even if you put an open source alternative to it such as Replicant on the device, there is the fact that all network traffic is being monitored. This is where encryption comes in.

Now as was previously mentioned, encryption over these networks can cause problems with call quality. So the only alternative I can think of is this:

1. Use an open source OS such as Replicant
2. Make calls via WIFI rather than the cellular network and encrypt them.

Now no2 is a bit tricky because most people prefer Skype which will also allow such calls but it's a Microsoft product and will never be secure. So the trickiest part is to ditch Skype and convince your circle of colleagues to do the same, in favor of a SIP application such as linphone or CSipSimple and use something that encrypts it as securely as possible such as the FREE Ostel.co service.

The details on doing this, as well as lots of excellent tips and links to securing your data from the treasonous cold war being levied on us by traitors in the NSA can be found at:

http://prism-break.org

Now this will mean that you will need to use WIFI(not 3g etc.) to make calls, but if security is important to you, then you will adapt to this or just keep it to yourself.

shawnjefferson 2013-12-23 19:30

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by eldiablo (Post 1398964)
Android is not open source, it is more likely to have backdoors in it for the NSA, just as Windows or Apple products do.

Do you have proof of this, or can point to someone that has reverse engineered these operating systems and found actual backdoors? I don't mean vulnerabilities in the code, these are not proof of NSA pressure on the companies to create "backdoors", just mistakes made in coding and/or quality control.

I'd be very surprised if the NSA pressured either company into putting backdoors into their products, especially when those products can easily be reverse engineered and those backdoors can be found and exploited by almost anyone.

The NSA can, and most likely did force companies like Google and Microsoft to provide them with their SSL private keys so that the NSA can spy on all your encrypted traffic to Gmail and Hotmail. That could be done quite easily and wouldn't be likely to cause any collateral damage.

ste-phan 2013-12-23 20:07

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by shawnjefferson (Post 1400086)
, just mistakes made in coding and/or quality control.

Your logic makes sense, yet these instances grow bolder as well. Torture in Iraq. The work of a few evil grunts on the loose.
Google collecting Wifi payload in streets all across Europe? A programming mistake.
Countless examples where one low level rotten apple is to be held responsible whenever caught red handed.
This communication strategy works so well that it is becoming the standard answer whenever a totally wrong political or corporate policy is being exposed for what it truly is.

So the question remains, who is going to reverse engineer the millions of lines of code to discover the backdoor?
Probably nobody.
But suppose a backdoor is found, it will be the work of a single individual coder with low moral standards and he / she might get fired. That is certain.

korpenkraxar 2013-12-28 14:25

Re: Security (NSA, Android app, any app, OS...)
 
I can't see why a phone running an open source custom after market Android ROM/distro such as CyanogenMod together with an OTR XMPP client such as Jitsi and the F-droid repo of nearly a thousand free software apps would be any worse from a privacy standpoint than the pseudo-open Linux solutions that Nokia released.

I love MeeGo and the N9 but it is not and never was a fully open source experience.

ste-phan 2014-01-02 14:38

Re: Security (NSA, Android app, any app, OS...)
 
Kindly vote for cleaning the Android VM from hard coded Google DNS servers.

https://together.jolla.com/question/...different-dns/

switch-hitter 2014-01-02 18:35

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by shawnjefferson (Post 1400086)
Do you have proof of this, or can point to someone that has reverse engineered these operating systems and found actual backdoors? I don't mean vulnerabilities in the code, these are not proof of NSA pressure on the companies to create "backdoors", just mistakes made in coding and/or quality control.

I'd be very surprised if the NSA pressured either company into putting backdoors into their products, especially when those products can easily be reverse engineered and those backdoors can be found and exploited by almost anyone.

The NSA can, and most likely did force companies like Google and Microsoft to provide them with their SSL private keys so that the NSA can spy on all your encrypted traffic to Gmail and Hotmail. That could be done quite easily and wouldn't be likely to cause any collateral damage.

One of the NSA documents leaked by Eric Snowden was a confidential 41 slide powerpoint presentation stating they had 'direct access' to the 'systems' and 'collection directly from the servers' of US multinationals including Apple, Google, Microsoft, FaceBook, Yahoo, YouTube, Skype, AOL and PalTalk. The presentation also states the program (called Prism) is run with the assistance of the companies.

drcouzelis 2014-01-02 19:16

Re: Security (NSA, Android app, any app, OS...)
 
