Google’s Android team is asking carriers and handset makers to provide unlocking mechanisms for Android smartphones so that application developers can tweak the operating system without circumventing Android’s security.
Android, which is aggressively challenging Apple’s iPhone, is by nature open source. However, wireless carriers and handset makers “lock down” the devices to prevent tech-savvy folks from modifying the software that companies hand-pick for their specific handsets.
In truth, some developers deliberately exploit the device to gain root access (known as rooting), prompting claims that the platform is insecure.
When Engadget reported that the Nexus S (which launched unlocked or with a two-year contract from T-Mobile) had been rooted, a commenter claimed, in a not-so-delicate manner, this happened because Android’s security was inadequate.
Nick Kralevich, an engineer on the Android Security team, took exception to the claim in his blog post. He noted that Google-branded Android phones such as the Nexus One and Nexus S are designed to allow developers to customise the operating system.
Kralevich explained that all Android apps adhere to strict permissions and are “sandboxed” from each other to prevent any bugs from infesting other apps.
Despite Google’s efforts at protecting its platform and consumers for malcontents, there are those who conduct rooting attacks by exploiting a security hole on the device.
All of this is quite the windup for Kralevich’s closing. He argues that carriers such as Verizon Wireless and AT&T and handset makers such as Motorola and HTC are partly to blame because they do not readily allow benevolent developers to unlock devices for customisation.
This leads to tension between the rooting and security communities.
“We can only hope that carriers and manufacturers will recognise this, and not force users to choose between device openness and security. It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice.”
Ars Technica offers the best technical write-up of the issue here.
Nvidia to partner with TSMC, Foxconn, Wistron, Amkor and SPIL to build $500 billion (£377…
American think tank warns about possible threat to US defence, after China imposes rare earth…
China is reportedly pursuing three alleged US NSA operatives, after cyberattacks on Chinese infrastructure
Chip making giant ASML mirrors other equipment makers, and outlines financial impact of Donald Trump's…
AI is transforming cybersecurity, offering faster defence and smarter attacks. Learn how businesses can harness…
Search engine giant being sued for £5 billion ($6.64 billion) damages over allegations for online…
View Comments
True to form the carriers are being disingenuous. Giving the user root privileges is NOT inherently insecure: it is insecure only if you do it the wrong way -- which the carriers make MORE likely by forcing users to go to the "rooting community".
Consider the recent social analogue: when abortion was illegal, many people went to illegal, back-alley providers, at risk to their own health. But now that it is legal in most parts of the world, the official medical community can at least give reasonable guarantees that the procedure is safe for the mother -- if not the child.
Similarly here: if the carriers lock down the phone, then people go to back-alley providers, of at least slightly shady provenance and no guarantees. But if the carriers could ever get over their ridiculously high opinion of their own judgement concerning what software the user wants, then they would provide rooting capability themselves, making it much safer to root the phone.
So what is "the right way"? Ubuntu Linux has a very good example: instead of a superuser who logs in, they add all user's to the 'sudoer's list, so that the user is in superuser mode for one command only.
Now I will not claim that the Ubuntu model will work safely with no modification even in the phone environment, in Android's rather idiosyncratic version of Linux. But I will claim that it is the sort of thing carriers should be supporting, the right solution will look at lot like Ubuntu's.
Finally, yes, I am aware the article quotes Kraievich as also blaming the manufacturers. But from my experience with the OEMs (phone manufacturers), they do things like this because they believe, rightly or wrongly, that that is what the carrier wants.
Yes, they have a long history of designing the phones for what the carrier wants, NOT for what the end user wants. Android has made a dent in that, but that history has not lost its influence yet.