[Cryptography] What everyone is saying about mobile OS security is wrong

Natanael natanael.l at gmail.com
Sun Mar 25 21:02:45 EDT 2018


On Sun, 18 Mar 2018 at 07:54, Ryan Carboni <ryacko at gmail.com> wrote:

>
> It is extremely trivial for Google to make Android more secure, [...]
> require security updates within one month of the issue being discovered for
> Google Play access, etc.
>

This would cause all OEMs to do an Amazon and ditch Google, because even
if they could afford it they would consider it unprofitable compared to the
option of selling their devices with alternative app stores and services.

Google is already applying as much leverage in terms of security as they
can. Trying to be stricter would make them lose the grip.

Samsung already have copies of pretty much every important service or tool
Google has for Android. Too hard requirements from Google would make it
worth it to ditch Google and put more funding into their own competing
services. Samsung even has their own OS, Tizen. LG also has WebOS.

You should look into Project Treble. Google has officially parted the
Android userspace from the kernel and HAL in Android 8.0 with standardized
APIs in a way that makes updates much easier. They're reducing the cost of
developing updates.

Once every new device ships with Treble, then Google will finally be able
to put more pressure on issuing updates more frequently without too much
resistance from OEMs, because then the profitability calculations will
finally be in favor of security.

So if nothing has changed in about a year or two from now, then your
criticism would be completely fair. But right now it's not taking market
dynamics into consideration.