Yes, the NSA contributed code to Android. No, you don’t have to freak out about it

by: Bogdan Petrovan, July 4, 2013


To call the avalanche of leaks triggered by Edward Snowden a scandal is an understatement. Not a week passes without an embarrassing disclosure, and the secretive National Security Agency is at the center of it all.

The NSA is allegedly snooping on the electronic communications of everyone from foreign nationals, to citizens of allied countries, and even Americans. Moreover, major tech companies including Google are purportedly cooperating with the NSA on a massive scale. Carriers hand over call metadata in bulk. It goes on and on.

In this climate of confusion, the last thing we need is more fear, uncertainty, and doubt. Well, perhaps we need to doubt more things, but Android is probably not one of them. I am mentioning Android because, according to Bloomberg Businessweek journalist Mark Milian, we should all throw out our Android phones (and maybe switch to an iPhone).

Gasp, the NSA has been contributing to the source code of Android!

NSA code in Android? That’s got to be bad! The NSA is surely reading my texts, viewing my naughty Snapchat pics, monitoring my web usage, right? Actually, no. While it’s possible for NSA to do all those things, the agency is probably not doing it through a backdoor it sneakily planted into Android.

Security-enhanced Android, by NSA

So, if it’s not looking to plant backdoors, what’s the NSA’s business with Android? Ironically, the agency has been working to make Android more secure.

The agency is a longtime contributor to Linux, and its work is the basis of Security-Enhanced Linux, a feature that provides users and administrators more control over who gets to access what in the operating system.

In January 2012, NSA launched Security-Enhanced Android, a project aimed at finding and closing security holes in Android. According to Businessweek, some of the code that NSA wrote has already been merged into the latest version of Android that runs on devices like the Galaxy S4 or the HTC One.


But why is the NSA interested in securing Android and Linux in the first place? Because the two operating systems are open source, flexible, and free, and therefore ideal for use in government systems. Android has already been used for a number of defense-related projects, and recently, Samsung devices running KNOX, a suite of enterprise security features, have been approved for use by the Pentagon. Long story short, it makes sense for the NSA to help harden an operating system that will run on devices that access critical government systems.

Keep calm and spread FUD

I’d go out on a limb to say that the only thing nefarious about this story is Mark Milian’s reporting. The author tries to throw doubt upon Android, insinuating that the presence of code written by the NSA is jeopardizing the security of Android devices. Moreover, Milian goes as far as to suggest that open source software in general is a threat to security.

“The bottom line: The NSA is quietly writing code for Google’s Android OS. Google says anyone has the right to do so.”

The fact that security features in general are, and should be, invisible to the user, isn’t going to stop some good fear mongering:

“In a 2011 presentation obtained by Bloomberg Businessweek, Smalley listed among the benefits of the program that it’s ‘normally invisible to users.’ The program’s top goal, according to that presentation: ‘Improve our understanding of Android security.’”

Fortunately, we have alternatives:

“Apple (AAPL) does not accept source code from any government agencies for any of our operating systems or other products,” says Kristin Huguet, a spokeswoman for the company.

The idea that NSA would add backdoors or vulnerabilities to its submissions, when all the source code is publicly accessible and is combed through by thousands of people, is simply ridiculous. It is just as preposterous to think that the best way to gain access to any operating system is to publicly announce that you are contributing to the OS, and make the tainted code accessible to anyone with an interest in it.

Don’t get me wrong. I am sure that NSA is indeed doing everything it can to penetrate Android, Windows, iOS, Linux, and every other operating system. Massive surveillance programs exist and no device or communication channel is truly secure. But this report from Bloomberg Businessweek is just a poorly thought out attempt to gain pageviews at the cost of spreading FUD.

  • Anon

    Nice article. Thanks for sharing your knowledge and ideas

  • No doubt about connections. Google is the most impressive search engine. Google map has the best images from satellite data. Whatever, I enjoyed using google map and google search.

    Technology is too sophisticated for us to know all its details. If you choose to know everything, then spend your whole life investigating – not enjoying it.

    • twistedgamer

      Evidently you don’t realize that Google buys their images from the same PRIVATE company the Govt buys images from. The only difference is Google is restricted from the extremely high res images that the Govt gets because of export control laws and Govt restrictions on satellite images. Google being a tech company has a workaround for that. Combine images from multiple sources. That’s how some areas have more detailed images and how they are generating their 3D views in the new maps beta.

  • phreezerburn

    The NSA is where your platform agnostic crypto originated from, folks, and Mr Milian needs to crack a book or two.

  • beamu

    Why are you stating “allegedly”? The official documents prove this is happening.

  • raindog469

    I’ll still take an OS whose source code I can read, NSA contributions or not, over one whose source code is kept under lock and key… NSAKEY, in Microsoft’s case. Who knows whether Apple is telling the truth, but we can easily verify Google’s story using git. On most devices, we can install a ROM based on AOSP to be sure that the code we see is what we’re actually running, or even build it ourselves if we believe coders on XDA are in some big conspiracy with Google and the US government. And if you’re feeling old-school, there’s always Replicant.

    Things like modem firmware, on the other hand, we don’t have access to on just about any device.

    • qwik

      Agree with you.
      Most closed-source OS out there use “security through obscurity”. Not quite reassuring, I might say.

    • lostatsea

      I agree that I’d take Open-Source any day over closed source. But, it’s not *easily* verified by dl source using git. There are millions of lines of source code to parse through. And there are ways of hiding the true intention in source.

      • raindog469

        I meant easily verified by security researchers, of course, not the layman, who’ll be taking someone’s word for it either way.

        • Scott Thompson

          [email protected]:/ # id
          uid=0(root) gid=0(root) context=u:r:init_shell:s0

          [email protected]:/ # exit
          [email protected]:/ $ id
          uid=10049(u0_a49) gid=10049(u0_a49) groups=1015(sdcard_rw),1028(sdcard_r),3003(inet),50049(all_a49) context=u:r:untrusted_app:s0

          [email protected]:/ $ stty
          speed 38400 baud; line = 0; <– That should be ==0

          The graphics card executes with FULL Root Permissions set up as srwx—– So in some respects you're correct about it being a problem with the Hardware but it's also right there in the software too.

          user id = 0 – Classic Backdoor!

          But what really pisses me off – IT'S NOT A PHONE!

          • Scott Thompson

            Google & the Government they do wonderful work, instead of prevent terrorism, they’ve effectively propagated it and now millions of users can have all their details and contacts stolen!

        • Scott Thompson

          Try: echo $uid (hit return and watch what happens!)

  • Simos Katsiaris

    If I could write even a line like the guys in NSA I would have been rich right now and have my own security company….

  • APai

    NSA has zero credibility. I’d rather assume that there are unknown spooks out there to get our data than trust someone who’d backstab us

  • lostatsea
  • silly

    And you believe this person?