Comments on: Google, T-Mobile too mum over Android security?

The companies are being quite paternalistic about withholding details of updates to the G1, the first phone to run Google's mobile operating system. Should I lighten up?

[IsaiBarajas]

The attitude that Google is taking about security is something to be critic about.
When there is an update to security or performance you get from most companies a detailed description of what is going on, which gives you a better perspective about what will go on in your device or if the update may interfere with any software or hardware you might be using. But taking the matter into complete secret gives you many doubts about why an open source platform keeps stuff hidden from the user is not coherent. I wouldn`t buy any device which uses a software created to be entirely open when it keep information hidden from the user, since this demonstrates a double moral in it?s actions.

[n3td3v]

Tell me before I update.

[dhavleak]

Good article Stephen!

You're right to be critical of Google and T-Mobile here. Disclosure is definitely an important part of security patching. Nobody's looking for exact details of the patch - just affected files and a two-line synopsis is sufficient. That way, if I'm an app developer for Android, I'll at least have an idea of what testing I need to do to make sure my app doesn't get broken by the patch.

It sounds like Google at least have an opt-in screen before applying the patch to a user's phone - so they got that part right. But the other part is that before agreeing to a patch, a user needs some basic information to make a decision (at the very minimum -- is this a security update, or not?).

Lastly, considering the state of readiness of the Android platform, Google might actually be fixing broken stuff on the fly that should have been fixed pre-release, and the secrecy might help cover-up a premature release of Android. Again, users have a right to know. It might cost Google some sales in the short term, but in the long run their users will definitely thank them.

[zextron]

We have the right to know what's in a patch.

[chewt0y]

At least in the US T-Mobile are sending out the patches... Here in the UK they haven't even started sending out the first update yet, let alone the fixes in RC30.

I can understand the need to keep the details of the flaw secret until the patch is ready; however once the patch is there more transparency is needed.