Nexus One vs. Top 10 Phone Security Requirements

hiouridah writes "Consumer Grade or Enterprise Ready? The Nexus One is entering a smart phone market that is taking increasing heat from enterprises for their lack of robust security features. So how does the Nexus One stack up?"

Im going to wait.....

I will personally be waiting for the next gen to come around. It will most likely be like the iPhone was. First model was ok but the later were much better...

Re:Im going to wait.....

[stiggle]

I'm going to wait for the 6th version to come along.
I was to see the video footage it takes of "Attack Ships on fire off the shoulder of Orion" :-)

Re:Im going to wait.....

[norminator]

I will personally be waiting for the next gen to come around. It will most likely be like the iPhone was. First model was ok but the later were much better...

This is only the first gen for the hardware of the device, which already includes 3G (T-Mobile only, though), which wasn't available on the iPhone until the 2nd gen. The 3rd Gen iPhone added performance improvements, hardware-wise, but it wasn't fixing any design flaws in the device. Also, as far as hardware goes, it's built by HTC, and isn't a huge departure from the general design of HTC's other handsets, so there's not likely to be many hardware snags.

As far as software goes though, the Android platform is already on its second generation, and out of that, this is the second Android phone to use Android 2.x.

So basically, this (along with the Droid) is the next gen Android phone.

Re:Im going to wait.....

[blincoln]

I'm waiting for the meta-reference ad campaign with "I want more life, fucker - I ain't done" as the tag line.

hmmm...

It stacks fairly well but will topple if you stack too many

Re:hmmm...

[Suki+I]

Is double sided tape cheating?

Re:hmmm...

[Anonymous+Monkey]

Yes, Lego still stacks up better than anything else. Therefore Lego should produce all our computer and communications hardware.

I for one welcome our new Mindstorm(tm) overlords having a grammar war over Lego/Legos.

N1 vs Iphone

[Karganeth]

521MB RAM vs 256MB RAM
800x480 vs 480x320
1Ghz vs 600Mhz
5MP vs 3MP
AMOLED vs TFT

To top it off the nexus one is a slimmer device. Need I say anymore? The iPhone is no longer king! Hoorah!

Re:N1 vs Iphone

1ghz vs 2 * 600mhz

Re:N1 vs Iphone

no.

Re:N1 vs Iphone

[whisper_jeff]

The iPhone is no longer king! Hoorah!

Ok. Listen closely.

The iPhone wasn't king WHEN IT CAME OUT!

Seriously. There were better phones, hardware-wise, when the iPhone first launched. And there's always been better phones. And I'm willing to bet there will always be better phones, hardware-wise.

It. Does. Not. Matter.

The iPhone's success is not linked to its hardware. When you figure that out - when you realize why the iPhone is actually successful - you might begin to understand what it takes to make the fabled iPhone-killer.

Re:N1 vs Iphone

521MB RAM vs 256MB RAM

800x480 vs 480x320

1Ghz vs 600Mhz

5MP vs 3MP

AMOLED vs TFT

To top it off the nexus one is a slimmer device.

Need I say anymore? The iPhone is no longer king! Hoorah!

512 MB internal storage + 4GB flash card vs 16GB (32GB with upgrade)

With all the apps/music/videos that people like to carry around with them now days, storage space kind of matters now.

Re:N1 vs Iphone

[alen]

4GB vs 16GB or 32GB storage

by the time you add more storage to the N1 it's more expensive. and it pretty much locked down to T-Mo since it can't use AT&T's 3G frequencies. and T-Mo sucks. and with all the corporate/work related apps in the app store Google's limit on the number of apps is dumb.

Re:N1 vs Iphone

[Deanalator]

Nice comparison, between a phone that came out last year and a phone that just came out. You won't be able to judge anything until you look at the 2010 iphone specs. Apple has been working on a delayed timeline, only releasing features when a major competitor enables the feature first. Now that android has finally gotten it's act together, we will see what apple puts in it's new iphone. I think they will be able to keep up (since they did have a 2 year head start), but if they can't, then I will finally be moving over to android (something I thought I would be doing years ago).

Re:N1 vs Iphone

[scorpivs]

There's an app for that.

Re:N1 vs Iphone

[GooberToo]

4GB vs 16GB or 32GB storage

by the time you add more storage to the N1 it's more expensive.

Hate to burst your bubble, but storage is cheap these days. Plus, over the term of a two year contract, there is a huge difference in cost. You can add 32GB plus a card reader for your computer and still be way ahead of the iPhone 3Gs over two years, with twice the removable storage.

Re:N1 vs Iphone

[CyberNigma]

Keep in mind, something I found out as I was about to pick one up myself, the iPhone by default stores its apps and app data on the 4/8/16gb flash memory it has and runs them from there. Android devices, even with SD/SDHC slots capable of 32gb of memory will not allow, by default apps to be downloaded and run from the SD/SDHC. All apps have to be run (by default) from within that 512MB of internal memory.

The only alternative is to root your device and make modifications to allows apps to be run from the SD/SDHC. This was put in place to protect (a drm of sort) purchased apps from the Android marketplace.

oogle admits they are trying to find a solution to the problem, such as encrypting purchased apps so they can be run from removable media. Until that is done, the Nexus One has approximately 256MB of space for downloaded apps and the iPhone has 4+gb of space for said apps. Again, unless you root your device.

iPhone app space = 4/8/16gb
Nexus One (default/non-rooted) app space = ~256MB
Nexu One (rooted) app space = size of SD/SDHC card (~32gb)

Re:N1 vs Iphone

[GooberToo]

The iPhone 3Gs came out last June. That's roughly six months ago. That's not that long ago. Sure, if you want to place an arbitrary divider into the discussion (2009 vs 2010) to make it sound like its been longer, feel free, but it doesn't change the fact that the iPhone 3Gs hasn't been out long and Apple is working hard to chase Android. Android's impact was already observed with the release of the iPhone 3Gs. There's not an iPhone 3Gs user that doesn't owe a thanks to Android. That's the nature of true competition. Everyone wins.

Re:N1 vs Iphone

[GooberToo]

Nexu One (rooted) app space = size of SD/SDHC card (~32gb)

The N1 comes with a boot loader which allows EVERYONE to root the device.

Re:N1 vs Iphone

[CyberNigma]

That's what I was saying. If you root the device the storage restriction is not there. How you root the devices (android) doesn't matter - I didn't say it would be difficult. The fact is you have to root it. Technically, it may violate the TOS depending on how you purchase it. Obviously the unlocked version does not have that caveat since there are no real terms of service.

Most people will probably not be rooting their phone, just like most people probably don't jailbreak their iPhone.

Re:N1 vs Iphone

[CyberNigma]

The Nexus One will not run apps from external storage (flash card) unless you root it. By default, it will not allow it since they are trying to prevent pirating of paid apps. They are working on a solution such as encrypting paid apps so they can be downloaded to a flash card and run from there. Currently, however you have to root the device, which is easy, but necessary and may violate your operator's terms of service.

By default, Nexus One only has about 256MB (internal memory storage) of space for apps and can't be upgraded.
If you root the Nexus One then you have as much space as you can afford in the form of storage cards.

If you download a lot of apps and choose not to root your phone, you will run out of space very quick and will have to pick which apps you really want.

Re:N1 vs Iphone

[GooberToo]

Wasn't trying to take away from anything you said. I was just making it known that the N1 doesn't require exploiting a bug to root it. Its rootable on day one. The N1 comes ready to be rooted. Of course, as you rightly pointed out, that may well violate your TOS, depending on how you obtained your phone.

Re:N1 vs Iphone

[Achromatic1978]

512 MB internal storage + 4GB flash card vs 16GB (32GB with upgrade)

That sound is a muscle tearing as it grasps at a straw. Funny, it always seems to happen with Apple. Doesn't matter that all the other specs are superior, an Apple fan will say "but it has no X! ergo it is fail/inferior/different", where X can be one criteria, often as small as "Bluetooth 2.1 versus 2.0", or "integrated SD reader or webcam".

That being said, storage is useful. So that's why my Nokia N97 has 32GB on-board by default, and a 32GB SDHC in slot.

Re:N1 vs Iphone

[Sechr+Nibw]

Huge difference? I suppose, perhaps. I've got a shared iPhone 3G plan with my brother, and we're paying $80 a month each. That's $30 each for unlimited data, $15 each for unlimited text, and $35 each for 550 (I think) minutes a month. Considering that we don't use the voice part of the plan much, and that AT&T has Rollover, that means that when we need the phone to be used as a phone, it's there, and with a surplus of spare minutes for emergencies and whatnot, without paying for features we don't need.

The 2 year comparison done above was based on unlimited voice minutes as well, but didn't include texting on the N1 ($30 a month), so unlimited everything is $150 on iPhone 3G(S), $130 on Google Nexus 1. This means the difference over 2 years is $480, which is a large difference, but I wouldn't say huge, like the $1,200 difference posted above.

Re:N1 vs Iphone

[Hasney]

N1 has no multitouch though. Since there is no physical keyboard, thats a dealbreaker for me.

Add in multi-touch and I'm there Day 1 it hits the UK.

Re:N1 vs Iphone

[GooberToo]

When the difference is enough to turn around and buy another high end smart phone at the end of your contract, I consider that huge. Or, another way of looking at it is, its enough to out strip the competition's storage by roughly 20-30 times; which after all, was one of your points of contention. Or add roughly 480 songs to your music collection, for "free".

