ITEM: The Electronic Frontier Foundation is taking mobile OS vendors to task for not doing enough to secure their platforms, and is advocating third-party patches as a market-pressure tactic to get OS vendors to up their own security game.
An analysis piece posted on the EFF site Friday by Chris Palmer (who briefly worked at Google on Android framework security, according to his bio) says that PC and server OS platforms have become very good over the years at reasonably open disclosure of security bugs and fast distribution of patches to fix them. Mobile OS vendors, by comparison, are way behind the times.
Apple, for example, has been known to release patches for bugs several months old. And Google routinely releases Android patches without announcing them, and with the security fixed unmarked among the other fixes and enhancements included in the release, Palmer writes.
Complicating things for Android is fragmentation, as OEMs and cellcos tend to tweak Android to add unique features and sometimes remove standard ones, says Palmer:
Users may or may not want the new features and the new features may or may not be secure. Their distributions are sometimes based on old and known-vulnerable versions of Android, and they tend to publish updates rarely – or never. As a result, the ecosystem of Android devices is out of date, fragmented, and unnecessarily vulnerable to known attacks. This situation is bad for everyone: users, carriers, OEMs, application developers, and Google.
One thing Android does have going for it is its open-source roots, which enables third-party patches. The problem is that third-party fixes often require jailbreaking the device, which may not be illegal under laws like the Digital Millennium Copyright Act, but will at the very least almost certainly void your warranty and T&C.
However, support for third-party security solutions by users will create economic leverage to convince OS vendors to take security more seriously, Palmer says:
Although there is no guarantee that third-party distributors will be more responsive to security problems, and nor is there any guarantee that they will not introduce new security problems, they do have an opportunity to perform better than Apple and Google have so far and to take market share.
Readers representing the mobile OS vendors are welcome (and encouraged) to respond to this post.