Its name is SE Android, for Security Enhanced Android. Its mission: “to identify and address Android’s serious security flaws.” It’s the brainchild of a newcomer to the smartphone market, the NSA. Yep, NSA for National Security Agency, the US intelligence agency in charge of spying on foreign telecommunications and the security of US government communications.
The Android Market – the equivalent of Apple’s App Store – is home to a lot of malicious applications. These applications can expose users to unwanted premium rate calls, or even allow someone to remotely activate the microphone of a phone or read the contents of the user’s ‘private’ messages. The SE Android aims to limit the type of damage that such an application could do to a phone’s data.
Every day about 700,000 Android phones are activated throughout the world, including to members of US government departments and agencies. Anxious to fulfill its mission to secure government telecommunications, the NSA published in early January of this year the initial version of SE Android. In reality it’s not so new: it’s based on SE Linux, another security module developed by the NSA specifically for Linux, the popular open source operating system.
The code for the SE Android is also open source. It’s accessible to any amateur or professional developers who want to “audit” it.
Back door
But the NSA is not only responsible for securing the telecommunications of the US government. Part of its brief is also to engage in signals intelligence, also known as telecommunications interception. Its own website states:
We gather information that America’s adversaries wish to keep secret.
The US government has come under suspicion on numerous occasions of using backdoor Trojans for the purpose of espionage. These often undetectable programs allow someone to remotely take control of a computer system, and steal a user’s data without their knowledge. According to a research engineer in computer security contacted by OWNI, “it is very easy to insert a backdoor and drown it in amongst thousands of lines of code”.
In 2007 and 2009, the NSA admitted to having worked with Microsoft on the security for their Windows Vista and Windows 7 operating systems. In December 2010, doubts about the intentions of the US government culminated in the Open BSD case. A software engineer by the name of Gregory Perry revealed that his former company, NETSEC, had at the behest of the FBI inserted backdoor Trojans into the code of Open BSD, a free operating system similar to Linux.
A number of computer experts interviewed by OWNI are doubtful about the possibility of backdoors within the SE Android. Radoniaina Andriatsimandefitra, a PhD student at the Ecole Superieure d’Electricite de Rennes:
Following my first examination of the SE Android code, nothing indicates the presence of backdoors in place in order to intercept data from the phone. In addition, an open source code available is read by many people which increases the possibility of detection by use of the product itself. However, even if such a thing seems unlikely, it can not be excluded.
Cédric Blancher, a computer security lab researcher for EADS Innovation Works, agrees:
The NSA would be taking a huge risk in leaving a backdoor in the code, given the significant likelihood that it will be discovered one day.
As the SE Android code is open to be investigated by anyone who fancies getting their hands dirty, it would seem unlikely that the NSA would have inserted a back door within it. But the sheer density of the code could still hold some surprises: “We could discover a Trojan horse in ten years time!”, suggests one computer engineer.
Subcontracting on the cheap
The open sourcing of the SE’s code provides a new way for US intelligence agencies to impose their own security standards on phones around the world. It’s certainly likely to go down better than the revelation of their collaboration with Microsoft.
But open source offers another advantage for the NSA. According to Radoniaina Andriatsimandefitra:
It offers the possibility to delegate part of the development and maintenance to a the community of developers for free.
A security code maintained and enriched for free by a community of fans – what could be better for the NSA? It’s far from sure that the security agency would return the favor, according to Cédric Blancher:
They will no doubt use the SE Android as the foundation for other development projects that will remain internal.
The community of developers may also be contributing to the progress of a future smartphone for US soldiers. Which, coincidentally, runs on Android.
Image Credits: Flickr CC Scarigamy (BY-SA), Solo (BY-NC-SA)
Follow @pierreleibo on Twitter
💬 Discussion
No comments yet. Be the first to comment!