Troops' Android Devices Put In Virtual Security 'Bubble'

The U.S. Department of Defense's Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Laboratory (ARL) have awarded a $21.4 million contract to security software firm Invincea, Inc., to secure Android-based smartphones and tablets for the military.

"Today, we have 3,000 to 4,000 users in an ongoing program in Afghanistan using a secure, robust Android handheld device," said Dr. Mari Maeda, deputy director, Defense Sciences Office, DARPA," in an article on the U.S. Army website. "We roll out new capabilities every three to four months, from new apps to new server capabilities."

Invincea's software uses "lightweight virtualization to protect apps from being compromised,'' said Anup Ghosh, Invincea founder and CEO. Currently, security on the desktop in the enterprise is reactive--it protects against threats it knows about ahead of time, he said. The software Invincea is designing for DARPA puts a browser "in a bubble so when it gets compromised, the system does not," without requiring signatures for each threat. Invincea's platform "seamlessly moves the browser, PDF reader, Microsoft Office suite, .zip, and .exe file types from the native operating system into secure virtualized environments without altering the user experience," according to a separate statement.

"DARPA is ... clearly signaling they view the mobile device as the new battle field for where threats are going to be coming in the military," said Ghosh. "What we're going to see in the future is exploiting the apps you have already downloaded by taking advantage of the vulnerabilities in them, and the classic example is the browser."

Most enterprises are still focused on mobile device management (MDM), which addresses "basic blocking and tackling" by enforcing corporate policies across devices, Ghosh maintained, including the ability to remotely wipe a lost or stolen device, as well as forcing the use of passwords and added encryption to read emails.

"Where we are not, as far as technology development goes, is addressing the mobile malware threats: malware apps and exploiting vulnerabilities in the trusted apps," said Ghosh. "The industry hasn't yet tackled those two problems."

MDM is less about security and more about the management aspect of mobile devices, concurred Chris Hazelton, research director of mobile and wireless at The 451 Group. With the contract, DARPA is ensuring that the Android OS on its mobile devices is secure and the browser is siloed when it puts them in the hands of soldiers, he says.

Click here for 7 ways to toughen enterprise mobile device security.

Besides the browser, another emerging area of attack is when users click on a link sent in SMS texts, Ghosh noted. Hazelton added that downloading malicious apps from websites or app stores are other logical points of entry on mobile devices, as well as when false Wi-Fi access points are created--and even through the use of Bluetooth and NFC.

DARPA's mission is to avoid "technology surprise," said Ghosh. "What they're saying by investing in this new technology is, 'We anticipate that the adversary is going to move from desktop-oriented exploits to smart, handled device exploits,' and they're trying to get out in front of a threat before it becomes pervasive and without requiring a signature."

He declined to comment on specific features of the software, saying DARPA will not allow the security firm to discuss them in detail.

As to why the software is being developed for the Android OS, Ghosh said the military feels strongly about layering in security software on top of the open source platform. "Ironically, for same reason [Android is] targeted so heavily [by malware creators] it's a good operating system to secure,'' he explains. "We will target securing Windows Mobile when it captures enough market share for adversaries to develop exploits for it. Before then it won't make sense."

As for the corporate realm, Ghosh doesn't believe enough enterprises are yet overly concerned about their mobile devices becoming compromised. "What we anticipate is the technology being developed under the DARPA contract to protect military phones for military apps will have application for business apps,'' he said.

What the military has started to do is a good move, said Hazelton, because the Invincea software will lock down the devices while still providing some freedom for the soldiers who use them. "It lines up with what the next steps are in the enterprise: managing the application, not just the device."