Google Changes the Rules, and that brings with it the end of the walled gardens.

A short news item on Late Night Linux episode 126 referencing this Public Security Announcement in r/privacytoolsIO on Reddit gave me a very rude awakening. It describes Google forcing application developers to hand over their package signing keys to Google so they can sign the packages on their behalf. This change was introduced along with the change from APK packages to the newer Android App Bundles (.abb) as of August, 2021.

So far I had followed the discussions around government-sponsored Trojans with a bit of a smirk. I imagined the delivery of such malware onto end user devices involved significant hardships such as getting physical access to the phone or tablet. Or possibly tricking the victim to download and sideload a boobytrapped app. Who'd possibly be so dumb...?

The Offensive Element of the App Store

What nearly got me to choke on my morning coffee was the revelation that in fact Google was now preparing a delivery mechanism that I like to call "micro-targetting", and that could be scaled out and automated. It works like this:

1. Joe User is required to register a Play Store account when activating his new Android phone. From then on the phone identifies against the app store using that saved information, which also includes information such as the mobile phone's IMEI (International Mobile Equipment Identification) and SIM data.

2. Applications are downloaded from the store, and the store app regularly checks for updates and installs them when available. It has highest system privileges, so can do whatever is necessary on the device without so much as getting permission from or giving notification to the user.

3. Now imagine Google receives a message from the friendly neighborhood Three Letter Agency requesting assistance with a certain suspect person. Based on IMEI and/or SIM data the suitable account(s) are identified. With the application author's signing key available to Google a specially-crafted package is generated and stored ready for the next update cycle from the phone, upon which this bundle is delivered and updated on the device.

4. The boobytrapped application works its magic. In many cases this will be used to create a copy of transmitted information before it's being encrypted by a secure messenger, or received information after it's been decrypted. This plain text and any attachments can be sent off to a command & control server for analysis. This is how government spies get around strong end-to-end encryption without actually breaking it.

5. The "special" application package can at any time be reverted back to the original version simply by placing the next, unmodified, update into the App Store queue.

So far application packages were available in statically signed form packaged by the author, and they were only available in a very small number of flavors - many times just a single one. Now, however, it is perfectly doable to offer for download highly customized builds that would target individual devices and their owners/users.

So this is bad. Really bad. Or, as a user on the original Reddit thread sums it up:

With this new capability you cannot trust the apps you receive from the Play Store, which is a lot worse than GMS' various tracking measures.

What About Apple?

I cannot say how they do it exactly, but here is a rather mumblespeak-y bit that they use their own code signing certificates: https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format?preferredLanguage=occ​

This is the part that worries me the most: "For apps that you distribute through the App Store [...], App Store Connect [...] re-signs the app using an Apple identity". I think this is broadly similar to what Google is doing.

Two Companies Doing the Same Thing?

Maybe. At almost exactly the same time? Hmm. Out of their own motiviation, and what exactly is that motiviation?

Call me a tinfoil hat but to me this smells like government "wishes". It's pretty clear the Five Eyes and their "friends" are laying down the law on Google and Apple to help in their fight against universal strong encryption, and they're going for the tremendous pot of gold that's waiting at the end of those two rainbows - billions of users and their data and communications.

Smartphones are universal and central to peoples' lives and everybody has been conditioned to welcome the security and convenience the app store walled gardens offer. After all Google has been discouraging sideloading from "unknown sources", while Apple has been actively removing the possibility from their phones altogether during the "jailbreak wars". Even if that has been done with the best of intentions (well...), it's proving worth a fortune to the agencies.

Summary

1. Treat the app stores of Apple and Google as compromised. There is no cryptographic security in them anymore.
2. Apps downloaded from the stores must be expected to have been tampered with. No app publisher can be sure that whatever is delivered via the stores is actually what they uploaded.
3. Modification of the apps can be tailored towards individuals through information such as device and SIM identification which is hard to falsify (try buying a SIM card without providing ID) and fairly static.
4. Secure encryption can be circumvented instead of broken, with minimal effort, and without having to deal with physical access to transmission infrastructure.
5. The process has been industrialized to scale out to any number of targets.
6. Traces can be easily made unseen.

Looking at this list it's high time to get rid of the Google and Apple ecosystems if you are interested in privacy.

Apple is a completely lost cause as you can barely do anything with the device disconnected from their mother ship.

Android at least stands a bit of a chance. Sideloading, formerly considered a security risk, is now almost inevitable but of course comes with its own set of downsides:

• Apps will be left without updates because people forgot they downloaded them.
• Questionable APKs can contain all kinds of malware and other modifications as there is no easy way to check them.
• Updates to the base services of the operating systems are either unavailable if all the ties to the manufacturers' updates are cut, or one runs the chance of getting unwanted modifications or additions as those channels are just as uncontrollable.

The Road Ahead

In the end, whatever we chose to do with Android and iOS devices won't really help. What will help is a new set of completely open devices, which run a free and open source operating system as well as services and applications. Essentially what Linux or BSD are offering on laptops and desktops, but extended to phones and tablets.

The Librem and PinePhone smartphones are a great first start, but are not yet daily driver-ready both from the hard- as well as software perspectives. But all our hopes must rest on this new type of device and application ecosystem.

Until then do not use smartphones for confidential communications or anything with privacy impact.