This is about social engineering. You can't compare a cell phone to a desktop computer. Cellphones are an encapsulated nexus of highly sensitive information.
Yes you can, and no they're not.
No you can't, and yes they are. You're being deliberately obtuse about this, but I know why. You don't want to be told what you can't do. Plain and simple. You don't really care how it affects the general public... you just want to be able to do it. I can see you raging against the FCC and its limits on pirate radio stations. Seriously. Let me break this to you in as clear a way as possible:
WHY YOU CANNOT COMPARE MOBILE PHONES AND COMPUTERS:
#1. First, look at the way Android breaks down access permissions. Users must explicitly OK any new application to access each of numerous groups of capabilities. Why is that if they're comparable?
#2. Secondly, mobile devices are about communication, and as such work over wireless cellular lines for voice and cellular data. In many instances, these services are capped, and incur immediate additional charges for their usage. Are any COMMON readily available services on your computer connected to a separate billing arrangement for their use?
#3. Most modern cellphones can track where you are at this EXACT MOMENT. Do most modern computers have built-in GPS or cellular triangulation capabilities?
Honestly, you list these examples all day.
Imagine putting a pre-teen on a cellphone and another on a desktop computer. Both devices containing a certain piece of critical information...
I can virtually assure you that a piece of malware on the cellphone could find the data much more quickly than similar malware on the computer. Moreover, even MORE data is available in much more standard formats and through much more standard methods than on a computer (contacts, web browsing behavior, camera photos, audio recordings, etc). Your latest photos can easily be identified and uploaded en masse on an Android device.
My laptop contains a heck of a lot more highly personal/sensitive information than my cellphone. And I do a heck of a lot more highly personal/sensitive tasks on my desktop.
All of this is true, but you're missing the point entirely. Re-read the sentence before you zeroed in on what I was saying. Here it is: "This is about social engineering." On your computer, you can have all sorts of different applications that store your information in various ways. On a mobile device, numerous pieces of information are stored in VERY standard ways, right? Doesn't that make a MUCH more attractive target? Re-read my comments about apps that UPLOAD your contacts. There was an example discussed somewhere else, where this happened, and the company identified the user's phone number, and called them back for "follow-up" purposes. I'm sorry, on what desktop system do you use that such a thing is even considered by the most insensitive companies?
The notion that somehow cellphones must be protected by all means and turned into closed computing environment is as ridiculous as that old carriers' (and Steve Jobs) argument - "allowing 3rd party apps on cellphones would jeopardize the cell tower network"
Data consumption habits on iPhones have pretty much single-handedly given AT&T a black eye on service. At conventions, people often note that the convergence of cellular data users oftentimes maxes out available spectrum. The "spectrum gap" is not some fairy tale invented by carriers and the FCC to hog-tie users to the fallacy of limited wireless resources. I honestly believe carriers need to step it up. Sprint seems to be way ahead in having a network capable of taking a lot of load. Verizon seems to do well too. Don't pretend however, that MASSIVE load caused by a cellphone botnet couldn't take down a network.
When a major carrier responds to a request for comment on its latest outage with: "After investigating the cause, we have determined that a backend system software error had generated abnormal congestion on the network." Ah... but it's SERVER software you say. Mobile apps from multiple users can't cause similar congestion? Let's look to the FCC for comment:
"With the iPad pointing to even greater demand for mobile broadband on the horizon," the pair write, "we must ensure that network congestion doesn't choke off a service that consumers clearly find so appealing or frustrate mobile broadband's ability to keep us competitive in the global broadband economy."
And, this is NORMAL usage, remember... this isn't about "rogue applications" (or faulty ones that are poorly programmed to use massive bandwidth for little reason).
Somehow, the cell tower networks have so far survived the Android, and so will we.
Really? Because Android does what? Gives you a handful of more options? The concern is NOT a "handful of more options". The main concern is badly written apps and malware having access to profoundly sensitive information. You remember when people jailbroke their iPhones and accidentally left the root SSH password as Alpine, and someone just sniffed around, and started remotely logging into iPhones left and right?
