Ask the Expert

How secure is a mobile phone platform with an open source framework?

Although it's early in the game, Google's Android mobile phone platform has an open source framework and allows anyone to write applications. Is this arrangement different from most mobile devices, and if not, is such an approach any more or less secure?


Google's open source approach to mobile phone platform development has the potential to open up what has been until now a closed industry. Telecommunications companies like to control the handsets, carriers and services that consumers can use. Carriers have been loath to let third-party applications play on their proprietary networks. But Android has some big backers. In addition to Google, the group developing Android, the Open Handset Alliance, includes more than 30 major companies from the mobile-computing world, including Intel Corp., Samsung Electronics, Motorola Inc., Sprint Nextel, and Texas Instruments Inc.

The aim of the Open Handset Alliance is to accelerate innovation and create a richer, less expensive mobile experience. However, mobile phones are restricted by which software they can run. Programs must run inside a constrained environment with limited amounts of memory and processing power.

Developers can create applications for the phone using the Android software development kit (SDK). Applications are written using the Java programming language and run on Dalvik, a custom virtual machine that has been designed to optimize memory and hardware resources. Dalvik runs on top of a Linux kernel. Linux has the advantage of being modular, meaning that it's relatively easy to piece together only the specific, necessary functionality.

Android is a multi-process system, where each application and part of the system runs in its own process. Most security between applications and the system is enforced at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications. Additional finer-grained security features are provided through a "permission" mechanism that enforces restrictions on the specific operations that a particular process can perform.

With regard to the security of these applications, there is no evidence to show that applications built under an open source framework, where hackers have access to the source code, are any more or less insecure than those built with proprietary source code. Hackers, for example, have access to the source code for the Apache Web server, yet it is seen by most experts as the most secure Web server. The key issue with Android applications will be response times when vulnerabilities are discovered. Open source projects tend to have a better record for releasing patches in a timely fashion than their commercial counterparts.

I believe that the core Android applications will be relatively secure. And they need to be. Today, nearly 3 billion people have a mobile phone. This makes it an attractive target for hackers, particularly as mobile phones are being used for diverse tasks. Android will enable developers to build powerful peer-to-peer social applications, and data security will be paramount. However, as is always the case, I expect consumers will rank handset features and cost above security in order of importance. Handsets and services using the Android platform are expected in the second half of 2008.
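The two enforcement layers described above (per-application Linux user and group IDs, plus the finer-grained permission mechanism) can be modelled in a few lines. This is an added example, not code from the article or from Android itself; the package names, UIDs, file paths and helper names are constructed for illustration, and the file check follows the standard Unix owner/group/other rule.

```python
from dataclasses import dataclass

R, W = 4, 2  # read / write bits inside one rwx triplet

@dataclass(frozen=True)
class App:                       # hypothetical model of an installed application
    package: str
    uid: int                     # each application gets its own Linux UID
    gids: frozenset = frozenset()
    permissions: frozenset = frozenset()

@dataclass(frozen=True)
class FileNode:                  # hypothetical model of a file's ownership and mode
    path: str
    uid: int
    gid: int
    mode: int

def dac_allows(app, node, want):
    """Unix file check: exactly one class (owner, group, other) is consulted."""
    if app.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in app.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want

def permission_allows(app, permission):
    """Permission layer: the operation requires a permission granted to the app."""
    return permission in app.permissions

# Constructed sample data: two apps and two files owned by the first app.
CONTACTS = "android.permission.READ_CONTACTS"
mail = App("com.example.mail", 10001, frozenset({10001}), frozenset({CONTACTS}))
game = App("com.example.game", 10002, frozenset({10002}))
private_db = FileNode("/data/data/com.example.mail/mail.db", 10001, 10001, 0o660)
leaky_export = FileNode("/data/data/com.example.mail/export.txt", 10001, 10001, 0o664)

def audit():
    """Return the allow/deny decision for each cross-application access."""
    return {
        "mail reads its own db": dac_allows(mail, private_db, R),
        "game reads mail's private db": dac_allows(game, private_db, R),
        "game reads mail's world-readable export": dac_allows(game, leaky_export, R),
        "game writes mail's world-readable export": dac_allows(game, leaky_export, W),
        "mail reads contacts": permission_allows(mail, CONTACTS),
        "game reads contacts": permission_allows(game, CONTACTS),
    }

if __name__ == "__main__":
    for check, allowed in audit().items():
        print(f"{check}: {'allow' if allowed else 'deny'}")
```

The world-readable export shows where the isolation depends on the application: the UID boundary only protects files whose mode bits withhold access from "other".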

This was first published in April 2008
