
EFF warns: mobile OS vendors aren't serious about security

Cory Doctorow at 2:09 am Sat, Jan 22, 2011

Chris Palmer -- formerly a Google Android security framework engineer and now Technology Director of the Electronic Frontier Foundation -- writes about the cavalier attitude toward security exhibited by the major mobile operating system vendors, and the risk this poses to all of us:
By contrast, mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements...

Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)

Don't Sacrifice Security on Mobile Devices


  • Anonymous

    The ex-Googler needs to understand that ‘mobile’ does not equal ‘open’, and that ‘established industry standards’ meant for desktops/workstations do not mesh well in the mobile *firmware*-based world. It’s not practical to go through what seems to be a weekly disclose-patch-oops-variations-patch cycle that companies like Microsoft have to go through on their ‘ubiquitous platform.’ Not when every OS update is, in reality, a ‘complete re-install of the OS’ as is done on the iPhone.

    So what Chris Palmer is trying to tell us is that having a strictly walled AppStore, refusing ‘ubiquitous’ security sieves like Flash, and finally patching serious issues (like the Freetype issue) on a quarterly timeline are not enough? Wha?

    Sorry. I want my iOS software well ‘baked’ (tested), and, for my end users, I like it closed, locked down, and on an update schedule that is more judicious than reactionary.

    -Leo M. http://twitter.com/leoofborg

  • Anonymous

    Leo: yeah, and if hundreds of thousands of users might get screwed over royally through a security vulnerability during that quarter of a year it takes until the next update then too bad for them! Or?

    The phone OS situation risks turning the security clock back many years. For Android we also have additional fragmentation among phone manufacturers, on top of Google's internal Android problems. Meanwhile, the threats sure will continue to accumulate in terms of quantity, sophistication and resources. That is a ticking bomb scenario. Many end users will suffer the consequences, getting their private life, personal economy and perhaps also their work life ripped apart.

  • Stephen

    We’ve seen a botnet on Symbian and the potential for a botnet on Android in the form of Geinimi. Has anything like this been seen in the real world on iOS?

    The omission of any discussion of Symbian, and holding up Windows as an example of effective security, makes me think EFF is just looking for publicity.

  • DaveP

    I don’t believe it for a second. Apple does everything right and micro$oft does not. Everybody knows this.

  • Anonymous

    Maybe the delay in acting on bugs by Apple (and probably Google) is an underhanded way of supporting the jailbreaking and rooting communities. If Apple jumped on every bug it would be very difficult for the world that has sprung up around jailbroken devices.

  • rebdav

    Nokia will be in the lead if Meego follows the normal quick Linux security updates routine.