Maybe Android's security is broken, and maybe not, but the premise of this article is FUD. The ability to install software from any place without "vetting" by incompetent middlemen like Apple is a feature, not a bug. Software for the BlackBerry is not vetted by anybody, and it can be installed from any web page, email message, or storage card. The BlackBerry store is optional, not a bottleneck. And yet no such security problems plague the BlackBerry platform, which is vastly more widespread than Android is.
So please, keep the blame on the technical side. Turning over control of your program to middlemen is not a security enhancement.
Posted Feb 7, 2009 3:48 UTC (Sat) by jake (editor, #205)
> Maybe Android's security is broken, and maybe not, but the premise of this article is FUD.
While you may disagree with the article, and you make some reasonable points, it is hardly 'FUD'. Calling everything we disagree with 'FUD' only serves to dilute that term.
One of my points, which may well have been inadequately stated, was that there is no one serving the role that Linux distributions traditionally play for Android. There is a distinct danger to Android users who download applications and install them without thought. Given what you say, I am shocked, actually, that there haven't been security problems for Blackberry. Surely you don't think there are no malicious entities out there who would like to get malware installed on Androids, Blackberrys, or iPhones.
But I don't see any 'Fear, Uncertainty, and Doubt' being promulgated here.
jake
Android application security
Posted Feb 7, 2009 6:03 UTC (Sat) by dlang (✭ supporter ✭, #313)
I don't doubt that there is malware available for the blackberry.
but it's enough for malware to just be available for there to be a significant security problem, there needs to be a way for that malware to be run.
on windows systems this happens through network holes or application flaws when seeing specific content.
on the blackberry (and the Android) this requires that the user actually install the malware.
that doesn't mean that bad things don't happen, but it does mean that the scale of them happening is low enough that it doesn't generate any attention.
Android application security
Posted Feb 7, 2009 17:08 UTC (Sat) by jake (editor, #205)
> on windows systems this happens through network holes or application flaws when seeing specific content.
that's certainly one vector, but people installing malware on windows (and elsewhere) is pretty common. spyware, adware, etc. come with the latest codec that has to be installed to see the cool video of the day, etc.
less than clueful users (and even some clueful ones) voluntarily install dubious stuff on their computers all the time, why do we expect mobile phones to be any different?
jake
Android application security
Posted Feb 8, 2009 8:54 UTC (Sun) by dlang (✭ supporter ✭, #313)
mobile phones are not receiving spam targeted at them or seeing the same barrage of advertisements that a desktop user sees.
the spam thing may change (especially if there is a way to identify vulnerable users), but the number of portable users is much less than the number of normal computer users, and the connectivity of the portable users is significantly less (although it may be on full-time). as a result taking over these systems is less attractive to the bad guys.
the smaller screen means that a 'typical web page' with a paragraph of info surrounded by advertisements is unreadable, so users don't go there, or if they do, would have to go to extra effort to see the advertisements.
so, for all these reasons, I just don't see the mobile malware problem ever getting as bad as the windows malware problem currently is.
Android application security
Posted Feb 9, 2009 18:13 UTC (Mon) by bronson (subscriber, #4806)
> for all these reasons, I just don't see the mobile malware problem ever getting as bad as the windows malware problem currently is.
You don't see mobile malware bringing entire power distribution grids to their knees? Or infecting 1 in 3 handsets? Or spawning a $500 million / year industry devoted to broken-by-design antivirus snake oil?
Well, that's a relief! Guess we don't need to worry about it then.
Android application security
Posted Feb 11, 2009 10:40 UTC (Wed) by job (guest, #670)
Smartphones and PDAs aren't new. Symbian and Palm have orders of magnitude more user installable software than iPhone and Android. I fail to see the 1-in-3-handsets malware you speak of.
Android application security
Posted Feb 7, 2009 19:41 UTC (Sat) by jwb (guest, #15467)
You say:
> Unlike the iPhone App Store, Android applications are not vetted before being placed into the Android Market.
I think that's FUD. You hold up Apple as a positive example, and then you portray Android in a bad light because they don't follow the Apple example. But the fact is that the iPhone is the least secure mobile platform by a huge margin. Any iPhone application can do whatever the hell it wants, and "jailbreaking" is just a fancy word for exploitation of the platform's numerous gaping security holes. Their attempt to socially enforce security rules by bottlenecking application distribution is just a whitewash over their horrible security record.
By contrast both Android and BlackBerry have functioning technical security defenses. They should be applauded for having these security features, even if in Android's case those features are faulty and in need of fixing.
Android application security
Posted Feb 7, 2009 20:08 UTC (Sat) by jake (editor, #205)
> You hold up Apple as a positive example, and then you portray Android in
> a bad light because they don't follow the Apple example.
well, i am sorry you see it that way. i don't think Apple is a positive example, nor do i think i was portraying Android in a particularly bad light. i was simply pointing out a vulnerability. but, evidently, i didn't do it clearly enough.
the last sentences of the paragraph you quoted are possibly of interest:
"Given the problems with Apple's inconsistent and anti-competitive decisions on iPhone applications, Google's openness has some benefits. But it also has some pitfalls."
but i still find it very difficult to see how the article is spreading "fear, uncertainty, and doubt". YMMV
jake
Android application security
Posted Feb 8, 2009 23:42 UTC (Sun) by mikov (subscriber, #33179)
I for one found the article well written and thought provoking and did not think it was FUD (even though I am a huge fan of Android).
jwb does have a very valid point that the Android has a functioning security system, while the iPhone has none. Even though I already knew that, it didn't spring to my mind while I was reading, so perhaps it should have been mentioned. For better or worse Apple really has no choice but to carefully vet every single application.
Perhaps the best solution is a combination of both. Allow both verified and un-verified applications to be distributed and installed, and it is up to the user to choose to install an unverified one. The question is who is doing the vetting, how expensive it is and does it make economic sense?
Android application security
Posted Feb 9, 2009 11:48 UTC (Mon) by massimiliano (subscriber, #3048)
> The question is who is doing the vetting, how expensive it is and does it make economic sense?
Well, IMHO one key point is the freedom of doing the vetting, and the freedom of setting up a vetting system that is acceptable for the users.
With the Apple model this simply is not possible. The Android model, on the other hand, gives users a choice. We should not accomplish security by denying choice (the freedom to install any application he wants) to the user!
What I'd really like is seeing a healthy ecosystem of Free Software (or Open Source, as you like) applications available for Android. That would allow the review process to be public and distributed, which is the real reason why I trust my Linux distribution more than how I would trust a closed OS.
And it would be nice to educate the users to this kind of sensibility to freedom... which at least with Android is possible.