Earlier this fall, a contributor to The State of Securityexplained that one of the greatest privacy and security challenges confronting our smartphones today are the apps we choose to install.
He noted in his post how app developers often make money by harvesting data from users’ devices and in turn selling this information to marketers. They also sometimes incorporate third-party libraries and tools into their products in an attempt to further collect user data, the extent and nature of which may or may not be disclosed in the applications’ privacy policies.
Marketers are not the only ones who benefit from the collection of smartphone data. Law enforcement, repressive nation-states, and a host of other actors also have an incentive to obtain mobile users’ information.
However, for the purposes of some of these entities, the types of data yielded from app developers are commonly not of sufficient mass or quality. They must, therefore, turn to more overtly surveillance-based technologies to suit their needs.
Such is the reality that has led to InterApp. Produced by Israeli-based Rayzone Group, an alleged partner of the spyware company Hacking Team that itself was hacked earlier this year, InterApp is a “tactical intelligence system” that according to its website can collect “intimate information of any phone user… in the system’s proximity.”
This data includes passwords, contact lists, email addresses, web browsing history, photos, locations and more.
All one needs is a target that has Wi-Fi enabled on a mobile device.
“InterApp is fully transparent to the target and does not require any cooperation from the phone owner,” reads the system’s description. “The only required condition is that the WIFI transmitter of the mobile device will be open (No need to surf the web).”
Rayzone Group goes on to explain in a brochure that InterApp requires little technical training and is fully adaptable, enabling it to serve as part of a “strategic system, installed in a variety of points of interest with large geographical coverage with one analysis and control center. (Safe city / airports / etc.).” It is no wonder therefore that the system was included in a counter-terrorism exposition that occurred just days after the ISIS attacks in Paris last month.
Clearly, InterApp seems like it can accomplish a lot. But there’s speculation whether the system can actually live up to all the hype. This doubt is in part fueled by analysts’ uncertainty regarding how InterApp can actually gather the types of user information Rayzone Group says it can.
“Either they collect data from apps that leak it in clear[text], or they compromise the device, but it doesn’t sound like [the latter],” Claudio Guarnieri, an activist and security researcher who monitors the surveillance industry, told Motherboard in an online chat. “In many cases when we get to learn more, it turns out they’re not as good as advertised. The power of this system relies on how credible the vulnerabilities they claim they have are.”
When MotherBoard pressed Ron Zilka from Rayzone Group for comment on how InterApp works, he refused to comment “to any journalist” and stated that the system “is only for governments.”
“I wish you all the best. I got your email, and I wish not to respond,” he said.
International Business Times UK also tried to contact Rayzone Group only to find that the company’s main number had been disconnected and its Facebook page disabled or made private. Its website and Twitter page are still up and running, however, which might suggest that the company is attempting to dodge coverage for the time being.
It is currently unclear how InterApp functions. But that will not always be the case. Curiosity will likely get the better of someone who will manage to get a hold of the system and reverse engineer it. We can only hope that InterApp’s capabilities are wildly overstated. If not, we might need to re-evaluate how comfortable we feel about leaving our Wi-Fi open when we go out in public.