Gphone vs iPhone: The security debate

ANALYSIS

Google's long-anticipated mobile plans finally emerged this week in the form of Android, the company's mobile Linux platform.

However, despite the short time that has elapsed since the platform's announcement, a debate has already been sparked around the security of its development. Can the open-source model produce secure code? Will phones based on Android, dubbed "Gphones" by many, be more or less secure than Apple's iPhone, which has been developed using proprietary software? What will Android's developers be able to do to stop authors of malicious code for mobile devices from capitalising on its openness?

Security vendor McAfee, which produces proprietary security software for mobile devices, has been quick to defend open-source practices for developing mobile code. McAfee is a member of the Linux Mobile (LiMo) Foundation, a group of companies formed to develop an open mobile-device software platform. Many of the companies in the LiMo Foundation have also become members of the Open Handset Alliance (OHA), which Google has formed to develop and promote Android.

Jan Volzke, global marketing manager for McAfee Mobile Security, said that Linux is not new to the mobile arena and maintained that secure coding practices can successfully be built into the Android development process.

"Japan has a large deployment, with 60 percent of phones powered by Linux. McAfee protection has been integrated in the majority of these mobile Linux phones for many years," said Volzke. "For any mobile-device platform, security should not be a developer option but a mandatory requirement. Consumers — as well as operators — expect devices to be safe from the outset, with no effort required from them."

Volzke said security can be built in from the beginning of the development process by collaboration between security companies, although, at the moment, McAfee is the only security player in the LiMo Foundation.

However, open coding practices still seem ripe for abuse. Making source code available to everyone inevitably invites the attention of black hat hackers.

"Linux has so far been used on the enterprise server-side, with most deployments being professionally IT administrated," said Volzke. "Due to a number of industry initiatives, especially the LiMo Foundation — and now also the Open Handset Alliance — Linux will become more widely available in the consumer space. As a result, visibility to already experienced hackers increases. Open means open to everyone — with [both] good and malicious intent."

The debate about the relative security merits of open-source as opposed to proprietary software development has been a very long-running one. Open-source software development has the advantage of many pairs of eyes scrutinising the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one of the disadvantages of open-source development is that anyone can scrutinise the source code to find vulnerabilities and write exploits.

The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering. However, as fewer people see proprietary source code, critics argue that code is more likely to be buggy. Some observers also claim that, once vulnerabilities have been found, updates are slower to be pushed out, especially by large multinational software companies.

Most security vendors try to avoid commenting on whether open-source or proprietary software is more secure, often arguing that it is like comparing apples to oranges.

Volzke said it was not possible to compare the security of development practices for Android-based devices and Apple's iPhone handset, which will be released on Friday. "Apple's iPhone has nothing to do with open source. Instead Apple will provide a software development kit," said Volzke. "Comparing the security challenges for an open-source device platform versus a device-specific software development kit will result in different conclusions."

However, one security vendor was willing to grasp the nettle, albeit gingerly. Ben Whitaker, head of security at mobile security development company Masabi, came down cautiously on the side of open source. "Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone," said Whitaker. "It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer [of both the iPhone and Gphone] won't be secure when the first product comes out."

Whitaker said that the iPhone has a number of vulnerabilities and that, as a smartphone with full internet connectivity, it would be more vulnerable than a strictly Java-based mobile platform, which he classed as "semi-smart". It will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based.

"[In the case of the iPhone], with any brand new web browser, malicious websites will take advantage of Ajax, JavaScript and ActiveX vulnerabilities," said Whitaker. "The less smart a phone is, the less vulnerable it is. [Android] developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks."

Whitaker added that, like the iPhone, Gphone devices will have vulnerabilities. "The Gphone could allow full apps to run on it, which would open it to keyloggers," said Whitaker. "At the moment, the Gphone platform doesn't run on an encrypted file system and has a vulnerable log-in. It's so stealable that these [an encrypted file system and a secure log-in] should by default be included."

With much development work yet to take place — and the UK market still waiting for both the Apple and Google-based devices to arrive — the jury remains out on which model will be most secure. But one thing is for certain: no device which connects to the outside world can be totally secure, and neither of these will prove to be the exception.

Talkback

Great article Tom; in summary I believe you said it all when you noted “no device which connects to the outside world can be totally secure”. As I consider the vulnerabilities that the gPhone and iPhone uniquely represent, I circle back to the necessity of a mobile security solution in today’s environment.

I know that, as the Founder of MyMobiSafe.com, I am naturally more biased than others about mobile security. The underlying truth is that a mobile security solution provides a level of security that every cell phone owner should consider. As this article points out the imminent threats of the mobile environment, every handset has its own unique vulnerabilities. The true protection that a mobile security solution provides is the continuous monitoring of the mobile environment so that potential threats can be mitigated before they become real vulnerabilities at the handset level. I respect the move of Google to adopt an open platform, but the reality is that they should probably consider buying a mobile security provider (MSP) in the process.

The more I consider the dynamics of the Google offering in wireless, the more an acquisition of an MSP makes sense. The reality of the mobile security industry is that those of us already in the market, like F-Secure, McAfee, Symantec, and MyMobiSafe, have all established the core technologies and monitoring centers to address issues before they become problems. By acquiring an MSP early, Google would be in the position to have the long-term security requirements of the Google Phone built in to the core operations of the MSP. Assuming a company like MyMobiSafe.com were to be acquired by Google, in addition to having a core mobile security group, Google would be able to capitalize on the revenue generated by the MSP across a diverse subscriber group.

In the beginning it might seem to be less expensive to sign an exclusive contract with an MSP, but in reality, unless Google acquires an MSP to bring them in-house, the level of security will likely fail over the long run. Realistically, the more I consider the dynamics of the mobile security industry, an early MSP acquisition by Google would seemingly pay for itself ten-fold. Either way Google moves forward, the reality is that mobile security is going to be a serious issue to contend with. An open-source OS only allows for greater creativity and thus greater potential vulnerability at the handset level. Android was a big move into what will ultimately become turbulent territory.

Your friend and mobile security guru,

Eric Everson,
Founder – MyMobiSafe.com
Eric.Everson@MyMobiSafe.com

MobileTech 8 November, 2007 23:22

This sums it all up. While open source is inherently more secure than most proprietary code, it can still be compromised. The user is the last line of defense, and must remain alert and always use caution when downloading or viewing sites. The good news is that a fix will be quick to arrive.

ator1940 9 November, 2007 13:58

Great point about the security aspects of these networks. I did a comparison of these on a consumer basis: http://www.openxfer.com/wordpress/2008/06/10/what-the-android-needs-to-do-to-compete-with-the-iphone/?21

It's valid to go back to consider the security of these devices as it seems like it's mostly forgotten in the last few months.

hairulex 11 June, 2008 12:05