Based on SE Linux, SE Android-developed by the U.S. National Security Agency-is a security-enhanced version of Google's mobile platform with stricter access-control policies.
The National
Security Agency has publicly released SE Android, a secure version of Google's
mobile operating system.
A
security-enhanced version of Android, SE Android would enforce stricter access-control
policies and better sandboxing than what is currently available in the most
up-to-date version of Google Android. The NSA announced the project at the
Linux Security Summit in September and released the first version Jan. 6.
SE Android is
based on SE Linux, a hardened version of Linux that the NSA initially released
in 2000. Several SE Linux components have eventually made it back into the
official Linux kernel as well as various Linux distributions, Solaris and
FreeBSD.
"Security
Enhanced (SE) Android is a project to identify and address critical gaps in the
security of Android," the agency wrote in the project documentation.
As designed,
SE Android would isolate applications from each other, mitigate problems
introduced by flawed or malicious applications, prevent applications from
accessing system resources, ensure proper permission levels and perform
security checks. Every file and folder on the device can be individually locked
and encrypted, and WiFi and mobile network security features have been
enhanced.
Android's
application security model allows applications run by a particular user to have
access to all the files and resources normally available to that user. This has
been an issue with applications having too much control over device elements
like Bluetooth and the camera. SE Android uses Mandatory Access Control, which
relies on policies to restrict the system resources available to the application
regardless of user permissions.
"Even if
an application were to break out its security sandbox, it would have limited
ability to affect core system functionality," Cameron Camp, an ESET
researcher, wrote on the ESET Threat Blog.
The team is
expected to further incorporate SE Android into Application Layer Security, to
thwart unauthorized access and compromised programs at the application layer
instead of letting it reach the kernel.
The NSA does
not appear to be offering SE Android as the answer to all kernel issues,
according to a presentation from the Linux Security Summit, but it suggested that many
existing exploits would have been stopped with SE Android. Published Android
root exploits, such as GingerBreak, Exploid or RageAgainstTheCage, target
vulnerabilities in Android services and launch processes. SE Android can block
the GingerBreak exploit at six different steps during its execution, depending
on how strict the enforced policies are, NSA's Stephen Smalley said in the
presentation.
NSA is clearly
targeting mobile developers, security experts and device manufacturers who need
to implement strict access-control policies, such as the ones mandated by the
U.S. Department of Defense, in mobile devices and applications.
While it
remains to be seen if SE Android will see widespread commercial adoption, it
seems to indicate a growing role for Android in enterprise settings where SE
platforms are currently deployed, according to Camp. "Having more security
options for the mobile platform seems like a move in a positive
direction," Camp said.
Installing SE
Android-still in its early stages-is a fairly complex process as there are no
precompiled binaries available. Interested users and developers would need to
download and build the official Android Open Source Project source code before
obtaining patches and modifications from the SE Android code repositories.
However, some developers are already discussing plans to release packaged
versions to make it easier to work with.
Email
Print
