eWeek published a puff piece promoting the security of Google’s Android operating system that is starting to show up on some mobile phones. It read like a rip and read job from a Google marketing brochure:
1 – Not really valid – we’ve said open source code gets more secure, more quickly, but it is the security focus of the development cycle that determines whether code starts out and ends up more secure.
2 – Running applications in multiple processes by no means guarantees that “no application gains critical access to system components”
3 – Starting from Linux does not guarantee a more secure OS.
4 – Access restrictions that somehow guarantee that applications won’t harm the user or touch sensitive data would be very nice. No evidence that they have actually achieved this.
5 – Code signing support, nothing new here, but a good thing.
6 – Total hogwash: “Google has shown time and again that it is focused on user security.” This has not been true to date any more than for any other software vendor.
7 – More hogwash – putting the bug reporting email address on your web site is pretty standard for every software vendor. I did an RN grading IT vendor web sites on this and other web site security pages over 5 years ago.
8 – Sounds like the UAC feature in Windows Vista, which didn’t exactly prove to be effective, let alone popular.
9 – Not building a media player into the OS is a good thing, but the claim that “One of the most common ways attackers gain entry to a mobile phone is through audio and video running in a web browser” is a totally false strawman.
10 – “Google gets the web” is certainly valid, but so was “Microsoft gets the desktop” – Google certainly does have a good view of web sites and through acquisitions of security companies like Postini does have a good view of malware running out there. However, talking with Gartner clients at our security conference and the recent Symposium, I listened to many complaints from unhappy Postini customers since Google acquired them – it is not clear that Google actually “gets” how to secure the web.
Yesterday, I pointed out that “Transparency plus inspection is the friend of security, freshness not so much.” This certainly holds true for Android – transparency and freshness, yes – inspection, not so much yet.