How phone apps become tools of war
Quoted in the article
Shortly after Israel and the U.S. launched missiles into Tehran on Saturday, Iranians began receiving messages on a Muslim prayer app known as the BadeSaba Calendar.
The messages, written in Farsi, urged Iranians to help topple the government. “The regime’s repressive forces will pay for their cruel and merciless actions against the innocent people of Iran,” one read, according to WIRED Middle East. “Anyone who joins in defending and protecting the Iranian nation will be granted amnesty and forgiveness.”
The Wall Street Journal reports that Israel was behind the BadeSaba hack, and cybersecurity researchers say that the country was likely responsible. BadeSaba, the Israeli Embassy in D.C. and the Israel Defense Forces did not respond to DFD’s inquiries.
Infiltrating phone apps has become an increasingly common practice, both for propaganda and surveillance. The IDF has previously accused Hamas of trying to get troops to download malware-infested dating apps, and the U.S. military has contracted with data brokers who purchase location data from other Muslim prayer apps.
Former intelligence and security policy officials told DFD that apps are an attractive target in international conflicts both for surveillance and psychological warfare. They often have variable security protections and can serve as a direct channel for contacting people. Plus, lots of people use them — BadeSaba has been downloaded more than 5 million times from the Google Play store.
“This app was probably identified as one that is in pretty broad use in Iran, but also as one that probably had lesser security protections and offered more opportunity for a successful exploit,” said Nicholas Reese, former director of emerging technology policy at the Department of Homeland Security.
Hacking a phone app can be more effective than trying to tap into a computer, according to Reese. People generally store more personal information on their phones, often without realizing it. Accessing a computer typically requires infiltrating popular cloud services, which have sophisticated and standardized security protections. There are a lot more app developers than cloud services, and not all of them implement rigorous protections — making it easier to commandeer certain apps for data collection or sending unsolicited messages.
Even within the smartphone ecosystem, apps are a more useful target than other communication features on a device. “You have two options: you get to them through an app that they use, or you send them a text message or a phone call,” said Herb Lin, who previously served on President Barack Obama’s Commission on Enhancing National Cybersecurity. He added that the main advantage is that you can access a broader user base by just tapping into a particular app, instead of having to collect phone numbers for calls or texts.
The trend among operatives toward hacking apps also reflects a strategic shift toward targeting broader groups of users. “If you’re going to do an influence operation, [you’d] usually target those devices individually,” Reese told DFD. “In this [BadeSaba] case, the aperture was much, much wider, and so they were actually hitting a much wider section of the population.”
Broadening the scope of a hacking operation by infiltrating apps has its pluses and minuses, Reese said. For the purposes of disseminating propaganda, it might not be a big deal if you reach more people than you intended — BadeSaba users in the U.S. might just brush off the Iranian messaging as irrelevant. But if you collect way more app data than you need, it can be hard to sift through everything to find the relevant types of information from a particular group of people without powerful analytics tools.
The psychological impact of exploiting phone apps to convey wartime messaging is also different compared to traditional ways of reaching populations in an adversarial country — like dropping leaflets from planes or broadcasting propaganda over radio waves.
Wes J. Bryant, a former senior policy analyst at the Pentagon, told DFD that reaching someone directly through an app is much more invasive. The tactic might be effective as a demonstration of power, but it’s unclear whether the maneuver will actually have the desired impact. “I don’t see any strategic gain by doing this [BadeSaba hack],” he said. “I see it as just terrorizing a population.”
Bryant also contended that targeting an app that people use for a personal activity like prayer is also dicey. He said that when he worked with psychological operations teams during the war in Afghanistan, the U.S. military was a bit more wary of targeting religious sites. (The U.S. hasn’t always strayed away from attacking them, however.)
Based on his experience, Bryant noted that interfering in religious activities — whether on an app or at a physical place of worship — can backfire. “It creates anger. It’s a form of invasion,” he told DFD. “The hidden message there is ... you’re our enemy.”
Read the article here.