Come on, we're not talking about a difference of a couple dozen bucks here.

Re:N1 vs Iphone

[stewbacca]

Yes, because a phone is the sum of its collective hardware parts and the quality of the software, ergonomics and operating system matter not one bit.

Re:N1 vs Iphone

[stewbacca]

Anyone who injects "flash card" or "replaceable battery" into an argument about MP3 players, laptops or phones automatically loses. There should be an Internet law for this phenomenon.

Re:N1 vs Iphone

[stewbacca]

You are right. There's no accounting for user experience, evidently. Of course I haven't used a Nexus One yet, but it would have to be damned good for me to care about the menial savings over an iPhone. I'll take the "known-good" over the "might-be-good-and-costs-a-few-hundred-less" every time. Maybe not a possibility for those on tight budgets, but not all consumers are on tight budgets (i.e., there is a market for a phone that costs $480 more over two years than another phone).

Re:N1 vs Iphone

[CyberNigma]

yeah sorry. I re-read my comment and it doesn't sound like I meant lol.

Thanks :-)

Re:N1 vs Iphone

[GooberToo]

You are right. There's no accounting for user experience, evidently.

Nice backhanded stab.

There is a reason why Droid has been stealing lots of users from all of the popular smart phones, including the iPhone. There's a reason why Droid is Time's #1 mobile gadget and the iPhone 3Gs is #4. And there's yet another reason why Android has clearly stolen serious mind share from the iPhone. Obviously user experience does count and many are choosing to leave the iPhone, among others.

So to quote you,

You are right. There's no accounting for user experience, evidently.

Since you clearly can have an equal or superior user experience with an Android device, and the fact you can do that cheaper than the iPhone with your choice of carriers and plans, is nothing but goodness.

Let's ignore for a moment that the N1 just came out which is significantly better than the Droid, which is on par (true competition) with the iPhone 3Gs. Let's also ignore that Android 2.1 is just over the horizon which is likely to sport 2+x performance increase for Dalvik apps. Let's also forget that Droid/Milestone are both highly visible targets for Android 2.1. Lastly, let's not forget that even AT&T will be putting out no less than five Android handsets in the first half of this year.

Even AT&T sees the writing on the walls... perhaps you should too.

The bottom line is that competition is good for everyone. Android has already modestly influenced the iPhone 3Gs and it will significantly influence every iPhone to come. If fact, if you see a new model of iPhone come out sooner than the next year and a half, you can directly thank Android. Likely every significant new feature coming to new iPhones and/or OS updates will have some influence from Android. In turn, as new iPhones are made available, I'm sure the influence will positively affect Android. Without a doubt, everyone wins here.

Stop pouting. You'll ultimately still be a winner because of Android's success.

Re:N1 vs Iphone

[stewbacca]

The reason the Droid is stealing lots of users is because it is new. Nothing against it (I may check it out once my contract is up), but every new product enjoys a bump. Also, most iPhone users already have an iPhone they like, so there's no reason to rush out and buy a 3Gs.

I make no claim that the Android experience is worse than the iPhone, only that the iPhone experience is a known, and many people chose to go with the known over the unknown. I was merely positing that a few hundred dollars more is worth the cost if you like the UI you are getting.

I make absolutely no backhanded stabs. I was merely pointing out that the price difference of a few hundred dollars between one phone and the other can not be quantified simply by hardware specs, like the original post is claiming. I'm saying that a known, nice UI is worth $480 over two years to some people, even if the unknown UI turns out to be the best thing since sliced bread.

Competition IS good for everyone, and because of this, the next smart phone I get will be better than my current one. I don't think that the Android market really affects me as an iPhone user, in the fact that I don't think an Android phone will integrate as well with my OSX machines at home. Not that this is the most important feature, but it is the most important feature to me, so whichever phone does that the best will get my business.

Obvious article is obvious

[nitefallz]

I don't think the N1 is targeted at the corporate world. Google seems to have larger mobile plans than this, so I would expect some corporate type product in the future.

Re:Obvious article is obvious

[toastar]

Wait Wait Wait.... Are you saying the Iphone is targeted at the business world?

I'm not sure the article fully understands androids capabilities, I have a remote wipe app on my g1.
The only real security feature the iphone has is the lack of a SD card.

Re:Obvious article is obvious

What does any of this have to do with the iphone?

Re:Obvious article is obvious

[Changa_MC]

Have you attached an iPhone to an exchange server, ever? Remote wipe, required passkey locking, ability to disable camera...

Apple gave my corporate overlords huge amounts of power when I hooked my personal phone into the company email/calendar.

Re:Obvious article is obvious

[toastar]

Yes, But Can you delete your saved passwords without flashing the phone?

If your buying a phone for security it isn't a an iphone or an android flavor... it's a blackberry.

Not only can it remote wipe,(Which is a new feature added when the 3G came out) The Black berry can Do a remote Wipe if someone pulls out the sim card or even if they leave it in a Farday cage for too long. or even too many failed password guesses.

Actually can you have the password timeout error wipe the Iphone?

Re:Obvious article is obvious

It all depends what level of risk you're willing to tolerate for how much money/convenience.

If your buying a phone for security it isn't a an iphone or an android flavor... it's a blackberry.

Well, if you don't mind a Canadian company storing all your corporate data, I suppose that's true. I think you can see Russia from there, so...

Not only can it remote wipe,(Which is a new feature added when the 3G came out) The Black berry can Do a remote Wipe if someone pulls out the sim card or even if they leave it in a Farday cage for too long. or even too many failed password guesses.

Actually can you have the password timeout error wipe the Iphone?

That a bit disingenuous, as it's iphone os 2.2.1 that supports remote wipe, even on my original iphone.
And it's iphone os 3.0 that supports wiping after multiple password attempts. Again on my original iphone.

From the article

[Albanach]

-Operating system: The Android operating system is in its infancy and like any new piece of software is likely to be full of security bugs. Android is also open source, so it is highly susceptible to developers with malicious intent finding those bugs quicker than if the OS was closed like the iPhone or blackberry OS. However, the open source nature of the OS should also become a benefit for its security longer term as coders with good intent scrub Android and find the security holes and patch them. Without the source code this job becomes much harder and takes considerably longer. Bottom line is it’s a mixed bag, less secure in the short term but able to become more secure faster than a close OS can.

Is there any evidence that an open source program is less secure in the short term than a closed source one?

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

Re:From the article

[jeffmeden]

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

Beg the question much? Your conclusion is just as vague as the one in the article. I don't have any actual data either, but I would venture that accidental bugs are a much much much greater security risk than malicious ones, open source or not. Of course, it's pretty darn hard to spot a cleverly hidden bit of malicious code (and be able to distinguish it from a bug), so we may never know anyway.

Re:From the article

[jimbobborg]

Yes, I find this point annoying. But the article is from Network World, by the "Cisco Security Expert." But the Nexus One gets 4 of the 9 phone security requirements, including screen lock, VPN, wireless security, and application sandboxing. The ones missed, besides the OS being open source, include application signing, corporate enforcement of security settings, hardware data encryption, and remote wiping capability. I would hope that the data encryption would be added at some point, and be better than the USB thumb drives from the story yesterday. I'm sure the others can be added later, although one of the nice things about this is not requiring the blessing of Google to run an app.

Re:From the article

[nxtw]

Is there any evidence that an open source program is less secure in the short term than a closed source one?

There's nothing inherently secure or insecure about open source software. It's not like all open source software is built with different tools or in safer languages.

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

One could assert that open source programmers (at least those working for free) don't need to care about reliability or security since they aren't getting paid. One could also assert that anyone can create / contribute to an open source project, including those who don't know what they are doing.
However I don't think there's evidence for your assertion or my assertions.

Re:From the article

Is there any evidence that an open source program is less secure in the short term than a closed source one?

If we assume that Google's engineers have to follow the same code quality standards for open-source projects as for their various closed-source projects, then shouldn't we expect the quality of the code base to be equal, whether or not the source is disclosed to the public or not? If this is indeed the case, I think the statement that errors are more visible in an open-source project has merit.

After all, when coding an program they know will be open sourced, programmers are much less likely to add a vulnerable piece of code in the hope it won't be spotted or with the intention to fix it at some later date.

Why would this be the case? Doesn't Google apply the same quality assurance practices (peer reviews and such) to their internal codebase (i.e. those projects that are critical to Google's operation)? I don't think adding vulnerable code to an internal (closed source) project is any more acceptable than to an open-source project.

Re:From the article

[TubeSteak]

They're going to put Flash on the Nexus.
Unless Adobe/Google's programmers have done the impossible and magically
secured Flash, most of their security isn't going to be worth a damn.

Re:From the article

[nine-times]

Also I'd question what the article means by Android being "in its infancy". Android is based on a well-tested OS that's been around for a while (Linux), the first phone running Android came out about a year ago, and the OS is past v2 (though version numbers don't necessarily tell you anything). I wouldn't call Android a long-running or well-established OS, but it's not like it was slapped together from scratch 6 months ago.

Re:From the article

[Mr_Silver]

Is there any evidence that an open source program is less secure in the short term than a closed source one?

Yes there is evidence, but it goes both ways. It is impossible to make generic statements about the security of open source (either for or against) without being ripped to shreds with counter points. Anyone who tries to make such a generic comment is going to be wrong.

