Trust and the Mobile OS
I wish today’s disclosure that some Samsung devices have a USSD code that can wipe the device would be completely surprising, but it is not. As I noted in a recent blog post, Android has massive surface area to try to secure. Mods of that OS — such as Samsung’s — may increase this surface area.
One of the fundamental attributes of an OS is trust: device owners have to trust the OS to work on the device owners’s behalf and not on anyone else’s. Samsung’s flaw, Canonical’s decisions regarding searching Amazon by default, and so on simply degrade the user’s trust in those OS distros.
The problem is that our options are limited.
In Android, in theory, independent ROM mods would offer potential for increased trust. And there is little doubt that they are more trustworthy than the built-in firmware in many cases, as CarrierIQ, today’s flaws, and so on illustrate. However, too many independent ROM mods “play fast and loose” with software licensing, distributing drivers, the Play Store, and so forth without obvious rights to do so. While none of that directly impacts security, one must wonder whether such mods might also “play fast and loose” with other aspects of their distros, in ways that might impact security. Trust is weakened by the licensing issues, and that weakened trust affects matters across the board.
What would be awesome would be a tiered approach:
Tier 0 is the AOSP proper, as distributed by Google today.
Tier 1 is the AOSP, with the minimum possible changes, and installation scripts/recipes for various devices, with an emphasis on transparency (i.e., we all know what those scripts do) and license integrity (i.e., either upgrade in place or copy necessary binary blobs off the device on the fly, to avoid distributing such blobs).
Tier 2 would be based on Tier 1 with security fixes applied, potentially including fixes that Google declines to apply. For example, in recent weeks, I have been told by Google that flaws that allow third parties to blow past the keyguard via USB cable “is not a bug”, and that flaws that malware can exploit to prevent the user from using their device “are considered below our security bug bar”. Tier 2 might also be independently vetted for security issues, providing further fodder for fixes.
Regular ROM mods, designed for users, business, etc., would be built off of Tier 1 or Tier 2 as desired.
Tier 1 and 2 could be maintained by an independent foundation, perhaps based on the Mozilla model, with a wholly-owned corporate subsidiary (akin to the Mozilla Corporation) that sells things to fund the foundation’s work (e.g., enterprise ROM toasters). The objective of the foundation is to be trustworthy, above and beyond all technical prowess, as it is only via trust that tech wizardry will matter.
Perhaps something like this exists and I am simply unaware of it — I certainly am not deeply embedded in this segment of the Android ecosystem. If anyone knows of such an initiative, please let me know.
Perhaps something like this is technically infeasible at the moment (e.g., avoiding distribution of closed source unlicensed binaries), or there are other issues that make this impractical of which I am unaware.
But somewhere, we need a solid independent foundation of trust.
Want an expert opinion on your Android app architecture decisions? Perhaps Mark Murphy can help!