Tuesday, December 6, 2011

Android isn't safe

In the past I have not weighed in too heavily on the Android vs iPhone debate. It has seemed to me to be a matter of taste. However, I think a vulnerability to the Android platform has emerged that should concern anyone who ventures to use it. The problem is that all digital platforms have security vulnerabilities. Once the vulnerability is discovered, a race begins between the owners of the platform (who are trying to plug the security hole) and hackers (who are seeking to exploit the breach in order to steal identities and money).

An example of one such vulnerability is documented here (as linked by Daringfireball.net). Patching this will require a coordinated effort among Google (who builds Android), the individual handset makers, and the telecom companies that put those handsets on their networks (because the software on each phone has to be customized for each network). Google can't do this by themselves, because they have ceded control over the implementation of their software to the telecoms. The handset makers are really hardware manufacturers, and aren't that passionate about the software that runs on their phones. In fact, many Android phones are sold with old versions of the software installed, and then never updated.

"I don't care about having the latest features, it's just my phone," you might say. That's fine. However, when that phone holds your email, and account information for a myriad of other vendors you use, you should care! Many accounts, such as banks and travel accounts, use your primary email as a way to update your passwords. If someone hacks your email, they can then lock you out (and themselves in) to your accounts, and spend all your money and credit. Apple is certainly not immune to such security vulnerabilities. However, they have maintained control over how their operating system is implemented by the telecoms, and they screen software for malicious code before it is allowed on their gadgets. Furthermore, they are still manufacturing and updating the iPhone 3GS, which is now two generations old. Contrast this with Android phones, which are often abandoned by their telecom support long before the standard two-year contract is up.

 Caveat emptor!

1 comment:

  1. Hi Ian-- Is it true that "the software has to be customized for each network"? I was under the impression that the phone company _unnecessarily_ mars the Android OS by layering their own crap on top of it. That's the attraction of the Nexus phones-- just the Android, please.

    I think your point is well taken, but lacking a bit in balance. What you buy with the added vulnerability is freedom-- to customize your phone as you see fit and install whatever apps you think are appropriate, not what daddy Apple approves. The claim they are checking for malicious code may be true, but they also use it as an excuse to censor software that competes with (outperforms) their own offerings or violates their sense of morality.

    Also, the vulnerability of using your e-mail address as a password is not special to your phone. Instead of a strike against Android, your observation suggests not using a single e-mail address as the primary password governor.