Skip to main content

The NSA Has Inserted Its Code Into Android OS, Or Three Quarters Of All Smartphones


The NSA Has Inserted Its Code Into Android OS, Or Three Quarters Of All
Smartphones
Tyler Durden's pictureSubmitted by Tyler Durden on 07/09/2013 20:34 -0400

Apple default Google PrISM


Over a decade ago, it was discovered that the NSA embedded backdoor access
into Windows 95, and likely into virtually all other subsequent internet
connected, desktop-based operating systems. However, with the passage of
time, more and more people went "mobile", and as a result the NSA had to
adapt. And adapt they have: as Bloomberg reports, "The NSA is quietly
writing code for Google’s Android OS."

Is it ironic that the same "don't be evil" Google which went to such great
lengths in the aftermath of the Snowden scandal to wash its hands of
snooping on its customers and even filed a request with the secretive FISA
court asking permission to disclose more information about the government’s
data requests, is embedding NSA code into its mobile operating system,
which according to IDC runs on three-quarters of all smartphones shipped in
the first quarter? Yes, yes it is.

Google spokeswoman Gina Scigliano confirms that the company has already
inserted some of the NSA’s programming in Android OS. "All Android code and
contributors are publicly available for review at source.android.com."
Scigliano says, declining to comment further.

From Bloomberg:

Through its open-source Android project, Google has agreed to incorporate
code, first developed by the agency in 2011, into future versions of its
mobile operating system, which according to market researcher IDC runs on
three-quarters of the smartphones shipped globally in the first quarter. NSA
officials say their code, known as Security Enhancements for Android,
isolates apps to prevent hackers and marketers from gaining access to
personal or corporate data stored on a device. Eventually all new phones,
tablets, televisions, cars, and other devices that rely on Android will
include NSA code, agency spokeswoman Vanee’ Vines said in an e-mailed
statement. NSA researcher Stephen Smalley, who works on the program, says,
“Our goal is to raise the bar in the security of commodity mobile devices.”
See, there's no need to worry: the reason the NSA is generously providing
the source code for every Google-based smartphone is for your own security.
Oh but it's open-sourced, so someone else will intercept any and all
attempts at malice. We forgot.

The story continues:

In a 2011 presentation obtained by Bloomberg Businessweek, Smalley listed
among the benefits of the program that it’s “normally invisible to users.
” The program’s top goal, according to that presentation: “Improve our
understanding of Android security.”
Well one wouldn't want their bug to be visible to users now, would one...

Vines wouldn’t say whether the agency’s work on Android and other software
is part of or helps with Prism. “The source code is publicly available for
anyone to use, and that includes the ability to review the code line by
line,” she said in her statement. Most of the NSA’s suggested additions to
the operating system can already be found buried in Google’s latest
release—on newer devices including Sony’s Xperia Z, HTC’s One, and
Samsung Electronics’ Galaxy S4. Although the features are not turned on by
default, according to agency documentation, future versions will be. In May
the Pentagon approved the use of smartphones and tablets that run Samsung’s
mobile enterprise software, Knox, which also includes NSA programming, the
company wrote in a June white paper. Sony, HTC, and Samsung declined to
comment.
Apple appears to be immune from this unprecedented breach of customer
loyalty, if only for now, although open-sourced Linux may not be as lucky:

“Apple (AAPL) does not accept source code from any government agencies for
any of our operating systems or other products,” says Kristin Huguet, a
spokeswoman for the company. It’s not known if any other proprietary
operating systems are using NSA code. SE for Android is an offshoot of a
long-running NSA project called Security-Enhanced Linux. That code was
integrated a decade ago into the main version of the open-source operating
system, the server platform of choice for Internet leaders including Google,
Facebook (FB), and Yahoo! (YHOO). Jeff Zemlin, the executive director of
the Linux Foundation, says the NSA didn’t add any obvious means of
eavesdropping. “This code was peer-reviewed by a lot of people,” he says.
But that's not all:

The NSA developed a separate Android project because Google’s mobile OS
required markedly different programming, according to Smalley’s 2011
presentation. Brian Honan, an information technology consultant in Dublin,
says his clients in European governments and multinational corporations are
worried about how vulnerable their data are when dealing with U.S. companies
. The information security world had been preoccupied with Chinese hacking
until recently, Honan says. “With Prism, the same accusations can be laid
against the U.S. government.”
In short: the (big brother supervised) fun never stops in Stasi 2.0 world.
Just buy your 100 P/E stocks, eat your burgers, watch your Dancing With The
Stars, pay your taxes, and engage in as much internet contact with other
internet-addicted organisms as possible and all shall be well.

Comments

Popular posts from this blog

CKA Simulator Kubernetes 1.22

  https://killer.sh Pre Setup Once you've gained access to your terminal it might be wise to spend ~1 minute to setup your environment. You could set these: alias k = kubectl                         # will already be pre-configured export do = "--dry-run=client -o yaml"     # k get pod x $do export now = "--force --grace-period 0"   # k delete pod x $now Vim To make vim use 2 spaces for a tab edit ~/.vimrc to contain: set tabstop=2 set expandtab set shiftwidth=2 More setup suggestions are in the tips section .     Question 1 | Contexts Task weight: 1%   You have access to multiple clusters from your main terminal through kubectl contexts. Write all those context names into /opt/course/1/contexts . Next write a command to display the current context into /opt/course/1/context_default_kubectl.sh , the command should use kubectl . Finally write a second command doing the same thing into ...

OWASP Top 10 Threats and Mitigations Exam - Single Select

Last updated 4 Aug 11 Course Title: OWASP Top 10 Threats and Mitigation Exam Questions - Single Select 1) Which of the following consequences is most likely to occur due to an injection attack? Spoofing Cross-site request forgery Denial of service   Correct Insecure direct object references 2) Your application is created using a language that does not support a clear distinction between code and data. Which vulnerability is most likely to occur in your application? Injection   Correct Insecure direct object references Failure to restrict URL access Insufficient transport layer protection 3) Which of the following scenarios is most likely to cause an injection attack? Unvalidated input is embedded in an instruction stream.   Correct Unvalidated input can be distinguished from valid instructions. A Web application does not validate a client’s access to a resource. A Web action performs an operation on behalf of the user without checkin...