News Archive (1999-2012) | 2013-current at LinuxGizmos | Current Tech News Portal |    About   

NSA releases security-enhanced Android

Jan 19, 2012 — by LinuxDevices Staff — from the LinuxDevices Archive — 1 views

The U.S. National Security Agency (NSA) released a security-enhanced version of Android based on the hardened SE Linux, featuring stricter access control policies. SE Android restricts the system resources available to an Android app regardless of user permissions, blocking malware such as the “GingerBreak” exploit at six different steps during execution, says the NSA.

The National Security Agency (NSA) has released the first version of SE Android, a secure version of Google's Android operating system. This security-enhanced version of Android, SE Android will enforce stricter access control policies and better sandboxing compared to what is currently available in the most up-to-date version of Android. The NSA announced the project at the Linux Security Summit in September.

SE Android is based on SE Linux (SE Linux project logo shown at right). Often spelled "SELinux," this hardened version of Linux was initially released by the NSA in 2000. Several SE Linux components eventually made it back into the official Linux kernel as well as various Linux distributions, Solaris, and FreeBSD.

As designed, SE Android will isolate apps from one another, mitigate problems introduced by flawed or malicious apps, prevent apps from accessing system resources, ensure proper permission levels, and perform security checks. Every file and folder on the device can be individually locked and encrypted. In addition, Wi-Fi and mobile network security features are said to have been enhanced.

"Security Enhanced (SE) Android is a project to identify and address critical gaps in the security of Android," the agency stated in the project documentation.

Android's application security model allows apps run by a particular user to have access to all of the files and resources normally available to that user. This has been an issue with apps that have too much control over device elements like Bluetooth and the camera.

To address this, SE Android uses Mandatory Access Control, which relies on policies to restrict the system resources available to the app regardless of user permissions.

"Even if an application were to break out of its security sandbox, it would have limited ability to affect core system functionality," Cameron Camp, an ESET researcher, wrote on the ESET Threat Blog.

The SE Linux team is expected to further incorporate SE Android into Android's Application Layer Security. This would have the advantage of thwarting unauthorized access and compromised programs at the application layer instead of letting potential exploits reach the kernel.

A cure for the common GingerBreak

The NSA does not appear to be offering SE Android as the answer to all kernel issues, according to a presentation from the Linux Security Summit [PDF], but the agency suggests that many existing exploits would have been stopped with SE Android.

Published Android root exploits such as GingerBreak, Exploid, or RageAgainstTheCage target vulnerabilities in Android services and launch processes. SE Android can block the GingerBreak exploit at six different steps during its execution, depending on how strict the enforced policies are, NSA's Stephen Smalley stated in the presentation.

NSA is targeting mobile developers, security experts, and device manufacturers who need to implement strict access control policies, such as the ones mandated by the U.S. Department of Defense. While it remains to be seen if SE Android will see widespread commercial adoption, it seems to indicate a growing role for Android in enterprise settings where SE platforms are currently deployed, according to Camp.

"Having more security options for the mobile platform seems like a move in a positive direction," Camp stated.

Still in its early stages, SE Android has a fairly complex installation process, as there are no pre-compiled binaries available. Interested users and developers would need to download and build the official Android Open Source Project source code before obtaining patches and modifications from the SE Android code repositories. However, some developers are already discussing plans to release packaged versions to make SE Android easier to work with.

Fahmida Rashid is a writer for eWEEK.


This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.



Comments are closed.