January 21, 2011 | By Chris Palmer

Don't Sacrifice Security on Mobile Devices

Increasingly powerful mobile phones are making Internet access and use more convenient than ever. However, the security of mobile operating systems is not as mature or as strong as that of workstation and server operating systems. Platforms like Windows and Ubuntu receive security scrutiny, and regular and frequent updates to resolve security problems. The open source/free software communities and Microsoft are more or less open about security problems and fixes. (For example, here is Ubuntu’s security notices page and Microsoft’s excellent Security Response Center blog.)

By contrast, mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements.

This is odd for Google; their Chromium OS is a first-class open source project with regular and consistent source updates and a rewards program for friendly hackers who report vulnerabilities.

However, Google’s distribution of Android for “Google Experience Devices” such as the Nexus One is the best commercial distribution and gets updates the most often (rare as they are). Carriers and OEMs like HTC, Verizon, and others tend to release “customized” versions of Android with new features added, and sometimes with standard features removed. Users may or may not want the new features and the new features may or may not be secure. Their distributions are sometimes based on old and known-vulnerable versions of Android, and they tend to publish updates rarely — or never. As a result, the ecosystem of Android devices is out of date, fragmented, and unnecessarily vulnerable to known attacks. This situation is bad for everyone: users, carriers, OEMs, application developers, and Google.

Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)

However, consumers can mitigate their risks by exerting market pressure, and may still have the best chance of doing so with Android phones. Last July, EFF won a rulemaking from the Copyright Office stating that jailbreaking mobile devices is not a violation of the DMCA. Thus, at least for now, it is not a violation of the DMCA to jailbreak your mobile device to install third-party patches or even entire third-party software distributions such as CyanogenMod. (Note: the rulemaking did not affect any other legal barriers, such as your terms of service.) Android’s open source nature makes CyanogenMod possible; don’t expect to see a third-party fork of iOS any time soon.

Enterprise customers, who usually demand at least some security features and response and who crave a competitor to Blackberry, may also create a new market niche for a more secure mobile OS.

Open source, combined with Android’s superior security design, makes Android a very strong mobile platform going forward, in spite of current problems.

Although there is no guarantee that third-party distributors will be more responsive to security problems, and nor is there any guarantee that they will not introduce new security problems, they do have an opportunity to perform better than Apple and Google have so far and to take market share.

Mobile devices such as smartphones and tablets, and their associated operating systems, will increase in power and gradually cannibalize the laptop market (just as laptops gradually cannibalized the desktop workstation market). Bluetooth and docking stations will give mobile devices the capability for sustained daily work, while sacrificing none of the mobility. Users should not have to sacrifice what little security they have in the move to mobile platforms. EFF urges users to exert some market discipline on mobile device vendors, and encourages developers to hack on third-party Android distributions. Mobile platforms are the future of computing. Let's vote with our wallets and tell mobile vendors why we care about security.

FULL DISCLOSURE: I briefly worked at Google on Android framework security, worked for Google as a contractor with iSEC Partners, and was offered a job by 3LM.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

The USA Freedom Act's changes to NSA surveillance have gone into effect. Here's what that means so far: https://www.eff.org/deeplinks...

Nov 30 @ 3:54pm

The Department of Education has extended its deadline. Sign our petition by Dec 16 to support open education. https://act.eff.org/action/te...

Nov 30 @ 1:51pm

Here's a fun argument that the history of DRM stretches back 3000 years. In our view, that's 3000 years too long. http://motherboard.vice.com/r...

Nov 30 @ 12:59pm
JavaScript license information