Android is the most secure mobile smartphone OS in the market today, thanks to the inherent sandboxing inspired from world’s most secure browser: Chrome.
Such security is really consumer grade, its secure in the real world but may not be secure enough for driving Top most secret tasks like the ones Government agencies like NSA is involved with.
The National Security Agency (NSA) released the first version of their custom build of Google’s popular OS, called Security Enhanced Android. The system is designed to minimize the impact of security holes on Android. The SEAndroid project is enabling the use of SELinux in Android in order to limit the damage that can be done by flawed or malicious apps.
SEAndroid is born with robust support for:
- Per-file security labeling support for yaffs2,
- Filesystem images (yaffs2 and ext4) labeled at build time,
- Kernel permission checks controlling Binder IPC,
- Labeling of service sockets and socket files created by init,
- Labeling of device nodes created by ueventd,
- Flexible, configurable labeling of apps and app data directories,
- Userspace permission checks controlling use of the Zygote socket commands,
- Minimal port of SELinux userspace,
- SELinux support for the Android toolbox,
- Small TE policy written from scratch for Android,
- Confined domains for system services and apps,
- Use of MLS categories to isolate apps.
You can integrate SEAndroid into your own Custom ROM. First, you should make sure that you are able to successfully download, build and run the Android Open Source Project (AOSP) source code by following the instructions starting from http://source.android.com/source/initializing.html
Once you have successfully built and run AOSP, you can obtain a local manifest specifying the SE Android git trees from http://selinuxproject.org/~seandroid/local_manifest.xml. Copy this file to the .repo subdirectory of your AOSP clone, and then run repo sync. Your tree should now include the SE Android modifications. For further dev info, visit the official Wiki.