Unveiling the Samsung Galaxy back-door

Yesterday, we disclosed our findings about the Samsung Galaxy back-door, an anti-feature found in Samsung Galaxy devices that lets the modem access the files stored on the device. For a complete statement about the issue, you can refer to the article we published at the Free Software Foundation’s website. A technical description of the issue is available on a dedicated page of the Replicant wiki, along with more information regarding the back-door.

The news spread very quickly, and we are glad the press is taking an interest in matters such as privacy and unjust control over one's computing. This demonstrates once again why free software is essential and how a single piece of proprietary software can compromise a whole device.

We have yet to hear from Samsung about this issue; we hope the reason for the presence of this back-door will be clarified. We would be very glad to work with Samsung to make things right, for instance by releasing free software or documentation that would make it easy for community Android versions to get rid of the offending blob.

Update: Several sources, including Samsung, claim this is a non-issue. A complementary statement addressing these claims was issued on Paul Kocialkowski's personal blog.

Replicant 4.2 kicks out!

We've been working very hard over the past few months to bring Replicant to a newer Android version: the work started when CyanogenMod released version 10.1.3, based on the latest Android 4.2 code, back in September 2013. Bringing Replicant to a new Android version is a really big piece of work, especially given that the project has only one active developer (though we hope to see more people getting involved in the future)! The biggest motivation for the new version is to allow us to port Replicant to newer devices that were not supported by Android 4.0, on which Replicant 4.0 is based. Aside from that, Replicant 4.2 also brings the various improvements that come with Android 4.2 and CyanogenMod 10.1.

All the devices that were supported by Replicant 4.0 were successfully ported to version 4.2, but some devices encounter serious slowness issues that are yet to be resolved. On the bright side of things, support for a new device was added, the Galaxy Note 2 N7100, which is mostly similar to the already supported Galaxy S 3. That was only made possible thanks to the generous donations that were made to the project, which enable us to buy devices for the current developer to work on. We are looking forward to adding support for even more devices in the future as well! Our wiki was updated to reflect the status of the supported devices as of the Replicant 4.2 release and features updated installation and usage guides. The Replicant SDK was also updated and is available for download.

The Replicant website and wiki were also cleaned up a bit during the preparation of this release. Our blog will now only be used for posting updates about the project, while our wiki holds the core information about Replicant. As a reminder, please do not use the comment section of this blog to ask general-purpose questions; use our forums or mailing list instead!

This release also puts the emphasis on security: given the recent concerns raised about wide-scale surveillance by governments and certain companies, we thought it would be good to make Replicant more bullet-proof. The Replicant 4.2 images for devices are now userdebug builds, which ensures a better level of security; the shipped system applications are signed with our own private keys, for which we provide the certificates; and the releases are signed with our very own GPG release key. We encourage you to check the authenticity of Replicant images or binaries before installing anything you downloaded!
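The check we ask for above, as an added example that is not part of the original post and not Replicant's own release tooling: verify a downloaded image against its detached GPG signature before flashing it, and pin the release key's fingerprint rather than trusting gpg's exit status. It assumes a GnuPG 2.1 or later `gpg` binary on PATH; the real release key, download URLs and signature file names are not hard-coded, and `demo()` uses throw-away keys and a constructed stand-in image instead.

```python
"""Added example, not Replicant's own release tooling: check a downloaded
image against its detached GPG signature before flashing it, pinning the
release key's fingerprint instead of trusting gpg's exit status alone.

Assumptions: a GnuPG >= 2.1 'gpg' binary on PATH. Replicant's real release
key, download URLs and signature file names are not hard-coded here;
demo() generates throw-away keys and a constructed image to stand in for them.
"""
import os
import shutil
import subprocess
import tempfile


def run_gpg(args, gnupghome):
    """Run gpg in an isolated keyring and return (exit status, output lines).

    --status-fd makes gpg report results as machine-readable '[GNUPG:] ...'
    lines; parsing those is the supported way to script gpg, unlike grepping
    its localized human-readable messages.
    """
    env = dict(os.environ, GNUPGHOME=gnupghome, LC_ALL="C")
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--status-fd", "1", *args],
        env=env, capture_output=True, text=True,
    )
    return proc.returncode, proc.stdout.splitlines()


def verify_image(image, sig, expected_fpr, gnupghome):
    """True only if sig is a good signature over image made by the key whose
    fingerprint is expected_fpr.

    gpg --verify exits 0 for a good signature by *any* key in the keyring, so
    an attacker who gets one extra key imported would pass an exit-status
    check. VALIDSIG carries the signing key's fingerprint (and, as its last
    field, the primary key's), which is what we compare against the pin.
    """
    rc, lines = run_gpg(["--verify", sig, image], gnupghome)
    if rc != 0:
        return False
    want = expected_fpr.replace(" ", "").upper()
    for line in lines:
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            if want in (f[2].upper(), f[-1].upper()):
                return True
    return False


def _make_key(uid, gnupghome):
    """Generate a passphrase-less demo key and return its primary fingerprint."""
    run_gpg(["--pinentry-mode", "loopback", "--passphrase", "",
             "--quick-gen-key", uid, "default", "default", "never"], gnupghome)
    _, lines = run_gpg(["--with-colons", "--fingerprint", uid], gnupghome)
    fprs = [l.split(":")[9] for l in lines if l.startswith("fpr:")]
    return fprs[0]   # the first fpr record belongs to the primary key


def _sign(path, sig, fpr, gnupghome):
    """Detached, ASCII-armoured signature of path by the key fpr (demo only)."""
    run_gpg(["--pinentry-mode", "loopback", "--passphrase", "", "--local-user", fpr,
             "--armor", "--detach-sign", "--output", sig, path], gnupghome)


def demo():
    """Genuine image, tampered image, and a signature from the wrong key."""
    work = tempfile.mkdtemp()
    home = os.path.join(work, "gnupg")
    os.mkdir(home, 0o700)
    release_fpr = _make_key("Demo Release Key <release@example.invalid>", home)
    other_fpr = _make_key("Somebody Else <other@example.invalid>", home)

    image = os.path.join(work, "replicant-demo.zip")   # constructed stand-in
    with open(image, "wb") as fh:
        fh.write(b"not a real image; constructed for the example\n")
    sig = image + ".asc"
    _sign(image, sig, release_fpr, home)
    other_sig = image + ".other.asc"
    _sign(image, other_sig, other_fpr, home)

    tampered = os.path.join(work, "tampered.zip")
    shutil.copyfile(image, tampered)
    with open(tampered, "ab") as fh:
        fh.write(b"\x00")   # one extra byte is enough to invalidate the signature

    return {
        "genuine": verify_image(image, sig, release_fpr, home),
        "tampered": verify_image(tampered, sig, release_fpr, home),
        "wrong_key": verify_image(image, other_sig, release_fpr, home),
    }


if __name__ == "__main__":
    print(demo())   # {'genuine': True, 'tampered': False, 'wrong_key': False}
```

The pinned fingerprint must come from a channel independent of the download (the project's wiki over HTTPS, a keyserver lookup cross-checked against a developer's published fingerprint, or a key signed by someone you already trust); a key served from the same directory as the images proves nothing by itself, since whoever can replace the images can replace the key too.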

As usual, you can check out the complete changelog, download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Replicant 2.3 0005 images, fixing the USSD vulnerability

Earlier this week, we were notified that a USSD vulnerability had been discovered in Android. After a bit of research, we came to understand the nature of the vulnerability: an intent can dial a number and start a call without asking the user for confirmation. That might seem harmless at first sight, but it also works with USSD codes, and some of those are very powerful. This is mostly the case for vendor-specific USSD codes (which are not included in Replicant), some of which can erase the phone's user data.

What makes this worse is that web pages can trigger such intents (through an iframe whose source uses the tel: prefix, for instance).

Since this vulnerability was present in our Replicant images (although the damage was reduced, as we don't include vendor-specific USSD codes), we decided to include the fix in our code base and release new images. That is nearly the only change in these images (the Galaxy S also got a nasty graphics bug fixed).
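The mechanism described above, as an added example that is neither Replicant's, CyanogenMod's nor Android's code: decode a tel: URI the way a dialer ends up seeing it (including the percent-encoded `#` a web page has to use), recognise strings that can be MMI/USSD codes, apply a "confirm before dialling" policy to dial requests that did not come from the user's keypad, and scan a page for tel: URIs that fire without a tap. The sample HTML is constructed; `*#06#` is the standard IMEI-display code from 3GPP TS 22.030 and is harmless, and `*1234*5678#` is a made-up placeholder, not a real vendor code.

```python
"""Added example (not Replicant's, CyanogenMod's or Android's code): decode
tel: URIs the way a dialer sees them, recognise MMI/USSD codes, apply the
"confirm before dialling" policy for untrusted dial requests, and scan HTML
for tel: URIs that fire without a tap. The sample page is constructed;
*#06# is the standard IMEI-display code (3GPP TS 22.030, harmless) and
*1234*5678# is a made-up placeholder, not a real vendor code.
"""
import re
from urllib.parse import unquote


def parse_tel_uri(uri):
    """Return the dial string carried by a tel: URI (RFC 3966), or None.

    Percent-decoding is the important step: in a URL a bare '#' starts the
    fragment, so a page that wants to deliver '*#06#' writes 'tel:%2A%2306%23'
    and the dialer only sees the real code after decoding.
    """
    m = re.match(r"\s*tel:(.*)", uri, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    number = m.group(1).split(";", 1)[0]      # drop RFC 3966 parameters (;phone-context=...)
    number = unquote(number)
    number = re.sub(r"[-.()\s]", "", number)  # visual separators mean nothing when dialling
    return number or None


def classify(dial_string):
    """'mmi' if the string can be an MMI/USSD code, 'number' otherwise.

    Deliberately conservative: 3GPP TS 22.030 codes start with '*' or '#' and
    end with '#', but platform "secret codes" such as *#*#...#*#* end with
    '*', so any '*' or '#' at all is enough to withhold automatic execution.
    """
    return "mmi" if ("*" in dial_string or "#" in dial_string) else "number"


def dial_policy(uri, trusted_caller=False):
    """What a hardened dialer does with a dial request not typed by the user.

    'call'    -> proceed as before
    'confirm' -> show the string in the dialer and wait for the user to press call
    'reject'  -> not a usable tel: URI
    trusted_caller models a privileged system component allowed to place calls
    directly; a web browser handing over a tel: URI is never that.
    """
    number = parse_tel_uri(uri)
    if number is None:
        return "reject"
    if trusted_caller or classify(number) == "number":
        return "call"
    return "confirm"


# Places a tel: URI can sit in a page and fire with no tap from the user.
_AUTO_TRIGGER_RE = re.compile(
    r"""<(?:iframe|frame|img|script)\b[^>]*?\bsrc\s*=\s*["']?\s*(tel:[^"'\s>]*)"""
    r"""|content\s*=\s*["'][^"']*?url=(tel:[^"'\s]*)"""
    r"""|location(?:\.href)?\s*=\s*["'](tel:[^"']*)""",
    re.IGNORECASE,
)


def find_ussd_triggers(html_text):
    """Decoded dial strings of every auto-firing tel: URI in html_text that
    looks like an MMI/USSD code. Plain <a href="tel:..."> links need a tap
    and are not reported."""
    hits = []
    for m in _AUTO_TRIGGER_RE.finditer(html_text):
        uri = next(g for g in m.groups() if g)
        number = parse_tel_uri(uri)
        if number and classify(number) == "mmi":
            hits.append(number)
    return hits


# Constructed sample page: one harmless link, two auto-firing USSD triggers,
# one auto-firing plain number (reported by nothing, it is not an MMI code).
SAMPLE_HTML = """<html><body>
<p>Constructed sample page for the example.</p>
<a href="tel:+1-555-0100">call us</a>
<iframe src="tel:%2A%2306%23" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0;url=tel:*1234*5678%23">
<script>location.href = "tel:+1-555-0199";</script>
</body></html>"""


if __name__ == "__main__":
    for uri in ("tel:+1-555-0100", "tel:%2A%2306%23"):
        print(uri, "->", parse_tel_uri(uri), dial_policy(uri))
    print("auto-firing USSD triggers:", find_ussd_triggers(SAMPLE_HTML))
```

The policy is intentionally blunt: a real dialer keeps a short list of codes it is happy to run for anyone (emergency numbers, for instance), but anything containing `*` or `#` that arrives through an intent, rather than from the keypad, should never be executed without the user pressing call.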

You can download the images from the ReplicantImages page and find installation instructions as well as build guides on the Replicant wiki.

Replicant lacks tracking antifeatures

Recently there was a lot of hype about mobile operating systems spying on their users: Apple iOS, Palm WebOS, Google Android.

Since Replicant is based on Android, one might be concerned about our operating system too.

According to Magnus Eriksson on github:

The files are named cache.cell & cache.wifi and are located in /data/data/com.google.android.location/files on the Android device.

Well, we are proud to confirm that on Replicant (tested on both the HTC Dream and the Nexus One) those files are missing, even with "Settings -> Location & Security -> Use wireless networks" enabled.

The directory that should contain those files (/data/data/com.google.android.location/files) doesn't even exist in Replicant.

But beware: even if Replicant itself doesn’t track its users’ position, this doesn’t mean that the phone can’t spy on you.

A smartphone usually has two components that talk to each other: a CPU and a modem. If the modem receives a call, it tells the CPU about it, and vice versa for outbound calls: the CPU orders the modem to place the call (if you are curious about how this works, there is a paper about how mobile phones work).

The modem and the CPU running Replicant are separate, and while we are doing our best to ship a fully free mobile OS, the code running on the modem is proprietary software and can't be changed. Since we don't know what it does, we have no way to be sure that it doesn't spy.

Also note that on the HTC Dream and the Nexus One, the GPS and audio parts are controlled by the modem.

The cellular network can also spy on you; in fact, in order to work at all it has to know your location.

This is just a reminder that every mobile phone is a tracking device, and if you don't want to be spied on at all you should not use one.

So why do people invest time on Replicant?

Here are some reasons:

  • The modem or the network has no access to the CPU where Replicant is running. That opens up some possibilities such as VPN, Tor, SSH, etc.
  • If mobile phones become the computers of the future, we want to run free software on them.

Edit: I learned that the modem's CPU has access to the memory (the RAM chips) of the CPU running Replicant; in other words, the modem CPU can spy on Replicant's CPU.

That will force us to port Replicant to some devices that don't have this problem, such as the Nokia N900 for instance.