What they appear to be saying is that since the code is open source, it's easier for people to find security flaws. Which would seem (to me) to be true. On the flip side, once it's found, it's going to get patched much quicker because you don't have a wait for the only people who can see the code to do something.

Slashdot loves to use Apache and IIS as examples of the security differences in open vs closed source. The problem is that Apache is not indicative of the quality of open source and Microsoft is not indicate of the quality of closed source.

For every good quality closed source vendor, I can equally find an open source project from Freshmeat riddled with security flaws.

Re:From the article

[maxume]

Have there been any flash exploits that bust out of the IE8 sandboxing in Windows 7?

(Real question...)

Re:From the article

[tweek]

The attack vector for mobile flash on android is going to be insanely hard to get around. The browser is already sandboxed. It's quite likely that the flash plugin will be a separate sandboxed application as well. The ONLY android permissions that flash needs are media related and MAYBE MAYBE MAYBE geolocation information.

Re:From the article

[ducomputergeek]

Linux is a kernel. Nothing more. An OS is the kernel + userland. In that respect, Android is indeed still in the infancy.

Re:From the article

[TheGratefulNet]

the first phone running Android came out about a year ago

(HOW old are you?)

a person who considers a year-old product 'mature' -- hmmm -- I have to wonder about how old this person is, themselves.

seriously, a year is no sign of stability.

look at the telco world where standards have been in place for *decades* (some even over a century, now).

"a year" == mature. oh man, you children really crack me up.

Re:From the article

[benro03]

The problem I have with the article is that he completely blows his credibility with that one simple statement about it being insecure by the virtue of it being open source. Everything else he's pretty much spot on.

Re:From the article

[FlyingBishop]

The point is that Android is not a random open source project from Freshmeat. It's a platform half a dozen major corporations have spent the past two years working on, and the operating system layer has been in constant development for nearly two decades, and has one of the best security records around. In terms of security, it's a sturdy platform built on bedrock.

On the other hand, there are a number of ways it is obviously insecure. Gesture unlock instead of a real password is my biggest concern, as well as the unencrypted SD card. But just the same, the point is that excepting the obvious gaping holes, there's no reason to believe that Android has any more security flaws than another Linux-based OS.

Re:From the article

[GooberToo]

Also I'd question what the article means by Android being "in its infancy".

Android right now means Linux + Framework. Sure the framework can be made to run on other OSs, but for now they use Linux.

No bones about it, the Android framework is definitely in its infancy. Google breaks applications left and right with just about every release. In some cases they even deprecate interfaces without providing an alternative interface; leaving developers and users boned.

And because of Android's infancy, Verizon's Droid has known Android incompatibilities between the emulator and the GSM variant (Milestone). In fact, that's what was behind Droid's update from 2.0 to 2.01; even requiring an SDK update and new SDK version (5 to 6) for developer's to support. Despite the 2.01 update, Droid still has some broken interfaces because Verizon was forced to write their own Android-CDMA framework hooks - as Android's native CDMA interface wasn't ready at the time.

While I think Android is excellent and I even own an Android phone, to be absolutely clear, both users and developers are very much feeling both the pains and absolute indifference Google has for them. For example, the Android market application and interfaces available to developers is still third world crap and a far cry from acceptable. Right now developers have to support Android 1.1 (large deprecated now), 1.5, 1.6, 2.0 (obsoleted), 2.01, and soon 2.1. Each has their own quirks, incompatibilities, broken interfaces, new and improved interfaces, screen sizes, etc. Contrary to the recent stream of FUD being spread, with the possible exception of Verizon's breakages, none of this means Android is fracturing and/or forking, but it does make for a huge headache for users and especially developers.

As for the market, Google can't even properly count the number of actively installed applications for developers. The numbers provided are known to be completely useless and inaccurate. They still don't provide tools to developers. You still can't browse the market from your computer. Application descriptions are laughably terse. The user comment system exists solely to abuse developers and harm sells. Developers can't event reply to criticism - only the most recent. About the only positive thing the Android market has going now is that its easy to remove spam and abusive comments - but that makes one wonder how often legitimate comments are now removed as anyone can mark comments as spam.

In short, Google still has a very long way to make Android grown up. Sure its continuously getting better, and more stable with each release, but anyone who believes Android is stable and full grown simply doesn't have their ear to the ground to hear the real state of things.

Re:From the article

[nine-times]

Um...

I wouldn't call Android a long-running or well-established OS

I didn't say it was mature. I stated in the first sentence what the purpose of my post was: to question what is intended when the author says Android is "in its infancy". The author mostly seems to be comparing Android to Blackberry's OS and the iPhone OS, but the iPhone was only released a couple of years ago.

If the point is just to say "Blackberries have been around longer and their development is more mature than either the iPhone or the Android," then of course that's true. Of course, on the other side of that, the Blackberry OS is showing its age a bit, and RIM has had a problem with their servers going down, knocking out Blackberry users all over the place.

But anyway, when a technology is "in its infancy" is pretty relative. Relative to the wheel, books are still "in their infancy." Relative to books, audio recordings are still "in their infancy". I'd like a little more specificity here on what it means for Android to be "in its infancy".

Re:From the article

[GooberToo]

BTW, my "stable" comments are directed at APIs, not OS/framework stability.

And my "Tools" comments are directed at tools available for developer+market access, not development tools.

Re:From the article

[GooberToo]

Why is parent modded flamebait? Nothing stated is false. Hell, he even provided a link to a video showing Flash on the N1 and raises a legitimate, topical point of contention.

Re:From the article

[GooberToo]

The ONLY android permissions that flash needs are media related and MAYBE MAYBE MAYBE geolocation information.

Not likely to be true. Internet access is likely a given. Also, camera and mic access may also be within the realm of reason. Factually, the Internet access permission is all someone needs to make nasty with your device. Who cares if a spam bot is running at the flash user id - its still ripe for abuse.

Re:From the article

[BitZtream]

Contrary to popular belief, a kernel does not an OS make.

While I'm not real concerned that the Linux kernel will be exploited, I'd rate my concern about on par with the NT kernel being exploited honestly.

The problem isn't the kernel though, the problem is that all the supporting code, many applications which are just as privileged as the kernel effectively are relatively new, the general structure is new. We're not talking about Slackware with the standard GNU tool set and KDE here, we're talking about the kernel and a radically different userland.

Does that make it unsafe? Of course not, BUT it means its certainly not as well examined as its standard Linux desktop brothers. Its likely that more people have seen the code to things like Explorer.exe and the IE internals at this point than have seen the Android code base, based on age alone.

Does that make it unsafe? Of course not, :), if all things were equal (which they aren't) it would just mean that its likely that Android is less safe than the alternative.

I know that short term, Open Source is less secure. Throw the source out there and there are 3 types of people who find bugs.

1) The user who finds a bug by complete accident. This happens in all software so we ignore it, they find bugs, a few report them, most just get annoyed and ignore them, very few know enough to even report them in such a way that someone will bother to look for the bug.
2) The malicious hacker, motivated by financial or political greed or something like that. These guys get paid
3) The good hacker, motivated by self interest to find bugs and make the software better for themselves and/or others. There are lots of reasons these guys do what they do, most of it is personal motivations that while they do the work and some work hard as hell to find and fix bugs, most people just do it as a hobby. There are a few that get paid to do it, but not a lot.

1 is useless, and there are far more 2 than 3, whats worse is that #2 probably gets paid better than #3. It is simply a fact that open source can be exploited faster. It is also a fact that it is possible for more people to find and implement fixes before it gets found by a malicious attacker. However, once found and fixed, because of its open source nature, every hacker instantly has the information needed to find and exploit the bug on unpatched devices, so thats a downside, short term. Even as an open source advocate, I have no delusions about the security aspect of open source. Regardless of whats said, it only has a potential to be more secure, it isn't by default just because its open source. The fact is, closed source software can have massive bugs that go unpatched and unexploited years simply because no one notices them. Security through obscurity? Certainly, but then, if you actually understand how encryption works, you know that encryption as we know it today is security through obscurity with calculated odds.

I have more faith in high profile old code which has been beaten and battered and FIXED than I do new code, open or closed source, doesn't matter, the same reasoning applies.

Do I think Windows Mobile or the iPhone OS are more secure than Android? Yes, even though they are closed source they have been attacked by more people, many of those people were happy to share their exploits in order to allow others to get more functionality out of the device, for the most part though, these OSes now have been hardened against the easy to find and exploit attacks. The hard to find attacks that would be made a lot easier with source aren't all that likely to be exploited, so they are probably safer for now. 10 years down the road, the tables might be turned and Androids open nature would have not only resulted in the easy bugs being found and fixed, but also a lot of the harder ones. Either way, they'll probably all result in about the same number of exploits turning up as a ratio of new code added over time a

Re:From the article

[IamTheRealMike]

Right now developers have to support Android 1.1 (large deprecated now), 1.5, 1.6, 2.0 (obsoleted), 2.01, and soon 2.1.

No, that's not quite accurate.

The rest of your post, well, I don't feel like responding to each point right now. Suffice it to say, if you want to argue with your users on the market, you're doing it wrong (I say this as somebody who has published his own quite popular Android app last year). I've seen a lot of developers who somehow believe that if users say their app crashes or doesn't work, it's Androids fault! And as an Android user, I've experienced exactly zero app compatibility issues. Maybe you think Android development is some kind of major headache but having done it myself, I strongly disagree.

