Over a decade ago, it was discovered that the NSA embedded backdoor access into Windows 95, and likely into virtually all other subsequent internet connected, desktop-based operating systems. However, with the passage of time, more and more people went “mobile”, and as a result the NSA had to adapt. And adapt they have: as Bloomberg reports, “The NSA is quietly writing code for Google’s Android OS.”
Is it ironic that the same “don’t be evil” Google which went to such great lengths in the aftermath of the Snowden scandal to wash its hands of snooping on its customers and even filed a request with the secretive FISA court asking permission to disclose more information about the government’s data requests, is embedding NSA code into its mobile operating system, which according to IDC runs on three-quarters of all smartphones shipped in the first quarter? Yes, yes it is.
Google spokeswoman Gina Scigliano confirms that the company has already inserted some of the NSA’s programming in Android OS. “All Android code and contributors are publicly available for review at source.android.com.” Scigliano says, declining to comment further.
From Bloomberg:
Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. Eventually all new phones, tablets, televisions, cars, and other devices that rely on Android will include NSA code, agency spokeswoman Vanee’ Vines said in an e-mailed statement. NSA researcher Stephen Smalley, who works on the program, says, “Our goal is to raise the bar in the security of commodity mobile devices.”
See, there’s no need to worry: the reason the NSA is generously providing the source code for every Google-based smartphone is for your own security. Oh but it’s open-sourced, so someone else will intercept any and all attempts at malice. We forgot.
The story continues:
In a 2011 presentation obtained by Bloomberg Businessweek, Smalley listed among the benefits of the program that it’s “normally invisible to users.” The program’s top goal, according to that presentation: “Improve our understanding of Android security.”
Well one wouldn’t want their bug to be visible to users now, would one…
Vines wouldn’t say whether the agency’s work on Android and other software is part of or helps with Prism. “The source code is publicly available for anyone to use, and that includes the ability to review the code line by line,” she said in her statement. Most of the NSA’s suggested additions to the operating system can already be found buried in Google’s latest release—on newer devices including Sony’s Xperia Z, HTC’s One, and Samsung Electronics’ Galaxy S4. Although the features are not turned on by default, according to agency documentation, future versions will be. In May the Pentagon approved the use of smartphones and tablets that run Samsung’s mobile enterprise software, Knox, which also includes NSA programming, the company wrote in a June white paper. Sony, HTC, and Samsung declined to comment.
Apple appears to be immune from this unprecedented breach of customer loyalty, if only for now, although open-sourced Linux may not be as lucky:
“Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products,” says Kristin Huguet, a spokeswoman for the company. It’s not known if any other proprietary operating systems are using NSA code. SE for Android is an offshoot of a long-running NSA project called Security-Enhanced Linux. That code was integrated a decade ago into the main version of the open-source operating system, the server platform of choice for Internet leaders including Google, Facebook (FB), and Yahoo! (YHOO). Jeff Zemlin, the executive director of the Linux Foundation, says the NSA didn’t add any obvious means of eavesdropping. “This code was peer-reviewed by a lot of people,” he says.
But that’s not all:
The NSA developed a separate Android project because Google’s mobile OS required markedly different programming, according to Smalley’s 2011 presentation. Brian Honan, an information technology consultant in Dublin, says his clients in European governments and multinational corporations are worried about how vulnerable their data are when dealing with U.S. companies. The information security world had been preoccupied with Chinese hacking until recently, Honan says. “With Prism, the same accusations can be laid against the U.S. government.”
In short: the (big brother supervised) fun never stops in Stasi 2.0 world. Just buy your 100 P/E stocks, eat your burgers, watch your Dancing With The Stars, pay your taxes, and engage in as much internet contact with other internet-addicted organisms as possible and all shall be well.
Oh, and from this…
To this (courtesy of @paradism_)
And just think, you are paying through the ass to be spied upon……
I have actually read the source to SELinux and Security Enhancements for Android (precisely because I don’t trust anything that comes out of the Nazi Spy Agency).
If they have hidden anything in there (and if the released code actually matches the shipped binaries, of which there is no guarantee – only few people actually compile their Android themselves), they’ve hidden it really well.
There don’t seem to be any backdoors in the released source code.
There’s a few simple explanations — one is that the NSA did it because they want to protect their own phones (common enemy — spammers and competing secret services), another is that they wanted a way in (so after the code passed initial scrutiny like mine, they can push bogus “bugfixes” introducing backdoors without making much noise). Possibly it’s a combination of both.