I recently migrated from my venerable Palm Treo 700 to a Blackberry Storm II. In between I had a brief fling with a Droid, but jettisoned it after about a day. There were two problems. First, it's too much like having a laptop instead of a phone, IMHO. Second, I don't like the security model.
When we talk about the "Droid security model" we're really talking about the Android operating system, not about any particular phone. The exact phone I had matters less than the mechanisms, which belong to Android and so are common to every phone that runs it.
The basic problem is that it's too vulnerable to malware like viruses, worms, or Trojan horses. This is a feature of its openness, but not a feature I personally crave on my cell phone. My phone serves a little as an electronic wallet, and I don't want malware in there, even if it limits my choice of apps.
The security model determines how hard (or easy) it is for a subverted app, like a virus or worm, to get a foothold on your smart phone. Phone vendors like Palm, Blackberry, and Apple take steps to verify the integrity of the apps they offer, and they make it easy to find and download their approved apps. A virus writer would have to get a malicious app past the vendor's review and into the vendor's app store in order to get it onto people's phones.
The practical mechanism is a digital signature that the vendor affixes after verifying the app. If a worm or virus modifies the app, before or after download, the signature no longer matches the app's contents and the check fails. The worm can't produce a fresh signature of its own because doing so requires secret information (the private key) held only by the vendor. The phone checks the signature using the corresponding public key, which is stored in the phone. Note what the signature proves and what it doesn't: the app is byte-for-byte what the vendor signed, nothing more; whether the vendor's review actually caught malicious behaviour is a separate question.
The Droid accepts self-signed apps. The app's author affixes a digital signature to attest to the app's integrity, and provides the public key for checking it along with the app. Such a signature proves only that the app hasn't changed since whoever holds that key signed it; it says nothing about who that is, so the phone (or its owner) has to decide which keys to trust. This might work OK if certain things hold true:
- If I can directly choose which vendors are accepted. There mustn't be a way for me to pick up a new app without realizing it's from an unfamiliar vendor. Otherwise there's nothing to keep a self-signed worm or virus from infesting my phone.
- If I generally buy apps from a small number of vendors I've found to be trustworthy. This means I use a small number of public keys repeatedly. Each time I reuse one, I reinforce its trustworthiness, assuming the vendor is in fact trustworthy.
- If the phone warns me when it receives a new public key whose alleged owner is the same as (or similar to) an owner named on a key I've already accepted. I don't want a virus writer to masquerade as Ilium Software, author of my favored password application (eWallet). Nor do I want a malware author to provide a key belonging to "Illium Software" (two L's), which I might mistake for Ilium Software (one L).
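To make the two schemes concrete, here is a small simulation, added to this post as an illustration; it is not code from Google, Palm, Blackberry or Apple, and it is not how any real phone implements this. It plays out the vendor-signed scheme (the phone trusts one store key; a modified app, or one re-signed by an attacker, is refused) and then the self-signed scheme with the three checks from the bullet list (first-use acceptance of a new signer, reuse of a known key, and a warning when a known name shows up with a new key or a look-alike name such as "Illium" for "Ilium"). Everything in it is assumed for the demo: the RSA is textbook and unpadded with home-grown primes purely so the example has no dependencies (real code would use a vetted library), the package layout and the signer "Mallory" are invented, "Ilium Software" and "eWallet" are the names from the post, and the 0.85 name-similarity threshold is an arbitrary choice.

```python
import hashlib
import random
import secrets
from collections import namedtuple
from difflib import SequenceMatcher

# Toy RSA: textbook, unpadded, home-grown primes. Demo only, never for real keys.
def _is_probable_prime(n, rounds=32):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) as (e, n), (d, n). e is prime, so 'phi % e' is the gcd check."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    return pow(_digest(data), private[0], private[1])

def verify(public, data, signature):
    return pow(signature, public[0], public[1]) == _digest(data)

# A package as the phone sees it (invented layout). signer_key is embedded only when self-signed.
Package = namedtuple("Package", "name signer payload signature signer_key")

def _signed_bytes(pkg):
    # The signature covers name, signer and code, so none of them can be swapped afterwards.
    return b"\0".join([pkg.name.encode(), pkg.signer.encode(), pkg.payload])

def make_package(name, signer, payload, private, signer_key=None):
    unsigned = Package(name, signer, payload, 0, signer_key)
    return unsigned._replace(signature=sign(private, _signed_bytes(unsigned)))

def store_accepts(pkg, store_public):
    """Scheme 1: the phone trusts exactly one key, the vendor store's."""
    return verify(store_public, _signed_bytes(pkg), pkg.signature)

def _normalize(name):
    return "".join(ch for ch in name.casefold() if ch.isalnum())

class Phone:
    """Scheme 2: self-signed apps, trust on first use, with the three checks listed above."""
    def __init__(self):
        self.trusted = {}  # normalized signer name -> (display name, key)
    def evaluate(self, pkg):
        if pkg.signer_key is None or not verify(pkg.signer_key, _signed_bytes(pkg), pkg.signature):
            return "bad-signature"  # changed after signing, or no key to check against
        norm = _normalize(pkg.signer)
        if norm in self.trusted:    # known name: same key reinforces trust, a new key is a red flag
            return "known-signer" if self.trusted[norm][1] == pkg.signer_key else "key-changed"
        for known in self.trusted:  # "Illium Software" vs "Ilium Software"
            if SequenceMatcher(None, norm, known).ratio() >= 0.85:  # arbitrary demo threshold
                return "lookalike"
        return "new-signer"         # the user must consciously accept an unfamiliar vendor
    def trust(self, pkg):
        self.trusted[_normalize(pkg.signer)] = (pkg.signer, pkg.signer_key)

def demo():
    """Both schemes over constructed packages; the code bytes and 'Mallory' are made up."""
    store_pub, store_priv = generate_keypair()
    ilium_pub, ilium_priv = generate_keypair()
    mallory_pub, mallory_priv = generate_keypair()
    r = {}
    good = make_package("eWallet", "Ilium Software", b"legit code v1", store_priv)
    r["store_good"] = store_accepts(good, store_pub)
    infected = good._replace(payload=good.payload + b"+worm")
    r["store_infected"] = store_accepts(infected, store_pub)  # digest no longer matches
    resigned = make_package(good.name, good.signer, infected.payload, mallory_priv)
    r["store_resigned"] = store_accepts(resigned, store_pub)  # signed, but not by the store
    phone = Phone()
    first = make_package("eWallet", "Ilium Software", b"legit code v1", ilium_priv, ilium_pub)
    r["self_first"] = phone.evaluate(first)
    phone.trust(first)  # the user consciously accepts the new vendor
    r["self_update"] = phone.evaluate(make_package("eWallet", "Ilium Software", b"v2", ilium_priv, ilium_pub))
    r["self_masquerade"] = phone.evaluate(make_package("eWallet", "Ilium Software", b"worm", mallory_priv, mallory_pub))
    r["self_lookalike"] = phone.evaluate(make_package("eWallet", "Illium Software", b"worm", mallory_priv, mallory_pub))
    r["self_tampered"] = phone.evaluate(first._replace(payload=first.payload + b"+worm"))
    return r
```

Running `demo()` shows the difference between the two schemes in one place: under the store model every outcome except the untouched, store-signed package is a flat refusal, because the phone has exactly one key and no decisions to make. Under the self-signed model the signature check catches only tampering; the masquerade and look-alike cases survive it, and it is the trust store and the name comparison, which is to say the phone's user interface and the user's attention, that have to catch them. That is the extra burden the bullet list describes.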
Now it's possible that the Droid handles all these things in a clear, intuitive manner that makes mistakes unlikely to happen. If so, then it's the first such thing in the history of computer security. I'm not even sure that my specification of needs (the bullet list above) is stated with 100% accuracy or is complete.
This is a hard problem. The bondage-and-discipline approach of other smart phone vendors doesn't guarantee app integrity, but it presents a much higher fence for malware authors to climb.