North America is in the foul clutches of Superbowl Sunday: an orgy of consumerist messages interspersed with football. A visiting USAnian was regaling me with tales of a sideline man with giant orange gloves, whose sole job is to get the attention of the referee when it is time for more commercials.

First up we have the Xperia Play, Sony’s Android 2.3 powered gamephone. I find this thing very interesting: Sony is normally fastidious about copy protection, locking their systems down hard. Of course this never stops their systems from being hacked, but they try. Android is arguably (actually: demonstrably) the least secure mobile operating system on the market today. Obvious conclusion: Sony will be baking their own game DRM into Android 2.3, perpetuating their “no upgrades for you” philosophy.

Then we’ve got the Motorola Xoom: “The world’s first Android 3.0 tablet”. The ad is a blindingly obvious dig at the iFanboys. Huge call given that no one has really played with one, and Apple appears to be on the cusp of launching the iPad 2. Still, early reports have the Xoom looking and performing “pretty awesome”.

Tablets though? Is it only me that has this nagging feeling that we’re heading down the same path as netbooks: a huge, short hypecycle that quickly ends up satisfying niche purchasers and no one else?

Android: Everywhere and Nowhere

Both of these appear to be excellent Android™ devices, but they are worlds apart. There’s no way you’ll ever play Sony’s games on the Motorola Xoom, and I’ll bet a considerable sum that you’ll never see Android 3.0 on Sony’s Xperia Play. This is my conflict: I want OEMs to adopt a good operating system — and Android is really getting there much faster than previous efforts — but it’s just so damn confusing.

I get questions all the time from friends and visitors. It’s easy when they ask “should I buy an iPhone?”. I can say: sure, if you don’t mind Apple’s ecosystem and don’t have a philosophical position on open software. When they ask “should I buy an Android?”, I have to say: It depends on which Android you are talking about, then explain about versions, hardware and upgrades.

Join the Conversation


  1. Uh…that link to ZDNet refers to an app that is not and never has been on the Android Market.

    It’s nothing to do with any vulnerabilities in the Android platform and like the Russian Porn player trojan (also only available from alternative markets) actually asks permission to do what it does.

    It’s certainly a malicious app, but you have to want to install it from a third party site.

    If you are prepared to install 3rd party software (which has its benefits obviously) you need to look out for the dangers.

    As Steve Reilly and Jesper Johanssen of MS once said at Tech Ed, “Given the choice of dancing pigs and security, users will choose dancing pigs, every single time.”

    Let’s not confuse scams and Phishing with vulnerabilities.

    Most platforms are vulnerable to the former in one way or another.

    CERT currently list one vulnerability apiece for IOS and Android.

      1. It’s also built into the DNA of Windows, OS X (at the moment at least), Linux and every other desktop OS. Should it be considered a mark in the insecure column for them?

        Android has its issues, but I’ve never seen anything to suggest it’s inherently insecure in any way.

        Also in the Android devices I’ve used, you have to specifically change a setting to allow non-Market apps.

        Otherwise you may well have a point. But then again there’s heaps of iPad apps that will never run on an iPhone. And even quite a few iOS 4 apps that won’t run on iOS 3.

        What if someone asks you “hey Ben, should I buy a second-hand iPhone?” – you’d ask which model and what OS, and then explain about hardware limitations and OS support. Apple maintains a very tight control on their products, but if iOS were an OEM product no doubt it would face exactly the same issues.

  2. Don’t confuse 3rd party applications with alternative sources of applications.

    Both the Android Market and the Apple App store allow folks to install apps from third party developers.

    The difference with Android is that users can also choose to install applications from third party sources other than the official Android Market if they choose to.

    It’s disabled by default and there are big warnings and a huge disclaimer when you enable it.

    I expect most people never do (except those looking for Russian porn obviously), however it’s an option and a personal choice.

    On IOS you need to jailbreak to do it, but people obviously do.

    So I think you need to be more specific about your terminology.

    You state that, “Android is arguably (actually: demonstrably) the least secure mobile operating system on the market today..” then give an example that (from a technical security point of view) has nothing to do with platform security and everything to do with user behavior.

    A platform security issue is a vulnerability that if exploited becomes a threat.

    In that respect Android fares pretty well compared with other OS vendors.

    If you were to say that Android users have a great deal more freedom to choose what they do with their devices so need to take more responsibility for being cautious about what they install then I think that would be more accurate.

