by mikegerwitz 3500 days ago
You cannot have privacy and security without free/libre software. While such doesn't guarantee privacy or security, operating systems that make an effort to build the system entirely from source without any proprietary components are much less likely to have a problem like this slip through the cracks of a large, active development community.

Unfortunately, currently the only Android operating system to do this is Replicant, which has terrible hardware support and---due to the sorry state of affairs for mobile---lacks many features requiring proprietary drivers. Cyanogenmod stops short, but would still make situations like this much more difficult.

Even if you don't subscribe to the principles of software freedom, please consider helping out the Replicant project if you know enough about the operating system. I use a Replicant device (S3) and I'd love to see others working to get version 6 out:

http://blog.replicant.us/2016/08/replicant-6-early-work-upst...

We also need reproducible builds of the operating system and its software---again, something that cannot be done without a fully free/libre OS.

Despite increased surveillance on such a vulnerable and enticing target, this doesn't get enough emphasis.


Regarding more secure versions of Android, what are your (or anyone's) thoughts on the following?

* CopperheadOS

* OmniROM

* PrivatOS, on Silent Circle Blackphones AFAIK

* The version on Blackberry Priv phones


I've also come across these, but don't know much about them:

* Cryptogenmod: I'm not sure this project ever went anywhere

* Chamelephon: http://chamelephon.com/

* GuardianROM: Discontinued?

* KeyROM by Mocana: Seems aimed at businesses that need secure Android. https://www.mocana.com/iot-security/keyrom

* Privacy phone by FreedomPOP: https://www.freedompop.com/theprivacyphone


And a couple probably not available to the public:

* OK:Android by General Dynamics: http://gdmissionsystems.com/cyber/products/trusted-computing...

* The OS on Boeing Black smartphones: http://www.boeing.com/defense/boeing-black/index.page

That's the old open source argument.

And while many things could most certainly be discovered by extensive, costly audits that someone has to pay for...

OS code bases are huge.

How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?

How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?

Not very, I think.

If someone puts an Android fork online, who has the time to go through the changes to discover something like this?

Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.

If you don't build the hardware yourself, component by component (assuming that the components themselves are trustworthy), and audit every single LOC in the OS, something can always slip by.

The source code is not the only condition for security. However, it drastically decreases the threshold for the audits. People can even make a crowdfunding campaign and pay professionals, like it was done with TrueCrypt.

But even without such a campaign, evil developers would be in constant danger that someone may discover a backdoor. It is a very unstable situation: just one person is enough to make a lot of noise, and everyone could be this person. And yes, people do read the sources:

https://www.fsf.org/blogs/community/who-actually-reads-the-c...

It's all about defense in depth:

https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...

> That's the old open source argument.

Indeed, so it's unfortunate that it doesn't get more discussion in situations such as these.

> How difficult would it be to hide functionality like this in some obscure code that's camouflaged as something else?

More difficult than it would be with proprietary software, where anyone at any time can add malicious code that may never even be discovered over the lifetime of the device.

Free software doesn't prevent malicious actors from contributing malicious code, but it certainly improves chances. It also makes such a move very risky. Just as laws are a deterrent for many crimes, so is public scrutiny.

> How hard would it be to automatically install an app that does this after first boot, disguised as some self updating or analytics feature?

In a fully free OS, this app would have been built from source. So the same arguments apply.

> If someone puts an Android fork online, who has the time to go through the changes to discover something like this?

Again, it improves chances. Here's a good example from Replicant:

http://redmine.replicant.us/projects/replicant/wiki/SamsungG...

> Also, such features could even easily be placed on a tiny, dedicated chip inside the phone, completely apart from the OS.

Sure, but that's not an excuse to throw our hands up and not worry about the security of the software running on it. The OS might even be able to itself mitigate certain things (e.g. the Samsung backdoor mentioned above).

This issue also exists on PCs:

https://libreboot.org/faq/#intelme

The promise of reproducible builds divides-and-conquers the system, allowing us to validate individual components. From there, we need to be concerned about how well the source code for each component is managed.

Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk.

Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.
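As an added illustration of the reproducible-builds point made in the thread (this is example code, not from the thread, Replicant or any project named above), the sketch below packages a constructed source tree the naive way and the deterministic way, then checks per component whether independent builders produced the same digest. The component names, builder clocks and source files are all constructed.

```python
import hashlib
import io
import zipfile

# Constructed source trees for two hypothetical components.
SOURCE_TREES = {
    "component-a": {"src/main.c": b"int main(void) { return 0; }\n",
                    "src/util.c": b"int helper(void) { return 42; }\n"},
    "component-b": {"lib/core.c": b"int core(void) { return 1; }\n"},
}

def build_component(files, build_time, deterministic):
    """Package a source tree into a zip 'artifact' and return its SHA-256.
    A naive build embeds the builder's wall clock in every entry, so two
    honest builders disagree and nothing can be compared. A deterministic
    build pins the timestamp (the SOURCE_DATE_EPOCH idea) and sorts the
    entries, so any two builders of the same source agree byte for byte."""
    buf = io.BytesIO()
    names = sorted(files) if deterministic else list(files)
    stamp = (1980, 1, 1, 0, 0, 0) if deterministic else build_time
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return hashlib.sha256(buf.getvalue()).hexdigest()

def verify_reproducible(component_digests):
    """component -> {builder: digest}. Return the components whose
    independent builders disagree; an empty list means every component
    was reproduced, so a divergent artifact would stand out on its own."""
    return sorted(name for name, by_builder in component_digests.items()
                  if len(set(by_builder.values())) != 1)

def audit(trees, builder_clocks, deterministic):
    """Have each hypothetical builder build every component and report
    the components that could not be independently reproduced."""
    digests = {name: {builder: build_component(files, clock, deterministic)
                      for builder, clock in builder_clocks.items()}
               for name, files in trees.items()}
    return verify_reproducible(digests)

# Two builders with different clocks (constructed values).
BUILDERS = {"builder-1": (2016, 8, 1, 12, 0, 0),
            "builder-2": (2016, 8, 2, 9, 30, 0)}

if __name__ == "__main__":
    print("naive builds disagree on:", audit(SOURCE_TREES, BUILDERS, False))
    print("deterministic builds disagree on:", audit(SOURCE_TREES, BUILDERS, True))
```

With deterministic packaging the audit returns an empty list; with naive packaging every component is flagged, which is exactly why a timestamp leaking into the artifact defeats the divide-and-conquer verification described above.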