back to article Experts cast runes on Google phone security

Google's plans in new mobile phone platforms may not be much further advanced than slideware, but security experts are already picking apart the initiative to look for potential holes. Interest is focused on whether or not Android will be totally open or adopt an (arguably more secure) system of signing approved applications. …

COMMENTS

This topic is closed for new posts.
  1. amanfromMars Silver badge

    Google Android ..... A Post Modern Artilect or Status Quo Artefact

    "It's pretty guaranteed that no criminal attacks will take place until the installed base for Android has become large enough to interest the bad guys financially."

    Oh please, get real, they'll already be embedding their code even now before it is released. All Google can do is hope that they[Google] are SMART enough to buy them into their fold and that is interdependent on both of them being Squeaky Clean and Untouchable, for then you can do Anything you like/All Manner of Dirty Deeds done dirt Cheap with Relative Impunity without breaking any Mickey Mouse laws [the ones you choose to break subjectively]/traditional safeguards.

    Until then, they are easy Prey for all they are becoming is an MS Clone rather than its Nemesis. Just another Puppet in a Gilded Cage.

    However, as in All Things, a New Hire can alight New Fire.

  2. Steven Hewittt
    Mars

    amanfrommars

    Soon as I read the title of the comment from the main article I knew it was our special friend known only as 'amanfrommars'.

    God bless you!

  3. Karl Lattimer
    Flame

    why not both?

    "Interest is focused on whether or not Android will be totally open or adopt an (arguably more secure) system of signing approved applications."

    the N770,N800 and N810 devices can install apps which are signed by nokia via the nokia software channel, or they can install apps from third party repositories which are also digitally signed, and nokia provide hosting of third party apps via the garage which nokia digitally signs.

    I think focusing interest on whether the platform is open vs. ONLY allowing approved apps would have been a more accurate statement to make. Digital signatures aren't relevant to the statement, approved apps ONLY is.

  4. Joe Harrison

    Why are we even having this conversation

    I would not be happy if f someone told me that (for my own good of course) I could only run approved, signed, applications on my laptop because there was an offchance I might execute something malicious.

    So why is my phone different exactly? Except of course that telco has historically been able to manoeuvre us into a situation where we regard it as "normal" to pay 10p to send 160 bytes of ASCII (via SMS.)

    All I can say is "Google, bring on your open environment" and I will sort the consequences out myself thankyouverymuch.

  5. Dan

    The scary thing is...

    amanfrom mars is making more sense in this discussion than anyone else.

  6. pctechxp

    amanfrommars is dead, long live a manfrommars

    Blimey, what he/she/it has said seems to make slightly more sense than usual.

    Surely its not the same person/bot or the bot has developed some AI!!

    The Matrix cant be far away

  7. Anonymous Coward
    Jobs Horns

    The iPhone isn't worth exploiting

    It's become clear that, despite what the experts say, it's not worth anyone's while exploiting the iPhone. Think about it - there was a security hole that allowed web pages to run arbitrary code as root, with a robust, well-documented and very public exploit that could be used to download and run a program supplied by the attacker's. All the tools and know-how to develop such a program exist. Yet, despite all this being available for quite a while before Apple released a patch, no-one actually bothered exploiting it for malicious ends.

  8. Richard Taylor

    No Signing please...

    Signing really doesn't help for several reasons:

    1. signing is a very expensive exercise if you support a lot of phones (and don't kid me that Android will be write once, run everywhere). So there goes the student/amateur/small developer set, which is the vital groundswell

    2. signing won't guarantee that an app-generated SMS isn't premium rate, or that the data being sent isn't sensitive

    3. signing means nothing to the end-user

    My experience is that the application doesn't improve in quality by going through the signing process - the only 'faults' its exposes are very minor problems.

    As far as I can tell, signing is just another way to make money out of developers. Maybe that's where Symantec comes in? :-)

    If this is to be an 'open' OS/API, then the applications also need to be 'open'. Yes, there's a risk placed on the user, but not that different to that of a PC app.

    The right thing to do is educate the user, not lock out developers.

This topic is closed for new posts.

Other stories you might like