October 21, 2008

Fears of Google Android Wiretaps and More -- Plus a "Security Proposal"

Greetings. First, I'd like thank everyone who sent me topic suggestions for last Sunday night's radio show. I was able to touch on a number of the suggestions and I hope we did them justice within the constraints of format and time.

Now to the subject at hand. With the first Google Android phone (the HTC G1) hitting the streets nationally tomorrow (though some pre-orders are already arriving, and the San Francisco T-Mobile store is starting to sell them today) reactions to my glowing endorsements of the Android open development and deployment model have been arriving at an increasing pace. Many of these reactions are negative and sometimes rather accusatory.

My view is that Android represents a massive sea change in mobile technology, with enormously positive potential implications for both consumer and corporate applications.

Quite a few people are taking me to task for this opinion, and they're suggesting that Android will bring a "pestilence" of dangerous and contaminated applications that will destroy users' data, wreck whatever remains of the U.S. economy, and (judging by the intensity of some statements I've received) perhaps also disrupt the space-time continuum.

Concerns over the potential dangers of Android applications appear to be raging in such quarters despite the fact that Google reportedly has a "kill switch" that can disable renegade applications when necessary -- a wise move in the context of such a sophisticated mobile platform.

I'm being bombarded with a range of Android conspiracy theories and related theoreticals, with a number of persons pointing at my own early 2007 discussion and video "Is Your Cell Phone Bugged?" and suggesting that Android represents the ideal platform for the sorts of "wiretapping" exploits I described.

It would be hypocritical for me to claim that an open platform like Google doesn't carry with it different sorts of risks than relatively closed platforms like the iPhone or Windows Mobile, not to mention completely proprietary mobile ecosystems.

But the potential positive benefits in terms of an explosion of wonderful applications for Android is likely to be like nothing we've ever seen before for mobile devices, and just as with the Internet itself, PCs, and even motor vehicles for that matter, to get the benefits of technology we usually have to accept some risks and potential downside aspects as well.

In the case of Android, reputation labeling of posted applications by the Android user community should go a long way to help weed out disruptive programs. And each program presents a manifest of its resources access requirements at install time (though admittedly there may be a tendency for many users to click-through these without much thought or sufficient understanding of the ramifications, and it's possible that granted privileges could be used for other than the "advertised" purposes).

OK, there are risks. On the other hand, it's about time that adult users of advanced mobile devices be treated as thinking adults who can make their own decisions about the code that they wish to run on their phones. Android treats its users as adults in this manner, for the first time from any mobile system vendor.

Yet there will be persons who wish to use Android platform phones -- like the G1 -- and who may be concerned that they simply do not have sufficient expertise to make informed judgments about which applications are safe to run, especially for programs relatively new on the scene. This is a valid concern.

So I'll make the following proposal and query. What say you to the idea of establishing a standalone group -- structure to be determined -- to review completely voluntary submissions of Android applications for pre-release security analysis of associated distributable installable Android packages?

This would not be a formal "certification" program, would never be a requirement of any kind. Nor would it offer guarantees of applications' performance. But it could provide a voluntary layer of independent expertise to look over applications in advance of release, so that those potential Android users who might be otherwise reluctant to run various programs (e.g. those from relatively unknown parties) can have added confidence in doing so.

Obviously, the devil is in the details for any such proposal, and I won't even attempt to dig into such details in this posting. But I would hate to see users who could greatly benefit from the openness of Android being unnecessarily scared off by the very aspects of open development and deployment that could be of such immense value to them.

Perhaps this sort of voluntary review program could help to bridge the gap of concern that significant numbers of persons may feel while moving from the dark, closed world of controlled mobile applications, into the bright, open world of Android.

Please drop me a line with your thoughts on this proposal. And if you might wish to participate in such a project, please be sure to let me know.

Thanks as always.

--Lauren--

Posted by Lauren at October 21, 2008 06:32 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein