Android's security weakness is a recipe for trouble
Android is now growing at a rate of 500,000 activated devices per month, or so announced development head Andry Rubin in one of his super-rare tweets from a biblical mountain top.That’s a healthy growth rate and probably better than...
That’s a healthy growth rate and probably better than anything Apple is doing let alone Windows Phone 7, which is still stuck in a metaphoric charging dock.
If Rubin gets around to reading a new analysis of Android security by Symantec’s Carey Nachenberg he might ponder that there’s a lot more to a successful mobile operating system than growth figures alone.
Nachenberg ranked Apple’s iOS security used on the iPhone and iPad as being, if not invulnerable then at least significantly superior to Android. You might think that this is true but beside the point. Apple is a locked and closed system, Android isn’t. Each model has its advantages and disadvantages and openness involves higher risk.
But how far are Android users going to get the benefits of Google’s relatively open model and are the security downsides fully understood?
In Nachenberg’s view, Android’s biggest security weakness is that it hands responsibility for making security decisions to the user through the design of its permissions system, much as Windows ended up doing on Windows for entirely different reasons with User Access Control.
What an app can do, of course, is more limited than on the weak security design of Windows, but far from foolproof. If an app asks a user for permission to do certain things, even quite suspect actions, it will be permitted to carry on as long as the user allows it.
Apple’s iOS is more restricted - which has its disadvantages - but at least the users can’t inadvertently fire the bullet into their own heads.
This is compounded by several wrinkles Google and Rubin seem reluctant to address openly, starting with the weakness of its Marketplace. Google should be vetting apps but doesn’t appear to do as good a job as Apple, as evidenced by malware incidents earlier this year.
How did these apps get there in the first place?
Then there is the issue of app impersonation caused by the ease with which developers can reverse engineer Java-based Android apps, and the ability to feed these to Android users through third-party download sites. Again, Google doesn’t ask developers to apply for code-signing certificates through a secure vetting system as does Apple.
Topping it off is the problem of version fragmentation (which leaves users with unpatchable, older versions) an issue Google does at least plan to address from 3.0 onwards.
No doubt Google has a plan to address these weaknesses but, so far, security still feels like an afterthought.