Google’s Android team is asking carriers and handset makers to provide unlocking mechanisms for Android smartphones so that application developers can tweak the operating system without circumventing Android’s security.
Android, which is aggressively challenging Apple’s iPhone, is by nature open source. However, wireless carriers and handset makers “lock down” the devices to prevent tech-savvy folks from modifying the software that companies hand-pick for their specific handsets.
In truth, some developers deliberately exploit the device to gain root access (known as rooting), prompting claims that the platform is insecure.
When Engadget reported that the Nexus S (which launched unlocked or with a two-year contract from T-Mobile) had been rooted, a commenter claimed, in a not-so-delicate manner, this happened because Android’s security was inadequate.
Nick Kralevich, an engineer on the Android Security team, took exception to the claim in his blog post. He noted that Google-branded Android phones such as the Nexus One and Nexus S are designed to allow developers to customise the operating system.
Kralevich explained that all Android apps adhere to strict permissions and are “sandboxed” from each other to prevent any bugs from infesting other apps.
Despite Google’s efforts at protecting its platform and consumers for malcontents, there are those who conduct rooting attacks by exploiting a security hole on the device.
All of this is quite the windup for Kralevich’s closing. He argues that carriers such as Verizon Wireless and AT&T and handset makers such as Motorola and HTC are partly to blame because they do not readily allow benevolent developers to unlock devices for customisation.
This leads to tension between the rooting and security communities.
“We can only hope that carriers and manufacturers will recognise this, and not force users to choose between device openness and security. It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice.”
Ars Technica offers the best technical write-up of the issue here.
Microsoft faces formal EU antitrust charges over videoconferencing app Teams after concessions to European Commission…
Workers at New Jersey Apple Store vote against joining union as post-pandemic labour drive at…
Microsoft-backed OpenAI releases new AI model GPT-4o with voice conversation capability, desktop app and updated…
SpaceX prepares fourth Starship test flight, launches more Starlink satellites, shows EVA suit for commercial…
SpaceX and its contractors have left construction bills unpaid in Texas, angering many smaller suppliers,…
US to triple domestic chipmaking capacity and control 30 percent of advanced chips by 2032…
View Comments
True to form the carriers are being disingenuous. Giving the user root privileges is NOT inherently insecure: it is insecure only if you do it the wrong way -- which the carriers make MORE likely by forcing users to go to the "rooting community".
Consider the recent social analogue: when abortion was illegal, many people went to illegal, back-alley providers, at risk to their own health. But now that it is legal in most parts of the world, the official medical community can at least give reasonable guarantees that the procedure is safe for the mother -- if not the child.
Similarly here: if the carriers lock down the phone, then people go to back-alley providers, of at least slightly shady provenance and no guarantees. But if the carriers could ever get over their ridiculously high opinion of their own judgement concerning what software the user wants, then they would provide rooting capability themselves, making it much safer to root the phone.
So what is "the right way"? Ubuntu Linux has a very good example: instead of a superuser who logs in, they add all user's to the 'sudoer's list, so that the user is in superuser mode for one command only.
Now I will not claim that the Ubuntu model will work safely with no modification even in the phone environment, in Android's rather idiosyncratic version of Linux. But I will claim that it is the sort of thing carriers should be supporting, the right solution will look at lot like Ubuntu's.
Finally, yes, I am aware the article quotes Kraievich as also blaming the manufacturers. But from my experience with the OEMs (phone manufacturers), they do things like this because they believe, rightly or wrongly, that that is what the carrier wants.
Yes, they have a long history of designing the phones for what the carrier wants, NOT for what the end user wants. Android has made a dent in that, but that history has not lost its influence yet.