    There is also a lot of baloney talked about ‘Malware in the wild’. There is ‘malware in the wild’ for Symbian, Winmo, IOS (jailbroken) and Android.

    In most cases, it’s not much of a threat because you have to go looking for it.

    More dangerous are the scams, bogus apps or poorly written apps that are, or have been present on all the mentioned platforms.

  3. “Tablets though? Is it only me that has this nagging feeling that we’re heading down the same path as netbooks: a huge, short hypecycle that quickly ends up satisfying niche purchasers and no one else?”

    Market research in the US is showing massive numbers of ‘plan to purchase in the next year’ numbers for tablets. It’s always possible that something could change the trend, but the smart money from folks like Forrester Research is on a tablet workforce in the future.

  4. Re: The myriad paths to patching an Android phone, that’s a more reasonable argument.

    I’ve said it myself; while Google actually does have a relatively robust bug tracking and squashing process and gets patches out to its own Nexus handsets pretty regularly, the other hw vendors vary enormously in their process to pick up and distribute fixes.

    Re the new market remote installation feature, I’ve only just seen it.

    I agree, it’s a bizarre feature and I can’t imagine using it. I would have preferred barcodes for the app url you can point your camera at, like Androlib have been doing for ages. That comes under my ‘sloppy programming’ category I think.

    Re Jailbreaking, why not? It’s user choice again, for similar reasons, while not as simple and not an official option, it’s not that much harder.

    My point anyway was not that they equate in terms of vendor philosophy (obviously, one is allowed, the other isn’t), but that some users on iPhone feel the need to go beyond the App Store and do so.

    A bit further down the continuum of behavior perhaps, but not out of context.

  5. Just got time to listen to the risky biz podcast.

    Indeed, this is an Android vulnerability with an exploit that constitutes a threat.

    In effect and consequence not unlike the researcher using a PDF to exploit a freetype library bug and execute a remote privilege escalation using jailbreakme to own an iPhone.

    The complexity of modern OS means that all platforms occasionally encounter such issues. To say IOS or WP7 or Symbian or whatever is immune to bugs due to how open or closed the OS is not really possible.

    The real issue in this particular instance is the patching process and how quickly once a bug is identified it gets patched before it gets widely exploited.

    As noted previously it’s a legitimate criticism that Android’s patching process leaves a lot to be desired when it comes to the distribution part.

    Microsoft and some Linux distros have really got this streamlined on the desktop.

    IOS tends to be pretty good, although they have occasionally been a bit tardy unless pushed by events. OSX has been OK, but really lagged sometimes with patches to GNU libraries they use, compared to some Linux distros.
    (DNS cache poisoning bug an example)

  6. Minor update: If I read it correctly, that webkit remote code execution vulnerability was patched in Android 2.2 – so over 60% of Android devices are not vulnerable to it.

    Which comes back to the patching issue. I would definitely like to see massive improvements here, with Google owning the patch process, or at least contractually binding certified OEM partners to keep up.

    Incidentally, iPhones with IOS 4.1 or earlier shared the same vulnerability. The difference of course is that Apple release security patches as minor version updates semi-regularly and when they do, everyone has the opportunity to install the patch immediately.

    In practice though…well getting back to the user responsibility thing..

    It’s difficult to get good stats on Apple OS distribution, as they don’t publish it and forbid app devs from publishing stats on their apps to third parties, but rough figures from web advertising firm Chitka has only approximately 38% of iPhones running on 4.2.1 as of this January. Which leaves 62% of iPhone users currently vulnerable to the bug.

    (Bear in mind this is only stats from impressions on its own ad network)

    I don’t know the current state of local privilege escalation vulnerabilities on IOS (which would be needed to complete the exploit), but I know every version of the IOS has been jailbroken via local vulnerability and certainly pre 4.1 is vulnerable to the same bug that was used for the jailbreakme exploit.

    None of this alters the fact that Apple’s IOS updating mechanism is much to be preferred to the current state of Android affairs regarding patching. They have a significant advantage in their ownership of the whole ecosystem, and apparent immunity to carriers impeding the process.

    However if you choose an Android vendor (Nexus, HTC or Samsung, for example) that distribute regular hw and bugfix updates in addition to staying reasonably on top of Android platform updates, then you won’t be far behind.

    Even Sony do maintenance and bugfix updates, though they seem reluctant to do actual platform updates.
