> For example, consider an Android application which handles confidential
> medical records. The application's developer is under a legal obligation to
> protect the information. If you root your device and install a backup
> program like Titanium Backup, you may be compromising that data by backing
> it up. In essence, you've taken away the right of the application developer
> to determine how their application handles their data

You know, you're absolutely right! That must be why the medical industry doesn't use PCs to store medical records! Oh wait... I forgot! They do use PCs, and yet somehow the sky has never fallen.

The *owner* of the phone is the only user whose consent matters for rooting, reflashing, etc. If you're concerned about what the owner of the phone will do with the data in your app, make them agree to a contract before *using* the app. That's what laws and contracts are *for*.

Besides, remember that it's *not* rooting, it's openness:
http://android-developers.blogspot.com/2010/12/its-not-rooting-its-openness.html

On Dec 22, 3:33 pm, Nick Kralevich <[email protected]> wrote:
> On Wed, Dec 22, 2010 at 2:05 PM, BobMcCormick <[email protected]> wrote:
>
> > Being "rootable" is not, in and of itself, a bad thing. The owner of
> > the device should have the right to assert control of the device, just
> > like with a PC or a laptop.
>
> I'm not sure I entirely agree...
>
> One of the key principles of security, IMHO, is "consent". A system can
> only be considered secure if all parties involved consent to interact with
> each other.
>
> In the case of a phone, there are multiple parties involved. The main ones
> are:
>
> * The user or owner of the device
> * The application developer / content producer
> * The carrier
>
> (ignoring other parties like the government, employers, etc...)
>
> When a user "roots" their device using a security hole, they are bypassing
> the implicit consent granted by the other parties. This, IMHO, is a bad
> thing.
>
> For example, consider an Android application which handles confidential
> medical records. The application's developer is under a legal obligation to
> protect the information. If you root your device and install a backup
> program like Titanium Backup, you may be compromising that data by backing
> it up. In essence, you've taken away the right of the application developer
> to determine how their application handles their data.
>
> There's a role for legitimately unlocking devices. It's valuable and
> needed. But the unlocking needs to be done with everyone's full and
> complete consent.
>
> * Users should be able to choose what applications can be installed on their
> phones
> * Developers should be able to choose whether or not to run on a rooted
> phone.
> * Carriers should be able to effectively manage and control their network.
>
> IMHO.
>
> -- Nick
