SophosLabs: The United States, which currently forbids government workers or soldiers to use smartphones to send classified messages, is preparing a modified version of Google’s Android operating system that will meet its security certifications.
According to CNN, the army has been testing touchscreen devices at U.S. bases for almost two years. Forty phones were sent to soldiers overseas last year, and another 50 phones and 75 tablets are scheduled to ship to soldiers in March.
The military comes first, with federal agencies next in line to get phones for sending and receiving government cables while away from their offices, according to CNN’s sources.
Using a bolted-down smartphone, soldiers could see their comrades on a digital map, or officials could securely send dispatches.
The security issues, of course, are rife. While pinpointing fellow infantrymen would be a boon, the military has to ensure that soldiers aren’t simultaneously broadcasting their own GPS coordinates to enemy combatants. Weather apps, for example, automatically transmit a phone’s GPS coordinates in order to deliver a local forecast.
Poisoned applications in smartphone application marketplaces are another worry.
While the massive Counterclank Android malware scare of last week turned out to be, most likely, just a bunch of pushy adware, Sophos is nonetheless tracking a sharp increase in malicious Android applications. There are now over 4000, which represents an increase of more than 400% since December 2011.
The modified version of Android will be authorised to store classified documents but will be incapable of transmitting them over a cellular network.
Smartphones cleared for top-secret dispatches – those the government seeks to keep out of the hands of hackers, rogue apps, foreign governments or sites such as WikiLeaks – are due out in the next few months.
Sources involved in the U.S. smartphone program told CNN that their goal is to support any type of smartphone. Though why Android over Apple in the first instance? Google freely allows developers to fiddle with its code, that’s why.
CNN quoted Angelos Stavrou, an information-security director at George Mason University and a contractor working on the government project, who said that Apple refused to give the feds access to the core of its mobile operating system. Google was simply more cooperative, he said:
[Google] was more cooperative in supporting some of the capabilities that we wanted to support in the operating system, whereas Apple was more averse. They’re shifting the strategy now.
Well, good luck with that shift. Apple’s never had a cozy relationship with developers or security researchers, and its attempts to be more open, a la rivals Google and Microsoft, have been a tad ginger.
A recent example: In February 2011, Apple made a tentative step toward opening up. It offered a copy of the developer preview of Mac OS X 10.7, aka Lion, to security researchers and asked for their feedback – by invitation only, and only under a non-disclosure agreement regarding whatever researchers found.
That door wasn’t ajar long. Nine months later, it slammed shut on Charlie Miller – aka “that Apple 0-day guy” – when the Accuvant Labs security researcher had the audacity to uncover a potentially dangerous bug he found in Apple’s iOS operating system that allowed unapproved code to be run on iPads and iPhones.
Miller packed a proof-of-concept bug into a fake stock ticker program for distribution in Apple’s App Store.
Apple didn’t appreciate it. Instead of thanking him for pointing out a dangerous hole with a harmless demo, they ripped up Miller’s license as an Apple developer.
Apple has always seemed like a tough business to partner with. Google, on the other hand, can prep an Android version that’s compatible with the government’s secure Android in a matter of two weeks, according to Stavrou.
The program certainly seems to be a thumbs-up to the open-source crowd. In fact, the National Security Agency has taken the unusual step of publishing online the source code for one version of the secure Android.
Here’s how Stavrou classified the open-sourcing:
We had to go through many hoops for that to happen. By handing the source code out, other people will be able to take a look and tell us about bugs.
Here’s hoping the secure Android will be a winning combination of bolting things down to avoid leaks and opening everything up to prevent bugs.