Commits to the Android source code show how the American National Security Agency (NSA) contributes to the mobile operating system. Besides committing code, the NSA is also involved in decision making with issues concerning the OS. We spotted at least five NSA developers involved with Android. As the NSA is daily in the news for spying on the internet this is a critical fact. Do we trust the NSA to guard the security of our mobile phone?
In a commit from the Android Open Source Project (AOSP) we spotted a military e-mail address belonging to the domain tycho.ncsc.mil. A quick search on Google reveals that the domain belongs to the National Information Assurance Research Lab, which in its turn is part of the NSA.
The NSA is no stranger to open source projects and also contributes to Linux. The commits to the Android source code have the goal to strengthen the security of Google's operating system, most of them are related to Security Enhancements for Android or SEandroid. This project is created to identify and address critical gaps in the security of Android. The major goal of the project is to add NSA developed SELinux in Android which should add an additional layer of security and limit damage to the OS caused by malware.
SELinux was first included and enabled in Android 4.3 (Jellybean), Android 4.4 (Kitkat) is the first version that puts SELinux in enforcing mode which means it can't be disabled by malware, even with administrator permissions. For those who hope to be NSA free, the same commits are also merged into the open source Android clone Cyanogenmod.
Given the news about the NSA infecting more than 50,000 computers, the involvement of the NSA is at least interesting. On one side the NSA works with software developers on securing their systems while on the other side it tries to use loopholes in systems to be able to spy on them.
As Android is open source you would expect that NSA code would be checked for loopholes. That's very likely the case, however being the initial developer of SELinux there is a lot of knowhow inside the NSA. The NSA could easily use a different, less obvious, identity to introduce potential holes to the software. Linux is everywhere, from mobile phones to internet servers and routers so it would make sense for the NSA to invest resources in the operating system.
While the NSA's goal is to defend American property and therefore a backdoor might not be obvious as it leaves also an opportunity for others, a properly designed loophole could potentially only be accessible to the NSA. Loopholes could be purposely made errors into the software which would be hard to discover but could be exploited by the NSA when required.
