US Navy to pay $1M to make Android more secure (sbirsource.com)
51 points by ariabov 1694 days ago | 50 comments

The DoD is committing to Android as a platform in a massive way. Apps 4 Army is a key example. The push is so large and widespread that I think it will force the whole US Gov't along with it. Everyone from political leaders, to soldiers, to doctors at VA hospitals, to employees at defense contractors, will be required to use Android because of government security certifications and custom apps. There's a good chance that Android will become the very dominant winner in the mobile platform space because of this.

Android is going to be the low cost field deployable random gadget, and this is an investment in bringing a minimum level of security to the platform.

For actual classified applications, the NSA (which provides solutions downstream to DoD and other groups) is already trying to standardize on a highly customized version of Windows CE built by General Dynamics that runs on XScale processors with NSA-specific modifications. Some publicly visible applications of this stack are the Sectera Edge (the phone that replaced Obama's Blackberry) and the DTD2000.

Windows CE will become the very dominant winner in the mobile platform space because of this. :)

Windows CE? I'm surprised. I always thought the NSA really seemed to be embracing Linux.

I guess the way the Government sees the situation is: if they're paying Microsoft to provide them with a service/software with guarantees drafted up into a contract, when SHTF the Government can turn it all back on Microsoft and say, "But the contract stated you would be providing a secure platform..." You'd be surprised how popular Windows CE actually is. I've seen it used a lot on touchscreen kiosks here in Australia.

Well, I certainly hope of all our governmental organizations the NSA is going to be the least inclined to satisfy themselves with "passing the blame to the supplier when security is inevitably compromised".

Yes, it's used in single board applications like the mini2440. Though Android 2.3 is quickly gaining popularity due to how simple it is to adapt and run.

I've heard this before. Remember 15+ years ago when the US Army chose WebObjects because it was so obscure it had no security issues? How is their adoption of Apple server gear since then?

DoD has a very effective PKI system using smart-cards deployed, so I wouldn't be as surprised as you to see them develop a baseline of software for Android.

What I would be surprised about is whether it's usable without needing 7 different contractor apps installed, or less than 3 years behind the times.

Now there is some pie-in-the-sky hope. I don't think it is going to play out that way though.

It would be pretty irresponsible for them to standardize on a single source vendor for this, so what are the alternatives? WinMo? Plus the government already has a long history of investing R&D into securing Linux-based systems.

The alternative is to support multiple platforms. Standardizing on a single platform is as foolhardy as standardizing on a single company. Even open platforms have de facto owners/controllers (Java anyone?).

Government and multiple platforms. That's cute. I guess you've never worked an IT job in the government before.

> It would be pretty irresponsible for them to standardize on a single source vendor

What they typically do is write the specs to an existing product; sometimes it is laughable really, you can tell exactly the product they mean without them actually mentioning its name. That is one way to put out bids that on paper look open and not tied to a particular vendor but in practice they are.

The other way is to do a pie in the sky kind of write-up. We want something that does everything and we're requesting quotes for it. That is silly as well.

What type of deluded nonsense is this? Since when did adoption by the US government decide who will win the mobile platform 'war'?

And I was under the impression that Apps 4 Army was built for iOS first. Does that mean iOS will now 'win'?

Summary -

The US Navy wants to use (near) commercial Android devices. These might be used to display confidential reports (as in a normal business), but may also be used to control the ship.

The Navy already have secure versions of Linux and Windows, and want something similar for Android.

This will take the form of additional security layers, similar to the ones the NSA did for Linux[1].

Some of them will be made commercially available, hopefully increasing security to the whole platform. If this included e.g. application sandboxing, you can see that it would be of general interest, particularly to people with similar needs (Android-based control terminal for a power station, or sys admin wants to roll out policy to corp devices).

Android is becoming the default embedded OS for a lot of UI, so it's really nice to see this.


Hmm, who actually is the one to usually do this sort of thing?

Clearly it is a good idea, but I don't think it really makes sense for the Navy to do it for themselves. Isn't this more the sort of thing the NSA should be doing on the behalf of everyone else in government?

I think the Naval Research Laboratory is more than capable.


NSA handles crypto, certainly (though even that is being pushed ahead by NIST), but the Navy already has been developing software (or overseeing its development) for decades.

They named a ship after Admiral Grace Murray Hopper, after all, and even today their Virginia-class SSNs already use Linux in some areas.

Perhaps even the same. Android is pretty much Linux and converging fast. They can probably reuse a lot.

I found it interesting that they specifically called out use on Virginia-class submarines. As a former submarine officer myself, there certainly are some applications on board where this would certainly make sense. (Not in the engine room operationally, but in other areas definitely.)

Yes, that struck me as odd actually. What about those submarines makes them a good fit with Android technology?

There's very little space on board a submarine. If the Navy was willing/interested in putting paper-based workflows onto Android devices, it could save a good amount of physical space on board.

I just don't see the phone-sized form factor working too well. Maybe for taking log readings or simple lineups shifts it would be nice, but anything beyond that is either going to require SUBSAFE certification (e.g. fly-by-wire interfacing) or need to be tablet-sized or larger (e.g. running DC Central or looking up operating procedures).

And God only forbid you drop one of those mobiles in the bilge...

Like the other commenter, I think the opportunity is more for tablets, too.

There are just so damn many things that need to be logged and tracked on paper and that don't have anything to do with [reactor operations, SUBSAFE, emergency/DC procedures]. If you can reduce the stacks of binders and/or manuals, and also improve process compliance, it would be well worth the effort.

Don't forget that Android is not just for mobile phones (cell phones for our friend from across the pond). Think of it as a portable personal device running an open sourced operating system with an emphasis on touch based UI.

