November 11, 2008 1:10 PM PST

Google, T-Mobile too mum over Android security?

by Stephen Shankland

When it comes to telling customers about security weaknesses, there's a fine line between alerting customers and inviting attacks. With the T-Mobile G1, the first phone to run Google's Android operating system, I think the companies are erring on the side of inadequate disclosure.

I've been testing a review model of the G1, and an update arrived first on November 1 and then a second a week later. Only by dint of much pestering and more than a week of waiting did I find out from Google what was in those two Android patches.

News.com Poll

Detailing Android fixes
Google and T-Mobile fixed security issues with the G1's Android software but have been studiously quiet about details. How would you like to be notified? Chime in with comments below.

Tell me before I update
Patch ASAP, details later
No worries, I trust you
Other


And T-Mobile has been pretty quiet, too. (I'm waiting for comment from the company about its choices.)

I'm not the type to blithely ignore patches. Sure, I'm not convinced the security patches I download for Adobe Reader, Microsoft Windows, and Firefox are flawless, but I think the odds are good enough they'll be an improvement that I install them.

But with the Android phone, I couldn't even tell whether the patches were security related, let alone how important they were or what they actually did. The closest I could come was figuring out which operating system build I had installed, then using that nugget of information to snoop around the T-Mobile forums, the Android bug-reporting system, and assorted Web sites to see if I could piece together what was going on.

In short, even if companies are generally looking out for their customers' best interests, I think it behooves them to keep the customers better informed. It prevents us from feeling like disempowered pawns. It helps us make intelligent choices with our products. And it can even make us happy, when pesky bugs are stamped out or useful features are added.

Even Microsoft, which hardly has a reputation for coddling its users, does a better job of keeping people in the loop. It gives a heads up a few days in advance about what's coming on its next monthly "patch Tuesday" upgrades.

In a pickle
Google writes the patches but relies on T-Mobile to disseminate them to its customers and to communicate with its customers, said Rich Cannings of Google's Android security team.

"We won't disclose the issue until all our users have been at least asked to update their phone," Cannings said.

T-Mobile's site says delivering over-the-air updates to G1 customers takes several days, with users selected in random order. Given the philosophy of not disclosing details until everybody has a chance to update, it would be impractical to include update details along with the update itself. Early recipients could simply publish details online.

Microsoft takes a different approach, though, publicly releasing details even before all computers have been patched.

Those who dig around T-Mobile's forums can find posts from a T-Mobile administrator named Will. "The first rule of updates is: you do not talk about updates," he joked in one post confirming that T-Mobile had begun sending out the RC30 patch, then offered only a hint about what was in the patch. He was more forthcoming in an earlier post, though.


The G1's request to update its Android software doesn't share any details about what's changing or how important it is. (Click to enlarge.)

(Credit: Stephen Shankland/CNET News)

Cannings said Google will release all the gory details about Android vulnerabilities eventually; the security announcements are automatically sent to the Bugtraq and Full Disclosure security mailing lists, for example, he said.

But that process doesn't take place on the same schedule as the patches T-Mobile distributes. It's been 11 days since I received the RC29 patch, and there's still no word published on the Android Security Announcements group. The only note is an August 18 introductory note with this advice: "If you would like to receive security patch announcements for Android, please join the android-security-announce Google Group."

The security fixes also take place behind closed doors, despite Android's open-source nature. After the report of the root-console bug that would cause a G1 phone to reboot if a user simply typed "reboot", Google's Dan Morrill added a note, "Marking as security problem, which will hide this issue until the fix is public," though it wasn't actually hidden.

Google has taken the same approach of hiding security issues with its Chrome browser, and updates are installed automatically with no option for users to approve the process. Again, it takes the approach that Google knows best, and users are best to trust the company to do the right thing.

Should I lighten up?
But here's the question: am I wrong to bridle at this somewhat paternalistic attitude? Given that the future no doubt holds updates for car engine firmware, home wireless network routers, universal remote controls, and Internet-enabled stuffed animals, we'll all have to get more used to them. After all, security is a grave matter, and vulnerabilities lead directly to spam-sending botnets and other serious issues. Should I just relax and go with the flow?

Vote in the poll and share your thoughts in the comments below.

Stephen Shankland writes about a wide range of technology and products, but has a particular focus on browsers and digital photography. He joined CNET News in 1998 and since then also has covered Google, Yahoo, servers, supercomputing, Linux and open-source software, and science. E-mail Stephen, or follow him on Twitter at http://www.twitter.com/stshank.
(5 Comments)
by IsaiBarajas November 11, 2008 3:32 PM PST
The attitude that Google is taking about security is something to be critical about.
When there is an update to security or performance, you get from most companies a detailed description of what is going on, which gives you a better perspective about what will happen on your device or whether the update may interfere with any software or hardware you might be using. But keeping the matter completely secret raises many doubts; an open-source platform keeping things hidden from the user is not coherent. I wouldn't buy any device which uses software created to be entirely open when it keeps information hidden from the user, since this demonstrates a double standard in its actions.
by n3td3v November 11, 2008 3:34 PM PST
Tell me before I update.
by dhavleak November 11, 2008 8:12 PM PST
Good article Stephen!

You're right to be critical of Google and T-Mobile here. Disclosure is definitely an important part of security patching. Nobody's looking for exact details of the patch - just affected files and a two-line synopsis is sufficient. That way, if I'm an app developer for Android, I'll at least have an idea of what testing I need to do to make sure my app doesn't get broken by the patch.

It sounds like Google at least has an opt-in screen before applying the patch to a user's phone - so they got that part right. But the other part is that before agreeing to a patch, a user needs some basic information to make a decision (at the very minimum -- is this a security update, or not?).

Lastly, considering the state of readiness of the Android platform, Google might actually be fixing broken stuff on the fly that should have been fixed pre-release, and the secrecy might help cover-up a premature release of Android. Again, users have a right to know. It might cost Google some sales in the short term, but in the long run their users will definitely thank them.
by zextron November 12, 2008 3:08 AM PST
We have the right to know what's in a patch.
by chewt0y November 12, 2008 4:28 AM PST
At least in the US T-Mobile are sending out the patches... Here in the UK they haven't even started sending out the first update yet, let alone the fixes in RC30.

I can understand the need to keep the details of the flaw secret until the patch is ready; however once the patch is there more transparency is needed.