Remember the story that put Digg on the map?
http://macdevcenter.com/pub/a/mac/2005/01/01/paris.html
Exactly HOW did Paris Hilton's phone book get hacked? Well, if it were her computer, this wouldn't have happened. It occurred because T-Mobile's servers got hacked, and these servers provided a backup of her emails and address book (and phone numbers). Now, AT&T was recently hacked, exposing the identities of numerous iPad 3G purchasers. This all feeds into the whole issue with Windows and how people find more vulnerabilities because it's so popular. Android HAS NOT been very popular until this year, so its "OPEN" system has hardly been tested. iPhones (and the iOS) on the other hand, are EXTREMELY high profile (so finally Apple is getting a taste of what real hacker attention feels like).
Using social engineering, if the popular iPad (or its non-Apple twin, gaining the same attention, sales and profile) was running Android TODAY... someone could have easily used the AT&T breach to "handshake" with a popular Android Marketplace app that does something amusing, light-hearted, topical, and engaging.
Read a message from the Android security team:
http://android-developers.blogspot.com/2010/06/exercising-our-remote-application.html
The remote application removal feature is one of many security controls Android possesses to help protect users from malicious applications. In case of an emergency, a dangerous application could be removed from active circulation in a rapid and scalable manner to prevent further exposure to users. While we hope to not have to use it, we know that we have the capability to take swift action on behalf of users' safety when needed.
This remote removal functionality along with Android's unique Application Sandbox and Permissions model, Over-The-Air update system, centralized Market, developer registrations, user-submitted ratings, and application flagging provides a powerful security advantage to help protect Android users in our open environment.
But, note comments like "centralized market". These aren't "desktop" concepts. "Remote Kill"? Why would desktops need such "big brother" tactics? Chiefly because mobile users are at the mercy of BAD SOFTWARE designed to trick, fool, and swindle them out of private data and sensitive identity information.
hitekalex, take a time-out for a moment and recognize where we are in this world right now. Think about the rash of identity theft, and the proliferation of spam and Nigerian scams to steal things SO much more useful than your credit card number.
As Android Market's deleted Banking apps from earlier this year showed... just think if you'd been fooled into thinking your "Bank of America" application was official, and that the developer didn't say "Bank of America", because they'd likely contracted the app out. You log in, and the app merely "processes" the "Bank of America" site into a mobile form automatically for you. Not very good, but it does the job. Later, you find to your horror that your bank account has been emptied, and you receive a message from Google stating that the app you'd purchased has been remotely deactivated due to fraudulent activity reported by users. You contact Bank of America, but they have no answers. You run to Google and the forums are filled with angry customers.
http://articles.moneycentral.msn.co...vacy/bank-fraud-there-is-an-app-for-that.aspx
The trend is still in its infancy, but there have already been instances of potential fraud. In January, Google pulled 50 applications from its Android Market in response to concerns that they might be malicious. All apps were uploaded by the same developer and claimed to offer access to bank accounts from a variety of institutions, from big names such as JPMorgan Chase, HSBC, U.S. Bank, USAA and ING to local credit unions.
"Smart phones are extremely prolific right now, and there is opportunity there for criminals to be seeding stores with applications intended to capture personal information," says Nick Holland, a senior analyst at Aite Group, a market research firm. "We're on the tip of an explosion in terms of bad apps."
I'm sorry. Don't tell me you'd rather wait and see the fruits of their labor. Personally, we ALL need to be talking about this in DEPTH, and understanding the nature of risk. Right now, Google's security precautions read VERY OPAQUE to me. More so than Apple's. The problem with Google's model, is that they have allowed something Apple expressly prohibits. Namely... Apps in the marketplace, can download additional code that CHANGES ITS NATURE after it's been installed (code that does NOT go through Google's checks and balances for protection). They only need to access the Internet, and they're golden.
~ CB