Every mobile has a second operating system that you have no control over.

http://www.osnews.com/story/27416/Th...y_mobile_phone

I'm the biggest supporter of the Free Software Foundation that I personally know, but even I'm beginning to feel like "What's the point of even trying anymore?". :(

switch-hitter 2014-01-02 20:01

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by drcouzelis (Post 1403140)
Every mobile has a second operating system that you have no control over.

http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone

Which is why Sammy are our best hope, because they can build the whole kit and caboodle.

szopin 2014-01-13 20:49

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by minimos (Post 1396314)
I don't think there is a practical way to prove that the device is totally safe, unless you're able to make it live all the time 'sandboxed' into your own tapping monitoring: your own (portable) BTS to bridge GSM communications and similarly for WLAN.
As, what if the Qualcomm firmware every second full moon and x MB of traffic decides to 'fart out' to somewhere a concise summary of your last communications? It would be a needle in a haystack that not even the sailors who signed NDAs with their providers would know its existence.

Is it possible to catch all radio emissions from a device? Idea would be to buy a fresh Jolla and a starter/pay as you go sim card. Stand at the entrance to the Ecuadorian embassy in London and insert it. If one could catch unexpected radio chatter, would prove Qualcomm drivers are iffy, no? (probably everybody is aware of US equipment they planted there that was misconfigured and welcomed everybody to Uganda, we can expect attack or maybe just a wakeup call there)

Edit: to elaborate, I believe NSA(GCHQ) have a weakness, we know who they target. If you do such test with nexus/galaxy/iphone/lumia we could at least dismiss the notion of backdoor (if they have all UK carriers providing them with full access this won't help a lot, but next to a red-hot target I would assume they will try to backdoor, then again it might be in do-not's of spying, Uganda would suggest they follow flaky procedures though)

Dave999 2014-01-27 20:05

Re: Security (NSA, Android app, any app, OS...)
 
http://www.theguardian.com/world/201...-personal-data

Kotka 2014-01-27 21:30

Re: Security (NSA, Android app, any app, OS...)
 
How secure is Sailfish OS?

herpderp 2014-01-27 22:27

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by Kotka (Post 1409344)
How secure is Sailfish OS?

Not safer than Android, I'd say.

The core OS might be secure, but there's absolutely no protection against rogue apps stealing your data (apart from the Jolla store validation, which I doubt can catch these).

ed00 2014-01-28 02:17

Re: Security (NSA, Android app, any app, OS...)
 
Privacy is growing into big business, and it comes to the point that if you want some privacy you should pay for it. Sadly, that's where I see it going:

https://github.com/SilentCircle

fw190 2014-01-28 12:39

Re: Security (NSA, Android app, any app, OS...)
 
Hmmm, and what do you think of this:
https://www.blackphone.ch/

Leinad 2014-01-28 12:53

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by fw190 (Post 1409440)
Hmmm, and what do you think of this:
https://www.blackphone.ch/

looks like just another Android phone with some preinstalled security apps and predefined VPN if you ask me.
... and a fancy name :)

fw190 2014-01-28 16:44

Re: Security (NSA, Android app, any app, OS...)
 
Well, there are some people known for security behind it, but I'm not an expert so I believe in their marketing to some point.

ed00 2014-01-29 05:40

Re: Security (NSA, Android app, any app, OS...)
 
fw190

Yeah, I'm aware of the Blackphone project; it's a collaboration of GeeksPhone and SilentCircle. But to me privacy and Android are never going to be compatible :-)
Btw, GeeksPhone is coming out with a new phone; yet again it runs Android and some alternative OS, probably Firefox OS.
http://www.geeksphone.com/#


szopin 2014-03-12 23:01

Re: Security (NSA, Android app, any app, OS...)
 
Relevant: http://redmine.replicant.us/projects...GalaxyBackdoor

juiceme 2014-03-13 07:59

Re: Security (NSA, Android app, any app, OS...)
 
It's only too bad this kind of backdoor cannot be prevented on devices that have modems that can directly access the device memory (all Qualcomm chipsets, that is...)

pichlo 2014-03-13 08:34

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by szopin (Post 1416506)

Dated 02/04/2014 06:57 PM? In the future? No wonder there is no response from Samsung yet! :)

Amboss 2014-03-13 14:18

Re: Security (NSA, Android app, any app, OS...)
 
maybe you misinterpreted something. My Browser (de_de) shows 4.2.2014 which is February 4th

peterleinchen 2014-03-14 06:39

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by juiceme (Post 1416529)
It's only too bad this kind of backdoor cannot be prevented on devices that have modems that can directly access the device memory (all Qualcomm chipsets, that is...)

