Security risks? Privacy threats? Hell, these days, security and privacy issues are a dime a dozen. They are pretty much expected to be in any software system, web service, or computing platform, regardless of how obscure or unlikely an exploitation may be. So it’s no surprise when new vulnerabilities are discovered, but some flaws which pose security risks and compromise privacy are so obvious and obtuse that their potential threat is shocking, and even more shocking is when they appear to be intentionally put in place by manufacturers and developers. A couple of vulnerabilities discovered within Android in the past few months are exactly that…
Carrier IQ was one such vulnerability: a rootkit, installed on many Android devices by manufacturers and carriers, that is able to record keystrokes, passwords, text messages, browser history, and so forth. WTF?! Controversy and a legal battle surrounded the discovery, leading to the involvement of the EFF and other such agencies.
Another, somewhat more recent privacy issue related to Android was the discovery of HTC’s HTCLogger.apk by androidpolice.com. In this case, the good ole privacy-protection-minded folks at HTC went above and beyond the call of duty to protect their customers’ data by logging bookoos of it in plain text, where it is accessible by any application using the very common android.permission.INTERNET permission. Thanks guys!
Let’s make it clear though. Neither of these risque behaviors is committed by the actual Android system, nor are they exploits of technical flaws. The device manufacturers, and the carriers pushing those devices, are the culprits behind these invasive, and outright stupid, leaks of data, as they are intentionally putting this slaw dog garbage into their customized versions of the open-source Android platform. That’s why I was surprised by the somewhat slanted portrayal of these issues in an article on wired.com that paraphrases the androidpolice.com article. After correctly rewriting the findings of Trevor E. et al on Android Police in an effectively less-informative manner, the Wired.com article goes on to say:
Out of all the currently available mobile operating systems, security issues and exploits plague Android the most by far. Because applications submitted to the Android Market are not vetted by Google in advance, malware and insecure applications have a far greater chance of slipping in undetected. In August, McAfee released a report citing Android as the “most attacked operating system,” with Android mobile malware attacks jumping 76 percent in a three month period. In May, the popular Skype app for Android was also discovered to contain a security vulnerability, which could allow malicious apps access to personal data.
But as Android Police says, the Skype loophole pales in comparison to HTC’s security issues. Whereas Apple could deploy a quick fix just a week after its GPS-gate affair (which was little more than location data being cached in the iPhone and not being encrypted during backups), Android OS updates are notoriously slow to roll out. Because the carrier takes care of the updates, it can be months before they are pushed to customers, if at all.
It should be made clear (yet again) that this issue with HTC logging data and personal information is something introduced intentionally by HTC into their models, so there really is no reason that HTC and the carriers pushing the affected model would have a hard time pushing updates to remove it – they just have to do it.
Updates to Android which are “slow to roll out” are those made to the base, vanilla Android system by Google’s developers. They are slow to roll out because manufacturers/carriers have to take the updated base system, integrate their custom changes back into it, fix, test, modify, etc., and finally release to market. Aside from the costs and efforts required to do that, many carriers are commercially inclined to hold back major updates from existing devices, so that newly released devices can offer the newer platform exclusively, creating an artificial need for users to pay to upgrade to new phones. K thanks. There’s nothing inherent to Android’s design or architecture that makes updates slow; it’s the business models of the adopting manufacturers and carriers.
Android, being an open platform all the way down to system source code, introduces some interesting trade-offs. The rate of market penetration suggests that there is a rapidly growing community contributing to the platform in some way (duh), and the openness allows lots of uninhibited experimental and bleeding-edge development to reach the market, providing new tools and technologies to users at a fascinating rate. Just look at the number of carriers and manufacturers providing custom flavors of the platform with various enhancements, and look at the endless count of useful, creative, nifty and inspiring applications freely available for Android.
It’s great for geeks like me who want to experiment, test, bend, break and make, but it does put more burden on the end-consumer to be savvy and aware of the complexities within the system. Of course, the lack of restriction and review can sometimes amount to security vulnerabilities and risks for the end user, living within both applications and the platform they run in. It also puts burden on carriers and manufacturers to be aware of which issues affect their customized flavors and which do not, and to roll out the updates for those that do.
Android’s open source model is quite different than Apple’s proprietary, centrally controlled approach, and each has its own set of advantages and drawbacks for manufacturers and carriers, for developers, and for end users. And maybe Apple can get core-system updates (no pun intended on core) out to the user faster than Android is able to. But to blame the Android platform for HTC’s slow release of critical fixes to problems they intentionally introduce is misinformed.
One thing anyone can do is root and flash their device with CyanogenMod or any other custom Android system image. Many of the more popular custom ROMs are well tested, open-sourced, and thanks to the communities around them, have updates ready for many devices before phone manufacturers and carriers even begin.