VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability in the Android OS that could make devices susceptible to data theft. After finding the threat, Cannon alerted Google, receiving a response from their security team in 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”
VPN Haus: Impressively, the Android Security Team responded within 20 minutes of your notifying them. But despite this quick response, you have concerns about how quickly users will get the patch, since Android OS updates typically come through OEMs and carriers. Do you think there should be some kind of industry standard to expedite patches for mobile devices, as OEMs or carriers are typically involved?
Thomas Cannon: If we look at the desktop computing industry, we can see an industry standard for patching just hasn’t happened, and I feel it is unlikely to happen on mobile devices either. What would be the incentive? It would require the public to care enough about security – to hold their carrier, manufacturer or OS provider accountable for timely fixes. We see usability, features, marketing, design and fashion win out over security in consumer devices. Being secure can be a unique selling point, one that RIM has used to dominate the business and government markets. As we see the push to introduce other mobile devices into the business by tech-savvy staff, we are seeing companies like Apple respond by introducing enhanced security so that they become more acceptable to the business. When using security as a selling point, you don’t want to follow an industry standard; you want to be better than your competition.
VPN Haus: Do you think Android being an open platform can make developing a patch and maintaining the software a tricky business?
Cannon: I don’t agree that being open means developing a patch is tricky. Being open allows more people to understand the code and the patch. I don’t think being open is the cause of software maintainability issues either. That said, in the case of Android it has enabled OEMs and carriers to modify the OS, and if they don’t invest in maintaining their version of the OS then that causes maintainability issues. It is similar to Desktop Linux – some vendors maintain their distributions very well, others don’t. You can of course get an Android device that gets updates directly from Google, in the same way iOS devices get updates directly from Apple.
Next week, we’ll conclude this conversation with Cannon, talking about Android’s future in the enterprise and key security concerns around open devices.