Chris Palmer — formerly a Google Android security framework engineer and now Technology Director of the Electronic Frontier Foundation — writes about the cavalier attitude toward security exhibited by the major mobile operating system vendors, and the risk this poses to all of us:

> By contrast, mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements…
>
> Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)
Don't Sacrifice Security on Mobile Devices