BADASS monitors smartphone apps

The Intercept has an interesting and detailed report on a joint GCHQ-CSE presentation on intelligence collection from smartphone apps (Micah Lee, "Secret ‘BADASS’ Intelligence Program Spied on Smartphones," The Intercept, 26 January 2015):

British and Canadian spy agencies accumulated sensitive data on smartphone users, including location, app preferences, and unique device identifiers, by piggybacking on ubiquitous software from advertising and analytics companies, according to a document obtained by NSA whistleblower Edward Snowden.

The document, included in a trove of Snowden material released by Der Spiegel on January 17, outlines a secret program run by the intelligence agencies called BADASS. The German newsweekly did not write about the BADASS document, attaching it to a broader article on cyberwarfare. According to The Intercept‘s analysis of the document, intelligence agents applied BADASS software filters to streams of intercepted internet traffic, plucking from that traffic unencrypted uploads from smartphones to servers run by advertising and analytics companies. ...

For spy agencies, this smartphone monitoring data represented a new, convenient way of learning more about surveillance targets, including information about their physical movements and digital activities. It also would have made it possible to design more focused cyberattacks against those people, for example by exploiting a weakness in a particular app known to be used by a particular person. Such scenarios are strongly hinted at in a 2010 NSA presentation, provided by agency whistleblower Edward Snowden and published last year in The New York Times, Pro Publica, and The Guardian. That presentation stated that smartphone monitoring would be useful because it could lead to “additional exploitation” and the unearthing of “target knowledge/leads, location, [and] target technology.”

The article notes that some of the apps discussed in the presentation have subsequently begun efforts to encrypt their communications. But it appears likely that many vulnerable apps remain.

In addition to Yahoo’s Flurry and Google’s AdMob, the BADASS presentation also shows that British and Canadian intelligence were targeting Mobclix, Mydas, Medialets, and MSN Mobile Advertising. But it’s clear that any mobile-related plaintext traffic from any company is a potential target. While the BADASS presentation focuses on traffic from analytics and ad companies, it also shows spying on Google Maps heartbeat traffic, and capturing “beacons” sent out when apps are first opened (listing Qriously, Com2Us, Fluentmobile, and Papayamobile as examples). The BADASS presentation also mentions capturing GPS coordinates that get leaked when opening BlackBerry’s app store.

The article also notes that

While the BADASS program is specifically designed to target smartphone traffic, websites suffer from these exact same problems, and in many cases they’re even worse.

Websites routinely include bits of tracking code from several different companies for ads, analytics, and other behavioral tracking. This, combined with the lack of HTTPS, turns your web browser into a surveillance device that follows you around, even if you switch networks or use proxy servers.

In other words, while the BADASS presentation may be four years old, and while it’s been a year and a half since Snowden’s leaks began educating technology companies and users about the massive privacy threats they face, the big privacy holes exploited by BADASS remain a huge problem.

The CSE part of the presentation, prepared by someone from CSE's Global Access directorate, appears to be the second part of the discussion (pages 22-58, entitled "We Know How Bad You Are At “Angry Birds”: Exploring and Exploiting Leaky Mobile Apps with BADASS (OtH)".