Wednesday, Aug 22, 2018 | Last Update : 10:29 AM IST

‘Spyware’ apps in your phone pose a big risk

Published : Feb 6, 2018, 1:22 am IST
Updated : Feb 6, 2018, 1:23 am IST

This isn’t the first time apps have rung alarm bells in security circles.

This then is the brave new world of global surveillance; one where our very phones can be used to compromise us.
 This then is the brave new world of global surveillance; one where our very phones can be used to compromise us.

Health freaks can be quite a pain. You know the type: they turn up their nose at nihari, count their calories and crusade against carbohydrates. Given half a chance they’ll bore you with tales of their gym exploits, preach the cult of CrossFit and the benefits of boot camp, all the while counting steps on their accursed Fitbits. Because, much like vegans, they seem to feel that it’s not enough to simply practice; one must also preach. And of course, it’s no fun just competing against yourself: thanks to fitness apps that record and share the details of your workout, you can now show off your regimen to virtual strangers. Which brings us to the latest: while fitness evangelists have always been annoying, now they’re a bona fide security threat.

Take the online fitness tracker Strava: Using your mobile phone’s GPS and also data from other fitness devices like Fitbit and Jawbone, it publishes “heat maps” showing the routes taken by its users as they jog, walk or bicycle, with the more frequently used routes showing up as brighter lines.

Now that’s fine when it comes to a public park or jogging track, but less so when it comes to military bases like the Bagram airbase in Afghanistan. A nerve centre of US operations in the Forever War, Bagram has been targeted by the Afghan Taliban, insider attacks and espionage, but now it seems that the latest security threat comes from jogging US military personnel sharing their location data with the world.

When you look at the map, you can tell which routes in the bases are used most frequently, and can even work out which nearby roads are more frequently patrolled — useful information for attackers and infiltrators. A similar problem was seen in the US forward bases in Helmand, and the base at Tanf in Syria. By contrast, few lights show up on Russian bases and none on Iranian bases in Syria: apparently being less wired has its upside. Moreover, a hacker who accesses Strava’s data can also potentially track individual users and — if they happen to be military personnel — can come up with a fairly accurate picture of military deployment schedules.

This isn’t the first time apps have rung alarm bells in security circles. The Pokemon Go! fad sparked similar concerns in China, the US and Israel — to name just three countries. The Israeli army banned soldiers from playing Pokemon Go for fear that they could inadvertently expose military secrets — given that the app requires access to users’ locations and camera there are real concerns that soldiers hunting Pokemon on a military base could very well give away crucial information.

The US, for its part, also warned military personnel of the dangers and also cautioned them to make sure they had installed the original game, and not one of the many counterfeit apps that one can find on the internet — bootleg versions of popular apps like WhatsApp, for example, which are riddled with spyware and malware that can allow access to your personal data.

In the Ukraine conflict, it was reported that Russian hackers developed a “poisoned” version of a Ukrainian military app used for processing targeting data for a weapon called the D-30 Howitzer.

Currently the most dangerous spyware masquerading as an app is considered to be Chrysaor, developed by Israeli firm NSO Group Technologies. Discovered by researchers at Google and Lookout, it can hack users’ cameras and microphone, as well as track calls, messages and internet history.

But even if you’re using original apps and being careful about not displaying your location or allowing those apps access to your camera, you’re still streaming tons of information about yourself to anyone with a capability of tapping that stream.

And the world’s top intel agencies very much have that capability: according to classified documents leaked by whistleblower Edward Snowden America’s National Security Agency and the UK’s Government Communications Headquarters have spent billions developing the ability to scoop up user data from commercially available apps like Angry Birds — mining metadata and user submitted profile data — allowing them to develop accurate profiles of users (including their political affiliations) and even potentially track their movements.

This then is the brave new world of global surveillance; one where our very phones can be used to compromise us. For militaries and governments across the world it poses a new challenge to operational security and also provides an opportunity for the more technologically advanced. It’s not just loose lips that can sink ships anymore.

By arrangement with Dawn

Tags: fitbit, pokemon go, spyware