It’s called Alwari. An Android .apk that is side-loaded by the user and circumvents the ‘security’ of the PlayStore distribution method. Another hole poked into the Google schema of technology distribution.
I have contacted Ghost Security Group about their findings, and asked them a few questions about the encryption and other matters. But what you need to realize is that it is not difficult to implement encryption in your comms app. You don’t even need to understand how encryption works, just that it does, and the libraries for encrypted communication over open source platforms are available for anyone to use. I will outline…in hindsight…how our own lack of vision, or perhaps ignorance, incurred such an unfortunate consequence and looks to have been steered by our own choices.
I’ll explain why failures in the Google-Android business model compounded with cultural concerns for security and the misrepresentation of its importance by the media, but more importantly, I will demonstrate how legislative reactions and the causality in the demands for governance envisioned by the Federal Law Enforcement Community have made Android the platform of choice for terrorists.
ISIS gets appified
After monitored account ejections from Twitter (with the help of Ghost Security Group, who take credit for over 100K banned accounts), being banned from Telegraph after the Paris attacks, and knowing that compliance was recognized from WhatsApp developers at the direction of the United States Government and its demand for back-door channels that would be used as tools for monitoring real-time data transactions, ISIS is aspiring to be a member of the Google Developer community. The Islamic State has simply created its own encrypted communications platform, using the easiest, least expensive and most popular avenue they could find.
An on-line Counter-Terrorism team named Ghost Security Group, expatriates from the hacktivist group GhostSec.org, makes the claim that while the Alwari app might not have an encryption algorithm that is as sophisticated as the one deployed in Telegraph, there was a rudimentary encryption effort placed into its development. They also made some predictions based on what their findings yielded:
The encryption is not as robust as what you would find coming out of a company’s R&D labs, but it does stand to prove that they are making efforts to encrypt their own communications to some degree. I believe it would be safe to assume that the future of ISIS online may be apps
Identifying the enemy and giving it a name: The war on Encryption
When it comes to encryption, most security analysts I have spoken with are overwhelmingly in support of open standards in encryption. They will tell you that the reason open source schemes work is that they are publicly visible and they get tested: if they get broken they get fixed…and if they can’t be fixed they get dropped. Having more eyes on the scheme means more opportunity for it to be tested. However, some applications like Telegraph and possibly the Alwari app use roll-your-own crypto, or encryption methods built on schemes that are proprietary, and usually only as strong as the tape keeping everyone’s mouth shut about how the scheme was built. Whether or not open is more effective than home-spun cryptographic schemes is not the focus, because the important issue that we have to deal with is that the enemy is deploying electronic counter intelligence, and they are doing it to obscure their electronic transmissions to each other as they plot to kill you.
Now let’s analyze the platform they deploy it on, and why Washington has it wrong when it comes to the focus of national security pertaining to mobile devices, privacy and thinking the ‘back-door’ was even a solution to begin with.
ISIS Picks a Platform
It is open-source, and the reference documentation can be acquired by anyone, whenever they want it, from the AOSP website, without eyebrows being raised or attracting attention. It is popular. The Google technology distribution model is based on no-cost or low-cost features and software tools deployed on inexpensive hardware platforms. This distribution model favors rapid propagation, for a broad capture of market share, by eliminating the cost-of-acquisition objections that its competitors must handle. The strategy can be summed up by:
Give it away for free so there is no reason that anyone should say no. Saturate the market to place a choke hold on the competition. Figure out how (they) can make money on it later.
Google’s decision to retain Android Inc.’s vision of an open-source Android, but then to allow OEM partners like Samsung, HTC and Lenovorola to make it proprietary again once it was deployed, was once met with a “Hey! You shouldn’t let them do that!” response from the open source community.
Then, when the community learned that all of the Google Applications (which are required to ship on authorized OEM partner devices) were also proprietary, things began to make perfect business sense.
Google didn’t have a hardware manufacturing arm when the iPhone was announced, and when Steve Jobs showed the world the iPhone, and Andy Rubin informed Google of the resulting inadequacy of the first Android prototype in light of the Apple announcement, plans had to change. There was no way to rapidly engineer their own multi-touch hardware platform in a timeframe that would be conducive to competing with Apple at launch. And to get an assembly line and manufacturing operation stood up would take months.
While they didn’t think their current vision for an Android phone deployment could compete, they knew that the operating system could. But people don’t buy mobile phone operating systems. So they made Android ‘free’, and ‘sold’ it to any of the hundreds of smartphone hardware platform OEMs that would take it. Google promised tools like Maps and Search would be available to install on the end product, making their OS platform a value-added no-brainer when it came to sales in the B2C market.