Re:From the article

There's an article???? You must be new here...

Re:From the article

[tweek]

Well I would consider camera and mic to be media related. Sorry if that wasn't clear. Additionally, I would have assumed internet access was a given..what with being flash and all.

My point is that with the default android settings (no root access, no installable apk files unless from the market) and a very solid sandbox system, there really ISN'T much that a flash "virus" could do. The android garbage collector would kill it so no background process running. Again, the sandbox permissions would prevent it from getting into any sensitive data.

We'll just have to see how well flash is sandboxed but the mental exercise is fun.

Re:From the article

[GooberToo]

No, that's not quite accurate.

WTF? You say, "not quite" and the provide a well known link that says EXACTLY what I just said. Holy shit slash dot has gone to the dogs.

And as an Android user, I've experienced exactly zero app compatibility issues. Maybe you think Android development is some kind of major headache but having done it myself, I strongly disagree.

Exactly as I said, you don't have your ears to the ground. Its very possible to write Android applications which do not have compatibility issues and I never said anything contrary to that. Then again, many do have compatibility issues, especially those in the tools category as those tend to be closest to the hardware and push the limits of the provided interfaces.

Please, if you want to argue, the least you could do is actually know what you're talking about. Thus far you've disagreed with by validating everything I've said and then provided a narrow view based on you're own application experience to discount well known (in developer circles) facts. I strongly urge you to visit developer web sites, talk to other developers, read the Google groups, and generally become more informed. At this point, you sound terribly naive as to the true state of Android.

Heck, half of everything I've stated is a recurring complaint by developers for over a year now. In short, everything I've stated is well known in developer circles; if only you bother to pull your head out of the sand.

Re:From the article

[morgajel]

Quick, someone knows what they're talking about- STONE HIM!

Re:From the article

[GooberToo]

We'll just have to see how well flash is sandboxed but the mental exercise is fun.

You seem to entirely miss the point. It doesn't matter one bit how well the application is sand-boxed. If there is a flash exploit to be found, they can install some native code and fork a process which will not be reclaimed during normal Android process life cycle. That fork'd process can then run until the phone is rebooted, which can be days, weeks, or even months. And, once actually on the phone, if there is a local root exploit to be found, the entire system is easily abused, including post-reboot abuse. Sure that last part isn't nearly as likely but then again, kernels don't get updated very frequently on these devices either and local root exploits are not terribly rare.

Re:From the article

[stewbacca]

There's nothing inherently secure or insecure about open source software.

I'd agree there is nothing inherently secure about OSS (other than the inherent opportunities for security collaboration and open standards, blah blah blah). However OSS is inherently insecure, by its very nature, because the source code is completely open for anyone to see.

Specs don't matter

[ThrowAwaySociety]

521MB RAM vs 256MB RAM

800x480 vs 480x320

1Ghz vs 600Mhz

5MP vs 3MP

AMOLED vs TFT

To top it off the nexus one is a slimmer device.

Need I say anymore? The iPhone is no longer king! Hoorah!

Pretty sure that the iPhone was never king among the geeks that care about hardware specs. The iPhone is king among the people who care about the number of apps, user experience, and style. The kind of people who base their decision on what they see on TV, or what their friends like, and not what they read on Slashdot.

You know, the vast majority of the population.

Re:Specs don't matter

[b0bby]

Pretty sure that the iPhone was never king among the geeks that care about hardware specs.

I'm not so sure, the biggest phone geek I know has switched to an iphone. "User experience" is important for geeks too, and I have to say the iphone seems to deliver a great one (at a price).

Re:Specs don't matter

The iPhone is king among the people who care about the number of apps, user experience, and style.

Why is having 100,000 useless apps better than having 30,000 useless apps?

The kind of people who base their decision on what they see on TV, or what their friends like, and not what they read on Slashdot.

People who value bling & celebrity wow factor over anything else.. we call them chavs around here.

Re:Specs don't matter

[Manip]

Could you be any more smug and arrogant?

I believe the reason why people like the iPhone/Touch is that the UI is very clean, simple, and responsive. Plus in addition to that you have an insanely good multi-touch interface that with software simulated physics feels "real" somehow. All in all the iPhone/Touch software is a very intuitive piece of kit, which makes people want to create cool applications for it and thus the cycle continues.

I am a geek, I read tech-spec's, but I also know that MOST of what I am buying is a software experience, that's why I buy a branded device at all instead of a Chinese eBay import with generic software that is at least twice as powerful and half the price.

Re:Specs don't matter

[MrHanky]

"not what they read on Slashdot"? The internet's number ... 5 or 6, probably, iHype generator?

Slashdot hasn't been a tech site ever since the Apple segment of consumerist morons moved in.

Re:Specs don't matter

[ThrowAwaySociety]

Could you be any more smug and arrogant?

I don't think so. I managed to insult both the Slashdot-nerd crowd, and the regular-Joe-Shmoe crowd. I think that makes me the smuggest, most arrogant bastard going.

Thanks for acknowledging that achievement, though!

Re:Specs don't matter

[Karganeth]

Why do slashdot users insist on perpetuating the myth that the general population is completely clueless about anything hardware? If someone's going to invest $2,580 for a nexus one (or $3780 for an iPhone) chance are they're going to know a decent amount about it. Even if they don't know the particular processor chip inside or what AMOLED means, they'll know that it feels fast and they'll see that the screen is nothing but amazing.

Re:Specs don't matter

[furball]

Why is having 100,000 useless apps better than having 30,000 useless apps?

Choice!

Re:Specs don't matter

[FlyingBishop]

I can't bring myself to purchase a computer that lacks an interpreter I can use to write scripts.

Re:Specs don't matter

[EvilNTUser]

I care about hardware specs, and I would probably choose any Android device over iPhone OS. BUT, and this is a big but, staring at raw hardware specs is even more stupid with phones than with computers. They're not even running the same OS.

Just to make a point:

521MB RAM vs 256MB RAM - How much of this is actually free after the OS is loaded? What proportion of apps are statically linked (if the OS has poor libraries)?

1GHz vs 600MHz - a) Is the theoretically faster speed achieved with a pipeline that's too long (see Netburst)? b) Even if it's faster, is it actually noticeable or are most operations I/O-bound? c) What operations are hardware accelerated in each OS?

5MP vs 3MP - And lens quality?

AMOLED vs TFT - Whatever, show me photos with daylight and I'll see what I think.

Re:Specs don't matter

[GooberToo]

If someone's going to invest $2,580 for a nexus one (or $3780 for an iPhone) chance are they're going to know a decent amount

I wouldn't be so quick to make that assumption.

The vast majority of car purchases in the US are classified as "impulse purchases". Ya I know, shocking the stupidity. If a common $20,000 - $50,000+ purchase, at roughly the same interval, can be based on an uneducated, impulse to purchase, what makes you so sure that a $2,000 - $4,000 purchase, payed out over two years, is going to be any different. In fact, I'd argue its vastly, vastly more likely these phone purchases are impulse behaviors rather than well researched actions.

I strongly suspect you're thinking like a geek (imagine finding you here) and not the average consumer.

Re:Specs don't matter

[Mana+Mana]

"User experience" is important for geeks too

Reminds me of the the old pearl: newsreaders are for pussies, real men use telnet.

Re:Specs don't matter

[_Sprocket_]

Pretty sure that the iPhone was never king among the geeks that care about hardware specs.

I'm not so sure, the biggest phone geek I know has switched to an iphone. "User experience" is important for geeks too, and I have to say the iphone seems to deliver a great one (at a price).

Yes - because a user experience is one of the most important hardware specs to consider!

Re:Specs don't matter

[_Sprocket_]

Could you be any more smug and arrogant?

I suppose he could have talked about how "insanely great" his Apple product was.

Re:Specs don't matter

[_Sprocket_]

Why do slashdot users insist on perpetuating the myth that the general population is completely clueless about anything hardware? If someone's going to invest $2,580 for a nexus one (or $3780 for an iPhone) chance are they're going to know a decent amount about it.

You've just described the purchase in a context that is lost on the majority of consumers. People don't look at these things in terms of a lifetime cost. On geek sites you see things like hardware specs. On phone geek sites you see discussions of lifetime cost (as well as hardware specs). On mainstream forums, the conversation is more about how cool a phone is or, in very general terms, which is "best."

Re:Specs don't matter

[Mr2001]

"User experience" is important for geeks too, and I have to say the iphone seems to deliver a great one (at a price).

Such geeks ought to be excited to learn that the Nexus One delivers an equally great experience, especially since it costs less and is more open.

The Android user experience has always been limited by one thing: CPU power. With the release of the Droid, and now the Nexus One, that's no longer an issue.

Re:Specs don't matter

Why is having 100,000 useless apps better than having 30,000 useless apps?

Why is 11 louder than 10?

Re:Specs don't matter

[toastar]

It's more memory then Raw CPU.

Re:Specs don't matter

[TooMuchToDo]

If you didn't know (I just stumbled on this the other day): http://code.google.com/p/android-scripting/

Re:Specs don't matter

[Sechr+Nibw]

$3,780 for an iPhone: $200 for the phone, $150 a month for 24 months. This assumes the Unlimited Talk, Unlimited Text, and Unlimited Data (only the last is required).
$2,580 for a Nexus One: $180 for the phone, $100 a month for 24 months. This assumes Unlimited Talk, Unlimited Data. You didn't include the extra $30 a month for Unlimited Text. Just a little nitpick, that brings the total to $3,300.

