On 2013-06-13 18:14, Nathaniel Husted wrote: > This has been a topic I've been concerned with for a while > (http://www.csl.sri.com/users/gehani/papers/GTIP-2011.Android.pdf). I've > always argued a lot of the issues with Android's security are more > fundamental issues with the culture of the mobile computing arena as it > currently exists. Everyone tries to makes phones as locked down as possible > (with some exceptions being the Google sanctioned devices for AOSP > development). > > Other problems are due to engineering and design trade-offs without valuing > security highly enough. Android could have used a packaged based update > mechanism (behind the scenes) for only core components, but they did not. > They could have required carriers and device manufacturers let them be, > largely, in control of the platform, but they did not. I'm sure, given time, > we could come up with a number of things that Google could have done given > enough forethought (not that I would have expected them, or anyone else, to > predict these things), but did not do. > > All that leaves us in the situation we are now, and the process is so locked > down that I don't it will change much unless, as mentioned previously, > there's some legislative/regulator pressure. The cell phone closed platform > model wasn't an issue when they were just feature phones, but now they're > far, far, far more than then that, and the mobile device manufacturers need > to start wising up. I think the WP8 is a relatively decent start and a > trade-off between Apple's tryannical approach and Google's Laissez-fair > approach.
Comparing WP8 with Android is not completely fair since Android has existed much longer time and there are so many more models out there. In addition, WP8 has not been a target for exploits or security research since it 1) has limited volume 2) is based on closed source. Automatic updates are great in Linux but they only cover a single distribution which shows that this is a very tricky business due to all dependencies. In the phone-world there are a lot of proprietary drivers which makes things more challenging. Cheers Anders > > Cheers, > Nathaniel > > On Thu, Jun 13, 2013 at 11:55 AM, Jeffrey Walton <[email protected] > <mailto:[email protected]>> wrote: > > On Thu, Jun 13, 2013 at 11:43 AM, seattleandrew <[email protected] > <mailto:[email protected]>> wrote: > > ... > > > > Fine... tl;dr Samsung's built-in apps (i.e. the non-stock apps Samsung > > bundles in) allow any application installed on the device to leverage > their > > permissions, content providers, etc. Thus leaving a huge gap in the > Android > > security model. In other words, I can create an app that appears to > have no > > permissions, but rather uses the permissions from apps already > installed on > > the device. > That's one of two problems. Its either a Confused Deputy or Permission > Re-delegation. The paper should tell you which. > > > Okay, so what's up with my sensationalist title-- As security > researchers, > > professionals, enthusiasts, what can we do about this? For users I > imagine > > flashing a custom ROM or sticking with a Nexus device would suffice, but > > what about government and corporate implications? > Android is a tough sell for the Enterprise. Its hard to bring them > into an organization safely (barring split role phones with > technologies like BlackBerry Balance and Knox). > > > One of the biggest issues for me have been the speed at which Android > > updates to other devices, often referred to as fragmentation. In this > case I > > think the groups largely responsible for delaying security patches are > the > > carriers. This is because some of them take months/years to deploy > patches > > and updates and by then, exploits will have been in the while for a long > > time. Can carriers be held responsible for willingly delaying security > > patches to their customers devices? Even if the intentions are good, > e.g. > > "we want to retain a high QA standard that's associated with our > brand." I > > can't help but feel we need a different update model for these mobile > > connected devices. > Yes, this is a well known problem. > > I [personally] believe we - consumers and users - need legislative > relief. Waiting for a corporation to "do the right thing" is futile. > The risk equations need to be unbalanced because the current state is > nearly all carrot, and almost no stick. > > > Why aren't Security updates completely separate from Usability updates? > WIndows Phone requires OEMs and Carriers to make available updates in > a timely manner. Its a contractual obligation > (http://channel9.msdn.com/Events/TechEd/Europe/2012/WPH304). > > How about the illegal tying - you have to have Gmail account to get > bug fixes and security updates for a defective product Where's the FTC > when you need them? As soon as you use a Gmail account, data cross > pollination occurs because Google feels like your data is their data. > Confer: see how well your weather widget works on the homescreen when > you refuse to share data with Google. > > Jeff > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:android-security-discuss%[email protected]>. > To post to this group, send email to > [email protected] > <mailto:[email protected]>. > Visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at > http://groups.google.com/group/android-security-discuss?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
