Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/17/2012
02:14 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Releases Secure Android Version

National Security Agency publicly releases SE Android, a secure version of Google's Android platform that delivers app isolation and related security meausres.

The National Security Agency has made its first public release of SE Android, a secure version of Google's Android platform.

SE Android aims to close Android's security gaps by isolating apps from one another, mitigating problems with flawed or malicious apps, instituting permission and other security checks, restricting use of system facilities by apps, and taking related steps.

The project is based on SE Linux, a security-hardened version of Linux which the NSA initially released in 2000. Numerous parts of SE Linux were eventually integrated into the official Linux kernel and other Linux-based platforms. Android, too, is powered by Linux, so the fit is somewhat natural.

First announced at the Linux Security Summit in September, SE Android remains in early stages. There are not yet any pre-compiled builds of SE Android, so installation is anything but simple at this point. Those wishing to use SE Android will, for now, have to follow directions posted on the project's Web page. However, Android developers have already hit developer bulletin boards to discuss plans to release packaged versions.

One big focus of SE Android is application security. Application-level permissions control access to application components and system resources. A big change from SE Linux is that SE Android switches from Discretionary Access Control, which lets users set permissions, to Mandatory Access Control, which does not. This can, for example, prevent malicious apps from running processes that wipe a device of all data.

Sandboxing and process isolation also play large parts. Android SE isolates applications from one another and the system--unlike many apps on Google's Android Market that have broad permissions to access other apps and device elements like Bluetooth and the camera. Sandboxing prevents bypass of the application-level controls as well.

The NSA doesn't consider SE Android to be a panacea, according to a presentation from the Linux Security Summit, which cautions that SE Android is not a cure-all to mitigate all kernel vulnerabilities.

How 10 federal agencies are tapping the power of cloud computing--without compromising security. Also in the new, all-digital InformationWeek Government supplement: To judge the success of the OMB's IT reform efforts, we need concrete numbers on cost savings and returns. Download our Cloud In Action issue of InformationWeek Government now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Google Lets iPhone Users Turn Device into Security Key
Kelly Sheridan, Staff Editor, Dark Reading,  1/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5647
PUBLISHED: 2020-01-22
The Chrome Plugin for Rapid7 AppSpider can incorrectly keep browser sessions active after recording a macro, even after a restart of the Chrome browser. This behavior could make future session hijacking attempts easier, since the user could believe a session was closed when it was not. This issue af...
CVE-2011-3612
PUBLISHED: 2020-01-22
Cross-Site Request Forgery (CSRF) vulnerability exists in panel.php in UseBB before 1.0.12.
CVE-2011-3613
PUBLISHED: 2020-01-22
An issue exists in Vanilla Forums before 2.0.17.9 due to the way cookies are handled.
CVE-2011-3614
PUBLISHED: 2020-01-22
An Access Control vulnerability exists in the Facebook, Twitter, and Embedded plugins in Vanilla Forums before 2.0.17.9.
CVE-2011-3621
PUBLISHED: 2020-01-22
A reverse proxy issue exists in FluxBB before 1.4.7 when FORUM_BEHIND_REVERSE_PROXY is enabled.