Open source OSes at bigger risk of spying?

by: J. Angelo Racoma, April 24, 2013
Who needs spyware when you can eavesdrop from next door?

Security experts are torn in their opinion of open source platforms. For some, open source platforms offer better security because these can be scrutinized for potential threats and attack points. To some, open source platforms are less secure because these can easily be manipulated toward a malicious entity’s gain. This is exactly the case with Android, or at least some analysts would like to think so.

In a speculative post at the Bronte Capital Blog, John Hempton opines that Android as a platform is at risk of being corrupted, simply because of the ease with which the software can be modified. Take for instance the example of China, where Android forks do not provide access to Google Play, the official Android app repository, for the simple reason that the government bans access to the service. As such, manufacturers offer apps through hundreds of other alternative app marketplaces. But try to think of it the other way around: there is a risk that developers can be manipulated into incorporating spyware into smartphones and tablets in this scenario.

Open source is a force for good or evil and in this case it was evil. Google could distribute “good Android” and the oppressive authorities could force their phone companies to distribute “bad Android”.

The clear solution here, of course, is to modify your Android device yourself, if you live in fear of being spied upon. You can root your device and install an alternative ROM, which could either be the stock ROM from the manufacturer or a custom one like CyanogenMod, AOKP or any other ROM from a reputable source. But rooting and ROM flashing are not for everyone, and only a very small minority of users are comfortable with even tinkering with their phones’ advanced settings.

We’ve heard time and again about Android being a target for malware, simply because of the ease with which users can be fooled into installing dubious APKs. Even Google Play has hosted malicious apps time and again before eventually removing these apps. Of course, we would rather attribute this to numbers (Android has become a big target because of the sheer size of its user base). But this one goes far deeper.

The premise of Hempton’s article is valid, although bordering on sensationalist, because he speculates that Android could be dominant in China because of its potential to be used as a platform for oppression. This means the Chinese government may be planting bugs and backdoors into the likes of MIUI, Baidu Yi or other Chinese Android derivatives. But would they need to? Chinese ISPs are already monitoring traffic and filtering anything that might be against the government’s liking. Heck, even American carriers and law enforcement agencies are likely to be doing this, to some extent, too. Oftentimes, we mobile users even betray our own privacy by posting too much on social networks, to the extent of geo-tagging our photos and posts.

If anything, this could be an aha moment for anyone interested in turning mobile devices into spying gadgets. If the Chinese government is adamant about spying on its citizens by embedding spyware in Android itself, then what’s stopping them from requiring manufacturing plants in China that produce smartphones to embed spyware in the hardware itself, including the infrastructure, even in devices meant for other markets?

Knowing that your ISP or government could be spying on you, what should you do then? If you’re not really doing anything wrong, then there might be no point in worrying too much, unless you have something to hide. And if you’re doing something potentially subversive (or illegal) with your mobile device, then you should at least consider using encryption apps like Silent Circle.

It’s not Android, per se, that’s a privacy and spyware risk. The open-source nature makes it an easy target, but by no means the only one.

  • freedomspopular

    “If you’re not really doing anything wrong, then there might be no point in worrying too much…” Pretty much one of the biggest misconceptions ever, and it’s pretty disappointing to see it being peddled on a “professional” site.

  • Mike A

    Good article. You make a good point about the Chinese government spying on its own people, and it’s not that big of a leap for them to try to use a company like Huawei to do that to other countries’ people. After all, knowledge is power.

    On the other hand, illegal or not, we all have stuff we want to hide. It’s called personal things, and one should not be able to spy on you and use it against you. My personal life is my business and no one else’s.

    • APai

      But the Chinese government would spy on its citizens regardless of the OS! So the claim of anyone saying closed source is better is bollocks.

  • Mike Reid

    Open source tends to be more secure. But nothing will ever be completely secure.

    Hackers sell “0 day exploits” to intelligence agencies, and they tend to target what makes them the most money. Windows, windows apps, and iPhone are among the top paying targets.

  • APai

    …sounds like FUD

  • Does anyone remember Blackberry and Saudi Arabia? Blackberry and India? Closed source and openly allowing spying by any Government that threatens a ban.

  • SamsaraGuru

    Another good reason not to buy anything made in communist China – remember this is the country that will copy anything good it can; steal anything that isn’t nailed down and hack anyone and anything it thinks has anything of value worth stealing.