NSA code in Android OS

I thought the comic from the Joy of Tech was fairly cute and didn’t expect it to actually be true. After a bit of searching, it seems to be fairly well corroborated:

I found this quote from Business Week to be particularly interesting…

Through its open-source Android project, Google has agreed to incorporate code, first developed by the agency in 2011, into future versions of its mobile operating system, which according to market researcher IDC runs on three-quarters of the smartphones shipped globally in the first quarter. NSA officials say their code, known as Security Enhancements for Android, isolates apps to prevent hackers and marketers from gaining access to personal or corporate data stored on a device. Eventually all new phones, tablets, televisions, cars, and other devices that rely on Android will include NSA code, agency spokeswoman Vanee’ Vines said in an e-mailed statement.

Naturally, this made me wonder if the code does anything more than just make the devices more secure. I’d be curious to know if anyone in the Android community has actually examined the code to see if it has any hidden surprises. It also looks as though Apple doesn’t accept source code from government agencies… so there’s that.
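One way to start that examination: Security Enhancements for Android is the SELinux port that went into AOSP, and what it contributes is mostly mandatory-access-control policy, written as plain-text type-enforcement rules (`allow`/`neverallow` statements) that anyone can read. The script below is an added example, not code from this post, from AOSP or from the NSA: it parses a constructed, heavily simplified policy fragment (the type names such as `untrusted_app` and `system_data_file` are illustrative, and the `~`/`-` set forms of real policy are not handled), lists what an app domain is allowed to reach, and flags any `allow` rule that contradicts a `neverallow`, which is the same consistency check the policy compiler performs and the first thing a reviewer would look for in a vendor-modified policy.

```python
"""Toy auditor for SELinux type-enforcement rules of the kind SE Android uses.

Added example; the policy text and type names below are constructed for
illustration and are not taken from AOSP.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind src tgt cls perms")

# Constructed, simplified policy fragment (assumption: a real policy is far
# larger and uses attributes, macros and set complements this parser ignores).
SAMPLE_POLICY = """
# each app runs in its own domain and may only touch its own data
allow untrusted_app app_data_file:file { read write create unlink };
allow untrusted_app app_data_file:dir { search add_name remove_name };
allow untrusted_app system_file:file { read open execute };
# isolation guarantees the upstream policy insists on
neverallow untrusted_app system_data_file:file { write create };
neverallow untrusted_app { shell_data_file system_data_file }:dir *;
# a sloppy downstream addition that silently breaks the guarantee above
allow untrusted_app system_data_file:file { read write };
"""

# A set is '*', a brace-delimited list, or a single bare identifier.
_SET = r"(\*|\{[^}]*\}|[^\s:;{}]+)"
_RULE_RE = re.compile(
    r"^\s*(allow|neverallow)\s+" + _SET + r"\s+" + _SET + r":" + _SET
    + r"\s+" + _SET + r"\s*;",
    re.M,
)


def _parse_set(token):
    token = token.strip()
    if token == "*":
        return {"*"}
    if token.startswith("{"):
        return set(token[1:-1].split())
    return {token}


def parse_policy(text):
    """Return the allow/neverallow rules found in a policy text (comments stripped)."""
    text = re.sub(r"#.*", "", text)
    rules = []
    for m in _RULE_RE.finditer(text):
        kind, src, tgt, cls, perms = m.groups()
        rules.append(Rule(kind, _parse_set(src), _parse_set(tgt),
                          _parse_set(cls), _parse_set(perms)))
    return rules


def _overlap(a, b):
    # '*' means "every member", so it overlaps with anything.
    return "*" in a or "*" in b or bool(a & b)


def reachable(rules, domain):
    """Sorted (target_type, class, permission) triples the domain may use."""
    out = set()
    for r in rules:
        if r.kind == "allow" and domain in r.src:
            for t in r.tgt:
                for c in r.cls:
                    for p in r.perms:
                        out.add((t, c, p))
    return sorted(out)


def neverallow_violations(rules):
    """(neverallow, allow) pairs whose source, target, class and permission
    sets all overlap: the allow grants something the neverallow forbids."""
    bad = []
    for na in (r for r in rules if r.kind == "neverallow"):
        for al in (r for r in rules if r.kind == "allow"):
            if all(_overlap(getattr(na, f), getattr(al, f))
                   for f in ("src", "tgt", "cls", "perms")):
                bad.append((na, al))
    return bad


if __name__ == "__main__":
    rules = parse_policy(SAMPLE_POLICY)
    print("untrusted_app may reach:")
    for triple in reachable(rules, "untrusted_app"):
        print("  %s:%s %s" % triple)
    for na, al in neverallow_violations(rules):
        print("VIOLATION: allow %s %s:%s %s contradicts neverallow %s %s:%s %s"
              % (sorted(al.src), sorted(al.tgt), sorted(al.cls), sorted(al.perms),
                 sorted(na.src), sorted(na.tgt), sorted(na.cls), sorted(na.perms)))
```

Run against the sample, the script reports the single contradiction: the last `allow` lets `untrusted_app` write `system_data_file`, which the first `neverallow` forbids. Pointing the same logic at the `.te` files in an AOSP checkout, or at a vendor's modified copy, is how one would look for the "hidden surprises" the post asks about; on a device, `adb shell getenforce` tells you whether the policy is being enforced at all.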

I’m a big fan of open source for situations where it is appropriate — and many great technologies are developed this way. WordPress, with its vast plugin community, is a perfect example. The core is meticulously curated by a single organization, yet anyone can contribute to the project: contributions are reviewed, integrated, tested and then either approved into the platform or rejected. This Linux-style “benevolent dictator” approach works because one ruling body enforces and controls a single, universally consistent distributable version of the software.

This approach breaks down when someone modifies the core code, because responsibility for maintaining that code shifts to whoever modified it. Upstream updates can no longer be deployed without merging or reapplying the (expensive) local changes. Development against a branched version is no longer standard, and when this is left unchecked it complicates the landscape for every developer through mind-blowing fragmentation. Orthogonal additions (plugins, apps) are fine; taking ownership of a vast codebase is generally not, especially from a cost perspective, where unanticipated support costs can easily outweigh the revenue and make keeping the branch current cost prohibitive. In the WordPress world, this happens when a developer doesn’t respect the boundary with core code, and such developers are pretty universally considered sloppy. With Android, it is the phone manufacturers that alter the core OS for their devices and subsequently fail to maintain the software, which in practice means their devices stop receiving upstream fixes, security patches included. The OEMs have little choice but to take ownership of that support, since tent-pole features like Email and Calendar are not even part of the core Android framework.

An environment that requires each manufacturer to assume that level of support for a framework it didn’t create leads to a fragmented, unmanageable ecosystem that punishes application developers and end users alike. In this muddied landscape, the NSA has just as much right and reason to contribute to the codebase as any other organization. And hey, at least they’re contributing, right? Just make sure you understand that when choosing your next mobile device.