NSA constructs hardened Android, unleashes it on world
Vicious apps squashed by super-spook mobile OS
The US Defense Department's National Security Agency (NSA) has released a security-hardened version of Google's mobile OS, Android.
The spook-enhanced build of the operating system was released last week and is based on SELinux, also created by the National Security Agency. The inaugural release of the SE Android project focuses on limiting the scope for malicious or flawed apps to cause mischief, as explained in the project documentation:
Security Enhanced (SE) Android is a project to identify and address critical gaps in the security of Android. Initially, the SE Android project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps and in order to enforce separation guarantees between apps. However, the scope of the SE Android project is not limited to SELinux.
Links to SE Android source code and instructions on putting it together can be found on the project's web page. The focus of the project is on damage limitation rather than prevention. The target audience of the project is clearly mobile developers, security experts or perhaps device manufacturers, and not regular Android smartphone users looking for a little extra privacy and security.
App support is low and if you don't know what you are doing you might even end up with a bricked smartphone. The goals of SE Android were first publicly outlined during a presentation [PDF] at last year's Linux Security Summit. ®
Whilst I have to admire the kneejerk tinfoil-hattery in that, the fact that this is distributed as source code makes it entirely possible to prove the existence of any nefarious goings on and remove them.
So if they had done this it would be utterly pointless and regardless of their other failings, as I doubt they're as thick as pigshit they almost certainly haven't.
What's most useful is that some or many of the security enhancements here could end up being merged back into the core product, providing a better product for all. Well done those spooks!
People, please. For the record SELinux has been part of the main Linux kernel tree for _years_ and has been gone through with the proverbial fine toothed comb. If you think SELinux has a backdoor then you're saying all Linux kernel versions since 2.6 that it was integrated have a backdoor.
Never mind that the NSA are not even involved in maintaining it anymore, since it was added to mainline.
And anyway, SELinux is an implementation of a mandatory access control architecture, it doesn't even touch any parts of Linux that _could_ be used to make a backdoor.
Be paranoid but at least base the paranoia on some element of truth.
"Can't the NSA use special invisible ink code for the dodgy bits"
Surely you sanitize all your source code by boiling for an hour before use?