Summer is the season for security conferences, and one hot topic making news is the (in)security of smartphones. In recent weeks it has been revealed that many applications in the Android Market are in reality trojans used to steal personal data off your phone. Some examples: several wallpaper applications stealing data from Android phones and sending it to servers in China, Kaspersky Lab's recent outing of an Android app that silently sends texts to premium numbers, and the BBC showing how easy it is to create and distribute rogue smartphone apps (I'm not sure why the BBC is doing security research).
When the iPhone app store launched, critics immediately slammed (and continue to slam) the market as being closed, and praised Android's open app market. Steve Jobs said one of the reasons for the closed nature of the iPhone app store is security (although one would be hard pressed not to see the major business advantage Apple has gained through its closed marketplace).
Open or closed, the fact remains that Apple reviews the source code of each application that is submitted for sale through the iPhone app store, a practice that has largely shielded iPhone users from trojan apps. There is no entity charged with code review for Android, and the fallout is inexperienced users mistakenly putting their data at risk. This blind installation of applications from unknown sources is the same problem that turned Windows into a cesspool of malware.
What's the solution? Should Google start reviewing all Android app code? This would be a step in the right direction, but there is a better solution that has existed for decades: Free and Open Source Software. Opening the source for all smartphone apps gives the world a chance to review what an app may or may not be doing. With more eyes reviewing potential vulnerabilities, or blatant attempts to steal user data, there would be a drop in smartphone malware.
Of course, I don't expect every non-technical user to start poring over thousands of lines of code before downloading an app, but someone out there will, and all users benefit from this review. Android's open marketplace is a great thing, and by opening things one step further we will see a safer and more robust smartphone experience.
Posted: Aug 11, 2010
Keyword tags: android, iPhone, security, open source software, trojans, smartphone