Kaymera – an Android operating system that works on off-the-shelf devices. Its owners also hack mobiles, whether running Google or Apple’s OS.
“We don’t have any relationship with NSO Group,” says Avi Rosen. He’s keen to put distance between the company over which he presides, the secure Android operating system maker Kaymera, and NSO, a spy tech provider whose iPhone malware was caught trying to snoop on a UAE activist and a Mexican journalist last month. Why the need for distance? The same founders of NSO – Omri Lavie and Shalev Hulio – started and still sit on the board of Kaymera. But the companies never share resources, insists Rosen, and do not collude in any way that might allow NSO’s hacker toolkits to run on Kaymera-powered phones.
Still, it’s hard not to suspect some disingenuousness. That Lavie and Shalev remain amongst Kaymera’s top brass would understandably make some uneasy. The company remains privately owned by Lavie, Shalev and a number of undisclosed investors. And Kaymera employees work in offices adjacent to NSO in the Herzelia district of Tel Aviv, though they have a home in Geneva too.
Nevertheless, Kaymera may well have an exciting security product on its hands. Investors have been impressed enough by the OS to put $13 million into the firm, the most recent round raising $10 million. According to a recent report in Israeli publication Haaretz, Rosen’s company has recorded annual sales estimated at $15 million.
Founded in November 2013, Kaymera has sought to strike a balance between security and usability. When customers come calling, the company flashes its Android software onto corporate phones (obviously, they’ll already need to use Android-compatible devices) and additional features will protect the device without any need for the user to alter their behaviour, Rosen told me.
As for what they get, the Kaymera OS takes Android – an operating system many security professionals see as weaker than iOS – and adds four levels of security. The first is encryption, both for data stored on the phone and for web traffic, meaning users don’t need to use an additional Virtual Private Network (unless they want to route their traffic through certain servers). The second is a firewall that looks at traffic passing between apps and from the device out to detect anything potentially malicious. Third, Kaymera has completely rewritten the permissions process for apps, so it can monitor every process on the device and block suspicious ones. Users can also decide which specific permissions to grant; the software tricks the app into believing it has been given permission to grab certain data or use phone resources, when really they’ve been blocked. The fourth “layer” is anomaly detection, which seeks to uncover other odd behaviour and run user-defined policies.
Unlike American competitor Blackphone, Kaymera “built security into the lowest level of Android” and can work on off-the-shelf devices, Rosen said.
A former RSA executive, Rosen uses all the sales talk you expect from a security industry professional when bragging about his product. “We built a holistic solution that can protect against modern threats… it raises the bar significantly,” he added. Despite the swanking, Rosen won’t comment on the number of customers he has, only noting thousands of devices were currently running Kaymera. He won’t divulge cost either.
Sounds impressive. And, according to Rosen, more secure than Apple’s operating system. His tweaked version of Google’s Android OS is much more secure, he claims. And it’ll even block NSO’s arsenal from blowing away your privacy shield. Rosen won’t tell if he’s tested NSO on Kaymera, however.
Of Apple’s device, Rosen notes, without a whiff of irony, that NSO’s exploits proved iOS to be weak. Indeed, NSO appeared to have developed a way to silently jailbreak – i.e. completely take over – an iPhone by exploiting three unpatched iOS vulnerabilities with just a click of a link in a text – a remarkable, unprecedented feat. (It may have worked with another organization to develop exploits – the company declined to comment on that).
“It creates a false sense of security,” Rosen added. “Everything they [Apple] do will never be as secure as Kaymera.”
But only governments and private businesses can benefit. Due to those customer restrictions, the individuals who might need protecting most from NSO’s malware won’t be able to get the Kaymera OS. Activists such as UAE’s Ahmed Mansoor – who was hit with malware not just from NSO, but from other bêtes noires of human rights orgs, Hacking Team and FinFisher – will have to make do with standard devices and some common sense.
On each occasion Mansoor was targeted by one of the three spyware makers, he didn’t click on the suspicious links sent via email and text. Instead, he reported them to surveillance software investigators at Citizen Lab. In the case of NSO, the Citizen Lab crew investigated, informed Apple and within just 10 days the exploits abused by the Israeli firm were closed off.
Now that’s a rather remarkable way to protect hundreds of millions of individuals from government surveillance, all for free.