When is a game not just a game? Well, when it’s the new recruiting iPhone app released by NSA. The application, “NSA CryptoChallenge,” is targeted at college students and young adults and takes them through a series of puzzles. There’s a social aspect to the app where players can publish their scores to Facebook and Twitter. iTunes describes this game as the following:
Developed by the National Security Agency, NSA CryptoChallenge is a game that tests your pattern recognition skills through a series of cryptographs. Your mission is to decipher encrypted quotes, factoids, historical events and more. It’s you against the clock to see how fast you can crack the code.
When @grecs forwarded me InfosecIsland.com’s blog post on this, I was curious but do not possess an iPhone myself – and if I did, I am too much of a paranoid conspiracy freak to install this app. So I had a friend, David Provost, install it. He reported back that the app didn’t disclose any connectivity settings, like Android apps do, and it looked just like a game to him. I wanted to know more about what the app could be getting into without telling us about it, so I went and grabbed my office’s iPhone developer, Brandon Phillips. Brandon handed me a copy of “Mobile Application Security” and gave me 15 minutes to pick his brain.
So, for the non-mobile-educated amongst us (including me):
Apple promotes applications to the app store after going through a process of certification with the developer. If an app is going to be connecting to the network or otherwise using services in a way that’s not covered in the standard EULA, the developer is supposed to disclose this, either in an additional EULA that would be posted on the app store, or in a screen pop-up once the app is installed. CryptoChallenge does not post any EULA data in the app store, and there are no screen pop-ups, which means that the app would fall under standard EULA.
Here’s what Apple’s standard EULA says around this (much legalese to wade through).
b. Consent to Use of Data: You agree that Licensor may collect and use technical data and related information—including but not limited to technical information about your device, system and application software, and peripherals – that is gathered periodically to facilitate the provision of software updates, product support, and other services to you (if any) related to the Licensed Application. Licensor may use this information, as long as it is in a form that does not personally identify you, to improve its products or to provide services or technologies to you.
Dave is an infosec guy and wasn’t concerned about doing the install because of seat-belting, which is the iPhone’s sandboxing implementation. According to “Mobile Application Security,” sandboxed apps get installed into their own directories. Applications are allowed “limited read access to some system areas but are not allowed to read/write to other applications’ private directories – however, access to the address book and photos is explicitly allowed.” (p. 65)
I’m not sure to what level the app store allows individual developers to track who has downloaded their application. I am, however, very certain that I wouldn’t want an app from the NSA on my phone with that much known information leakage. I definitely wouldn’t want it carried around by young hacklets in training with more skills than common sense. After all, there’s really no one who can say no to a National Security Letter – this app could be pulling more than the standard EULA covers and still have been signed off on by Apple.
I made a valiant effort to get a pcap, but apparently most of my friends are paranoid conspiracy freaks too. None of them were willing to let me tunnel their iPhone through Wireshark and sniff the tasty traffic. If you’re local to NoVA and are willing to meet up in, say, Tysons and install the app so we can see what it’s really doing, ping me @dystonic on Twitter – or test it yourselves and let us know what happens in the comments!
#####
Please let us know what you think. Would you let your kids install this app? Today’s screenshots are thanks to @grecs and Dave Provost. Much love to the NSA – even if I wouldn’t install your app.