Android Security Toolkit
Navy SBIR 2013.2 - Topic N132-115
NAVSEA - Mr. Dean Putnam - [email protected]
Opens: May 24, 2013 - Closes: June 26, 2013

N132-115 TITLE: Android Security Toolkit

TECHNOLOGY AREAS: Information Systems, Materials/Processes

ACQUISITION PROGRAM: PMS450, VIRGINIA Class Submarine Program, ACAT I

RESTRICTION ON PERFORMANCE BY FOREIGN CITIZENS (i.e., those holding non-U.S. Passports): This topic is "ITAR Restricted". The information and materials provided pursuant to or resulting from this topic are restricted under the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 - 130, which control the export of defense-related material and services, including the export of sensitive technical data. Foreign Citizens may perform work under an award resulting from this topic only if they hold the "Permanent Resident Card", or are designated as "Protected Individuals" as defined by 8 U.S.C. 1324b(a)(3). If a proposal for this topic contains participation by a foreign citizen who is not in one of the above two categories, the proposal will be rejected.

OBJECTIVE: This topic seeks innovation to develop a library of hardened and tested modules to fortify the security weaknesses of the Android Operating System (OS) and its related mobile applications.

DESCRIPTION: Technologies affected by this topic are commercial in nature and are focused on reducing the impact of short life cycles for commercial mobile devices. Personal Electronic Devices (PEDs) often have a shelf life of one year or less, and once they have reached end-of-life, they cannot be procured in a reasonable manner. Additionally, the Android operating system, as well as commercially developed applications, is refreshed at a high rate in order to increase hardware performance. There is tremendous opportunity to leverage the vast commercial investment in hardware and software development. By following a refresh cycle similar to that in commercial practice, the Navy will be able to keep pace with industry and use the vast improvements that are being delivered to commercial customers. However, there are logistical challenges associated with moving towards commercial hardware and software based PEDs. A major constraint is the security concerns of the Android OS and its applications. In order to facilitate widespread deployment and use of commercial PEDs, these security vulnerabilities must be addressed (Ref 2). A secure Android-based mobile platform would allow the Navy to capitalize on commercial industry's investment in Android-based hardware and software applications within the Non-Tactical arena.

Commercially available hardware-based technologies employed to aid in securing Android-based mobile platforms are closed and proprietary in nature. They often rely upon unsophisticated brute force attempts to lock down mobile devices in order to prevent rogue code from being executed on the device or unapproved people from accessing data. However, such methodologies greatly impact the device's utility and make it extremely difficult for the sailor to use one device to support multiple mission objectives. Emerging software-based security technologies are flawed in similar ways and also artificially and sub-optimally prevent device utility.

The tools and methodologies developed under this topic should support users in their day-to-day activities. The goal of this topic is to reduce the current workload of the Warfighter, rather than create new functionality or capabilities. This topic is focused on novel or innovative methods that will alleviate Android OS and application security concerns and serve as enabling technology for deploying modern Android devices in a DOD environment. While the technology is highly applicable to VIRGINIA Class Submarines, it will also apply to other modern Navy shipboard platforms.

The Navy seeks innovation in kernel hardening (Ref 1), process monitoring, and application management to augment the security of the Android-based PED and its applications by providing reusable and distributable software libraries that address one or more specific security concerns, and can be leveraged by third-party developers to create new applications. Suggested areas of research include, but are not limited to: data encryption (at-rest and in-motion), location awareness, remote device management, peer-to-peer networking and network traffic monitoring, remote locking, application installation restriction, and blocking of unauthorized access (Ref 2). The specific goal is to provide a set of security libraries that will allow multiple Navy programs to address their specific security needs while remaining interoperable with security requirements of other programs that may use a common hardware device.

PHASE I: The company will develop concepts for a library of hardened library modules to fortify the weaknesses of the Android OS and mobile applications developed for Android-based devices. Concepts must address the known security vulnerabilities in Android OS. The company will provide recommended security focus points. The company will demonstrate the feasibility of the concepts in meeting Navy needs and will establish that the concepts can be feasibly developed into a useful product for the Navy. Feasibility will be established by conceptual security module library testing and analytical modeling. The company will provide a Phase II development plan that addresses technical risk reduction and provides performance goals and key technical.

PHASE II: Based on the results of Phase I and the Phase II development plan, the company will develop security module libraries for evaluation. The prototype will be evaluated to determine its capability in meeting the performance goals defined in the Phase II development plan and the Navy requirements for this topic. Performance will be demonstrated through prototype evaluation in which compatibility with the Android OS and suitable applications must be demonstrated. Evaluation results will be used to refine the prototype into a design that will meet Navy requirements. The company will prepare a Phase III development plan to transition the technology to Navy use.

PHASE III: The company will be expected to support the Navy in transitioning the technology for Navy use. The company will develop an Android Security Toolkit for evaluation to determine its effectiveness in an operationally relevant environment. The company will support the Navy for test and validation to certify and qualify the system for Navy use.

PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: While products envisioned by this topic have broad applicability outside of the Navy, and many of the security layers might be commercially available, the exact deployment and operation of the products for the Navy's implementation must be kept unique. However, aspects of the Android OS security toolkit can be used commercially and would be useful to any organization that requires the use of mobile COTS communication devices that require a high degree of information security. Private sector interest may reside in business sensitive, personal information integrity, and financial operations.

REFERENCES:
1. Kenyon, Henry; "Army program for secure Android kernel technology gets attention of NSA and White House;" Defense Systems; 11 Oct 2011; <http://defensesystems.com/articles/2011/10/11/ausa-secure-android-kernel-technology.aspx>

2. Hernon, Mike; 500000 Apps (and Nothin' On), Will Mobile Apps Get Serious in 2011?; Department of the Navy Chief Information Officer; 21 Jan 2011; <http://www.doncio.navy.mil/ContentView.aspx?ID=2094>

KEYWORDS: personal electronic devices in a secure environment; peer to peer networking; remote locking of PEDs; software for PEDs; hardened application development; android operating system; remote PED management

** TOPIC AUTHOR (TPOC) **
DoD Notice:  
From April 24 through May 24, 2013, you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting May 24, 2013, when DoD begins accepting proposals for this solicitation.
However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (13.2 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 13.1 topic under which they are proposing.

If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at (866) 724-7457 or email weblink.