Saturday, February 4, 2012

U.S. officials to get secure Android phones

(CNN) -- Some U.S. officials this year are expected to get smartphones capable of handling classified government documents over cellular networks, according to people involved in the project.

The phones will run a modified version of Google's Android software, which is being developed as part of an initiative that spans multiple federal agencies and government contractors, these people said.

The smartphones are first being deployed to U.S. soldiers, people familiar with the project said. Later, federal agencies are expected to get phones for sending and receiving government cables while away from their offices, sources said. Eventually, local governments and corporations could give workers phones with similar software.

The Army has been testing touchscreen devices at U.S. bases for nearly two years, said Michael McCarthy, a director for the Army's Brigade Modernization Command, in a phone interview. About 40 phones were sent to fighters overseas a year ago, and the Army plans to ship 50 more phones and 75 tablets to soldiers abroad in March, he said.

"We've had kind of an accelerated approval process," McCarthy said. "This is a hugely significant event."

Currently, the United States doesn't allow government workers or soldiers to use smartphones for sending classified messages because the devices have not met security certifications.

Officials have said they worry that hackers or rogue apps could tap into the commercial version of Android and spill state secrets to foreign governments or to the Web through a publisher such as WikiLeaks. As many as 5 million Android users may have had their phones compromised by a recent virus outbreak rooted in apps found on Google's market, said security software maker Symantec.

But with a secure smartphone, a soldier could see fellow infantry on a digital map, or an official could send an important dispatch from Washington's Metro subway without fear of security breaches.

Developers in the government program have completed a version that has been authorized for storing classified documents but not transmitting them over a cell network, said two people contributing to the initiative. Smartphones cleared for top-secret dispatches -- high-level classified information that would compromise national security if intercepted -- are expected to be ready in the next few months, they said.

Rather than building special handsets hardwired with secure components, the government plans to install its software on commercially available phones, the people familiar with the project said. This approach is far less expensive and allows the government to stay up to date with the latest phones on the market, they said.

Android vs. Apple

There are hundreds of different Android models available, and more than half of all smartphones sold globally in a recent quarter use Android, according to industry research firm Gartner.

Verizon Wireless has sold more Android phones than any other U.S. cell carrier, thanks in part to its marketing emphasis interest on the Droid brand. About a year ago, Verizon also got the iPhone, ending AT&T's U.S. exclusivity with that device.

"There's a lot of interest in Android," Bryan Schromsky, a Verizon director for its wireless data services, said in a phone interview. "We are seeing Android sales across all branches of government."

Still, Apple's iPhone and iPad are also highly desired among U.S. officials, and people involved in the U.S. smartphone program said their goal is to support any type of smartphone. As CNN has reported, the Chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, uses an iPad to read his classified intelligence by downloading cables and disconnecting from the network.

However, the government chose to work on Android first because Google already allows people to tinker freely with its code, said those working on the project. Federal officials have met with Apple, but they were told they could not have access to the core of the company's mobile operating system, said Angelos Stavrou, an information-security director at George Mason University who is working on the government project as a contractor, in a phone interview.

"Android was more cooperative in supporting some of the capabilities that we wanted to support in the operating system, whereas Apple was more averse," Stavrou told CNN. "They're shifting the strategy now."

An Apple spokeswoman declined to comment on the meeting or any changes to its strategy.

Google publishes the source code for Android on its website for anyone to download and modify, and some partners are given access to the code before others. A Google spokesman declined to comment on the government project.

When Google releases a new version of Android or when a new version of its phones comes out, a compatible software update to the government's secure Android can be ready within two weeks, Stavrou said.

Emphasis on security

Government programmers are making security modifications to Android's kernel, which is the operating system's central component, the people involved said. The version will allow users to choose which data from Android and its applications can be sent over the Internet, they said.

"When you download an application on your phone, you don't really know what it does," Stavrou said. "We test the application in labs before the user consumes that application."

After testing more than 200,000 apps, the researchers discovered that many programs ask for access to far more personal information contained in the phone than they need and, more alarmingly, send some of that superfluous data to the app developers' servers, Stavrou said.

Even some well-intentioned features can compromise national security if left unchecked. For example, a weather app may automatically send a phone's GPS coordinates over the Internet to deliver a local forecast, or games may send the device's unique identifier along with a high score.

On government phones, officials will be prompted with detailed reports about what data may be sent, and they can decline or allow each transmission, the people involved said.

"People want to play 'Angry Birds,' and we do want our people to be able to download 'Angry Birds,' " Stavrou said. But he added, "If a clock application gets your GPS and transmits something over the network, that's not something that we would want to support."

Stavrou, along with seven others at George Mason and the National Institute of Standards and Technology, are developing the smartphone software. They are also consulting with several federal agencies, many within the Department of Defense, he said. He declined to name them.

"The government is actually working pretty hard in getting this technology to most agencies," Stavrou said. "Security is everybody's concern."

A secret project

Officials have not spoken in depth about the project until now. Reuters and some trade publications, including Government Computer News and FedTech Magazine, have previously reported some details.

"We are very cautious about what we release to the public," Stavrou said. "The details of the technology have been something that we have not publicly disclosed."

The project is funded by the Defense Advanced Research Projects Agency, the group responsible for early development of GPS and the Internet, Stavrou said. The Defense Department, which houses the agency, has designated the smartphone project as a priority, he said.

The National Security Agency has been designated with evaluating the smartphone software for certification, Stavrou said. The NSA gave approval for an earlier version of the system to handle classified data stored on a device, he said.

The NSA is also working on a competing system called SE Android, or Security Enhanced Android, Stephen Smalley, a National Security Agency official, wrote this month in a brief e-mail to a group of software developers that was obtained by CNN. SE Android is less flexible in supporting new devices or Android updates from Google and is unlikely to be deployed widely, Stavrou said.

An NSA spokeswoman wrote in an e-mail, "The ultimate goal is to give war fighters, analysts and other intelligence professionals access to classified information on the go -- boosting innovation in the field, efficiency and productivity."

In an unusual move for the federal government, each version of the secure Android operating systems will only need to be certified once before it can be deployed to any U.S. agency, said two people involved in the project. Typically, each agency does its own independent security testing, they said.

Also atypical is that the NSA published the source code for SE Android online. The same will be done with the Defense Advanced Research Projects Agency-funded project. Standardization group OpenSSL Software Foundation is helping with security compliance, said Steve Marquess, a co-founder for the company.

The NSA's Smalley announced the first release of SE Android with a two-sentence message two-sentence message on January 6 to a developer mailing list. He concluded by saying, "Enjoy!"

"We had to go through many hoops for that to happen," Stavrou said of the plan to open-source the software. "By handing the source code out, other people will be able to take a look and tell us about bugs."

Private interest

Many companies have expressed interest in the government smartphone project, officials said. The corporations that were among the first to adopt the BlackBerry are interested in Android, said Verizon's Schromsky. The Apple spokeswoman also noted that nearly all Fortune 500 companies are testing or have employees using iPhones and iPads.

Another obstacle for the government will be to figure out how to secure voice calls, Schromsky said.

"Voice is the immediate need," Schromsky said. "These devices are awesome. They can do so many things, but at the end of the day, I still need to make a voice call."

After the Defense Advanced Research Projects Agency project is certified for classified data, developers plan to work on securing the Android system for voice-over IP communications using apps such as Skype, Stavrou said.


Source

No comments:

Post a Comment