Jolla that is, too! :(

juiceme 2014-03-14 07:44

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by peterleinchen (Post 1416678)
Jolla that is, too! :(

Yes, that is unfortunate.
If I had the possibility I'd want to stay clear of all Qualcomm products, but unfortunately we do not have that luxury :(

Originally Qualcomm was a spinout of US Defence industry, to commercialize the research done on CDMA technologies. Even today there are close ties between the defence contractors and US government three-letter-agencies.

RX-51 2014-03-14 11:24

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by szopin (Post 1416506)

Yesterday there was an update to the topic already stating
"Samsung Backdoor May Not Be as Wide Open as Initially Thought"

Quote:

Earlier today, we talked about how the Replicant team found a potential backdoor in Samsung’s proprietary radio software. As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.

A few hours after posting our previous article on the alleged backdoor, a highly respected security expert who wishes to remain anonymous approached us, stating that the way in which the proof-of-concept attack was framed by the Replicant team was a bit misleading. Essentially, it boils down to the POC requiring a modified firmware with security features disabled. Thus, if a user is running an updated version of the official firmware, this attack will not work. To that end, the Replicant team even states in their write-up that SELinux would considerably restrict the potential files that the modem can access, such as those on the /sdcard partition.

Now, another highly trusted security researcher (XDA Recognized Developer djrbliss) has gone on record with Ars, stating that there’s “virtually no evidence” that this is indeed a true backdoor, although his reasons are a bit different. There is absolutely no indication at this time that the baseband file access can be controlled remotely. Rather, this is only a “possibility,” since the baseband software is proprietary. Instead, it’s far more likely that this was only ever intended to write radio diagnostic files to the /efs/root directory, as that is the radio user’s home directory.

In summary, we shouldn’t rush to replace our Samsung phones just yet. There is absolutely no evidence to state that this can be controlled remotely. And even if it were possible, using SELinux, which is set to Enforcing in stock firmware, would restrict the radio user’s access.

pichlo 2014-03-14 11:37

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by Amboss (Post 1416571)
maybe you misinterpreted something. My Browser (de_de) shows 4.2.2014 which is February 4th

Where? My three browsers (MicroB, Firefox and now, just for the laugh, IE10) all show "Paul Kocialkowski, 02/04/2014 06:57 PM" near at the end, next to the link to the patch - as well on the top of the patch page. It's hard-coded in the page sources, not browser or locale dependent. Which was my point :)

szopin 2014-03-14 12:08

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by RX-51 (Post 1416711)
Yesterday there was an update to the topic already stating
"Samsung Backdoor May Not Be as Wide Open as Initially Thought"

Ehh... we accidentally left open a way to read all your files as root (when it came out 4 years ago on the galaxy S), just like this accidental comment in the code makes the encryption vulnerable and every other backdoor pretending to be a genuine slip. It's good that later firmwares leave only sdcard vulnerable somewhat patching the hole, but dismissing it based on no evidence of it being actually triggered remotely? I'll leave my tin foil hat on

Amboss 2014-03-18 16:52

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by pichlo (Post 1416713)
Where? My three browsers (MicroB, Firefox and now, just for the laugh, IE10) all show "Paul Kocialkowski, 02/04/2014 06:57 PM" near at the end, next to the link to the patch - as well on the top of the patch page. It's hard-coded in the page sources, not browser or locale dependent. Which was my point :)

The server probably does not locate you in North America it seems (the only place where month comes first). The hardcoded part is determined with your request prior to the receiving of the html code, that is when you send your request for delivery to the server. I have checked with MicroB, Firefox (both 17.0.9 ESR and 27.0.1) and IE9, all stating "Paul Kocialkowski, 04.02.2014 18:57"
Date representation has always been an issue (see https://en.wikipedia.org/wiki/Date_format_by_country for reference) when using slash as separator.

Dave999 2014-03-23 19:44

Re: Security (NSA, Android app, any app, OS...)
 
Scary **** indeed...a nice read though...

"The National Security Agency has built a surveillance system capable of recording “100 percent” of a foreign country’s telephone calls, enabling the agency to rewind and review conversations as long as a month after they take place, according to people with direct knowledge of the effort and documents supplied by former contractor Edward Snowden."

http://www.washingtonpost.com/world/...f19_story.html

pichlo 2014-03-23 22:18

Re: Security (NSA, Android app, any app, OS...)
 
Quote:

Originally Posted by Amboss (Post 1417480)
The server probably does not locate you in North America it seems (the only place where month comes first).

The point is that it DOES think I am in North America :) If the content is dynamically generated - and indeed what is presented to you would suggest that to be the case - then it is generated based on the wrong premise. You speak English? So you must be American! :)

Amboss 2014-03-25 14:34

Re: Security (NSA, Android app, any app, OS...)
 
See, it got me confused again. ;)


All times are GMT.