Android Security Issues – A By-Product of Using Open-Source?

May 25
2011

A lot of talk has been circulating lately about security issues in Android. Should anyone really be surprised to discover that an Open-Source system is not only open to legitimate developers but also to hackers? Is it reasonable to expect that a system developed and maintained by thousands of heterogeneous developers can be relied upon to behave reasonably well under all circumstances?

The concept of Open-Source is very appealing. Highly talented developers have created tremendous products and generously shared them with the rest of us. Individual developers are not at issue here. The issue is with the concept of building critical systems on an unsupported framework such as Android.

Having spent a good deal of time porting Android to our DevTouch Pro tablet (www.devtouchpro.com), I had the chance to take a deep look at the internals of Android and its underlying Linux kernel. I also had to support our team of developers in finding solutions to the myriad of issues that we faced.

Here are some of the difficulties that we encountered, that irremediably shook my belief that Android is a viable operating system:

  • The first major hurdle is that there is a split between the Linux Kernel and the Android Kernel. At some point in time, Linux Kernel developers decided to kick out Android developers for various reasons. Device developers ended up with two sets of source-code to deal with. Some functionality and fixes became available in one set but not the other.
  • The lack of centralized or properly maintained documentation is a real nightmare to both newcomers and experienced developers. Googling the Web trying to understand the source of an error or a crash produces tons of useless forum posts and mailing lists, outdated blog articles and incomprehensible developer jargon that never get you anywhere. To Google documentation for explaining the internals of the OS, or how to adapt it to a device, is either nonexistent or completely outdated.
  • On top of nonexistent documentation, there is no one to whom one can submit an issue or ask a question and expect a meaningful answer. Use at your own risk says the license, and the concept applies very well to Open Source Android.

Many developers have resorted to all kinds of hacks to resolve their issues – browsing through thousand of lines of source-code and applying workarounds here and there without ever knowing if there will be side-effects to the changes being made. The end result: Android phones that have to be rebooted 3 times a day, phones that refuse to start, applications that behave erratically and security issues that keep popping up here and there that make the headlines.

Many analysts have predicted a great future to Android. I am not sure these analysts have ever looked beneath the hood. I see Android as being doomed unless Google takes a serious approach to making it anything more than an experiment. Close down the code, do a complete review, charge a license fee, provide documentation and customer support. This is the only way that this system is going to survive.

Caveat Emptor!