Re:Specs don't matter

[stewbacca]

I don't recall ever meeting a chav that could actually afford an iPhone (or any smartphone, for that matter).

Re:Specs don't matter

[stewbacca]

The general population is ignorant about anything hardware (anything consumer, for that matter). Have you ever watched a television commercial and been impressed by the validity of the claims within? Probably not, yet people buy crap over better alternatives every day based on ads. Some people don't care..they see a price that suits them and they buy it. Others, like you, are informed and really look into it. You are the exception.

Most people in those big long lines at the Apple store don't know and don't care how much the iPhone will cost over two years compared to the Nexus One, or the Droid, or the (fillintheblank Blackberry).

Re:Specs don't matter

[stewbacca]

An even bigger whole in the hardware spec superiority argument is this: who in the hell buys a phone for its camera quality?

Re:Specs don't matter

[Vrtigo1]

Because the general population is ignorant and clueless about most everything, not just technology. They decide they want a new phone, go to the store and buy the one that looks the shiniest, has the biggest display and is pushed the most by the salespeople. I would wager that at LEAST 80% of phone purchases are impulse buys involving less than 20 minutes of research, or no research at all. I say this because as the resident IT monkey, people bring their new phones to me for help when they can't figure out why they can't get feature X to work, to which I reply your phone doesn't include feature X, and then I ask them if they bothered to read the spec sheet before signing on the dotted line and they sulk and walk away...

Revoke Applications

[dwandy]

From TFA: Apple iPhone requires application signing and it issues and revokes the certificates making it a powerful security feature.

This "feature" is a prime reason I didn't buy an iPhone. I guess as a Security Guy he has to be willing to give up all his freedoms in his quest for security...

Re:Revoke Applications

[FlyingBishop]

He's primarily talking about the signing process, and he's quite right. Actually, it's worse than he's letting on. The Android Dev Tool plugin for Eclipse (which is the preferred frontend for signing your Android applications) is itself an unsigned Eclipse package - complete with warning from Eclipse that it's unsigned.

So think about that for a moment: You're signing software using unsigned software. All someone has to do is get a man in the middle on you, and the whole chain of trust is blown wide open. It's absurd. I love my Droid, and knowing what an application can do is nice, but Google needs to look at dealing with these obvious problems.

Also I've never been able to connect to get updates to the SDK over https. The great advice on the Android site is to click "force https sources to be fetched over http." Honestly, we might as well be transmitting this crap over irc for all the attention they're paying to security.

4 real issues

[Enderandrew]

We're talking enterprise here, right?

Who cares about touch screens and resolution. I do as a geek, but these are the real issues:

Do you need a separate server to properly sync with Exchange?
How well does it sync with Exchange?
How secure is it, and can it handle encryption? (The iPhone can't be used in many organizations for this very reason)
Is the email app any good? The iPhone mail app for instance is very much lacking in comparison to the Blackberry email app.

Suits care about covering their asses, and checking email. If it can't do that, it won't be used in the enterprise.

Re:4 real issues

[essjaytee]

Sounds like it doesn't correctly, completely, implement ActiveSync Security. Just like all other Android phones.

It'll never be supported here until it really works with ActiveSync.

Re:4 real issues

Enchange? With or without receipt?

Still using software from the nineties?

Re:4 real issues

[Skuld-Chan]

My friend's HTC droid works just fine with Exchange - I assume the N1 would as well.

Re:4 real issues

[alen]

the 3GS can handle encryption and if you have exchange 2007 SP1 you can force the phone to encrypt the data which means any pre-3GS devices won't work

Re:4 real issues

[Enderandrew]

If I recall (and I can be mistaken) the big issue is that the iPhone can only do encryption one-way when syncing. Apple was literally bidding on a government contract for iPhone usage in the military, and the bid got thrown out when that was uncovered.

Oddly enough, Apple has still yet to fix the issue.

Re:4 real issues

What do you mean it can't handle encryption? It has an IPSec VPN client that works like a charm, and supports using SSL with Exchange. Can you elaborate?

FYI, the mail app is one of my favorite applications on the iPhone. Originally had Treos for work and I don't get why Apples software works BETTER than Microsofts at interfacing with their own damn product. It renders emails much more akin to how you'd see them at a desktop.

Re:4 real issues

[fermion]

If applications can be added, then encryption of data can be done through a third party app. Someone, presumably, can write an appropriate exchange client and do whatever is needed. The only drawback is the built in apps will still be there, along with whatever security vunelerabilities exist along side their presence.

As much as many of us hate it, application signing is going to be a requirement on any corporate phone, or pretty much any phone that is not bought as hacking toy. I, for instance, expect my phone to work, and I am not willing for it to become compromised, especially since it is a communication device and tends to come into contact with many more networks than my laptop. As such if I were the boss I would not give any google phone to employees who would likely put any arbitrary maliciou software on it if it meant being sent the sports scores or soap opera updates on a regular basis. They don't care that they destroyed a phone, all they care about is that they were entertained for a minute.

Re:4 real issues

[Enderandrew]

A better solution (which Android provides and the iPhone does not) is access to the source code. Fix the core email app and sync functionality.

Re:4 real issues

[Enry]

Separate server? No. Works with ActiveSync

How well does it work? I have both the standard application and a third party app (TouchDown) installed on my Droid. I like Touchdown better as it supports the security models and offers a number of features that the native exchange client doesn't (like signatures).

The base e-mail app is quite good. Where Android is really shining for me is the integration. Contacts from gmail, exchange, and facebook get unified in one contact list. When you edit an individual contact, you see information for each of the sources, but if gmail and exchange have the same phone number for a contact, you'll only see it once. Each phone number can be called with one touch either from your cell phone # or google voice. The gesture-based screen locking is quite good and better than having to type in a password every time.

There's a few things the blackberry does better, but they mostly rely on the fact there's a separate blackberry server. For example, I can have messages sent to the blackberry with level 1 notification and have the blackberry treat that message differently. I can also set up pattern matching to select messages I *don't* want forwarded to the blackberry, but want to remain in outlook. The droid (and touchdown) isn't able to do either of these things yet, though that seems to be more a limitation of activesync than android itself since I understand the iPhone has the same problems.

Re:4 real issues

My friend's HTC droid works just fine with Exchange - I assume the N1 would as well.

In order to use anything with the Android 2.0+ OS with Exchange, either the device security restrictions on the Exchange server have to be disabled, or you have to purchase a 3rd party app.

Android 2.0 doesn't currently support remote wipe via Exchange or the password requirements for locking the device.

This is something I find extremely perplexing considering that Google licensed ActiveSync from Microsoft recently.

RIM's bread and butter

[ArhcAngel]

I increasingly hear this question from both my IT peers and users alike "Why does our company stick with Blackberry when phone XYZ is so much better?" The long and the short of it is SECURITY. I mean when India insisted RIM provide them with a back door so they could spy on BB users RIM's response was "We don't even have a back door". I would love to see a smartphone come out with all of the security features RIM has had for years so I could offer it to the Executive VP instead of telling him "I'm sorry but since you receive strictly private emails you are not allowed to use anything but a Blackberry" and having him start making calls and ultimately buying it on his expense account connecting it to the network in rogue fashion.

Re:RIM's bread and butter

I was going to Google "India RIM backdoor", but quickly thought against that idea.

Re:RIM's bread and butter

[gad_zuki!]

I doubt its because of security soley. Its the BES management features that really sell it. Centralized policies, remote wipes, etc. Security is only part of that. The BB system relies on your pumping your mail to Ontario and BB's getting it from Ontario. Its not a direct connection to the BES server in your enterprise. So any outtage in Ontario means an outtage for you. Not sure how good of an idea that is, especially since Android and other Activesync phones connect straight to your mail server just like any email client, and not through BB's proxies, which can be compromised. Sure they use end to end security but how feasible are MITM attacks?

I could see Google or Microsoft reproducing some of these features for corporate customers. That would pretty much kill the BB. For every thing the BB does well it does 5 other things badly.

Re:RIM's bread and butter

Nice try.. As per this post, Blackberry backed-down and allowed Indian Government to snoop BB users.

http://www.engadget.com/2008/05/22/rim-allows-indian-government-to-monitor-blackberry-network/

Re:RIM's bread and butter

[ArhcAngel]

I don't disagree with what you are saying but you are referencing things that have only been viable in the last year or so. Android is in its infancy and Microsoft just recently got their Mobile guys and Exchange guys to talk to each other. Given it takes a large company 3 years to DECIDE on what to implement and another 2 years to actually implement it you begin to understand why those options haven't been introduced into many large scale operations. I still don't know of any other mobile communication device (outside of the NSA) that implements hardware encryption like Blackberries do. Apple introduced encryption on the 3Gs but it was cracked about fifteen minutes after it was announced if memory serves. I fully expect RIM to lose market share this year but I would not count them out just yet.

I doubt this is Google's business offering. They know it will take much more to crack that nut. In the meantime they can sell this to the masses to increase interest in a business class device.

Re:RIM's bread and butter

I doubt its because of security soley. Its the BES management features that really sell it. Centralized policies, remote wipes, etc. Security is only part of that.

True.

The BB system relies on your pumping your mail to Ontario and BB's getting it from Ontario.

Not true. RIM does have NOCs around the world.

