Oct. 3rd, 2011

There's been rather a lot of talk about a vulnerability in recent HTC Android phones, and rather less about the lock screen flaw on the Samsung Galaxy S II for AT&T.

The summary version of the former, for those who don't want to read that whole article or who don't understand it: recent HTC phones include an always-on logger which has access to pretty much everything on the phone. This logger can be accessed by any application on the phone which has the basic "internet" privilege, which is pretty much everything.

So it's a giant gaping hole just waiting for someone to exploit. As best I can tell from the discussion online, it's not remotely exploitable; if you have one of these phones it isn't immediate-panic-stations time, but it does mean that any application you install could be siphoning data off and sending it elsewhere, without needing to ask you first.

The latter requires physical access to the device and may only be relevant to the AT&T variant. It's a simple trick which lets anyone who can get their hands on the phone get into it even if you've set a security lock.

Both of these demonstrate a risk that comes with Android: there are many fingers in the pie, and you can't be sure where all of them have been. Code on an Android phone will have come from a mix of Google, the device manufacturer, and your mobile operator. You have to trust that all of them get it right, and it is demonstrably true that this is not always the case.

It's an argument in favour of the Apple/Microsoft model, wherein only the OS supplier mucks about with the internals: neither the OEM nor the telco can modify the system beyond installing simple apps with no elevated rights. It may be that Google wind up trying harder to dissuade OEMs from altering the system; we'll have to wait and see how that pans out.

In the meantime it's a pity that Windows Phone 7 isn't getting more carrier love. Obviously they don't like the "can't make mandatory customisations" thing Microsoft is insisting on. Just how Microsoft are going to bootstrap to the point Apple is at, where the carriers need them more than they need the carriers, is another interesting question.

Such a shame the Nokia N9 -- which is even getting television advertising, rather odd for an end-of-line device like this -- is dead on arrival.


Abort, Rephrase, Ignore?
