Google’s open source boss defends Android security issues

Google hits out at security industry, which replies citing lack of app review process
Kerry Butters

December 1, 2011

As yet more research uncovers further security threats in Android devices, Google’s Chris DiBona has accused security firms and anti-virus vendors of being nothing more than “charlatans and scammers” who create scare stories in order to sell their software.

Angry at what he sees as an attack on open source software in general, DiBona posted a rant on Google+ about why open source has little to worry about from viruses.

This has led to a number of reports that suggest that Google’s approach to the Android malware problem is nothing more than burying their head in the sand, something which worries the security community greatly.

New research out this week found that Android devices from manufacturers such as HTC, Motorola and Samsung don’t “properly enforce the permission based security model.”

The study was carried out by boffins at North Carolina State University, hardly the types to invent scare stories in order to sell security products.

Permission based security in Android devices ensures (or is supposed to ensure) that users can review permissions requested by an app before installation to make sure it doesn’t ask to do anything it shouldn’t.

On the phones that don’t properly enforce these, apps that have no business holding certain permissions can and do exercise them without the user’s intervention or knowledge.
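The permission model described above rests on the user (or a reviewer) being able to see what an app asks for before it is installed. The following is an added example, not code from the article or from Google, showing how that review step can be automated: it parses the `uses-permission` entries from an Android manifest and flags any that fall outside what the app’s stated purpose would justify. The manifest, the expected-permission set and the high-risk list are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Assumption for the example: a flashlight only needs the camera (for the LED).
EXPECTED_FOR_FLASHLIGHT = {"android.permission.CAMERA"}

# Permissions that can cost the user money or expose personal data; a reviewer
# should want a justification for each. Subset chosen for this example.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def review_permissions(manifest_xml, expected, high_risk=HIGH_RISK):
    """Compare what the app asks for against what its purpose justifies.

    Returns a dict with the full request list, the permissions outside the
    expected set, and the subset of those that are on the high-risk list.
    """
    requested = requested_permissions(manifest_xml)
    unexpected = [p for p in requested if p not in expected]
    flagged = [p for p in unexpected if p in high_risk]
    return {"requested": requested, "unexpected": unexpected, "flagged": flagged}


if __name__ == "__main__":
    result = review_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_FLASHLIGHT)
    for perm in result["requested"]:
        tag = "FLAG" if perm in result["flagged"] else "ok  "
        print(tag, perm)
```

Two caveats a practitioner would keep in mind: this check only sees what an app declares, so it catches over-asking (a flashlight requesting `SEND_SMS`) but not the enforcement failure the North Carolina State research describes, where an app uses a capability it never declared; and the expected set is a per-app judgement that has to come from a reviewer, not from the manifest itself.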

Malicious apps designed for the Android platform have seen a huge increase this year, worrying many a security expert.

The popularity of the platform makes for a perfect target for cybercriminals who can make money (and lots of it) by writing malware which signs users up to premium rate services.

However, according to DiBona, Android as a platform is no more at risk than any other OS and “no major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen.”

Google’s open source manager, though, seems to be missing the point that security researchers and vendors alike have been making.

Nobody is knocking Android as an OS; they are knocking Google over its app review process, which is the one real thing making the platform insecure.

Trend Micro’s Rik Ferguson hits back at DiBona in a blog post directly addressing his points and answering them.

He cites the problem as being with Google, as the official Android Market provides “no upfront vetting of code or functionality.”

“Couple that with the undeniable and deserved popularity of the platform, it is no surprise that criminals are already actively exploiting an opportunity here. It’s not the open source, it’s the openness of the source,” states Ferguson.

Whilst all phone OSes offer apps to their users, and pretty much all of them have had a malicious app or two pop up on their marketplaces, most get taken down quickly.

This isn’t the case with Android: users are most likely to be the ones who notice malware-infected apps, and the system relies on their reports.

This has led to malware-laden apps remaining available for weeks and sometimes even months.

Ferguson also accuses DiBona of “wilfully missing the point when it comes to the current threat landscape that confronts smartphone users today.”

Or to put it another way, burying his head in the sand.

It seems a surprising rant from DiBona insomuch as he attacks professionals who are basically working in the same industry and often providing valuable information to consumers, corporations and even governments.

Whilst all security experts seem to be in agreement that the insecurity of the platform is due to nothing more than Google’s review process, the only person who seems to disagree is a Google employee in charge of open source.

Why not just listen to what the security industry is saying instead? They are saying that open source is great, that the Android platform is rightly popular as it’s a great product and that tightening the review process would fix the malware problem.

As Ferguson points out, criminals are demonstrating “current, active and sustained criminal interest in the mobile platform”. They’re not going away, so why continue making it easy for them?
