Android Security – making sense of all the choices

By Chris Buerger

Last week’s public release of the Security Enhanced (SE) Android project and associated source code is hailed by many as an important foundational step to add a new set of options to create secure Android devices. While the recent release of the code base by the National Security Agency (NSA) is familiar territory for Android experts such as Wind River, who have been designing and implementing comprehensive security layers for a wide spectrum of Android devices for a few years now, the portrayal of this development in the media as an all-encompassing security solution grossly oversimplifies the complex subject matter that Android security represents.

Simply speaking, compiling and flashing the SE Android code base on to your Nexus S will not make it completely 'secure.'

Wind River has been enabling Android devices for close to five years now. Based on that experience and over a decade of pioneering mobile Linux-based devices, four key security-related points stand out.

One, Android security is like a puzzle that incorporates many different pieces to create a truly secure device. Two, security is a use case driven concept; a military mobile communications terminal has a different definition and set of requirements for security than, for example, an Android software stack running on an in-vehicle infotainment system (IVI). Three, a security implementation is not a ‘fire and forget’ exercise. Care must be taken to architect a system that is both able to withstand new attack types and that can be upgraded in the field to the latest version of Android (and, if need be, specific security-oriented patches) while maintaining or improving its previous security level. Finally, simply declaring a software implementation as ‘secure’ is insufficient. There needs to be a test framework and automated test scripts that put the device under test (DUT) under stress, emulate attacks and deliver measurable proof-points that certain attack types will not interfere with the primary use cases defined for the target device. This test framework needs to be expandable to rapidly validate devices running the latest Android release as well as be flexible enough to incorporate new attack scripts.

Let’s take a closer look at these four points.

Based on our analysis, we have identified over a dozen distinct areas of Android security. This includes areas such as user identification/authentication, user data protection across multiple memory locations, incoming/outgoing data filtering, event recording to enable remote audits, the choice and implementation of a variety of cryptography technologies, trusted paths, rights management, virtualization and spatial/temporal domain separation, trusted boot, malware mitigation, firmware update protection, application installation management … the list goes on and on. To give you a visual reference, the situation reminds me of a recent family visit to an old Soviet submarine that had hundreds of control point valves that could be manipulated to manage the various systems on the ship. The required expertise clearly needs to exist in both the definition of the control points as well as in the knowledgeable management of them. On a submarine as well as in Android, you need to have experts that know which ‘valve’ to turn, when and how much. In addition, the choice of application processor technology (e.g. ARM vs. IA) can influence how to use, for example, embedded virtualization technologies such as Wind River’s Hypervisor.

To address the second point, Wind River has designed and implemented Android security technologies for a wide spectrum of devices ranging from custom-developed enterprise tablets to media phones, smartphones, tablets, IVI systems and devices used in the public safety and medical device sectors. Interestingly, a common thread that runs through all of these Android projects is that the approach to Android security is almost completely different for each device type. In other words, the device use cases mandated different priorities in the implementation of security technologies, different customizations to Android as well as different software validation concepts. To give you a concrete example, for a set of security concerns in the IVI space, check out the joint whitepaper from McAfee and Wind River. Understanding devices’ use cases is key and that step must be tightly coupled with Android security expertise.

Firmware management is a common enough concept in the mobile world. OMA-DM, for instance, has been used for many years in hundreds of millions of mobile terminals. The challenge that occurs for Android devices that fall outside of the smartphone world is that none of the generally operator-based device, user, services and policy management infrastructure exists. To fill this need, Wind River has developed a set of Solution Accelerators for Android that offer a choice of firmware management options to keep devices up-to-date with the latest Android security software. Additionally, a number of Wind River partners have also developed security-oriented policy management solutions that can be applied to meet specific use cases.

And finally, there needs to be expert testing of the Android security implementation on the target device. Of course, some testing can be done manually; however, using industry-leading automated test tools such as Wind River Framework for Automated Software Test (FAST) for Android can often deliver significant gains in test efficiency. This is especially true when Android DUTs need to be put under load by, for example, running an accelerated day profile test scenario as part of a soak test plan while concurrently running a set of attack scripts.

So, Android security is clearly not a ‘one size fits all’ situation. SE Android is but one component to developing a sensible, market-oriented software solution that provides additional security to the Android stack. Expert help is often needed due to the wide choice of technologies and options associated with a diverse range of device use cases. Seek out and engage with the global Wind River team should you have questions or concerns about building your secure Android device.


For additional information from Wind River, visit