Twitter To Open Source Android Security Tech
itwbennett writes "Following last month's acquisition of Whisper Systems, Twitter is open sourcing 'some' of the company's Android security products. First up: TextSecure, a text messaging client that encrypts messages. Source code is on GitHub now. 'Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent,' writes IDG News Service's Nancy Gohring."
Offering the technology to the community so soon after the acquisition could indicate that Twitter made the acquisition primarily for the developer talent.
So, apparently Whisper Systems has to do with that Moxie Marlinspike character, who strikes me as someone who might have had open sourcing as a requisite for the acquisition?
Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
This makes a lot of sense. Twitter is and has always been a facilitator of open communication, particularly from censoring governments. This is just an extension of that.
I have always kept an eye on Whisper Systems and specifically TextSecure (and WhisperCore) but they never became really "usable". I would (and I think many people) love to be able to securely text message (or via iMessage or Facebook) knowing it's safely encrypted but still highly usable (similar to Pidgin + OTR).
Will they try to use this for corporate evil? Maybe. But at the same token WhisperSystems never had enough power/traction to develop what they really wanted and we (the people) needed.
While yes, TextSecure is similar in nature to PGP, it isn't the tech, so much as the interface, that makes it a great app. While I can agree with some of your objections to what Web 2.0 heralds as new and I believe there are legitimate questions about the wisdom of the direction we are going with technology, I think your rant may be misplaced here. TextSecure is a local Android SMS client that smoothly integrates key exchange and secure messaging with SMS so that the user doesn't have to concern themselves as much with the "complicated" details. You simply choose a contact, request a key exchange, verify a code it gives you via some other channel to make sure there is no man in the middle and the keys are then stored with the contact for future verified, secure communication without having to do anything more than send text messages like you normally would (though through the TextSecure app).
What we should take from "Web 2.0" is the attention to what kinds of interfaces and interactions users gravitate towards and this is where TextSecure seems to shine the most. What we might be wiser not to take from Web 2.0 is some of the more questionable technical "innovation" that seems to be moving backward in capability to what we had in the past in the name of supporting the new UI. Examples from my perspective at least are the pushes towards things like Metro and trying to do entire desktop replacement application development in HTML5. Sure the idea of a pure touch friendly UI sounds good to marketing, but the fact is there is a lot that can't be effectively done with it. You might cover the needs of half the population even, but you are greatly limiting the development of the fringe of technology which has always been what pushes us forward.
Recently there seems to be this idea that the goal should be to get everyone, from the biggest technophiles to granny in a nursing home should embrace new tech, but too often the way that seems to be accomplished is the lazy approach of making a limited product that doesn't really push the envelope or encourage further growth. For the longest time tech has started in the hands of those who understand how to push it forward and then propagated down to the masses after going through a lot of refinement and filtering to find the best stuff. Now things just get thrown out to mass market and that filtering and direction is lost. Effectively control of the direction of technology is getting handed to marketing instead of technologists. That's a great way to make money, but a horrible way to move technological progression forward.
Similarly, HTML5 being used for desktop apps is a nice goal to try to have apps that can be used anywhere and not require install, but the fact is that the tools really aren't there to do it efficiently yet and it's really a wasteful process when you consider the extra development effort required for many projects combined with the extra energy required to run the necessarily inefficient code (just the lack of a good ability to push notification from server to client is a huge issue, let alone the security concerns and the performance of java script in general). On the other hand you do save having to produce hardware for the home, but that hardware and more is just having to go in data centers instead (though it is more fully utilized in a data center.)
AJ Henderson
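The workflow described in the comment above (request a key exchange, then read a short code to the contact over another channel to rule out a man in the middle) can be illustrated in a few lines. The following is an added example, not TextSecure's or Whisper Systems' code; it uses a toy Diffie-Hellman group and a constructed "verification code" derived from both public keys, and simulates the honest exchange beside an interposed one so the code mismatch is visible.

```python
"""Added example: out-of-band verification code for a key exchange.
Toy parameters, constructed for illustration; not the TextSecure protocol."""
import hashlib
import secrets

# Toy Diffie-Hellman parameters (constructed; a real client uses a vetted
# group such as an RFC 3526 MODP group or an elliptic curve).
P = 2 ** 521 - 1   # a Mersenne prime, adequate for a demo
G = 3
NBYTES = (P.bit_length() + 7) // 8


def gen_keypair():
    """Return (private exponent, public value) for the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 256-bit session key from the DH shared secret."""
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(s.to_bytes(NBYTES, "big")).digest()


def verification_code(pub_x, pub_y):
    """Short human-readable code over both public keys, order-independent so
    both parties compute the same string; read aloud over another channel."""
    lo, hi = sorted((pub_x, pub_y))
    digest = hashlib.sha256(lo.to_bytes(NBYTES, "big") + hi.to_bytes(NBYTES, "big")).digest()
    num = int.from_bytes(digest[:5], "big") % 10 ** 10
    text = f"{num:010d}"
    return f"{text[:5]} {text[5:]}"


def run_exchange(mitm=False):
    """Simulate Alice and Bob exchanging keys, optionally through Mallory.
    Returns whether their session keys and verification codes agree."""
    a_priv, a_pub = gen_keypair()
    b_priv, b_pub = gen_keypair()
    if mitm:
        # Mallory substitutes her own public values in each direction.
        _, m_to_alice = gen_keypair()   # what Alice receives as "Bob's key"
        _, m_to_bob = gen_keypair()     # what Bob receives as "Alice's key"
        alice_sees, bob_sees = m_to_alice, m_to_bob
    else:
        alice_sees, bob_sees = b_pub, a_pub

    alice_key = shared_key(a_priv, alice_sees)
    bob_key = shared_key(b_priv, bob_sees)
    alice_code = verification_code(a_pub, alice_sees)
    bob_code = verification_code(bob_sees, b_pub)
    return {
        "keys_match": alice_key == bob_key,
        "codes_match": alice_code == bob_code,
        "alice_code": alice_code,
        "bob_code": bob_code,
    }


if __name__ == "__main__":
    for label, flag in (("honest exchange", False), ("interposed exchange", True)):
        r = run_exchange(mitm=flag)
        print(f"{label}: Alice reads {r['alice_code']}, Bob reads {r['bob_code']}, "
              f"codes match = {r['codes_match']}")
```

In the honest run both users read the same ten digits; with an interposer each side's code covers a different pair of public keys, so the digits differ even though each side has a working session key. That difference is what the out-of-band comparison step detects, which is why the comparison has to happen over a channel the interposer does not control.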
The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like)
Regarding the open sourcing of the encryption code, generally self-written encryption routines are inadequate at best. If you're not leveraging one of the well vetted encryption libraries, odds are that your solution is weak and will only stand up to cursory inspection. Otherwise, you're using PGP, RSA, Blowfish, etc, and your code is merely a light wrapper around those libraries. (No, I did not review the code)
As for chat clients and the like connecting to each other with encryption, this has been around and open sourced a long time, one implementation is Off-the-Record. And of course there's the PGP solution that has been around since the early 90s.
The cesspool just got a check and balance.
Here's to hoping for a MeeGo port...
And good job, Twitter. Somehow you're becoming far more sympathetic than that 'other' big social network player...
Practically EVERY WEEK, & for YEARS now? Yes - You see a NEW "security bug" turning up on ANDROID, a Linux variant!
[Citation Needed]
Yes, I know... Don't feed the trolls and all of that...
- Toast
CarrierIQ is not an android problem.
Apparently you haven't played with X11 at all if you think we're doing more now than in the 80s.
I distinctly recall using SGI machines to run PATRAN modeling software that was backed by a Cray YMP-16. If you think a little Web 2.0 app comes anywhere near the intricacy of visualizing stress results on a 300K 3D element model, you need to revisit what existed back in the late 80s. It might just shock you back into the future. (and no, it wasn't real time either, you submitted commands and went to get a cup of pretty much whatever was furthest away)
The cesspool just got a check and balance.
The truly funny part is Web 2.0 is back to classic Client/Server programming, utilizing an HTML engine as the client. I believe that existed since the 60s with dumb terminals, but certainly no later than the early 80s with the current modern thick client/server model (think X11 and the like)
It seems like you're talking about HTML5 (Creating websites with application-like user experience with combinations of the latest HTML, CSS and JS features) though you refer to it as Web 2.0.
Web 2.0 has nothing to do with user interface (though certain UI elements, such as types of glossy buttons, are often referred to as "Web 2.0 style" because they got popular in blogs, etc.). Web 2.0 refers to the change in how people view the internet and how the content is produced. Web 2.0 refers to the change from passive users (who just visit corporation.com to look up information) to active users (who produce the content themselves. e.g., blogs, youtube, Slashdot community, etc.).
I know there are too many buzzwords these days, but these are the ones that everyone should know. Web 2.0 has been pretty well established for years and I think that it well describes very important change in how we view the web. HTML5 is more of a buzzword (as it doesn't actually refer to any new technology, it seems like a newer version of "DHTML") but it's quite widely used and the meaning is pretty consistent, too. :)
But CarrierIQ runs on the iPhone as well, and Nokias, so how is it an "Android problem"?
The old Razr mobiles could be used as remote listening devices.
APK in "computers can run software" shocker.
No
It doesn't run on my android phone.
But it does run on any phone its installed on.
Because my phone is Android, and it didn't come with CarrierIQ, and other people's phones are not Android, and they do come with CarrierIQ, so how can it be an Android problem?
CarrierIQ is installed "on purpose" by the people who sell you the phone; it's not the operating system's fault some people get their hardware from a dodgy vendor, and that vendor doesn't care what operating system you chose.
Not sure what a hosts file has to do with anything, but as you correctly point out, it's less of a problem for Android than other phones, because at least you can easily remove it if you are misguided enough to get a phone with such dodgy software.
Saying
"CarrierIQ is an Android problem"
is a lot like saying
"Cars are a Suzuki problem"
Sorry but
Not all cars are Suzukis
like
Not all CarrierIQs are on Android
and
Not all Suzukis are cars
like
not all Androids have carrierIQ
and cars aren't that much of a problem
like
CarrierIQ is not that much of a problem
And plenty of Windows PC's come with CarrierIQ like stuff installed on them:
http://www.dailymail.co.uk/news/article-1383216/Rental-chain-Aarons-caught-spying-customers-home-taking-webcam-photos.html
The point we seem to be labouring, is you seem to think vendors installing malware is a security issue.
Security issues are ones in which problems arise after you get the device, outside of its intended use. Most of what you are posting is complaints about software doing what it was intended to do (albeit not what the user expected). That is something very different to, say, switching your computer on and instantly getting infected with a virus, which has plagued Windows for decades and has never been a problem on Linux.
The very fact your own link says:
http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/
The Symbian, Windows Mobile and Blackberry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that Zeus gang was interested in developing malware for mobile platforms.
However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.
Shows this is still much more of a problem on windows devices than linux based ones.
There are also tools out for Android based devices that let you revoke permissions for installed apps, Is there anything like that for windows devices?
Simple fact is, Linux is as secure as you make it, but you cannot make windows secure.
The minimum ones are:
DHCP Client
DNS Client
Plug & Play
Remote Procedure Call (RPC)
So you still had to rely on Linux to protect you from the Blaster worm then?
Also
"Nobody USES Linux nearly as much as Windows"
Simply isn't true. Users may use Windows, because that is what they are sold, but in terms of the computing they use, they use Linux far more; you, reading this, are probably using 1 Windows machine, and rely on maybe upwards of 20 machines using some nix variant, before you get on to any of the other networking activities. Just because it's transparent doesn't make those machines any less important.
Windows just isn't built for security, it is built for usability, but that is just because a windows machine typically has only one user, whereas a typical nix machine has hundreds, thousands, even hundreds of thousands everyday.
I'm still waiting for you to post a security flaw on android that doesn't require the "user" to install malicious software - i.e. one that affects anyone just "using" it. (you know, like simply reading a pdf document, or simply connecting the machine to the internet).
Perhaps the best one you have come up with so far is:
http://it.slashdot.org/story/10/11/05/0229205/Researcher-To-Release-Web-Based-Android-Attack
which "does not affect Android 2.2 or later versions"
I have no problems with security flaws being found & released after they have been fixed, I care slightly more about security flaws that are found after they are being actively used in the wild (e.g. zeus bot), but as far as I can see, that remains the nearly sole domain of windows systems.
What gave you THAT idea?
Blaster worm infected anyone connected directly to the internet (i.e. not going through a router, which usually runs Linux) with RPC active
Sure it is that nearly NOBODY uses Linux (on PC's & Desktops especially vs. Windows)
http://en.wikipedia.org/wiki/Google_platform
http://www.computerworld.com/s/article/9116787/Wikipedia_simplifies_IT_infrastructure_by_moving_to_one_Linux_vendor
http://www.linuxtoday.com/developer/2010072300835NWHESV
etc. etc.
I did even better in posting ones regarding:
1.found and fixed before exploited in the wild.
2.Froyo = 2.2, now on 3.2
->I still do NOT "get" HOW you can say I relied on Linux
When you use the internet, you use much more than just the single machine you are sat on. LAMP is the backbone of the modern internet.
The main reason for this is the security of Linux systems. Facebook, for example, is a much higher profile target than you and your worthless Windows machine with anything useful disabled. IIS just never made the grade.
J6P uses Windows, because it's easy to support by vendors, and easy for the non tech savvy to use. But anyone who cares about security uses Linux, and by default anyone who uses the services of those companies uses and relies on Linux. This may be "transparent" (i.e. the lowly user never knows they used Linux), but then the same lowly user is unlikely to know where Microsoft stops and where Activision starts when they fire up that latest game they got for Christmas.
_P.S.=> It's also funny how you "abandoned" your statements here requoted in my last post too:
http://news.slashdot.org/comments.pl?sid=2586024&cid=38502472
About how YOU stated that I didn't post any DIRECT Linux kernel level errors in ANDROID, & how things can install via malwares on ANDROID WITHOUT USER INTERACTION, despite your stating otherwise - I did, & it "silenced you" on that account... lol
So google and facebook are "nobody"?
Now that's a real ROFL!!!
You're the one who brought up Windows & desktop PC's, and hosts files, but still with no real explanation of wtf they have to do with Android, I was just pointing out that despite all the claims to the "contrary" using some "market share" metric, the simple fact is in real terms - i.e. what the internet actually gets used for, windows is a small fish in a large ocean, little more than a typewriter in the space age.
Going back to what I said earlier
"Linux is as secure as you make it"
i.e. sure there are problems, but nothing that has been seriously exploited that hadn't already been fixed.
"You cannot make windows secure"
i.e. Doesn't matter how hard you try, there will always be a significant number of flaws that are exploited before they are fixed.
My comment was never that Android doesn't have any security issues, it was just that many/most of these "supposed" security flaws you are posting are not "Android problems" or are "no longer a problem for Android".
Also
London stock Exchange woes were not Linuxs fault!
http://www.zdnet.com/blog/open-source/london-stock-exchange-woes-not-linuxs-fault/8358
yet more "OMG someone using linux has problems - blame linux" FUD.
Its pretty obvious why you want "no questions asked".
Thanks to 3rd party advertising code embedded in the old LSE website, no linux to blame there, just good old html.
Thanks to 3rd party windows machines not doing what they were supposed to.
Ooops, shoot. foot. self.
I guess next you'll be blaming some flood damage on operating system choice. I'm sure you can manage it somehow if you try hard enough.
No you didn't, you posted a link to security issues which were:
->fixed before they were exploited.
Yawn, must try harder.
Oh, and the CA's and were breached using good old brute force attacks on ftp and sql servers.
Again, not Linux specific issues.
which "note"?
vulnerable to what?
Linux has never had anything like Blaster, Zeusbot or any of the other myriad of worms that infest Windows machines on a daily basis, despite Linux machines being much higher value targets and connected to the web 24/7.
Heck, I don't see how the internet could have happened if your average server was vulnerable to the infamous ping of death and the like, which is why IIS has never stayed on webservers longer than a year or two.
You find a few examples of specifically targeted machines, which required hundreds of hours of computation time to breach, and use them as examples of how windows is just as secure, despite nearly every windows machine requiring milliseconds of computation time to pwn, while its doing nothing more than presenting a few badly drawn documents.
Comparable my arse, the security of Linux may not be perfect, never said it was, but in terms of network safety Linux is a Challenger tank with Trophy system and Windows is a bus full of Palestinian suicide bombers.
And all this is beside the point, that firstly, you haven't found a single exploited Android vulnerability; the best you can do is audit reports and fixes of unexploited vulnerabilities, or trojans bundled with other software which are easy enough to find and uninstall as to not pose a serious risk. And secondly, you have offered up no alternative to Android. iOS doesn't count because it's useless to anyone who wants/needs to install anything homebrew, and the dire lack of security on Windows Phone
http://techcrunch.com/2011/12/13/security-flaw-in-windows-phone-7-5-kills-the-messaging-hub/
is the least of its woes.
You linked
http://linux.slashdot.org/story/10/11/02/2238205/Serious-Security-Bugs-Found-In-Android-Kernel
which is a summary of
http://www.techweekeurope.co.uk/news/serious-security-bugs-found-in-android-kernel-11040
which says
Not my fault if you failed to RTFA.
You do realise you are posting on slashdot right?
But every windows machine connects to at least 20 Linux machines a day, which is where your argument falls flat on its face.
It's true you've posted lots of links to security firms fixing Android bugs before they were seen exploited in the wild. I'm still waiting for one that was found in the wild before it was fixed. I showed you one for windows;
http://techcrunch.com/2011/12/13/security-flaw-in-windows-phone-7-5-kills-the-messaging-hub/
Surely you can manage at least one?
Nope, that was still you failing to RTFA
summary of
http://www.eweekeurope.co.uk/news/serious-security-bugs-found-in-android-kernel-11040
says:
->fixed before they were exploited.
Must try harder
Just checking
Nope, because you can't run services on Windows without losing security. Which is why you wrote that post saying shut them all down. Remember.
Fixed before exploited
APK in computers can run software shocker
APK in computers can run software shocker
APK in computers can run software shocker
APK discovers phones have GPS shocker
APK in computers may be able to run software shocker
APK in computers can run software shocker
APK in computers shouldn't run software shocker
Still waiting for just one that is a security problem in the wild rather than merely a vendor problem
one
Seriously, no point in running through an entire Spybot S&D list, you'll find a helluva lot more than 72 malicious apps.
just uninstall them (or don't install them in the first place), if you care that much.
Very different to getting a text message that bricks your phone, switching off text messaging not a viable alternative for mobile phone users methinks.
ROFL
And you think Linux has a limited market share!
here:
I don't understand the question.
I need all of them, else why would they be there?
That's the point of
"APK in computers can run software shocker"
And on balance, so far they all appear to be Apple paid-up Fear, Uncertainty and Doubt (FUD). Designed to make people think being able to run their own software on computers is in some way a bad thing.
Take a lot more than "Chinese make nasty applications" to make me want to give up the right to decide what software is installed on my own hardware; that is about as bad a security risk (my security that is) as there is going.
I'm still waiting for one example of an "in the wild" security risk that is Android related, as opposed to some variant of "computers can run software shocker".
Not sure where you're coming from now, you're twisting yourself in knots. Presumably because you recently realised how lame disabling services is as a solution to all the security problems in those services.
Obviously my "turn them all off" was my reference to this, not that you said to literally disable every windows service (although this is the only way to make windows secure, hence my earlier comment about windows being little more than a typewriter in the space age).
No, so far you've posted (mostly) 70 odd links to one issue: the fact that you can install software on Android (plus a few fixes during security audits).
Admittedly the iPhone doesn't have this security issue, because you can't install software on the iPhone, which is why Apple pays for so much FUD.
But that is one security issue I think most people are willing to live with, and really doesn't demonstrate "insecurity" issues with Android, since installing other peoples software is optional (unlike the iPhone).
Which brings us back to point, please find one remote code exploit seen in the wild on a stock, up to date Android phone.
And, afaics, not one of them pertains to a critical security flaw in Android.
Which means Android is, to date, more secure than both windows phone and the iPhone (who both have, and have had, critical remote code vulnerabilities exploited in the wild before they were fixed).
Case closed, no questions asked.
ROFL
not 72 links of good or bad things.
72 links of FUD, which is less than DoD certification and your inability to find a single one pertaining to a critical security flaw.
Simples.
I'd like to thank you, been an interesting discussion, before this I just considered Android to be the best of a bad bunch, "least worst option" so to speak, But you managed to convince me I was overly critical, and that actually Android has a pretty flawless security history.
Shame the same can't be said for the alternatives.
Certainly don't mind double checking Android is the most secure, good of you to collate them for anyone who happens across this thread.
Already checked: No critical remote code exploits here .
Others are mostly repeats of the same, but this, Dec 20th, is probably the best summary of the current state of affairs, deafening in its silence
My short summary; up to Dec 20th this year, the only security risk Android suffers is the users of Android phones. And the only way to "fix" this is to not allow users to install custom applications on their phones which haven't been sanctioned by big brother.
I rarely use this meme, but it's always fun when I do.
APK in EPIC FAIL
I completely agree.
They were just "things".
Windows = Don't care
In what way were they "BAD"?
Seems to me, if anything, being able to install software on your phone is a fairly useful thing, but mostly it's just something you would expect in this day and age.
If they chose to install software that does all that, what's the problem?
We've already established there are no known remote code vulnerabilities to let such things get on there by accident.
Unlike any of the alternatives.
You're right.
Windows has never even pretended it offered these permissions, guess that makes it much more secure.
Bless.
If only windows had sandboxing (you know, like linux and Android), at least then it wouldn't matter for windowz.
lol.
Clutch at straws much?
And, btw, I know everything about windows I need to know.
My main day to day machine is a fedora installation, been on fedora since 2004, and has never been compromised.
My laptop is a win7 machine, and has had to be reset to factory settings 3 times since I got it a couple of years ago, after it got some nasty infection that I could find no trace of to remove (found via networking logs @ the gateway), despite generally doing nothing on it but reading a few word documents and browsing the net.
Tells me all I need to know about windows security.
I'd already have nix on it, but some poor bastards are still stuck on legacy VBA stuff (despite it being a steaming pile of shite, and charging them 5 times as much to work with it) which afaik has no OSS alternative atm.
like I said before,
Windows = Don't care
It's more that I can't be arsed "security-hardening" it
i.e.
I need my USB ports
I need the CPU and HDD cycles antivirus would use
I like flash animations
I like porn
I read lots of full featured PDFs
You should try running your windows machine with no antivirus on it for a bit, admittedly it won't last very long (unlike linux, but then secretly you know linux is more secure), but while it does you'll be amazed how snappy it really is.
much easier to use something that works "out of the box", and spend my time being productive, than learn how to actually make the piece of shit work, then just zap the nearly useless typewriter back to factory settings every time it breaks.
Saying that, when you have as good as acknowledged the only way they can get these "exploits" onto an android phone or linux is if you install them; click the "yes, please install this software from this chinese vendor I've never heard of" button, rather than the apple/windows phones, where anyone can do it without your knowledge, by remotely telling your phone(or windows) to install (or uninstall) malicious programs, shows you have absolutely zero understanding of security.
I agree, using a Linux Desktop is like living in the Garden of Eden, and using a windows desktop is lot like living in Detroit.
No, not "torn up", that's what happens when a windows machine visits porn sites.
More like lots of burglars asking politely if they can look after your house keys, just tell them no (which you can only do with Android/Linux), simples.
but I use multiple plugins, and all the stock trading platforms I use run on javascript and java. Like I said "disable it" isn't a security answer, its a cop out for an insecure operating system.
Now, give me a read only OS, full featured, up to date, no activation, usb bootable installation of windows, like the linux live usb stick I carry round in my wallet for when I use other peoples machines (or just want to do something secure on the laptop), and we can talk.
Until then its linux all the way baby.
" YEARS of safe" less secure than read only @ the hardware level.
Sorry, but that "can't secure" will stand as long as you can't install Windows on a read only file system, and no amount of disabling insecure services, tweaking round the edges, installing 3rd party addons or handing resources over to AV software will ever match it.
you do realize I was being serious about that "typewriter" comment don't you.
You have used:
http://fedoraproject.org/wiki/FedoraLiveCD
or something similar?
Assuming we've given up on Android for now.
The point you were arguing against is
Linux is as secure as you make it (up to "impenetrable, read only)
you can't make windows secure (since it has no read only full desktop option).
You are talking about "cleans reliably". No need to clean a Linux "live" install, because once configured to your liking, it's impossible to write malicious software to it in the first place.
Why waste time trying to secure a substandard (not least due to no multiple desktops) OS, when a simple reboot is all you need to guarantee the OS is secure.
I just can't see how you can begin to believe it's comparable, not only are you less likely to get hit by malicious software day to day (even if that is purely because there are less burglars asking for the keys, although it seems to me its also much more than that), but if you really need it (dealing with very high value trades, for example), you can use an identical, completely secure & impenetrable OS, on any machine that will let you boot from USB.
Nope, you make the customisations before committing it (e.g. adding TrueCrypt capabilities) to USB,
and as per the earlier link:
Does this mean you are comparing to linux without actually having used it in any serious manner?
shame on you.
Like I said, I carry it round with me on a usb stick in my wallet, then if I need a "secure environment" on a machine I cannot vouch for just boot from that, truecrypt makes sure any persistent data is secure if I lose the stick. Linux live is not a "lightweight installation", its a full featured desktop environment (My fedora live stick has office 2007, eclipse and chrome with several client side certs installed on it, for example), only "disadvantage" over a normal full install is it takes a little longer to boot into (and is more "static", so not suitable for installing new stuff, but since "installing new stuff" is the only way to breach a nix machine that can't be avoided).
There are three main apps that hold linux back in the consumer market.
Office (Wine does work great, I use winetricked Office 2007 on this Fedora machine and my USB stick, but no VBA and it's something of a bitch to install)
Autocad (never managed to get it working)
Adobe CS (have earlier versions working, but not really usable in a production environment, Mrs Sparks is an Architect)
What actually "switched" me to linux was kile:
http://kile.sourceforge.net/
By far the best document editor I've ever used. Ran it in a VM for a while, then as more and more software got better Linux alternatives (e.g. Chromium, Eclipse) I found I was using the VM more than the Windows install; now I have an old legacy Windows XP install (which is "hardened" as you put it) running in a VM on one of the 6x Dell R710s in my home office (which I can VNC into from anywhere using VPN). It rarely gets used for anything other than plugging in hardware that doesn't have good nix drivers (almost nothing; the last main app was replaced yesterday, the climate control and monitoring system for the house).
Best decision I ever made, but now I'm so used to a full desktop that doesn't spend up to 90% of its time running everything through AV software I can't bring myself to install AV on the laptop, just not worth it, chrome is "bullet proof" enough (IE is hidden away, comes full of HP installed shite) to browse even the darkest areas of the net without incident (most of the time), I use the usb stick for anything banking/work related (most of the time just do it from the office), and it has a read only factory install of windows I revert back to whenever something suspicious happens (takes about three hours from pressing F2 at boot to getting everything "new" back on it - office - eclipse - dropbox - truecrypt - chrome and tigerVNC).
Totally agree "each to his own", I'm not the "linux nut" you make out, it's not so much that I "dislike" windows - if it wasn't for internet explorer there would be very little difference in terms of security between a win7 machine and a nix machine. (although I do miss the Altgr keyboard shortcuts and multiple desktops)
BUT, and this is a big BUT.
When you move into the embedded space its a whole different story.
If I write some nix code on my dev linux machine, I can for example, shift it straight over to any of the linux embedded devices (some good ones include the NSLU2, the WRT brand routers, and possibly (not tried it yet) the Archos tablets with Angstrom installed) with almost zero hassle.
Android is good because of Java, and if anything I am a bit of a Java nut (write once, run anywhere is f'ing sexy).
I don't think you rate the iPhone over Android? which leaves Windo
But that's the other big flaw in your comments.
"Android" isn't "Linux"
"Android" is closer to a (clean room) JVM built using GPL linux code for the HAL.
AFAIK all the malware you have posted has been attacking this JVM, not the nix code it runs on (which you need a "rooted" phone/tablet to access).
That malware authors target the largest audience should be no surprise to anyone; the question is how successful they are, and from looking through all those links you posted there hasn't been one incident relating to any serious breach (remote code exploit), and nothing that shouldn't be expected from any device that allows users to install 3rd party software.
Google obviously haven't got their additional features "perfect" yet, but pretty good IMHO for such an immature project.
Absolutely not.
The only "bug" there was that it didn't ask for Internet permission.
It still ran isolated from all of the phone's file system (except the SD card, which is shared between apps, but still isolated from things like email, contacts - anything personal - and any other apps installed on the phone).
Even the "most severe" problems you have posted still run in "userspace"; they are all bugs in Google's Dalvik VM, not the Linux base code it runs in.
You do realise these "84 bugs" still represent a higher level of application-level security than a Windows 7, or even (to some degree) a Linux desktop installation?
There are no "application guid" permissions (that I am aware of) on either Windows or Linux desktops. It's all group and user level.
These "84 bugs", at worst, bring your phone to the level of security provided by a standard desktop install, for an app running with user-level permissions.
Except Windows desktops still have remote code exploits that allow a malicious person to install persistent software simply by having you visit a webpage (or worse, simply sending a malicious packet to an IP address; there's a ton of active worms circulating on Windows desktops), and a new such hole that is being exploited is plugged every other month.
OK,
So strip out all the "proof of concept" and other "fixed before exploited" audits by the likes of Coverity, where users were never affected.
Drop any that involve CarrierIQ, since CarrierIQ is a problem with mobile phone carriers rather than anything to do with Android.
And how many are you actually left with?
Do any of them give permissions more powerful than can be achieved with an Internet Explorer BHO?
Users that install fake (not needed) antivirus from a Chinese vendor and give it permission to send premium-rate SMS messages deserve everything they get.
PICNIC.
http://mobile.slashdot.org/story/10/11/14/0115255/Android-Holes-Allow-Secret-Installation-of-Apps
Yawn.
So still more secure than an IE BHO then.....
I completely disagree. I've not seen one link to a "serious" issue so far. Mildly annoying for complete morons, yes, but nothing that would do any substantial damage to an Android user. And mostly just behaviour outside of full application isolation.
Yup, a BHO is less secure, since they are in user space (outside the sandbox), and all these Android apps are still sandboxed, and even easier to remove (listed with all other installed applications, one click to wipe any data they create, one click to uninstall them).
e.g. a BHO could silently install one of these apps on any phone that gets plugged into it; none of these apps have the power to install software on the computer.
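The sandbox boundaries being argued over above (each installed app running under its own Linux UID, with only the permissions it declared at install time) can be inspected from inside a normal app. The following is an added example, not code from this thread, from Google or from Whisper Systems; it uses only the standard Android PackageManager API and assumes it is called from a Context inside a running app on an Android version of this era, where declared permissions are granted at install. Anything not granted here is simply unavailable to that app's process, which is the isolation the post refers to; `sharedUserId` is the one mechanism by which two apps can elect to share a UID, and therefore a sandbox.

```java
import android.Manifest;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;

import java.util.ArrayList;
import java.util.List;

/** Added example: list third-party apps, the UID each sandbox runs under, and two sensitive permissions. */
public final class SandboxAudit {

    /** One row of the report: plain values copied out of PackageManager. */
    public static final class Entry {
        public final String packageName;
        public final int uid;             // Linux UID owning the process and /data/data/<packageName>
        public final String sharedUserId; // non-null when the app shares its UID (and sandbox) with others
        public final boolean internet;    // android.permission.INTERNET granted
        public final boolean sendSms;     // android.permission.SEND_SMS granted (premium-rate SMS risk)

        Entry(String packageName, int uid, String sharedUserId, boolean internet, boolean sendSms) {
            this.packageName = packageName;
            this.uid = uid;
            this.sharedUserId = sharedUserId;
            this.internet = internet;
            this.sendSms = sendSms;
        }

        @Override
        public String toString() {
            return packageName + " uid=" + uid
                    + (sharedUserId != null ? " sharedUserId=" + sharedUserId : "")
                    + " INTERNET=" + internet + " SEND_SMS=" + sendSms;
        }
    }

    /** Walk every installed package, skipping platform/system apps; only user-installed software matters here. */
    public static List<Entry> audit(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        List<Entry> out = new ArrayList<Entry>();
        for (PackageInfo pi : pm.getInstalledPackages(PackageManager.GET_PERMISSIONS)) {
            ApplicationInfo ai = pi.applicationInfo;
            if (ai == null || (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
                continue;
            }
            boolean net = pm.checkPermission(Manifest.permission.INTERNET, pi.packageName)
                    == PackageManager.PERMISSION_GRANTED;
            boolean sms = pm.checkPermission(Manifest.permission.SEND_SMS, pi.packageName)
                    == PackageManager.PERMISSION_GRANTED;
            out.add(new Entry(pi.packageName, ai.uid, pi.sharedUserId, net, sms));
        }
        return out;
    }

    /** The combination the thread worries about: an app that can both phone home and send SMS. */
    public static List<Entry> networkAndSms(List<Entry> all) {
        List<Entry> hits = new ArrayList<Entry>();
        for (Entry e : all) {
            if (e.internet && e.sendSms) {
                hits.add(e);
            }
        }
        return hits;
    }

    /** Apps that opted into a shared UID: these share one sandbox and can read each other's private files. */
    public static List<Entry> sharingSandbox(List<Entry> all) {
        List<Entry> hits = new ArrayList<Entry>();
        for (Entry e : all) {
            if (e.sharedUserId != null) {
                hits.add(e);
            }
        }
        return hits;
    }
}
```

Call `SandboxAudit.audit(getApplicationContext())` from an Activity or Service and log the two filtered lists. The same boundary is visible from a shell on the device: `ls -l /data/data` shows each app's private directory owned by its own UID (this shell check is an assumption about a stock device of that era, not something quoted from the thread).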
"What" happens to me?
I install some software on my phone?
How is that serious?
Just stick with
http://f-droid.org/
or some such.
and there is zero risk?
I still can't get my head around how you can think an OS that exposes an informed, sensible user who sticks with FOSS to zero risk can have "serious security flaws".
Yawn, not true.
https://www.vpnreactor.com/android_l2tp_ipsec.html
It's not "3rd party", it's part of the standard install.
So you don't even have an Android phone then.
No more due to an "Android security problem" than 401 scams are due to an "email security problem".
PICNIC = Problem In Chair Not In Computer
But it's just not true; the link just tells you exactly which settings to use on a stock Android installation to connect to an L2TP/IPSEC VPN. The link I gave is just for an encrypted VPN provider that supports Android.
I use it to connect to home, just checked and my router says the connection is:
( msparks ) L2TP
3DES-SHA1 Auth
Data is encrypted.
Which is great, because it lets me visit all the pron and whatnot on my phone (which are otherwise blocked on the 3G network), along with giving me full access to JANET on my phone.
I believe what's missing is a Cisco client, because Cisco VPNs do not abide by any particular standards, and Cisco haven't released a VPN client for Android.
Wow, that has to be the most feeble attempt at constructing an argument I have seen in a long time.
Firstly, we've already established none of your 90-odd links relate to hacked Linux; all they show is that despite significant effort by hackers to target Android users, they have not escaped Linux userspace, and the best they can do is bypass some additional permissions created by the Dalvik VM in applications the user chooses to install. And even then they are easy to remove using the stock application management settings.
And then to top it all off you finish with a blatantly false claim.
Here is a screenshot of the "IPSec solution integrated into stock ANDROID" settings screen.
https://sc1.checkpoint.com/sc/SolutionsStatics/sk63324/AndroidL2TP.png
As I said elsewhere, it isn't missing built in IPSEC, its just that Cisco don't have a standards compliant VPN solution, and haven't released a 3rd party app to allow people invested in their hardware to connect to their routers over secure VPN.
Take it up with Cisco.
You mean you/they are too poor to pay twice.
I can't imagine why that would be.
But as we've already established, securing an android phone really couldn't get any easier, and is no different than an ordinary phone.
Step 1. Don't install any new software on it (other than stuff you write yourself).
Which is why "I won't get a smartphone cos it's too insecure" really means "I won't get a smartphone cos I can't afford it".
Although, in your case, I suspect it's more like "I won't get a smartphone cos mummy won't buy me one"
Well, it was "attacked", and by the looks of your "90 links", with quite some furore.
But no one seems to have actually found a serious vulnerability yet, given that despite your efforts you still haven't found a single vulnerability that can get past "Step 1: Don't install new software on it (other than ones you write yourself)".
I have to love the irony of the man sat on the bus full of Palestinian suicide bombers telling a tank driver his armour isn't thick enough so he wouldn't want to ride in the tank anyway.
You're a perfect example of cognitive dissonance IMHO.
Confirmation bias.
Which apparently is the user rather than the OS.
ROFL
You still haven't explained why,
choosing to install software on a mobile phone that can:
Read contacts
Make phone calls
read emails
and send SMS messages
read documents
view webpages
and watch videos
In any way constitutes a "serious security vulnerability"
But to say this is "just like windows" (for all its remote code exploits)........
The only person in denial here seems to be you.
But we've been through these two already.
The first is the results of a security audit (rather than 0day vulns) to secure the operating system, the second is not an "exploit" any more than:
http://sourceforge.net/apps/mediawiki/tigervnc/index.php?title=Welcome_to_TigerVNC
But for some reason you are ignoring the fact it is making as vulnerable a target as a tank is to a young boy's rocks.
Yawn.
Why is the ability to control a completely isolated sandbox on your phone (or someone who you allow) remotely "bad"?
Does a security-hardened Windows not allow a remote shell?
How do you manage it remotely?
Hang on, did you just say Windows 2000 and XP aren't secure?
Why would you use a remote shell to break your own sandbox?
I use one on the tablet so I can control it while it's connected to the HDTV using my phone.
I doubt there are many articles about it; there is only really one thing you need to do, which is only install software on it you trust to use your phone.
If only Windows were that simple.
ROFL.
Top link
Android FAQ.
Q. Is Android secure?
A. Yes. The security and privacy of our users' data is of primary importance to the Android Open Source Project. We are dedicated to building and maintaining one of the most secure mobile platforms available while still fulfilling our goal of opening the mobile device space to innovation and competition.
Entirely subjective.
You see 90-odd links demonstrating insecurities.
Anyone who can afford decent consumer electronics and so owns an Android device sees 90-odd links that don't and won't affect them.
Exploiting a webserver is a much higher value target than a normal user. What market share does Linux have in the webserver market?
http://www.thegeeksclub.com/windows-linux-os-secure-easy
Even in the more accurate studies of the "ultra high value" fortune1000 companies Nix holds a very strong market share:
http://www.port80software.com/surveys/top1000webservers/
Therefore your argument that Linux is somehow some "obscure" OS that no one uses doesn't hold water.
The only place it seems to have any relevance is in terms of the applications used by users on these operating systems. But here Android is light years ahead of both Windows and Linux, simply because its application model is secure by design, whereas nix and Windows only offer userspace, and your "90-odd links" show nothing more than some reversion back to the level of security offered by userspace.
In short, you posted 90-odd links showing Android is at least as secure as the most secure Windows and Linux installations.
And they are still better off than if they bought an iPhone.
Even if it was true.
But my guess is your source is about as reliable as the morons who told you Android has no IPSEC.
Seems like you are getting a bit desperate now.