Its not a direct connection to the BES server in your enterprise. So any outtage in Ontario means an outtage for you.

Not everyone goes through the Ontario NOC, although North America does.

Not sure how good of an idea that is, especially since Android and other Activesync phones connect straight to your mail server just like any email client, and not through BB's proxies, which can be compromised.

The beauty of the Blackberry Enterprise Server platform is that it doesn't matter if RIM's infrastructure is compromised. The encryption keys are located in two places: on the blackberry, and on your Blackberry Enterprise Server, which runs on a server in your office. RIM does not have the keys to decrypt. The cell phone carrier does not have the keys to decrypt.

That is part of the reason the Blackberry Enterprise Server platform has been audited & received so many security certifications: http://na.blackberry.com/eng/ataglance/security/certifications.jsp

How many security certifications does the iphone have? Android? Nokia? I strongly suspect the answer is none.

Not everyone needs the level of security offered by Blackberry, but some of us do.

Sure they use end to end security but how feasible are MITM attacks?

Once a blackberry is activated with a Blackberry Enterprise Server, not possible. You can even set up the key exchange between the Blackberry Enterprise Server & the blackberry over a usb cable - hard to spoof that.

Re:RIM's bread and butter

[ArhcAngel]

Thanks, for some reason Google failed me. But it would probably be better to direct to the actual article rather than a tech blog about the article...

http://economictimes.indiatimes.com/RIM_agrees_to_pass_BlackBerry_content_on_condition/rssarticleshow/3056271.cms

from the article:

"The encrypted data packets sent through BlackBerry are password protected and could be deciphered only with the help of "Public Key" and "Private Key" together. The other provision is to build a super computer, which could take nearly three years and the results beyond a certain frequency were not guaranteed.

So yeah they "helped" the Indian government snoop but hardly gave them a master key.

Re:RIM's bread and butter

[Rich0]

For corporate-issued phones I have no issues with remote/wiping, security attestation, etc.

However, in many cases the model is more one of worker-provides-phone and company-allows-access. In that kind of a scenario I'd never use an email program that allowed my employer to have control over my phone. Fortunately, as long as I own the hardware and they don't go TPM, that will never be a problem for me...

Re:RIM's bread and butter

The TTS feature of the Nexus One sends your speech to Google servers and then back as text to your device. So, here are centralized data that could be compromised on the Nexus One.

See page 40 of the User's guide http://www.google.com/googlephone/nexusone-userguide.pdf

Re:RIM's bread and butter

[Rexdude]

Let's not even think about doing an image search..

Well, by definition it has to be Human

It is the Nexus One, after all. That makes it by definition More Human Than Human, as per Messr. Zombie.

Re:Well, by definition it has to be Human

[NotBornYesterday]

as per Messr. Zombie?

Turn in your geek card, and don't come back until you've watched Blade Runner.

I saw a tv 'news' report on the n1 today...

[distantbody]

...I found it interesting that after the 2-second blurb by the anchor on channel 9 (aus) the only other commentary was from some standard and poors 'analyst' saying 'we are confident that the iphone is superior to the n1 in every way' followed by footage of the iphone. It seems they'll put any spin on for the right price.

Good prediction

[YourExperiment]

I particularly loved this line from the article: -

But for now, I don't expect to see any corporations handing out the Nexus One to their employees.

I guess he didn't hear about a little corporation named "Google".

Re:Good prediction

He meant real corporations....

Re:Good prediction

[zullnero]

The only thing funny about this statement is how it seems to totally not get the entire point of the article.

The point being, of course, that just because it's made by Google doesn't instantly mean that its perfectly secure.

Until security becomes a primary feature, it generally will take a backseat to features leading up to an initial release, in my own experience. Then again, this article is chock full of assumptions, and a security assessment based on assumptions is pretty much useless, so who knows.

Re:Good prediction

[YourExperiment]

The only thing funny about this post is how it seems to totally not get the point of my post. :)

Re:Good prediction

[alen]

and google probably has an email system where everything is stored in Gmail in the cloud. for the rest of us, we have exchange and people store a lot of data on phones

Remote data wipe?

[ducomputergeek]

Phones are easy to loose or get nicked. One of the features enterprises like about the Blackbery is the ability to do a remote datawipe. On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself. I can also do a remote datawipe as well. I've tried googling about this feature on the N1 and so far have found nothing.

Ability to do a remote data wipe is key for the enterprise market.

Re:Remote data wipe?

[Qubit]

On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself.

I take it you have no small children or friends with an impish sense of humor, do you?

Re:Remote data wipe?

[nxtw]

On my iPhone I can set a password. If it's entered incorrectly 10 times, the device automatically wipes itself.

Only the iPhone 3G S can do this quickly, and only if device encryption is enabled. With encryption, the device just erases the key. Without encryption, the wipe must overwrite the entire memory area.

Re:Remote data wipe?

[DJRumpy]

You can't disable encryption on a 3GS. It's built in.

Re:Remote data wipe?

[Duradin]

How well does remote wiping work with SD cards? Steal the phone, pop out SD card, profit?

Re:Remote data wipe?

[nxtw]

How well does remote wiping work with SD cards? Steal the phone, pop out SD card, profit?

Windows Mobile can encrypt content on SD cards which would make the content unreadable after a remote wipe deletes the key. I would assume that BlackBerry devices can encrypt SD card contents too or at least disable the SD slot.

Re:Remote data wipe?

[natehoy]

Despite the inconvenience, remote wipe and "bad password attempt" wipe are critical features in a corporate environment. If my company email is on my phone, I don't want to be the one that allowed someone else to read it.

The default configuration at my company is:
  - I have to set a password on my Blackberry. It has to be at least 6 characters long, and contain at least one number and one character.
  - The password must be changed every 60 days.
  - The phone will lock itself requiring the password to unlock it after 15 minutes.
  - All data on the phone is encrypted, including anything written to a Secure Digital chip. The SD card is unreadable outside the phone.
  - Ten bad password attempts will wipe the device clean, including nuking the decryption key for any SD card that may be associated with the phone. The company can also remote-wipe it if I tell them it's lost.

With that sort of security arrangement there is always the risk that someone could do a denial of service attack by simply entering a bad password as many times as it takes to wipe the device. That's why corporate smartphones rarely contain original copies of any important information and can be reloaded remotely as easily as they can be nuked. If my seven-year-old nuked my phone, it could be reloaded with all of my data in about an hour or two, and all I have to do is call my company helpdesk (on the same phone) and have them initiate the reload. If I dropped it down a storm drain, my company can reissue an identical phone with all of my corporate data on it in a few hours.

I have to reinstall my non-corporate apps (Google Maps, my RSS reader, etc), but even those use server-side data and all I need to do is log into them. No real data of value is lost unless I'm dumb enough not to have backed up some pictures of value to me or something.

Re:Remote data wipe?

[natehoy]

Sounds like WinMo and BB use the same basic idea.

Blackberry devices can encrypt the entire SD card, or part of the SD card (my company allows the /music, /ringtones, /videos, and /pictures folders to be unencrypted, everything else gets encrypted). The encryption key is on the phone, and in the event of a wipe that encryption key is deleted from the phone and all the encrypted data on the SD chip is now useless, even on the original handset.

Re:Remote data wipe?

[GooberToo]

Ability to do a remote data wipe is key for the enterprise market.

There have been applications on the market to do this for a long time now.

Re:Remote data wipe?

[TooMuchToDo]

The Mobile Defense app provides this functionality on several smartphone platforms: http://www.mobiledefense.com/

Re:Remote data wipe?

I found a nice program called Mobile Defender that I use on my G1. I can lookup where my phone is (assuming it's online, on the network, and it picks up GPS satellites), lock it, and remote wipe

Get off your high horse

[Sockatume]

He's not endorsing it, he's discussing it, in the specific context of how it changes the phone's security. Given the remit of the article, were you expecting him to go off on an eight-page screed against software signing at that stage, or something? The application sandboxing is going to seriously affect the way you interact with the phone as a programmer, should he have included something about sandboxing and its serious drawbacks for software authors too? Shit, VPN, there's another thing, I'm absolutely horrified that he didn't bring up the sociological impact of working from fucking home in his article about how god-damn secure the device is.

JESUS.

Re:I have my doubts

[shentino]

How do we know the government hasn't got some super-secret telepathy interceptor that you are just trying to lead our thoughts right into?

You could very well be a double agent yourself.

Why should we trust you?

For those who don't want to skim TFA

[DJRumpy]

Screen Lock (including gestures to unlock in addition to alphanumeric codes)
VPN support
Standard Wireless Support (Wireless-N as well which is nice)
Application Sandboxing
Lacks Corporate Policy Enforcement (fail for enterprise)
Application Signing - Doesn't require trusted signers which defeats the purpose
No hardware encryption (fail for enterprise)
No Remote Wipe (fail for enterprise)

IMO, the phone definitely seems ready for the home user, but is very lacking for enterprise

Re:For those who don't want to skim TFA

[landoltjp]

Good quick summary. Please mod Parent up. A few points, though:

• it's a new device, so it's possible (probable) that many / all of these features are coming ('cept for hardware encryption which may be limited to HW upgrades)
• Have application signing with self-signed certs as an enforceable policy.

King? iPhone Is The 3rd Place Phone

[MediaStreams]

http://www.intomobile.com/2009/11/12/apple-iphone-takes-third-place-in-q3-global-smartphone-sales.html

Nokia is the king.
RIM behind them.

