Image caption: GCHQ in Cheltenham, Gloucestershire (Ministry of Defence/Wikipedia)

On Monday, the latest Edward Snowden leaks revealed GCHQ and the National Security Agency were targeting specific mobile applications in their attempts to gather information on intelligence targets. Exploited apps included Google Maps and Rovio's Angry Birds.

The leaks highlighted the innumerable ways applications can be exploited by outside actors. Yet the reports did not go into detail on the many weaknesses resident in some of the world's most popular applications and how exactly hackers find those weaknesses to pilfer information from devices, whether they're based on Google Android, Apple iOS or other platforms.


Here's how the NSA and others can use freely available software, documented and undocumented vulnerabilities, and surreptitious techniques to siphon off people's data from their smartphones in relatively trivial ways. Head to the bottom for some tips on avoiding the snoops too.

Hunting for flaws


The first step for an attacker is to find vulnerabilities. One of the trickiest but most effective ways of finding usable flaws is reverse engineering. This involves picking apart the app's code.

Certain disassembler and debugger tools are available to help with this, such as IDA Pro.


A less onerous and considerably more popular technique is "fuzzing", automated probing of software for weaknesses.

Penetration testing frameworks, such as the much-loved Metasploit, are used by legitimate pentesters and snoops alike to fuzz software. They monitor the output of apps to uncover data being transmitted in plaintext that should be encrypted.
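The "automated probing" the article describes is easiest to see on a small scale. The block below is an added example, not code from the article or from Metasploit: a minimal mutation fuzzer run against a constructed toy record parser that trusts a declared length field (a deliberate bug for the demo), beside a corrected parser that rejects the same inputs cleanly. It assumes nothing beyond the Python standard library; the record format, the seed input and the bug are all invented here.

```python
import random


class ParseError(ValueError):
    """Raised for inputs the parser rejects on purpose (not a crash)."""


def parse_record(data: bytes) -> dict:
    """Constructed toy format: 1 byte type, 1 byte length, then payload.

    Deliberate bug for the demo: the declared length is trusted, so a short
    payload makes the checksum step index past the buffer (IndexError).
    """
    if len(data) < 2:
        raise ParseError("truncated header")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    checksum = payload[length - 1] if length else 0
    return {"type": rtype, "payload": payload, "checksum": checksum}


def parse_record_fixed(data: bytes) -> dict:
    """Same format, but the declared length is checked against what was received."""
    if len(data) < 2:
        raise ParseError("truncated header")
    rtype, length = data[0], data[1]
    payload = data[2:2 + length]
    if len(payload) != length:
        raise ParseError("declared length exceeds buffer")
    checksum = payload[-1] if length else 0
    return {"type": rtype, "payload": payload, "checksum": checksum}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, truncate, or append junk."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and len(data) > 1:
        data = data[:rng.randrange(1, len(data))]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1) -> list:
    """Feed mutated inputs to the parser; record anything that is not a clean rejection."""
    rng = random.Random(rng_seed)  # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ParseError:
            continue  # expected: the parser said no
        except Exception as exc:  # anything else is a bug worth triaging
            crashes.append((case, type(exc).__name__))
    return crashes


SEED = b"\x01\x03abc"  # constructed valid record: type 1, length 3, payload "abc"

if __name__ == "__main__":
    print(f"buggy parser: {len(fuzz(parse_record, SEED))} crashing inputs")
    print(f"fixed parser: {len(fuzz(parse_record_fixed, SEED))} crashing inputs")
```

Real fuzzers add coverage feedback and corpus management, but the loop is the same: mutate, run, keep whatever the target did not reject deliberately. Running it against your own parsers before release is the defender's version of what the article describes.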



To look for this lack of encryption, attackers can set up a proxy server to view traffic coming and going from the phone.


Helpful software like Burp Suite allows the attacker to do this, viewing every message sent and received by the application and, more importantly, to play with those messages. DroidBox for Android, or Cycript and Snoop-it for iOS, are also helpful for this kind of dynamic analysis.

What's particularly interesting from this week's NSA leaks is that ad networks are specifically mentioned. Many supply code for millions of free apps and transmit data over HTTP, not HTTPS, leaving information in transit unencrypted. These ad networks also allow for certain actions to take place over HTTP, using what is known as a JavaScriptInterface. That means anyone sitting on the same network as a user could take photos, read and write applications and record audio on victims' devices.

Other hugely popular apps have been guilty of mixed SSL, where some traffic is encrypted but other bits are not. A serious WhatsApp vulnerability uncovered last year saw the massively popular messaging tool sending messages between the app's browser, which launches when payments are initiated, and the software maker's server unencrypted.
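The two problems just described, ad SDKs and payment flows talking plain HTTP and "mixed SSL" hosts that serve some requests encrypted and some not, are exactly what a reviewer looks for in a proxy capture. The block below is an added example, not code from the article or from Burp Suite: it runs a simple audit over a constructed log of requests (the `.invalid` hostnames and parameters are invented for the demo, and the "METHOD URL [body]" line format is an assumption about how the capture was exported), flagging credential-like parameters sent over cleartext HTTP and hosts seen over both schemes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never travel over cleartext HTTP.
SENSITIVE_PARAM = re.compile(r"(pass|pwd|token|session|imei|android_id|auth|secret)", re.I)

# Constructed proxy log (not real traffic): "METHOD URL [body]", one request per line.
SAMPLE_LOG = """\
GET http://ads.example.invalid/v1/show?android_id=ab12&app=game
POST https://api.example.invalid/login user=alice&password=hunter2
GET http://api.example.invalid/pay/confirm?session=9f8e7d
GET https://maps.example.invalid/tiles?z=12&x=2045&y=1361
"""


def parse_line(line: str) -> dict:
    """Split one log line into scheme, host, path and the merged query/body parameters."""
    parts = line.split(" ", 2)
    method, url = parts[0], parts[1]
    body = parts[2] if len(parts) == 3 else ""
    u = urlsplit(url)
    params = {**parse_qs(u.query), **parse_qs(body)}
    return {"method": method, "scheme": u.scheme, "host": u.hostname,
            "path": u.path, "params": params}


def audit_proxy_log(log_text: str) -> list:
    """Return (kind, host, path, params) findings for cleartext leaks and mixed transport."""
    findings = []
    schemes_by_host = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        schemes_by_host.setdefault(req["host"], set()).add(req["scheme"])
        if req["scheme"] == "http":
            leaked = sorted(k for k in req["params"] if SENSITIVE_PARAM.search(k))
            if leaked:
                findings.append(("cleartext-sensitive", req["host"], req["path"], leaked))
    # A host that answers over both http and https is the "mixed SSL" case.
    for host, schemes in sorted(schemes_by_host.items()):
        if {"http", "https"} <= schemes:
            findings.append(("mixed-transport", host, None, None))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_log(SAMPLE_LOG):
        print(finding)
```

The password in the sample is not flagged because it travels over HTTPS; the device identifier and the payment session are, because they do not. On the app side, the fix is to refuse cleartext outright rather than to audit for it after the fact.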

Another common flaw in mobile apps is unencrypted storage of critical data. This was recently seen in the Starbucks iOS app, where the software crash log contained the user's unencrypted password. To find unencrypted information storage, hackers will often root, or jailbreak, a device, before using tools like SQLite Database Browser to probe for unprotected databases. "Most applications store data on your device. Sometimes it's nothing special, sometimes it's the login for your bank account," says pentester Edd Hardy, from security consultancy Hut3. "You would think that everything would be encrypted, often it's not. It's not unusual for us to find passwords and private documents hidden in an SQLite database. If you can access the database, then you can take the data."
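Hardy's point that "if you can access the database, then you can take the data" is easy to turn into a routine check before an app ships. The block below is an added example, not code from the article or from Hut3 or Starbucks: it builds a constructed in-memory SQLite database standing in for an app's on-device storage (the schema and rows are invented here, not any real app's), then audits it for columns and preference keys with telling names, reporting whether each stored value is plaintext or at least looks like a digest.

```python
import re
import sqlite3

# Column names (or preference keys) that usually hold material an attacker wants.
SENSITIVE_NAME = re.compile(r"(pass|pwd|secret|token|pin|cvv)", re.I)
# Long hex strings are probably digests rather than the raw secret.
HEX_DIGEST = re.compile(r"^[0-9a-f]{40,}$", re.I)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for an app's SQLite file (not a real app's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefs(name TEXT, value TEXT);
        CREATE TABLE accounts(id INTEGER, username TEXT, password TEXT, auth_token TEXT);
        INSERT INTO prefs VALUES ('theme', 'dark'), ('card_pin', '1234');
        INSERT INTO accounts VALUES (1, 'alice', 'hunter2',
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855');
    """)
    return conn


def classify(value) -> str:
    return "looks-hashed" if HEX_DIGEST.match(str(value)) else "plaintext"


def audit_db(conn: sqlite3.Connection) -> list:
    """Return (table, name, kind) for every non-empty secret-looking value found."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        # Case 1: the column name gives the game away (password, auth_token, ...).
        for col in cols:
            if SENSITIVE_NAME.search(col):
                for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                    if val not in (None, ""):
                        findings.append((table, col, classify(val)))
        # Case 2: a key/value table (SharedPreferences-style), where the secret's
        # name is a row value rather than a column name.
        kv_key = next((c for c in cols if c.lower() in ("name", "key")), None)
        kv_val = next((c for c in cols if c.lower() == "value"), None)
        if kv_key and kv_val:
            for name, val in conn.execute(
                    f'SELECT "{kv_key}", "{kv_val}" FROM "{table}"'):
                if SENSITIVE_NAME.search(str(name)) and val not in (None, ""):
                    findings.append((table, name, classify(val)))
    return findings


if __name__ == "__main__":
    for finding in audit_db(build_sample_db()):
        print(finding)
```

The same audit works on a real `.db` file pulled from a test device by passing its path to `sqlite3.connect`. A "looks-hashed" result is only a weaker finding, not a clean one: a long-lived token is still usable as-is if it is stored unencrypted.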


Taking data

After finding a flaw, the attacker needs to develop an exploit -- the method that will let them make off with the target's data. Not all vulnerabilities can be exploited in a meaningful way.

For Android and iOS, exploits designed to carry out actions on a user device, such as nabbing contact information, will often have to be "chained", where a number of linked flaws are exploited. This is so the attacker's code can jump out of sandboxes, which run the app in an emulator to check what it's doing and to see if it's dangerous. Security researchers have found this easier to do on Android, due to its open nature, where apps communicate more openly with one another.


Yet where proper encryption is not used by an application, as is often the case in mobile apps, it is trivial to acquire interesting information with "man-in-the-middle attacks". This involves the attacker sitting on the same network as a user and intercepting traffic. That can either be achieved by logging onto the same unprotected Wi-Fi network as a target, or doing something sneakier, like setting up a fake Wi-Fi network. Often this is done by providing it with an SSID of a popular outlet, such as a café chain, or a name like "BT Wi-Fi" that people will inherently trust.


Hackers have also used cellular boosters, otherwise known as repeaters, as a kind of proxy to intercept app communications.

Indeed, this is something many suspect intelligence agencies to be doing frequently. As long as the rogue booster provides a stronger signal than the cellular tower operated by the mobile service provider, devices will automatically bind to them, sending their traffic through them.

Once on the same network, attackers can view all information being passed around in unencrypted fashion. They can do more than just scoop up information like passwords or bank data, however. "It's not just about taking the data, if we can modify data we often find we can escalate privileges, e.g. become an admin user or get into someone else's account," says Hardy. "Something as simple as changing a variable called ADMIN from 'no' to 'yes' can have worrying effects."
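Hardy's ADMIN example is a server-side trust problem as much as a transport one: if the backend reads the role from the request, anyone who can edit the request can edit the role. The block below is an added example, not code from the article or from Hut3: a request handler that trusts a client-supplied `ADMIN` parameter beside a corrected handler that derives the user from an HMAC-signed session token and looks the role up in a server-side table. The handler shape, the demo key and the user table are all invented here; a real service keeps its signing key in a secret store, not in source.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"      # placeholder; never a literal in real code
USERS = {"alice": "user", "bob": "admin"}  # constructed role table, server-side only


def handle_vulnerable(params: dict) -> dict:
    """Trusts a client-controlled flag: flipping ADMIN=no to ADMIN=yes in transit escalates."""
    role = "admin" if params.get("ADMIN") == "yes" else "user"
    return {"user": params.get("user"), "role": role}


def issue_token(username: str) -> str:
    """Server-issued session token: base64(JSON payload) + '.' + HMAC-SHA256(payload)."""
    payload = base64.urlsafe_b64encode(json.dumps({"user": username}).encode()).decode()
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str):
    """Return the username if the signature is valid, else None. Tampered payloads fail."""
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["user"]


def handle_hardened(params: dict, token: str) -> dict:
    """Identity comes from the signed token, the role from the server; params are ignored."""
    username = verify_token(token)
    if username is None:
        return {"error": "invalid session"}
    return {"user": username, "role": USERS.get(username, "user")}


if __name__ == "__main__":
    tampered = {"user": "alice", "ADMIN": "yes"}
    print("vulnerable:", handle_vulnerable(tampered))
    print("hardened:  ", handle_hardened(tampered, issue_token("alice")))
```

The hardened handler is still only as good as its transport: a token sent over plain HTTP can be replayed by the same on-path attacker, which is why the signed session and HTTPS have to go together.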

As SSL certificates, which are used to check for legitimate encryption between devices and servers, are infrequently checked by mobile applications that do actually use HTTPS, it is easy to toy with supposedly secure connections between the app and the web portal or application provider, notes Gunter Ollmann, CTO of security research and consultancy firm IOActive. "This technique is used to great effect in altering mobile banking transactions by professional organised crime entities in Eastern Europe and South East Asia," he says.

Given internet service providers are apparently in bed with intelligence agencies and technology providers, exploits could be carried out right back at the ISP level. "While much discussion has been made of rogue applications appearing in the app stores, it is important to note that the telecom providers themselves have the default ability to remotely install and remove software from their customers' phones. Given the right authority, a telco can 'push an update' to phones (selectively or en masse)," says Ollmann.


Protecting yourself

The depressing takeaway from all this is that many mobile applications don't protect your information effectively. If you want to share something, away from the prying eyes of intelligence agents and digital crooks, don't use popular mobile apps. "Don't trust companies to store your data securely. If it's really private or important data, don't upload it to your phone or the internet," recommends Hardy.

Do not use mobile banking applications or play online games that provide in-game purchases when connected to untrusted Wi-Fi connections, and do not let your phone "remember" your Wi-Fi connections.


Even updating an application on untrusted Wi-Fi networks is a bad idea. "Given the intricacies of DNS answers and latency of WiFi networks, attackers on the same local Wi-Fi network can always answer DNS lookup responses faster than the legitimate internet services -- which means they can re-route internet traffic to destinations they select, and can provide counterfeit services," warns Ollmann.

Users should not accept certificates that their phone doesn't trust either. "No legitimate company should ask you to accept a self-signed certificate," adds Hardy.
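Ollmann's observation earlier that apps using HTTPS often never check the certificate, and Hardy's advice here never to accept a self-signed one, are two sides of the same setting. The block below is an added example, not code from the article, IOActive or Hut3: it shows a TLS client context configured the way a non-checking app effectively behaves, the corrected context beside it, an audit function that reports which checks a context is missing, and a certificate pin helper of the kind an app ships so that even a "trusted" but wrong certificate is refused. It uses only the Python standard library; the pinned bytes in the usage are constructed, not a real certificate.

```python
import hashlib
import hmac
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak setting: a client that accepts any certificate, self-signed or forged."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_client_context() -> ssl.SSLContext:
    """The corrected setting: chain validation, hostname check, no legacy TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """List the reasons a context would accept a forged or self-signed server certificate."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions permitted")
    return findings


def certificate_pin(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the value an app ships as its pin."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the presented certificate against the shipped pin.

    In a live connection der_cert would come from SSLSocket.getpeercert(binary_form=True)
    after the normal chain check has already passed; the pin is an extra gate, not a
    replacement for verification.
    """
    return hmac.compare_digest(certificate_pin(der_cert), pinned_hex)


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("secure:  ", audit_context(secure_client_context()))
    fake_der = b"constructed-not-a-real-certificate"
    print("pin ok:  ", pin_matches(fake_der, certificate_pin(fake_der)))
```

Pinning the whole certificate means the pin rotates with every renewal; pinning the public key (SPKI) is the more common production choice, but needs a certificate parser and is the same idea.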

In a world where attacks at ISP level are feasible, if you want to stay private, be distrustful, be aware and know your enemies.