Why you shouldn't worry that the NSA is inside Android's code

Why you shouldn't worry that the NSA is inside Android's code

Summary: People worry that Google is accepting code from the NSA and pushing it into Android, but really, don't we want some of those code breakers showing us how to do it right?


It's not difficult to jump to conclusions when you hear NSA, refining code, and Android in a single sentence, but that's exactly what a lot of people are doing.

I'm referring to the "revelation" that Google has accepted code from the US National Security Agency (NSA), and included it in Android.

Certainly, with PRISM hitting the headlines, it's a great time to get stuck into the NSA, but honestly, when that three-letter organisation starts meddling with something, it's not always for a bad reason.

And it would be an especially dumb move for the nation's code breakers when it is pointed out that Android is an open-source project where anyone can review anyone else's code (at least, code that's contributed by developers like the NSA). The NSA would be a laughing stock to place any back door in such plain sight.

The NSA's own code falls under its contributions to the Security Enhancements for Android project, which it describes as one that helps to "identify and address critical gaps in the security of Android".

If it at all sounds familiar, it's because the NSA has already done the same sort of thing with Linux in the form of Security-Enhanced Linux (SELinux). In fact, the NSA was one of the first developers for SELinux, and its changes have been already integrated into the Linux kernel for almost a decade.

To those people who seem worried that NSA-written code might make its way into Android devices the world over: Don't worry, it's already been all over your Linux distributions for years.

And speaking of years, let's go back farther. To 1975, in fact, to demonstrate that the spooks haven't always been trying to probe us.

That was about the time that the Data Encryption Standard (DES), developed by IBM, was published. The NSA's code-breaking sleuths had an interesting take on it once they got their hands on it. They wanted to reduce the proposed key length from 64 bit to 48 bits — because, hey, why not if you're the biggest code-breaking organisation in the US? — but it also made some unexplainable-at-the-time changes to the substitution boxes. These S-Boxes were just one part of the DES algorithm, and no one could immediately see why the NSA's changes would make much difference.

Conspiracy theorists of course came forth with claims that perhaps the NSA was weakening the encryption standard. But after time, the opposite was found to be true when an IBM researcher revealed in 1994 that the NSA's changes had actually strengthened the algorithm against differential cryptanalysis — a technique of observing how subtle changes to an algorithm's input changes the output, and, from this, determining what the key material might be.

And before it was eventually broken, as all encryption is once computers get fast enough, DES was like Linux and Android. It was everywhere. As the go-to standard for encryption, it was used in military networks, government installations, and anything that fell in between the '80s to the early '90s that needed some form of protection.

Evidence eventually pointed to the NSA doing the right thing, despite a decade of naysayers thinking the opposite.

I wouldn't worry about the NSA getting all up in Android, especially when it's open source and there's the potential for severe embarrassment if it decides to pull a quick one.

Go ahead and wonder whether it's intercepting our data ethically and legally, sure; but on these sort of projects, it's a good idea to have some code breakers on your side.

Topics: Security, Android, Google, Privacy

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Unlike Apple's iPOS, Android is open source

    You could not put NSA code into Android even if you wanted to. There are literally thousands kernels and ROMs out there that take apart Android source code and make their own. NSA code in the source code for Android has nowhere to hide. There are no binaries. This is a SOURCE CODE. The place that the NSA has no problem infiltrating and hiding in is Apple's iPhone and iPOS. You guys don't have a clue what's in there... and you never will... maybe Apple should rename the iPhone to NSA listening device. LOL
    • In practice...

      Android has many proprietary add-ons - other than Google's Nexus phones and tablets, every phone manufacturer adds its own interface tweaks, from MotoBlur to HTC Sense to Samsung TouchWiz and whatnot. These are not open-source and eavesdropping code could easily be embedded invisibly there.

      Not only that: even for the underlying Android kernel (and the Nexus devices), there is no guarantee that the manufacturer-compiled code that made its way into the device isn't bugged and faithfully corresponds to the published source code.