Google got exactly what they wanted from the position in which they placed Android: hundreds of different hardware companies standing in line to get a free operating system stocked with free software, so they could in turn make money by selling what Google gave them for free. This idea…that easy profit could be made from free technology…is fallacious, but wouldn’t be realized until almost a decade later. But the fragmentation of Android would be an issue that consumers, Google and their OEM partners, lawyers, legislators, federal law enforcement…and terrorists would eventually become familiar with.
Hunting the wrong fox
This is only one half of the reason why Android makes the quintessential Terrorist Phone. What solidified the deal had to have been the way law-makers in the United States gained support in public opinion when the discussion of strong encryption came to the media spotlight, after the public berating of technology companies who would not provide back-doors because, they said, back-doors wouldn’t work for just the good guys.
The U.K. has legislation on the table that makes it lawful for the government to hack cell phones and extract data without the user’s or owner’s knowledge. New York is trying to ban any device from using strong encryption in their state. I’m sure the day when we see “Encryption free zone” signs is not too far away. I’m sure those who read them will comply.
Most people see the writing on the wall. Governments are going to pressure tech companies into installing the back-door access into all of their products. If they don’t, their products will become illegal to sell. The causality of Governments who dictate to businesses which products are sold to their consumers for the simple fact that they ‘guarantee’ privacy for the one person who commits a crime will result in one thing: The guarantee that no one will have a right to privacy.
ISIS chose Android for the security and obfuscation element they could benefit from in the resulting fragmented environment: the hundreds of different Android phones. The government must realize that ISIS will simply choose a different OEM if the back-door gets deployed. Samsung complied with the back-door? Move to HTC. HTC complied? Migrate to Huawei…and so on. There are almost one thousand smartphone makers across the globe and each has a number of different models. Is the U.S. Government going to be able to negotiate with each and every one of them to comply? Only one has to say no for the entire effort to fail. Let’s give them the benefit of the doubt and say there is now a backdoor in every one of the 6.97 billion cellphones with a data subscription:
Do they realize how simple it is to build a mobile computer?
Do we even have the number of personnel needed to monitor every app and each of the 6.97 billion cellphones needed to thwart an attack?
Is electronic counter terrorism even a priority?
Are our own systems secure enough that we can shift focus from those…to monitoring billions of law-abiding people across the globe?
The truth no one wants to talk about
A cursory analysis of the sobering situation this has become will yield an outlook that seems challenging for everyone: for government legislators across the globe, for tech companies, for the law enforcement community…even you and me. Challenging, but far from hopeless. It would certainly benefit from some leadership, vision and commitment to a priority.
Looking introspectively, here is why:
The system in place for granting clearances is in a serious situation
Last year, the Office of Personnel Management’s EQiP system was hacked. The result was that the data of millions of civilians and contractors employed by the Defense Department ended up compromised, including my own data, which means my family’s private data was also compromised. The EQiP system is the information system used to process SF86 security clearances, and because it was hacked and brought down, a shift to a paper-based pre-processing step was put in place…it went down for months. Last month, the Defense Security Service stopped processing security applications for candidates requesting an elevated clearance, including my own. This went on for about a month, but they are back to getting folks cleared. Why did they stop?
If the United States Federal Government is placing a priority on the security of this country and its citizens, how can the funding for the single point system for processing the nation’s security clearances…just stop?
The repository of data that the intelligence community is trying to process is backlogged…forever.
The NSA spent years collecting data that they can’t process because they don’t have the personnel to do it. Now, they are asking for access to more sources of data…6.97 billion more sources…so they can add to that ever-growing pile of unprocessed data that they don’t have enough people to process. They could throw money at it and hire people, but how are they going to get new employees the background checks they need for a security clearance? They could throw money at that too, except they already aren’t. In fact, they just stopped clearing people.
Now, I know I went to public school, but I was able to think for a few minutes before it really started to hurt and thank goodness I stopped before I swallowed my tongue. But those few minutes gave me the temporary ability to type the following:
If we don’t have the strength to process the data we currently have, which continues to pile up, and we can’t hire any new people to process that data because the single-point system we have for background checks and security clearances is vulnerable to remote attack and sometimes even stops running, for months, due to this country not being able to pay the bills:
How in the hell will opening up the data streams of 6.97 billion cellphones make this country more secure?