Securing Android for warfare
Editor's note: Tim Skutt provides an analysis of the vulnerabilities limiting use of Android-based wireless smartphones and tablets in military conflicts, and what can be done to protect them.
Armed conflict has radically changed due to developments in communications technology. Remotely operated unmanned vehicles and cyber warfare highlight this change. But most importantly, combatants can launch an attack from anywhere between a few hundred meters to half a world away, with equally devastating results.
Securing mobile devices for use by warfighters is crucial because the same capabilities that increase combatant effectiveness can also be subverted and used in unauthorized ways. Android, as an open source platform, provides the foundation for integration of appropriate security controls for the specific mission.
This article describes the use cases for battle-ready mobile devices and the threats against those devices, and identifies strategies for protecting mobile system services from disruption, corruption, espionage, and unplanned behavior. The specific implementation of these strategies is beyond its scope; the intention is a holistic overview of the challenges. As the vulnerabilities of mobile devices in the battle space are exposed, the value of a holistic approach will become clear. That approach includes threat and risk assessment, solutions that counter those threats, and testing and verification frameworks that enable efficient verification and approval.
Many military and intelligence use cases for Android-based mobile devices parallel consumer and commercial ones, including person-to-person communications and information transmittal, retrieval, and storage. For those reasons, leveraging the consumer and commercial market is attractive for military and intelligence organizations and has the promise of containing costs as well as providing the best possible capabilities for warfighters.
The following use cases provide examples of the device requirements and security-focused characteristics needed by warfighters, and represent points on a continuum of needs for secure mobile devices used in warfare:
- Electronic Flight Bag/Maintenance Tablet – A device not typically connected to a network during normal operation.
- Tethered Device – A mobile device that relies on an external device for data communication and protection functions.
- Secure Smartphone or Tablet – Integrated devices, including their commercial wireless interfaces, applied to the warfighter’s mission.
- Multi-domain Device – Single- or multi-user devices accessing multiple security domains.
Threats and Vulnerabilities
Threats against Android-based devices used for military or intelligence purposes are generally the same as for personal or commercial devices, and include:
- Unauthorized access to information
- Unauthorized destruction of information
- Unauthorized disclosure of information
- Unauthorized modification of information
- Denial of access to information
Mobile device software stacks consist of many layers of software, from low level boot firmware through operating system kernels, system services, middleware, and applications. Attackers can exploit vulnerabilities in any of these areas. As a result, protection strategies are needed that are flexible enough to address multiple use cases and comprehensive enough to counter the full set of threats against the device.
Commercial Android provides some protection against attacks (Figure 1), but those protections do not fully counter the threats against even the simplest use cases. Device rooting illustrates this: rooting is the process by which users of smartphones, tablets, and other devices running Android obtain privileged control (known as "root access") over the device, and the same techniques serve an attacker as well as an owner.
Enhanced protection strategies for Android include technologies that fill the gaps in Android, as well as in software layers surrounding the Android stack. These enhancements, when integrated with protections already provided in Android, cover the spectrum of threats against mobile devices.
Protection strategies that enhance commercial Android include five pillars of functionality supported by a foundation of Test and Verification as shown in the figure below:
Attack Detection and Prevention
Android provides some protection against attacks, for example Discretionary Access Control (DAC) and application sandboxing (each application runs under its own Linux user ID). These protections are not complete: DAC decisions rest on user IDs and permission bits, so a process running as root (super-user) bypasses them entirely, and an application with native code can attack kernel or privileged-service vulnerabilities directly.
In recognition of these issues, the U.S. National Security Agency (NSA) created SE Android, an Android-focused configuration of the proven SELinux with a security policy tailored for Android. By leveraging SELinux, SE Android enables Mandatory Access Control (MAC), which the kernel enforces according to a policy that neither users nor root processes can override and which provides much finer-grained control than DAC. This allows not only application-based attacks but also attacks invoked by root services to be prevented, and detected through the policy denials the kernel logs.
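The difference between the two models, as an added example in Go (not code from the article, from NSA's SE Android, or from any Android release): a DAC check beside a MAC check driven by a tiny parser for the allow-rule subset of SELinux policy syntax. The rules, the domain and type names, and the uid values are constructed for the example; a real SE Android policy is far larger, and on a device the kernel's access vector cache, not this code, produces the denial records.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is an access decision as the kernel sees it.
type Request struct {
	UID    int    // DAC identity; 0 is root
	Domain string // MAC identity: SELinux source type, e.g. "untrusted_app"
	Target string // SELinux type of the object, e.g. "system_data_file"
	Class  string // object class, e.g. "file"
	Perm   string // "read", "write" or "execute"
}

// FileDAC is the discretionary metadata on the object: owner and mode bits.
type FileDAC struct {
	OwnerUID int
	Mode     uint32 // POSIX mode bits, e.g. 0644
}

// dacAllows models DAC: root bypasses the mode bits entirely; other callers
// are judged by the owner or "other" bits (group handling omitted).
func dacAllows(req Request, f FileDAC) bool {
	if req.UID == 0 {
		return true
	}
	bit := map[string]uint32{"read": 4, "write": 2, "execute": 1}[req.Perm]
	if req.UID == f.OwnerUID {
		return (f.Mode>>6)&bit != 0
	}
	return f.Mode&bit != 0
}

// Policy maps "source target:class" to the set of permissions allowed.
type Policy map[string]map[string]bool

// ParsePolicy reads a small subset of SELinux type-enforcement syntax:
//   allow <source> <target>:<class> { perm perm ... };
//   allow <source> <target>:<class> perm;
// Comments and blank lines are skipped; anything else is rejected.
func ParsePolicy(text string) (Policy, error) {
	p := Policy{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, "allow ") || !strings.HasSuffix(line, ";") {
			return nil, fmt.Errorf("unsupported statement: %q", line)
		}
		body := strings.TrimSuffix(strings.TrimPrefix(line, "allow "), ";")
		f := strings.Fields(strings.NewReplacer("{", " ", "}", " ").Replace(body))
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed rule: %q", line)
		}
		key := f[0] + " " + f[1]
		if p[key] == nil {
			p[key] = map[string]bool{}
		}
		for _, perm := range f[2:] {
			p[key][perm] = true
		}
	}
	return p, nil
}

// macAllows models MAC: the decision depends only on the loaded policy and the
// domain/type pair; uid 0 gets no exemption. A denial comes back as an
// AVC-style audit line, which is what makes the attempt detectable.
func macAllows(p Policy, req Request) (bool, string) {
	if p[req.Domain+" "+req.Target+":"+req.Class][req.Perm] {
		return true, ""
	}
	return false, fmt.Sprintf("avc: denied { %s } scontext=u:r:%s:s0 tcontext=u:object_r:%s:s0 tclass=%s",
		req.Perm, req.Domain, req.Target, req.Class)
}

// samplePolicy is constructed for this example, not copied from any shipped
// SE Android policy: apps may read system data, only system_server writes it.
const samplePolicy = `
allow untrusted_app system_data_file:file { read getattr };
allow system_server system_data_file:file { read write create };
allow shell system_data_file:file read;
`

func main() {
	pol, err := ParsePolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	sysdata := FileDAC{OwnerUID: 1000, Mode: 0644}
	// A rooted shell (uid 0, SELinux domain "shell") tries to write system data.
	root := Request{UID: 0, Domain: "shell", Target: "system_data_file", Class: "file", Perm: "write"}
	fmt.Println("DAC allows:", dacAllows(root, sysdata))
	ok, audit := macAllows(pol, root)
	fmt.Println("MAC allows:", ok, audit)
}
```

The point of the pairing is the root case: DAC says yes because the caller is uid 0, MAC says no because no rule grants the shell domain write access to system_data_file, and the denial line is the signal a monitoring agent can act on.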
SE Android is a key part of preventing and detecting attacks against Android devices; however, much of Android's access control happens in middleware (the permission framework and the Binder-based system services) rather than in the kernel, where SELinux cannot see or mediate those decisions. Full protection of the Android stack requires the combination of SE Android and middleware controls that protect middleware services.
The NSA has also addressed middleware protection through Middleware MAC, a set of technologies that apply mandatory policy to middleware operations such as application installation and permission use. The combination of SE Android and Middleware MAC provides a potent set of protections for Android.
While SE Android and Middleware MAC provide protections within Android, they can only do their jobs if they are enabled and configured correctly. An attacker who can modify parts of the software stack (the kernel, the policy files, or the init process that loads them) can disable those protections, and nothing above that layer will notice.
To ensure that each software layer can accomplish its function, the correct software and configuration must be loaded and enabled, which is the job of a device integrity strategy. Device integrity starts at power-on, when the first code executes from immutable storage. Through boot and initialization, each layer verifies the integrity of the next layer before loading it, using a digest or signature anchored in that immutable root. This progressive verification gives the device a trusted foundation and ensures that the security protections are actually in place when the system comes up.
Throughout the device's lifecycle, both functional and security updates will be made. A secure update capability is needed so that updates preserve the integrity of the device: an update should be accepted only if it is signed by an authorized party, and a device should refuse to be rolled back to an older, vulnerable release. Additionally, a backup and restore mechanism supports recovery from either inadvertent or malicious modification.
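The progressive verification described above, with secure update built on the same check, as an added example in Go (not code from the article, from Wind River, or from any Android release). It assumes a vendor Ed25519 key whose public half is held in ROM, a signed manifest of stage digests that the ROM verifies before trusting anything else, and a minimum-version field standing in for a fused anti-rollback counter. Stage images and version numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Manifest: expected SHA-256 of each stage plus a version for rollback protection.
type Manifest struct {
	Version uint64
	Digests map[string][32]byte
}

// encode is the canonical byte string the vendor signs and the device verifies.
func (m Manifest) encode() []byte {
	names := make([]string, 0, len(m.Digests))
	for n := range m.Digests {
		names = append(names, n)
	}
	sort.Strings(names)
	out := fmt.Sprintf("version=%d\n", m.Version)
	for _, n := range names {
		out += fmt.Sprintf("%s=%x\n", n, m.Digests[n])
	}
	return []byte(out)
}

// Device: RootKey and MinVersion model ROM/fused values an attacker cannot change.
type Device struct {
	RootKey    ed25519.PublicKey
	MinVersion uint64
	Images     map[string][]byte // writable flash
	Manifest   Manifest          // writable flash
	Signature  []byte            // writable flash
}

// verifyManifest is the first link in the chain: signature, then rollback index.
func (d *Device) verifyManifest(m Manifest, sig []byte) error {
	if !ed25519.Verify(d.RootKey, m.encode(), sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	if m.Version < d.MinVersion {
		return fmt.Errorf("rollback: version %d below minimum %d", m.Version, d.MinVersion)
	}
	return nil
}

// Boot checks each stage against the verified manifest before handing over control.
func (d *Device) Boot() ([]string, error) {
	if err := d.verifyManifest(d.Manifest, d.Signature); err != nil {
		return nil, err
	}
	var booted []string
	for _, stage := range []string{"bootloader", "kernel", "system"} { // load order
		img, ok := d.Images[stage]
		if !ok || sha256.Sum256(img) != d.Manifest.Digests[stage] {
			return booted, fmt.Errorf("integrity failure in %s, halting boot", stage)
		}
		booted = append(booted, stage)
	}
	return booted, nil
}

// Update installs new images only if the new manifest verifies and every image matches it.
func (d *Device) Update(m Manifest, sig []byte, images map[string][]byte) error {
	if err := d.verifyManifest(m, sig); err != nil {
		return err
	}
	for stage, img := range images {
		if sha256.Sum256(img) != m.Digests[stage] {
			return fmt.Errorf("update image for %s does not match manifest", stage)
		}
	}
	for stage, img := range images {
		d.Images[stage] = img
	}
	d.Manifest, d.Signature, d.MinVersion = m, sig, m.Version // floor rises with the update
	return nil
}

// buildRelease is the vendor side: hash the images and sign the manifest.
func buildRelease(priv ed25519.PrivateKey, version uint64, images map[string][]byte) (Manifest, []byte) {
	m := Manifest{Version: version, Digests: map[string][32]byte{}}
	for stage, img := range images {
		m.Digests[stage] = sha256.Sum256(img)
	}
	return m, ed25519.Sign(priv, m.encode())
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	imgs := map[string][]byte{"bootloader": []byte("bl-v1"), "kernel": []byte("kernel-v1"), "system": []byte("system-v1")}
	m, sig := buildRelease(priv, 1, imgs)
	dev := &Device{RootKey: pub, MinVersion: 1, Images: imgs, Manifest: m, Signature: sig}
	fmt.Println(dev.Boot())
	dev.Images["kernel"] = []byte("kernel-v1 with implant") // tampered on flash
	fmt.Println(dev.Boot())
}
```

A tampered kernel halts boot after the bootloader has been verified. An update signed by the wrong key, or carrying a version below the floor, is rejected before any image is written, so an attacker holding an older, vulnerable release cannot reinstall it over a patched one.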
One of the primary purposes of smart mobile devices is generation, consumption, and presentation of information. Protection of information at rest as well as information in motion is required to ensure this is accomplished without risk to the information being exploited.
Android provides information-in-motion protection through commercial encryption libraries (for example, the TLS stacks used by applications), and recently Android incorporated information-at-rest protection (device encryption) as well. These are commercial solutions, however, and often do not satisfy military and intelligence cryptography requirements.
Enhanced cryptographic solutions are necessary for comprehensive Android security solutions. Both software as well as hardware implementations are available to satisfy the needs of warfighters.
In some use cases, protection of information between multiple domains is important. Android provides some separation, but publicly available rooting tools circumvent it. Isolating domains with more rigor is needed to ensure that attacks cannot cross domains.
SE Android, by virtue of its foundation in SELinux, can provide isolation between domains. That is not its primary purpose, however, and a single kernel compromise defeats it, since every domain shares the kernel that enforces the policy. Technologies such as secure hypervisors and other partitioning mechanisms should be used to provide additional isolation.
Secure mobile devices most often operate in a networked system and need to support the secure operation of that system. Capabilities are needed to support secure ingress, egress, and continued operation on these secure networks.
Secure ingress involves identification and authentication of devices and device users, as well as measurement and attestation capabilities so that a device can prove its security state to agents on the network before it is admitted. After a device is admitted, continued measurement monitors its state; device management solutions provide this monitoring and update devices as necessary. Finally, a device management solution should handle egress as well: when a device leaves the network, its credentials must be revoked so that they cannot be counterfeited or replayed by another device.
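Measurement and attestation at ingress, as an added example in Go (not code from the article or from any product). It assumes the device extends each stage's SHA-256 into a PCR-style register as it boots, that the device's Ed25519 attestation public key and the golden register value of the approved build were recorded at enrolment, and that the network-side verifier issues a fresh nonce for every admission attempt. Stage contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Event is one measurement-log entry: the stage measured and its digest.
type Event struct {
	Stage  string
	Digest [32]byte
}

// extend folds a digest into the register like a TPM PCR: new = H(old || d).
func extend(pcr, d [32]byte) [32]byte {
	return sha256.Sum256(append(pcr[:], d[:]...))
}

// measure hashes each stage in load order; returns the register and the log.
func measure(stages []string, images map[string][]byte) ([32]byte, []Event) {
	var pcr [32]byte
	var log []Event
	for _, s := range stages {
		ev := Event{Stage: s, Digest: sha256.Sum256(images[s])}
		pcr = extend(pcr, ev.Digest)
		log = append(log, ev)
	}
	return pcr, log
}

// Quote is the evidence a device presents at network ingress.
type Quote struct {
	Nonce []byte
	PCR   [32]byte
	Log   []Event
	Sig   []byte
}

func quoteBody(nonce []byte, pcr [32]byte) []byte {
	return append(append([]byte("quote:"), nonce...), pcr[:]...)
}

// MakeQuote (device side) signs the verifier's nonce and the register value.
func MakeQuote(ak ed25519.PrivateKey, nonce []byte, pcr [32]byte, log []Event) Quote {
	return Quote{Nonce: nonce, PCR: pcr, Log: log, Sig: ed25519.Sign(ak, quoteBody(nonce, pcr))}
}

// Verifier is the network-side admission agent for one enrolled device.
type Verifier struct {
	AK      ed25519.PublicKey // attestation public key recorded at enrolment
	Golden  [32]byte          // register value of the approved build
	pending map[string]bool   // nonces issued and not yet consumed
}

// Challenge issues a fresh nonce; each nonce admits at most one quote.
func (v *Verifier) Challenge() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	v.pending[string(n)] = true
	return n
}

// Admit checks freshness, signature, log-to-register consistency, and finally
// that the register matches the golden value.
func (v *Verifier) Admit(q Quote) error {
	if !v.pending[string(q.Nonce)] {
		return errors.New("unknown or already-used nonce: possible replay")
	}
	delete(v.pending, string(q.Nonce))
	if !ed25519.Verify(v.AK, quoteBody(q.Nonce, q.PCR), q.Sig) {
		return errors.New("quote signature invalid")
	}
	var replay [32]byte
	for _, ev := range q.Log {
		replay = extend(replay, ev.Digest)
	}
	if replay != q.PCR {
		return errors.New("measurement log does not reproduce the quoted register")
	}
	if q.PCR != v.Golden {
		return errors.New("device is not running the approved software")
	}
	return nil
}

func main() {
	stages := []string{"bootloader", "kernel", "system"}
	build := map[string][]byte{"bootloader": []byte("bl-v1"), "kernel": []byte("kernel-v1"), "system": []byte("system-v1")}
	golden, _ := measure(stages, build) // recorded from the approved build at enrolment
	pub, ak, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{AK: pub, Golden: golden, pending: map[string]bool{}}
	pcr, log := measure(stages, build)
	fmt.Println("admit:", v.Admit(MakeQuote(ak, v.Challenge(), pcr, log)))
	build["kernel"] = []byte("kernel-v1 with implant")
	pcr, log = measure(stages, build)
	fmt.Println("admit tampered:", v.Admit(MakeQuote(ak, v.Challenge(), pcr, log)))
}
```

Checking the nonce before anything else is what defeats replay of a genuine quote captured from a healthy device; checking that the log reproduces the quoted register is what stops a device from presenting an honest register alongside a doctored log. Continued monitoring after admission is the same exchange repeated on a schedule.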
As devices are enhanced, the underlying platform is modified, introducing the risk that the Android model (the platform behavior that applications and tools depend on) is broken. If the security solution breaks the Android model, much of Android's value is lost. Test and verification tools ensure compliance with Android standards and form a foundational part of the security solution.
A comprehensive test and verification solution provides confidence that the Android model is intact, and provides value for:
- Device development and regression
- Application development
- Infrastructure interoperability testing
- Certification and accreditation evidence
Holistic Device Security
Threats against mobile devices are broad, coming from device interfaces as well as the network, and they affect all layers of device software. Securing devices requires enhancing the protections already incorporated in commercial Android. With enhancements comes the risk of compromising the Android development and deployment model, so a testing and verification foundation is crucial to ensuring that security-enhanced devices still deliver the value of Android.
The combination of security enhancements with a comprehensive test and verification foundation provides the holistic approach needed to counter threats against the device. The Wind River Android security offering incorporates this holistic approach, and supports integration of both security enhancements tailored to the use case, as well as unique commercial Android capabilities, into security enhanced devices.
Tim Skutt is a Solution Architect at Wind River focused on applying Wind River’s secure and safety critical products to meet customer system objectives. Tim has over 20 years of experience and extensive expertise in security and safety partitioning (MILS and ARINC 653), secure Linux, Android, and real-time operating systems.