Monday, 8 July 2013

Yes, the NSA contributed code to Android. No, you don’t have to freak out about it

To call the avalanche of leaks triggered by Edward Snowden a scandal is an understatement. Not a week passes without an embarrassing disclosure, and the secretive National Security Agency is at the center of it all.
The NSA is allegedly snooping on the electronic communications of everyone from foreign nationals to citizens of allied countries, and even Americans. Moreover, major tech companies including Google are purportedly cooperating with the NSA on a massive scale. Carriers hand over call metadata in bulk. It goes on and on.
In this climate of confusion, the last thing we need is more fear, uncertainty, and doubt. Well, perhaps we need to doubt more things, but Android is probably not one of them. I am mentioning Android because, according to Bloomberg Businessweek journalist Mark Milian, we should all throw out our Android phones (and maybe switch to an iPhone).
Gasp, the NSA has been contributing to the source code of Android!
NSA code in Android? That’s got to be bad! The NSA is surely reading my texts, viewing my naughty Snapchat pics, monitoring my web usage, right? Actually, no. While it’s possible for NSA to do all those things, the agency is probably not doing it through a backdoor it sneakily planted into Android.

Security-enhanced Android, by NSA

So, if it’s not looking to plant backdoors, what’s the NSA’s business with Android? Ironically, the agency has been working to make Android more secure.
The agency is a longtime contributor to Linux, and its work is the basis of Security-Enhanced Linux, a feature that provides users and administrators more control over who gets to access what in the operating system.
In January 2012, NSA launched Security-Enhanced Android, a project aimed at finding and closing security holes in Android. According to Businessweek, some of the code that NSA wrote has already been merged into the latest version of Android that runs on devices like the Galaxy S4 or the HTC One.
But why is the NSA interested in securing Android and Linux in the first place? Because the two operating systems are open source, flexible, and free, and therefore ideal for use in government systems. Android has already been used for a number of defense-related projects, and recently, Samsung devices running KNOX, a suite of enterprise security features, have been approved for use by the Pentagon. Long story short, it makes sense for the NSA to help harden an operating system that will run on devices that access critical government systems.

Keep calm and spread FUD

I’d go out on a limb to say that the only thing nefarious about this story is Mark Milian’s reporting. The author tries to throw doubt upon Android, insinuating that the presence of code written by the NSA is jeopardizing the security of Android devices. Moreover, Milian goes as far as to suggest that open source software in general is a threat to security.
The bottom line: The NSA is quietly writing code for Google’s Android OS. Google says anyone has the right to do so.
The fact that security features in general are, and should be, invisible to the user, isn’t going to stop some good fear mongering:
In a 2011 presentation obtained by Bloomberg Businessweek, Smalley listed among the benefits of the program that it’s “normally invisible to users.” The program’s top goal, according to that presentation: “Improve our understanding of Android security.”
Fortunately, we have alternatives:
“Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products,” says Kristin Huguet, a spokeswoman for the company.
The idea that NSA would add backdoors or vulnerabilities to its submissions, when all the source code is publicly accessible and is combed through by thousands of people, is simply ridiculous. It is just as preposterous to think that the best way to gain access to any operating system is to publicly announce that you are contributing to the OS, and make the tainted code accessible to anyone with an interest in it.
Don’t get me wrong. I am sure that NSA is indeed doing everything it can to penetrate Android, Windows, iOS, Linux, and every other operating system. Massive surveillance programs exist and no device or communication channel is truly secure. But this report from Bloomberg Businessweek is just a poorly thought out attempt to gain pageviews at the cost of spreading FUD.




