DARPA Wants to Lock Down Android Smartphones for Military Use

By: Robert Lemos

Worried about the loss and theft of classified information on mobile devices, the Defense Advanced Research Projects Agency (DARPA) has awarded a $21.4 million contract to create a locked-down version of the Android operating system for use in the field, says security firm Invincea, which won the contract.

Under the project, dubbed “Mobile Armor,” the company has four years to create a version of the popular mobile device OS that can be used by the U.S. Army and other government agencies. The company is working with other federal civilian contractors and defense agencies on the development of secure Android smartphones for deployment in both office environments as well as in the field.

“What DARPA is now signaling to the market is that the threat that has targeted desktops in military networks is now moving to mobile devices,” said Invincea CEO Anup Ghosh. “And we anticipate that we will see similar types of exploits … that will drop code and own the device.”

Invincea is focusing on two facets of security in the project. The first is controlling the device so that only a certain limited list of applications can run. This type of whitelisting technology is a common approach in security-conscious corporations. The second focus is detecting attacks that attempt to exploit those approved applications and limiting the damage of such attacks.

For the military, another big concern is lost devices falling into enemy hands, said Ghosh.

“They are really worried about loss of the device,” says Ghosh. “God forbid you are captured and you lose the device that way.”

Invincea already has an early version of the operating system running in the field in Afghanistan on thousands of phones, he says. Ghosh could not give details of the implementation, such as whether the Army deploys their own base stations, but said that the phones have to evade disruption and detection so as to not give away their positions.

“They are using military apps, I can’t say what they are, but they are specifically for patrols,” said Ghosh.

The fact that the U.S. military is looking at Android devices is not surprising considering the current trend of bring your own device (BYOD) that is forcing IT departments to deal with a wider range of devices within the corporate network. While the iPhone is probably the most popular smartphone invading companies, Android is catching up. This week, with the release of the Android-based Samsung Galaxy S III, the company offered what it calls Samsung Approved for Enterprise (SAFE), which offers features such as 256-bit Advanced Encryption Standard (AES) encryption.

Still, Android is not known for its security. According to one earlier study, Android malware increased about 3,000 percent in 2011, as these devices have grown in popularity. Google has adjusted its security policies to address these issues, with a scanning service such as Bouncer, which checks apps for malicious behavior. Google says that the number of users affected by malicious Android apps has fallen 40 percent in the last year.

In March, Google hired Regina Dugan, who served as a DARPA program manager for five years and, most recently, as director, to fill a senior executive position.