While Google, Microsoft, Apple and Facebook are busy bending knee to their government handlers and/or telling marketing departments what color underwear you have on, the incredibly smart and capable developers of the CyanogenMod aftermarket Android distribution are cooking up compelling and even potentially disruptive mobile privacy technologies.
In a blog post earlier today the CM development team described a new, opt-in service platform, available only to CyanogenMod users and still in dev/test, designed to support eavesdropping-proof end-to-end encrypted mobile applications, with a long-term goal of integrated secure SMS.
Developer Koush then shared in an ensuing Google+ post some of the technical design details of the first proof of concept application to leverage the new framework, a “find my phone” (locate/wipe) service to be dubbed CyanogenMod Device Finder.
Now, Google just earlier this month released their own version of such a service in the form of Android Device Manager. Android users who had previously been relegated to third-party apps for this purpose cheered the “better late than nothing” arrival of the native Google facility, matching similar services long offered by Apple and Microsoft for their respective mobile operating systems.
So why do we need another one? Because major providers’ security models are inherently technically deficient if you can’t trust the middleman. And lately, you can’t.
Koush explains the security model of CyanogenMod Device Finder:
The server never has your password. Your authentication is a derived password.
A public key is generated in the browser, and hmac’d with the actual password (unavailable to the server).
On a device find request, the Android device receives this public key, and validates it is authentic, as the Android device also has the same, underived/original, password.
The Android device sends back an encrypted symmetric key using the public key.
The server can not decrypt the symmetric key, as it does not have the private key.
The browser receives the encrypted payload, and decrypts the symmetric key.
The browser and phone at this point have a secure communication channel, and both sides have authenticated each other. The server is not capable of listening in. It merely provides a transport.
The browser then requests the device location (or requests a wipe) through this secure channel.
The result? As seen in firebug below, the data sent through the server is completely opaque.
This is how device finding should be done. You can not trust that a service will never be compromised. You can never trust that a service provider will not be subject to the will of a government request.
You can only trust that your data was secure from the service itself.
Let me detechnical that somewhat… skipping a lot for brevity…
When you use Android Device Manager to find your phone, you log into your Google Account, as you, in a web browser. From your browser window, you ask Google’s server to ask your phone for its location.
Google’s server pings your phone over the air via a service layer, Google Play Services, that operates silently on your phone. Google’s server authenticates to your phone. Your phone has been told it can trust Google’s server. That it should do what Google’s server says. That’s designed in. Your phone trusts Google’s server so it relays its location. Google’s server then passes the location back to your web browser, where it is presented to you.
Google’s server acts as a hands-on intermediary here. It has the information in the clear. Maybe it can pretend to be you and ask your phone where it is. Maybe someone would like to know where your phone is that’s not you. Someone who can pay or compel Google to reveal that information. Could someone want to do that? I don’t know. The point is, the trust model is open to abuse. The pipes are open.
When you use CyanogenMod Device Finder to find your phone, you log into your CyanogenMod Account, as you, in a web browser. From your browser window, you ask CyanogenMod’s server to create a communication path between you and your phone.
You and your phone know a secret password (that you set earlier), that CyanogenMod’s server doesn’t know and will never know. The server stands up the communication path in a series of steps that keeps it blind. It provides a channel but it can’t listen in. Trust and confidentiality are established end-to-end, between your phone and your browser window. The middle is opaque. At the end of the key exchange process your phone trusts you, and sends cleartext to you only.
When your phone sends its location, no agent in the middle can read it. No one can pick it up in transport. No one can initiate the tracking but you. No one can pay or compel the people operating the server to track your phone’s location via this facility without your knowledge or authorization.
Google, and the rest, have incentives to not protect your privacy in spite of everything they tell you. They make money from targeted advertising, backed by big data, your data, you’re the product, as I’m sure you’ve heard. They also operate at the whim of certain interests, interests that can hold their arm behind their back until they say uncle.
Apple deployed an eavesdropping-proof secure messaging application in 2012 and law enforcement has been tripping over itself to shut it down or get back door access ever since. Startup Silent Circle has just shut down its encrypted email service in response to or anticipation of government meddling.
CyanogenMod (in spite of being around for quite a while actually) is still like a startup in its infancy. It has incentives to create a quality product with features that people want and need so that its user base grows. It is built by a distributed community of volunteers and is completely open source and freely licensed. I couldn’t tell you what their business model or end game is or if they even have any money. They seem to be doing it out of genuine care for the cause. From the announcement:
* We have no interest in selling your data
* We cannot track you or wipe your device. We designed the protocol in such a way that makes it impossible for anyone but you to do that.
They’re just scratching the surface of a much bigger problem right now, but it’s a start. Piece by piece the whole paradigm can change, your privacy rights built in to more and more segments of the technology. These developers are undertaking extremely important, game changing work here that everyone can benefit from. And releasing it to the public for free in open source.
Don’t need this? Who cares if Google knows where your phone is? Privacy paradigms bore you? No problem. These innovations might just filter down to you, in time, and might benefit you, whether you realize it or not. There’s an exchange of ideas between official, reference Android and the modding community. That’s what open source is all about.
In the meantime, you can, and probably should, use Android Device Manager, as it’s the solution that exists right now, and you’ll be sad when you lose your phone and can’t find it.
But keep an eye on this.
Resources
CyanogenMod Account announcement