And finally Apple in third place. So, no, Apple and iPhone isn't the king of anything in the cellphone market.

Re:King? iPhone Is The 3rd Place Phone

[0100010001010011]

Nokia is King as a company.
iPhone may be King as a model.

How many 'smart phones' are Nokia's sales spread across? Apple has the iPhone 3G and 3Gs. (And a few more if you split it up memory size).

Nokia's product line reminds me of Apple's in the early 90s. There's the 5530, the 5533a, 5005 WITH camera*. Etc.

* model names made up.

Re:King? iPhone Is The 3rd Place Phone

[Patch86]

And no consumers want choice, right? People much prefer to compromise on what they want from a product because of a limited product line, obviously!

(Nokia sells a range of different devices filling a whole range of price and hardware niches. Seeing as their combined range outsells Apples combined range by a considerable amount, I'd guess it's a strategy which is serving them pretty well).

Re:King? iPhone Is The 3rd Place Phone

Not sure but "rim behind them" doesn't sound like a place to be.

Re:King? iPhone Is The 3rd Place Phone

[dasmoo]

Consumers don't really like choice: http://www.youtube.com/watch?v=VO6XEQIsCoM

Re:King? iPhone Is The 3rd Place Phone

http://www.intomobile.com/2009/11/12/apple-iphone-takes-third-place-in-q3-global-smartphone-sales.html

Nokia is the king.
RIM behind them.

And finally Apple in third place. So, no, Apple and iPhone isn't the king of anything in the cellphone market.

Third in market share, but first in profit share.
http://digitaldaily.allthingsd.com/20090804/iphone-claims-32-percent-of-handset-industry-operating-profits/

Remote datawipe does exist on Android.

[tweek]

While the default Exchange integration on Android 2.0 doesn't support all of the Exchange security features, Touchdown ( http://www.nitrodesk.com/dk_touchdownFeatures.aspx ) DOES. I used it initially on my DROID and am currently testing the native stuff now that Motorola released a corporate directory app on the app store. Remote wipe *IS* supported by the native android ActiveSync implementation but not PIN security IIRC.

Re:Remote datawipe does exist on Android.

[essjaytee]

I believe the main issue is that it doesn't respond correctly to the Exchange ActiveSync server. So while the device may be implementing correction password policy, etc, the Exchange server doesn't know it.

There is an option in Exchange for "Allow Unsupported Devices." Turning this on bypasses the security requirements, but you're nuts if you think you can enable this at any legitimate enterprise.

Re:Remote datawipe does exist on Android.

[tweek]

I'm not suggesting that enterprises disable "Allow Unsupported Devices" but my understanding of Touchdown is that it DOES implement ActiveSync properly. What's really annoying about the whole argument is that all it takes is for the security to be bypassed is for the activesync client to lie about capabilities.

Re:I have my doubts

This is a weakness which I have already considered. Thus, when I think, I always make sure to think the opposite of what I'm really thinking, to confuse the Italian spies and cause errors in G$$Gle's spy computers. -- CFAFI underground commando

At least he avoided using "sheeple"

[Quiet_Desperation]

Yeah, a good user experience and plenty of useful applications that just work. What sort of damned fool would ever want that?

Re:At least he avoided using "sheeple"

[elrous0]

Yeah, everything on the iPhone just works--until AT&T's crappy network drops your call yet again or you try to get consistent 3G coverage.

Re:At least he avoided using "sheeple"

And then you remember that your phone is one of the few with WiFi, and turn that back on and don't worry about 3G...

Re:At least he avoided using "sheeple"

[indiechild]

The universe doesn't revolve around the US.

SMIME

No SMIME?

Application signing is worthless?

[tibman]

The application signing is worthless because they are self-signed certs? WTF is this guy smoking. Just because someone pays a CA to sign their cert doesn't make it magically more secure. I'll be honest, i think CAs should die off (in their current forms).

Re:Application signing is worthless?

You need to do some research on self-signed certs, they are worthless. PKI is built on a trusted source framework with Certificate authorities being that trusted source. Like he points out in the article apple controls the CA for their apps so if an app writter does a trojan horse in their app then apple can pull the cert and destroy the app. Google needs to do the same. Also certs are used in android to verify what applications are related to each other and become part of the same process. So if a hacker can duplicate your self-signed cert then they can have their trojan app merge in the same process as your real app.

Re:Application signing is worthless?

[tibman]

You need to do some research. All a CA is.. is a Self-Signed Certifcate company that signs other people's certificates for money. That does not make the signed certificates any stronger.

PKI is strong not because CAs exist. A-symmetric keys allow you to distribute your public key so that anyone can encrypt messages sent to you. But you keep the private key and only you can decrypt them. This also allows you to sign a file/document/text and prove that you are the key-holder. PKI not only describes the typical CA type but also web of trust and lots of other systems. Anyone can become a CA, including you. If you are the security manager for a company, you can generate your top-level key and self sign it. Any other key not signed by your key isn't authorized.. get it?

If a business wants signed certificates, all they have to do is Generate a certificate, self-sign it, and use that as the master key to sign allowed apps/packages.

In short: a CA = a top-level Self-Signed certificate.

Re:Application signing is worthless?

[Rysc]

It is my assumption that certs are required for two purposes: Providing a unique, unambiguous identifier and to allow for revocation in case of malware. Self signed certs are OK for the former, but what about the latter?

In any event, however kool-aid it may be, a lot of people (read: companies and governments) like verifiable certs with known CAs. Adding an option to require this would make them happy.

Re:Application signing is worthless?

[tibman]

You are very right about the revocation certificate. If you needed to check for revoked certificates the CA or signer should be maintaining the revocation list. If you self-signed, it would be difficult to get your revocation cert out there to your public key users.

There are public (and free) key-exchange servers but that probably isn't a good alternative for businesses. A trusted third party like a typical CA is their best bet, atm. I doubt a small business wants to setup their own server just to maintain that stuff.

I have to bring up that if your CA revokes their cert, how would you know? Someone at the top has to self-sign. Unless you go with a web of trust, everybody signing each other, which isn't a CA.

Re:Application signing is worthless?

[dasmoo]

OK so how do you revoke someone elses self signed cert if they create a malicious app?

Re:Application signing is worthless?

[jc79]

You don't. You simply choose not to install any more apps signed with their key. For example, you could remove their key from the list of trusted keys which your package management software uses.

Re:I have my doubts

[shutdown+-p+now]

Since it comes from G$$Gle

I'm really curious now. How do you spell "Apple", "Sun", and "IBM"?

Nexus One vs iPhone 3Gs vs. N900

[Hurricane78]

I’m sure if you ask the Japanese, they will laugh in your face. But a quick comparison:

Nexus One vs iPhone vs. N900

CPU: 1GHz Qualcomm SnapDragon | 600 Mhz ARM Cortex-A8 + PowerVR SGX | 600 MHz ARM Cortex-A8 + PowerVR SGX
RAM: 512MB | 256MB | 1GB
Display: 800x480 AMOLED | 480x320 TFT | 800x480 TFT
Camera: 5 MP, LED flash | 3 MP, no flash | 5 MB + 0.3 MP (dual), LED flash | (All without optical zoom, which in this day and age, is pathetic.)
Storage: 4 GB + unlimited | 16 GB (fixed) | 32 GB + unlimited
Battery: 1400 mAh | 1219 mAh (non-removable) | 1320 mAh | (all 3.7 V li-ion)
Input: capacitive touchscreen + trackball | multi-touch touchscreen | resistive touchscreen + 38-key backlit keyboard
OS: Android | iPhone OS | Maemo Linux
Dimensions: 119 * 59.8 * 11.5 mm | 115.5 * 62.1 * 12.3 mm | 110.9 * 59.8 * 18 mm
Java support: yes | no | yes
GPS: They all got A-GPS and Wi-Fi triangulation is possible with a software. Although from what I heard, the iPhone has that software built-in. (I bought it for 3€ for my Nokia, so not much trouble there.)
Ability to put on it and do with it what you want: likely | locked down | absolutely
FM radio: no | no | yes

That’s about the differences I could make out. I hope this gives a better picture. I tried to stay unbiased. (And I’m sure I will draw hate for this. ;) As always: No guarantees.

Re:Nexus One vs iPhone 3Gs vs. N900

[jspenguin1]

The N900 has 256MB actual RAM, plus 768MB swap on an internal MMC card. It has to have more memory because unlike the iPhone and Android, applications must be explicitly closed (by closing the window) before they are unloaded.

The internal storage card is split into three partitions: 2GiB app storage, 768MiB swap, 25GiB user. The reason the app storage is separate is because it is formatted ext3, but the user storage must be formatted FAT for Windows hosts to access it through USB Mass Storage. Some applications (games, mostly) do install large data files there, though.

Re:Nexus One vs iPhone 3Gs vs. N900

Tested by 'Will it blend?': no | yes | no

there!

Re:Nexus One vs iPhone 3Gs vs. N900

[naveenkumar.s]

Java support: yes | no | yes

Java on Android is Dalvik, right? You get "real" Java with N900 (not J2ME).

Nexus One's TTS seems like a killer feature

Re:Nexus One vs iPhone 3Gs vs. N900

[Hurricane78]

My Nokia 5800 already has text to speech. And speech to text! It can e.g. say the name of someone if that someone calls me. And it can recognize a name that I speak into the microphone, without me previously recording it. That feature surprised me, and from my experience works very well.

