Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

NSA releases a security-enhanced version of Android

The National Security Agency's version of Android provides better access-control policies

The National Security Agency (NSA) has released SE Android, a security-enhanced version of Android, which provides and enforces stricter access-control policies than those found in the popular mobile operating system by default.

SE Android is based on NSA's previous research into mandatory access controls that gave birth to the Security-Enhanced Linux project back in 2000. SE Linux is a collection of Linux kernel security modules and other tools that provide a flexible mechanism for restricting what resources users or applications can access.

Over the years, most of the low-level SE Linux modifications were merged into the official Linux kernel and they were also ported to Solaris and FreeBSD.

The NSA revealed its plan to port SE Linux to Android as part of a new project called SE Android at the Linux Security Summit last year. The first version was released on Jan. 6.

One of the main things that SE Android is trying to improve is Android's application security model, which is based on the default Linux discretionary access control. Under DAC, an application run by a particular user has access to all of the files and resources accessible to that user.

However, under the MAC model implemented by SE Linux and now SE Android, the resources available to an application can be restricted to whatever is defined in a policy, regardless of the user's permissions on the system. Because of this, SE Android can be used to confine privileged services and limit the damage that attackers can do if they exploit vulnerabilities.

Many Android root exploits like GingerBreak, Exploid or RageAgainstTheCage, target vulnerabilities in Android services. For example, the GingerBreak exploit leverages a vulnerability in vold, the Android volume daemon, which runs as root. SE Android can block the GingerBreak exploit at six different steps during its execution, depending on how strict the enforced policies are.

Unfortunately, installing SE Android on devices is not as straightforward as installing other custom Android ROMs, because the SE Android project doesn't provide any pre-compiled builds.

Users interested in deploying SE Android need to download and build the official Android Open Source Project source code and then sync their AOSP clone with the SE Android git trees in order to apply all patches and modifications. The SE Android project website contains instructions on how to do this.

SE Android is aimed at companies and organizations that need to implement strict access-control policies similar to those mandated by the U.S. Department of Defense.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ARC, Linux, National Security Agency, NSA
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Android OS, mobile, Mobile OSes, National Security Agency, security
Latest Blog Posts
Whitepapers
  • SOA Adoption for Dummies
    This book describes our approach to SOA adoption, which we call SOA rocket science. SOA adoption, like a real-world rocket, experiences a danger zone between blast-off and the weightlessness of orbit. When fully realized, SOA can transform your business. But until firmly established, your SOA dreams can plummet back to earth.
    Learn more »
  • Printer Usage and Cost Management Strategies for the Australian Mid-market, an Unrealised Opportunity
    This whitepaper was commissioned to aid senior business and ICT decision makers of medium-sized government and corporate organisations, including marketing, finance, and technology executives to better understand the current use of print devices including copiers, printers and multi-function Page 19 Reproductions in whole or in part are prohibited. This whitepaper also provides insights into how current management practices can be improved to optimise investments and improve sustainability. Read on.
    Learn more »
  • Top 5 Myths of Safe Web Browsing
    There are a lot of misconceptions out there about safe web browsing. You might think you're being safe. But without the facts it’s next to impossible to stay protected against today’s changing threats. In this paper we describe the top five myths of safe web browsing, what the facts really are, and what you can do to stay secure.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.