This made me think of Halo/Star Trek, I can imagine a commander on deck speaking into a Navy-spec Android device 'Captain's log, Gregorian calendar date ...'

In all seriousness though, I forgot how premium physical space is on a submarine, this makes sense to me!

The fact that this project is "focused on reducing the impact of short life cycles for commercial mobile devices" excites me as I'm sure many folks dislike how quickly technology grows obsolete and stale when you just bought a new phone and a new one comes out a few weeks later. That being said, security of mobile devices is an increasingly important issue as we become more and more reliant on information connectivity for our daily lives.

I would be curious to hear the results of Phase I and of course look at the framework they use to extend the Android OS.

Why not try to commit the Security extensions into the Android project?

They didn't say they're lengthening the life cycle, they said they plan on reducing the security impact of such short life cycles.

The Navy has an SBIR solicitation out for this topic, but it does not necessarily mean that it is going to put up $1MM. Phase I funding is small (less than $100k per award) and sometimes no Phase II contracts are awarded for a topic. Of course, the Navy could also spend much more than $1MM if they decide to fund multiple Phase IIs (also not uncommon). It really depends on the results they see during Phase I and the importance of the topic compared to other funding opportunities.

The average is for them to fund 2-5 Phase 1 awards at $150K and then 1-2 Phase II awards of $1MM each based on the most promising of the Phase I. Given recent changes to the SBIR program, note that Phase I SBIRs can now be for $150K and Phase IIs at $1MM.

It can happen, but is rare, that they would fund nothing on a topic in the solicitation.

And as you say, compelling results out of the SBIR work can lead to follow-on work that is >> $1MM.

The short of it is, the Navy is interested in this topic, and if you have a small tech business with innovative ideas in this space there is a great funding opportunity here for you to advance your tech and grow your business.

Note: By "less hackable" they mean "more secure" and not "less open".

I think the military appreciates the security advantages of open source more than many other organizations. There's really no way to trust national security information to black-box proprietary systems. This concern has even extended to the actual chips running the software, since they're often made in China.

I always assumed the military would insist on having full source code for everything they used, to protect against an important supplier going out of business and the like.

I'd be surprised if they didn't have access to all of the code for pretty much every Windows product for example.

The problem is support. If DoD actually does a source update to a supported software package, such as Windows XP, MS is not required to support that update. From what I understood, if it's a security flaw, or major operational impact, they work with MS to fix it and that doesn't cause support problems to the same extent.

The rise of Android-based embedded devices is coming. Android already ate ~70% of smartphones sold and is now spreading to non-phone areas, like car systems, fridges, cash machines and so on. I really hope Android will become even more secure in the next few years. Otherwise ... imagine it for ourselves.

Why doesn't Google apply? :) They get $1 million to improve Android security - and they can just do it and integrate it into the next release for everyone!

Google is far from a small business, these are funding opportunities for companies with less than 500 employees.

The SBIR program is the largest Federal source of non-dilutive seed-stage funding available. The program is highly competitive, but this funding is available exclusively to small (e.g., < 500 employees) businesses.

The intent of the program is to drive technology development and new business creation and spur innovation in areas to meet identified national needs (in this case a need by the Navy).

This comes hot off the heels of the ACLU filing an FTC complaint about lack of security: http://www.aclu.org/blog/technology-and-liberty/aclu-files-f... Interesting that where the market and the FTC fail to act, the Navy finds it necessary to pick up the slack.

Can anybody comment on how the Navy restriction to US citizens only developing this plays into the FOSS ecosystem of Android? I assume most of it is GPLv2, so isn't this immaterial? Why would it matter when the code is completely FOSS?

Because it's a legal and/or regulatory requirement, which are not required to make sense in the scope of unusual market environments, let alone normal ones. :-/

Seems like a great idea. I expect most of their contributions will make it back to open source via AOSP, and people will be able to run their own secure non-proprietary versions of Android.

The whole device hardware and software needs to be certified. It is hard to make a secure piece of software and prove it so if the hardware or firmware it is running on is compromised.

Pfft. Have you ever had a project EALx/Common Criteria certified? The program is a joke. You can certify a ham sandwich if you document what brand of mayo you use.

We had some experience with it but indirectly. EALx is a bureaucratic joke, but I see FIPS 140-2 more emphasized.

The higher the level of the customer (the more authority they have) the more flexible they are. Some lower level labs don't really have much of a choice but to accept a standard boilerplate set of certification stamps.

FIPS 140-2 is very narrowly constrained and the parts that aren't crypto-related are the same kind of boilerplate make-work that EAL2/EAL3 is. But also bear in mind that you can pull a list of EAL4+ products right now, and quickly see how many of them have had ridiculous vulnerabilities.

Has anyone on HN experimented with the Samsung security stuff yet?

Fucking Navy. First they waste tons of money on NMCI and then tons more on Navy ERP. I'm amazed anything works.

NMCI is actually quite successful in meeting most of its design criteria. Unfortunately said criteria don't seem to include rolling releases to recent software, or cost effectiveness (the contract seems optimized to ensure you have to go through the help desk for anything and incur a charge).

I can't speak to ERP but I'd be surprised if it were any worse than our existing menagerie of mainframe-based "corporate data" systems that run batch transactions once a day and require tedious manual correction seemingly all the time.

For all of you Flipper fanatics, I found a gem of a funding source "To develop probiotic pharmaceuticals to treat and prevent gastrointestinal disease in dolphins and improve their health through the utilization of indigenous commensal microbes of these marine mammals." https://sbirsource.com/grantiq#/topics/87793 . Big money to solve these big problems: http://www.youtube.com/watch?v=6S6PPKUDGfc