Yes, I should have made that distinction of J2ME vs full Java. Although I think that full Java on Android is definitely possible with those specs. (And on the iPhone too. But I read a statement from Jobs, that he personally thinks Java is crap and therefore the iPhone will not have it. Which as a Java developer, I find pretty arrogant, considered that every single phone of the last 10 years that is out there, except for the iPhone, supports J2ME. In fact is it so common, that software often is not even labeled as being J2ME anymore. Also on at least all modern Nokia phones, you get accelerated OpenGL ES, accelerated EAX-HD-like sound effects, and every important API exposed. It’s all in all a great development platform.)

Re:Nexus One vs iPhone 3Gs vs. N900

[yincrash]

Android programs are made in a Java subset that runs in the Dalvik VM. You can also write parts of the app in native (assembly? or C? i forget) but this can add phone compatibility issues.
There is a free app than runs J2ME programs I believe by basically just interpreting the J2ME bytecode into the Dalvik bytecode. It's sufficient because most J2ME programs aren't that processor intensive anyways.
As a note for the sibling reply, there is also a free text reader program for the android. I believe it is full featured enough to use the phone while being blind, but I am not really a good judge of that.

Re:Nexus One vs iPhone 3Gs vs. N900

[naveenkumar.s]

My Nokia 5800 already has text to speech. And speech to text! It can e.g. say the name of someone if that someone calls me. And it can recognize a name that I speak into the microphone, without me previously recording it. That feature surprised me, and from my experience works very well.

Symbian has that feature, but I don't think maemo has got it yet. Based on what I've read so far, TTS on Android seems to be much more comprehensive. For example, you can do browser form filling through speech-to-text.

Yes, I should have made that distinction of J2ME vs full Java. Although I think that full Java on Android is definitely possible with those specs. (And on the iPhone too. But I read a statement from Jobs, that he personally thinks Java is crap and therefore the iPhone will not have it. Which as a Java developer, I find pretty arrogant, considered that every single phone of the last 10 years that is out there, except for the iPhone, supports J2ME. In fact is it so common, that software often is not even labeled as being J2ME anymore. Also on at least all modern Nokia phones, you get accelerated OpenGL ES, accelerated EAX-HD-like sound effects, and every important API exposed. It’s all in all a great development platform.)

I don't think Apple will ever allow Java on their handhelds. For one thing, it breaks their appstore model and I think they simply don't like VMs. So no Java, no Adobe Flash.

I'm in the market for a new phone and have pretty much made up my mind on N900. But N1 does look very interesting

Re:Nexus One vs iPhone 3Gs vs. N900

[Brian+Quinlan]

I'm not sure what your point is here.

The N900 has 45% more volume than the N1 but also has a few more features (but mostly they seems pretty similar). Is that really surprising?

In other news my desktop has a bigger HD than my laptop, my apartment has better rain protection than my tent, ...

Cheers,
Brian

Re:Nexus One vs iPhone 3Gs vs. N900

I hate to be a party pooper, but with respect to the N900:
RAM: my N900 only has 256MB of RAM. The other 768 is swap!
Camera: The front camera is disabled and should be discounted until such time as nokia actually releases firmware supporting it to the public.
Storage: SDHC is not unlimited
Software: The official Ovi store is not open yet, and maemo-extras is kinda slow on the community approval. Apps are supposed to install to /opt, but many forget or fail to optify everything so the tiny flash / slowly fills up. There's a large backlog of software from previous devices not yet ported to Maemo5, if ever.

There are some unmentioned advantages; the n900 has tv out, and an IR emitter. And we get Fennec, so yay.

Re:Nexus One vs iPhone 3Gs vs. N900

[rdnetto]

The N900 has 256MB actual RAM, plus 768MB swap on an internal MMC card. It has to have more memory because unlike the iPhone and Android, applications must be explicitly closed (by closing the window) before they are unloaded.

The internal storage card is split into three partitions: 2GiB app storage, 768MiB swap, 25GiB user. The reason the app storage is separate is because it is formatted ext3, but the user storage must be formatted FAT for Windows hosts to access it through USB Mass Storage. Some applications (games, mostly) do install large data files there, though.

That probably wouldn't stop you from reformatting the the user storage to ext2 though (although that would be a bit risky). Alternatively, you could probably install programs there by either loop mounting a volume from a file in user or by editing /etc/fstab (one of the benefits of easy root access :).

Re:Nexus One vs iPhone 3Gs vs. N900

[rdnetto]

Symbian has that feature, but I don't think maemo has got it yet. Based on what I've read so far, TTS on Android seems to be much more comprehensive. For example, you can do browser form filling through speech-to-text.

Maemo doesn't support speech-to-text yet, but there is a (working) text-to-speech package in the repositories.

Re:I have my doubts

[TheGratefulNet]

click on the TPM(*) icon and verify for yourself.

(*) Trusted Poster Module. standard equipment on some new whitebox pc's.

Fucking Faggot

As if the world needed another yet example why everyone despises losers with iPhones...

 

Re:I have my doubts

(h)A$$le, $un, I$M

Doesn't work with Exchange for many people

[OG]

It depends on how the Exchange server is set up. For industries that demand security, such as healthcare, Exchange servers tend to require that mobile devices support things like encryption and remote wipe. In order for the device to connect, it has to tell the server that it supports any of these capabilities required by the server. Android's default email client doesn't. The Touchdown app does report capabilities back, but it's basically fudging the truth in order to connect (that's my understanding, anyway). Some admins have glommed on to this trick and are refusing to let Android devices connect at all.

So no, Android isn't ready for the enterprise. I have the HTC Eris and love it. I work at a research/teaching hospital, though, and probably wouldn't be able to use it for work. That's fine by me, but anyone who got the phone in order to keep up with work is going to be quite disappointed.

Re:Doesn't work with Exchange for many people

[GooberToo]

There are currently three or four Exchange clients for Android. You really need to check all of them before you so quickly dismiss Android in the Enterprise.

And from what I understand, HTC has made their Exchange client a high priority so as to allow for their devices to get better corporate penetration. Its reasonably to expect the state of Android + Exchange is only going to rapidly improve in the near term; regardless of what the current state of things may be.

Re:I have my doubts

[norminator]

Way to blow your whole plan by publishing it on the Internet.

Re:I have my doubts

[Arthur+Grumbine]

How do we know the government hasn't got some super-secret telepathy interceptor that you are just trying to lead our thoughts right into?

Actually, I am a telepathy interceptor interceptor and it was I who put that thought into your head - just so I could let you know I've got your back.

I think

White Zombies don't need none of that security crap...

Aren't those security bugs?

[jonaskoelker]

corporate enforcement of security settings

That means they, not I, control the hardware. That means that the phone, from my vantage point, comes with its security pre-broken.

hardware data encryption

Why? Can't you just implement AES in software? Linux can do full-disk encryption just fine.

and remote wiping capability.

This is either "ssh phone 'rm -rf /'", which Linux should be able to do, or it means some not-me can decide to fuck over my phone. If it's the latter, from my vantage point, it's insecure.

Take backup images of your phone

[jonaskoelker]

I think that problem would be easily solved by taking backup copies of your phone's disk image.

Then if some twerp wipes your phone, you just restore the last know good disk image and are ready to go again.

I mean, you do keep backups, right? ;-)

Try another exchange client.

[mjwx]

As I understand it the Touchdown client I use is compatible with Exch 2007 security requirements (not Exch 2003 though). This is the brilliant thing about Android that most of it's detractors miss, if a feature is lacking or non existent it can be added in by a third party or custom ROM. Look at Bluetooth file transfers or tethering, neither of these things are available by default on the standard OS but can be added in via applications (AndrOBEX, Proxoid, PDAnet) or included by default in custom ROM's like Cyanogenmod.

Android has it's shortcomings but it is designed so that they can be overcome by community involvement.

User experience, style, class.

[jotaeleemeese]

Stylish design, user friendly....

Empty marketing words.

Check the numbers and Nokia is the world leader.

Many folks fail to see that the iPhone is a luxury item, and thus by definition it is niche, and the niche it is serving are the people that use words and sentences like the ones above in polite conversation with a straight face.

So?

[jotaeleemeese]

Apple is not even king in the smart phone market.

So again, they are king of what exactly?

Hype and marketing? Yes, absolutely.

Anything else?

Show me the numbers.

False Dichotomy, of sorts

[stewbacca]

If I'm a consumer, I want a consumer device, not an enterprise device. If I'm one of those self-important crackberry nerds at work who can't refrain from bringing work: home, on the plane with me, to the restaurant, then I'll get an enterprise device. Frankly, I could care less that my iPhone added a remote wipe feature and whatever other crappy enterprise features I don't need for my consumer device.

So, I guess it depends on how the Nexus One is marketed. If it is marketed as a consumer device and lacks enterprise features, then what's the problem?

And what about battery life?

[rsborg]

And how hot the handset gets when doing common activities like calls or watching videos? These are all far more important to me than the raw hardware numbers...

In fact, I've given up on raw numbers for almost anything that's my personal kit. More megapixels in a camera are worse when the sensor isn't upgraded (see Canon XSi 450D vs. Canon T1i 500D ... 20% more megapixels with no sensor upgrade = softer pictures). Likewise, I don't want a phone that's running a hot 1Ghz when fully utilized by a poorly-written app.