      One could, of course, compile one's own code from the published source and load the phone with it, but it's tiny fraction of users who have technical skills and knowledge to do so, and an even tinier fraction of that fraction who have interest, motivation or willingness to do so. In practice, if the NSA or any other agency, American or not, has the means to convince, coerce or mandate a phone manufacturer to embed spying code in Android (and they do have the means), they will, and it will be highly successful.
      • AOSP is all 100% Open source

        Hey goyta, you have no clue what you are talking about. 100% of AOSP is open source. Get it yet? All the roms and kernels I'm talking about are based off AOSP. Go to XDA and take a look at how many AOSP kernels and roms you can get for your phone. These are not the Samsung or HTC or Sony skins. These are based of 100% open source AOSP.
    • +Microsoft

      I'm pretty sure that Microsoft's Windows don't have any NSA code because Microsoft is sneaking by himself and probably automatically sending all the data with wishes according to the latest news how Microsoft helps NSA with passion
  • There is a difference...

    A private company can do whatever they want, within the law. The government is FORBIDDEN to do what they are doing by one of the very few statements actually spelled out in our Constitution. Breaking one of these is an act of sedition.
    Tony Burzio
    • not really sedition

      sedition is a person inciting people to rebel against the governmen, i don't think sedition is actually illegal, it's the inciting to riot is. what the NSA and FBI is violating the constitution behind the veil of secret courts and probably just straight up violating the constitution and issuing gag orders so the few people that really know cant talk about it.
  • Dumbest article I've ever read

    Yeah, and I'll let the maid move in because she is so good at cleaning the floors.
    • Huh?

      What the heck are you talking about?
    • Oops You're flagged

      for the doubts. Didn't you also criticize Putin? Oops Google Russia got a request on you. And how about commies? Did you ever say something? Oops Google China got a request on you. Said something about North Korea? Muslims? Oops oops oops oops
  • NSA coding

    Ok, it make sense. They know code, they know communications, and lots of stuff about coding, and decoding, so they should be able to write good code that is secure. Now, let's talk about their record for staying at the appointed job, and doing that job within guidelines. NOT so good. I seriously doubt that they would pass up the opportunity to embed code that will make any Android device wide open to them at the sending of a code sequence. We are dealing with people whose business is spying, and collecting information. Can they resist such a golden opportunity? I doubt it, and evidence recently argues against it.
  • Better locks?

    The point of the article is that the NSA contributed code helps the USER to have a more secure lock to keep out, in theory, ALL intruders. And while it is POSSIBLE for the NSA to have given themselves a "skeleton key" to intrude on users themselves, the author believes that the open source nature of Linux/Android would make such a key obvious to anyone with the technical knowledge to understand the source code.

    Whether true or not, I cannot personally judge. I would, however, be leery of buying a burglar proof padlock from a known burglar.
  • Well

    The NSA has made some great contributions over the years, not everything they do is bad. Maybe PRISM is a huge crap storm atm but thats not everything the NSA has done.
  • Points irrelavent

    why something of this nature is a zdnet article I don't know but the points you make can be argued. As a matter of fact there are many places where such code can be kept out of plain sight. Even encrypted and unseen without a backdoor.
  • Why you shouldn't worry that the NSA is inside Android's code

    Pssst! Hey folks, the cat is out of the bag already. The horse is gone, why bother to close the barn door? The Chinese have been building back-doors into system boards for years, WAKE ON LAN could be, and likely is, a huge open door. It's disabled on all my systems.

    Just don't converse about anything you don't want others to know about on your computer, email, Skype, IM, Android or hardline phone. Eye to eye inside a Faraday cage is the only safe means of communication. Or perhaps in a noisy crown using a pen and paper. And burn the paper.

    Trust your enemies - to BE YOUR ENEMIES. Don't trust the government. They break the very laws that are meant to be checks and balances on themselves.
    John Mood
    • It is plain naive

      to believe that governments are law abiding.
      patrick lion