Why you shouldn't worry that the NSA is inside Android's code

Summary: People worry that Google is accepting code from the NSA and pushing it into Android, but really, don't we want some of those code breakers showing us how to do it right?

It's not difficult to jump to conclusions when you hear NSA, refining code, and Android in a single sentence, but that's exactly what a lot of people are doing.

I'm referring to the "revelation" that Google has accepted code from the US National Security Agency (NSA), and included it in Android.

Certainly, with PRISM hitting the headlines, it's a great time to get stuck into the NSA, but honestly, when that three-letter organisation starts meddling with something, it's not always for a bad reason.

And it would be an especially dumb move for the nation's code breakers when it is pointed out that Android is an open-source project where anyone can review anyone else's code (at least, code that's contributed by developers like the NSA). The NSA would be a laughing stock to place any back door in such plain sight.

The NSA's own code falls under its contributions to the Security Enhancements for Android project, which it describes as one that helps to "identify and address critical gaps in the security of Android".

If it sounds at all familiar, it's because the NSA has already done the same sort of thing with Linux in the form of Security-Enhanced Linux (SELinux). In fact, the NSA was one of the first developers for SELinux, and its changes have already been integrated into the Linux kernel for almost a decade.

To those people who seem worried that NSA-written code might make its way into Android devices the world over: Don't worry, it's already been all over your Linux distributions for years.

And speaking of years, let's go back farther. To 1975, in fact, to demonstrate that the spooks haven't always been trying to probe us.

That was about the time that the Data Encryption Standard (DES), developed by IBM, was published. The NSA's code-breaking sleuths had an interesting take on it once they got their hands on it. They wanted to reduce the proposed key length from 64 bits to 48 bits (because, hey, why not if you're the biggest code-breaking organisation in the US?), but they also made some unexplainable-at-the-time changes to the substitution boxes. These S-Boxes were just one part of the DES algorithm, and no one could immediately see why the NSA's changes would make much difference.

Conspiracy theorists of course came forth with claims that perhaps the NSA was weakening the encryption standard. But in time, the opposite was found to be true when an IBM researcher revealed in 1994 that the NSA's changes had actually strengthened the algorithm against differential cryptanalysis, a technique of observing how subtle changes to an algorithm's input change the output and, from this, determining what the key material might be.

And before it was eventually broken, as all encryption is once computers get fast enough, DES was like Linux and Android. It was everywhere. As the go-to standard for encryption from the '80s to the early '90s, it was used in military networks, government installations, and anything in between that needed some form of protection.

Evidence eventually pointed to the NSA doing the right thing, despite a decade of naysayers thinking the opposite.

I wouldn't worry about the NSA getting all up in Android, especially when it's open source and there's the potential for severe embarrassment if it decides to pull a quick one.

Go ahead and wonder whether it's intercepting our data ethically and legally, sure; but on these sorts of projects, it's a good idea to have some code breakers on your side.

Topics: Security, Android, Google, Privacy

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
