Eweek published a puff piece promoting the security of Google’s Android operating system that is starting to show up on some mobile phones. It read like a rip and read job from a Google marketing brochure:
1 – Not really valid. We’ve said open source code gets more secure, more quickly, but it is the security focus of the development cycle that determines whether code starts out and ends up more secure.
2 – Running applications in multiple processes by no means guarantees that “no application gains critical access to system components.”
3 – Starting from Linux does not guarantee a more secure OS.
4 – Access restrictions that somehow guarantee that applications won’t harm the user or touch sensitive data would be very nice, but there is no evidence that they have actually achieved this.
5 – Code signing support, nothing new here, but a good thing.
6 – Total hogwash: “Google has shown time and again that it is focused on user security.” This has not been true to date, any more than it has been for any other software vendor.
7 – More hogwash. Putting the bug-reporting email address on your web site is pretty standard for every software vendor; I did an RN grading IT vendor web sites on this and other web site security pages over 5 years ago.
8 – Sounds like the UAC feature in Windows Vista, which didn’t exactly prove to be effective, let alone popular.
9 – Not building a media player into the OS is a good thing, but the claim that “One of the most common ways attackers gain entry to a mobile phone is through audio and video running in a web browser” is a totally false strawman.
10 – “Google gets the web” is certainly valid, but so was “Microsoft gets the desktop.” Google certainly does have a good view of web sites and, through acquisitions of security companies like Postini, does have a good view of the malware running out there. However, talking with Gartner clients at our security conference and the recent Symposium, I listened to many complaints from unhappy Postini customers since Google acquired them – it is not clear that Google actually “gets” how to secure the web.
Yesterday, I pointed out that “Transparency plus inspection is the friend of security, freshness not so much.” This certainly holds true for Android – transparency and freshness, yes – inspection, not so much yet.