Risk
1/17/2012
02:14 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Releases Secure Android Version

National Security Agency publicly releases SE Android, a secure version of Google's Android platform that delivers app isolation and related security meausres.

The National Security Agency has made its first public release of SE Android, a secure version of Google's Android platform.

SE Android aims to close Android's security gaps by isolating apps from one another, mitigating problems with flawed or malicious apps, instituting permission and other security checks, restricting use of system facilities by apps, and taking related steps.

The project is based on SE Linux, a security-hardened version of Linux which the NSA initially released in 2000. Numerous parts of SE Linux were eventually integrated into the official Linux kernel and other Linux-based platforms. Android, too, is powered by Linux, so the fit is somewhat natural.

First announced at the Linux Security Summit in September, SE Android remains in early stages. There are not yet any pre-compiled builds of SE Android, so installation is anything but simple at this point. Those wishing to use SE Android will, for now, have to follow directions posted on the project's Web page. However, Android developers have already hit developer bulletin boards to discuss plans to release packaged versions.

One big focus of SE Android is application security. Application-level permissions control access to application components and system resources. A big change from SE Linux is that SE Android switches from Discretionary Access Control, which lets users set permissions, to Mandatory Access Control, which does not. This can, for example, prevent malicious apps from running processes that wipe a device of all data.

Sandboxing and process isolation also play large parts. Android SE isolates applications from one another and the system--unlike many apps on Google's Android Market that have broad permissions to access other apps and device elements like Bluetooth and the camera. Sandboxing prevents bypass of the application-level controls as well.

The NSA doesn't consider SE Android to be a panacea, according to a presentation from the Linux Security Summit, which cautions that SE Android is not a cure-all to mitigate all kernel vulnerabilities.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Thank God for Cyber Monday sales."
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.