Android's Openness Doesn't Mean It's Less Secure
It's a sad fact of human nature that when we're confronted with something different or new, we tend to attribute its success or failure in the world to the feature that most sets it apart. President Obama's legacy, for example, will always be inextricably linked with his skin color; a female executive's track record will often still be seen as indicative of the capabilities of her gender.
So it is with Android. As it's by far the most visible and widespread consumer success story in the world of free and open source software, it's easy to assume that whatever is good or bad about the Linux-based mobile operating system is due to the fact that it's (mostly) open source.
This tendency is especially noticeable when a problem comes up, such as the recent ‘TaintDroid' study finding that some Android apps were sending more data to advertisers than users were aware of. Despite the fact that every other mobile platform has had at least as many similar problems, Android detractors predictably jumped on the recent news as evidence that openness is a problem.
Now, it's a given that no platform--open or closed--is perfect, whether for individual or business use. However, to say that an open one is less secure by definition is just plain false. Here's why.
1. Permissions, Permissions, Permissions
Just as Linux users are not typically given the "root," or administrator, privileges that would be required to let a virus do widespread harm, so Android applications are isolated in separate "silos," unable by default to read or write data or code to other applications. Each application gets a unique identifier and a corresponding set of permissions that explicitly govern what it can access and do.
Users are asked for those permissions up front, right when the app is installed. Whether they give that permission mistakenly is another issue altogether; the fact is that no other major mobile platform even gives them that opportunity. You can't blame the technology or its openness when it's the users who make the decision; if anything, there may be a need for developers to include more explicit declarations with their applications.
The bottom line, however, is that Android still does more for security here than its closed source competitors do. In a closed source environment, you have no idea who's doing what with your data--you can only hope the vendor is looking out for you.
2. Who's in Charge
Users of closed source systems, in other words, are completely dependent on the vendors of those systems to control security. With tens of thousands of applications in both the App Store and the Android Market, it seems highly unlikely that any company--no matter how large its staff--could do an adequate job at that.
With the relatively open Android platform, however, users, developers and IT admins the world over can and do scrutinize what's going on. Heck, that's even how and why the TaintDroid study was possible--because the code is open! No such study could ever be done on the iPhone unless it was one Apple commissioned itself, which is unlikely at best.
It's not going too far, then, to say that the recent TaintDroid findings are a testament to the power of open source--not evidence of its failings. Had the code not been open, the flaws may never have been found.
3. The Facts
It's important to remember that earlier fears about similar data breaches by the widely hyped Android wallpaper apps proved to be unfounded.
Not only that, but security research firm Lookout recently reported through its App Genome Project that Android applications are actually less likely than those for the iPhone to be capable of accessing a user's contact list or retrieving their location. It also found that nearly twice as many iPhone apps can access the user's contact data.
In short, using Android's openness as a scare tactic flies in the face of the data. It's nothing more than FUD.
Once again, there is no such thing as a perfectly secure environment, no matter what hardware platform you're working on. But to say that Android is less secure or less suitable for business use because it's open is just plain wrong.
Follow Katherine Noyes on Twitter: @Noyesk.