The Perfect Trojan Horse

Giovanni Russello, a security expert, writes a post about Android security.
The launch of the new Galaxy S4 has been celebrated a couple of weeks ago. Indeed, it looks like a slick device with lots of nice features that is making Apple really nervous. At the software level, the S4 ships with Android 4.2 Jelly Bean. Together with the Samsung pre-installed apps, we will find in the S4 Knox. Knox is a security solution developed by Samsung for supporting the Bring Your Own Device (BYOD) policy in enterprises. Knox allows the creation of different environments in your phone. Essentially, a secure environment will be used for containing enterprise-related data and apps; while an open environment will be used for personal content. The work environment can be managed by the IT admin of the enterprise. Your personal environment is entirely yours to populate with whatever junk you might like. The content of one environment is not accessible to apps from the other environment, keeping everyone happy.
   Knox relies on the Mandatory Access Control (MAC) mechanism provided by SELinux. So how did SELinux ended up in a Samsung phone? The news that people were at work to port SELinux on to Android is not new actually. What is news is that SELinux is now (or is going be) fully integrated in the Android Open Software Project (AOSP), the official Android trunk that Google provides to vendors. And it is not a simple matter of swapping a Linux kernel for another. In a recent paper at NDSS 13, Smalley describes in details the changes required at the level of the Android middleware to be able to integrate the SELinux MAC mechanism seamless with the Android application framework.
    What are the implications of having SELinux as part of the AOSP? From now on, Android code will have SELinux modules as part of its base distribution. In terms of security, SELinux can really help in solving some of the Android security issues. However, we have to realise here that SELinux is a research project of the National Security Agency (NSA). The NSA is one of the most nosey agencies in the US. One of the NSA main activities is to look for vulnerabilities that allow them to eavesdrop and in some cases even attacking “enemy” systems (see the case of Stuxnet).
   Now Google has teamed up with NSA and any new Android phones will have NSA code running on it.  Even though SELinux can help in keeping the bad guys out, are we sure that will keep the good guys’ noses out from our phones?
    Timeo Danaos et dona ferentes

Open vs. closed

There's a piece in Slate magazine by Esther Dyson that puts forward the idea that Steve Jobs didn't like open systems because he knew that Apple could do better.

"Openness is great, and a strategy I normally applaud: No single vendor is likely to be the best, so openness allows a broad range of suppliers to compete and differentiate so the best can emerge. The closed strategy makes sense only if you are the best. That is what Steve was."

    To an extent I agree but I think Apple was perceived as being closed for very different reasons. First, although Apple is not known for championing open systems it did develop WebKit and make it open source. WebKit is the core of Apple's Safari browser, Google's Chrome, the browser on the Kindle and Android. So that's quite a major contribution to the open source movement I'd say. I'm not sure if Apple is closed in the same sense as the opposite of open source. I see Apple's so called "walled garden" as being a way of ensuring that users don't get really crappy apps on their devices. Apple is vetting them for quality and since that costs $$s it takes a proportion of the apps sale price (zero if the app is free). 
    I think Jobs was all to well aware of the chaos that an unregulated market in software had caused in the Windows ecosystem and did not want that repeated on iOS devices. It's particularly important that your cell phone doesn't crash or contain spyware. I'm sorry but as more naive users buy computers they do need protecting from some fairly unpleasant people out there on the internet and that doesn't just mean anti-virus software. Somebody has to vet the applications people may be trying to install on their machines. Apple have taken it upon themselves to do that and it's not unreasonable that they get paid to do so. Remember that walled gardens were made to create a better micro-climate inside the garden than out.