Gphone vs. iPhone: The security debate begins

It wasn't long after Google announced its long-anticipated mobile plans this week that a debate emerged about the prospective security of the project's Linux-based platform.

Can the open-source model for the platform, now known as Android, produce secure code? Will phones based on Android, dubbed "Gphones" by many, be more or less secure than Apple's iPhone, which has been developed using proprietary software? What will Android's developers be able to do to stop authors of malicious code from capitalizing on its openness?

Security vendor McAfee, which produces proprietary security software for mobile devices, has been quick to defend open-source practices for developing mobile code.

McAfee is a member of the Linux Mobile (LiMo) Foundation, a group of companies formed to develop an open mobile-device software platform. Many of the companies in the LiMo Foundation have also become members of the Open Handset Alliance (OHA), which Google has formed to develop and promote Android.

Jan Volzke, global marketing manager for McAfee Mobile Security, said that Linux is not new to the mobile arena and maintained that secure coding practices can successfully be built into the Android development process.

"Japan has a large deployment, with 60 percent of phones powered by Linux. McAfee protection has been integrated in the majority of these mobile Linux phones for many years," Volzke said. "For any mobile-device platform, security should not be a developer option but a mandatory requirement. Consumers--as well as operators--expect devices to be safe from the outset, with no effort required from them."

Volzke said security can be built in from the beginning of the development process by collaboration between security companies, although at the moment McAfee is the only security player in the LiMo Foundation.

Open coding practices nonetheless seem ripe for abuse. Making source code available to everyone inevitably invites the attention of black-hat hackers.

"Linux has so far been used on the enterprise-server side, with most deployments being professionally IT administrated," Volzke said. "Due to a number of industry initiatives, especially the LiMo Foundation--and now also the Open Handset Alliance--Linux will become more widely available in the consumer space. As a result, visibility to already experienced hackers increases. Open means open to everyone--with (both) good and malicious intent."

Where bugs most likely breed
The debate about the relative security merits of open source as opposed to proprietary software development has been long-running. Open-source software development has the advantage of many pairs of eyes scrutinizing the code, meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one disadvantage of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits.

The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering. However, as fewer people see proprietary source code, critics argue that code is more likely to be buggy. Some observers also claim that once vulnerabilities have been found, updates are slower to be pushed out, especially by large multinational software companies.

Most security vendors try to avoid commenting on whether open-source or proprietary software is more secure, often arguing that it is like comparing apples to oranges.

Volzke said it wasn't possible to compare the security of development practices for Android-based devices and Apple's iPhone handset, which will be released in the U.K. on Friday. "Apple's iPhone has nothing to do with open source. Instead Apple will provide a software development kit," Volzke said. "Comparing the security challenges for an open-source device platform versus a device-specific software development kit will result in different conclusions."

One security vendor was willing to make a prediction, albeit gingerly. Ben Whitaker, head of security at mobile-security development company Masabi, came down cautiously on the side of open source. "Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone," Whitaker said. "It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer (of both the iPhone and Gphone) won't be secure when the first product comes out."

Whitaker said that given the iPhone's record of vulnerabilities and its full, smartphone Internet connectivity, it would be more vulnerable than a strictly Java-based mobile platform, which he classified as "semi-smart." It will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based.

In the case of the iPhone, "with any brand new Web browser, malicious Web sites will take advantage of Ajax, JavaScript, and ActiveX vulnerabilities," Whitaker said. "The less smart a phone is, the less vulnerable it is. (Android) developers should stick to a semi-smartphone platform because the Java sandbox can protect against the normal kinds of attacks."

Whitaker added that, like the iPhone, Gphone devices will have vulnerabilities. "The Gphone could allow full apps to run on it, which would open it to keyloggers," Whitaker said. "At the moment, the Gphone platform doesn't run on an encrypted file system and has a vulnerable log-in. It's so stealable that (an encrypted file system and a secure log-in) should by default be included."

With much development work yet to take place--and the U.K. market still waiting for both the Apple and Google-based devices to arrive--the jury remains out for the definitive ruling on which model will be most secure. But one thing is for certain: no device that connects to the outside world can be totally secure, and neither the iPhone nor Gphone will prove to be the exception.

Tom Espiner of ZDNet UK reported from London.

[hawkeyeaz1]

One more thing

With proprietary, neglecting version X, Y, or Z, the platform is the same--you can guarantee the vulnerability exists with a very small number of conditions (i.e. it's been patched because it's known or the feature is turned off).

With Open Source, the 5-10% of the community who will want to poke around their code, and will distribute the changes to the community, will result in 20-25% of the community having different sets of vulnerabilities, when and if a vulnerability is found (they are there, but then again, large portions of the code, is mature, while other portion are new, thus a large number of the potential vulnerabilities are ironed out).

But then again, iPhone runs everything as root, while Android is unlikely to do so, as security (including permissions and SELinux--which is a large security aid in and of itself) are there to prevent (most) exploitation. Apple could use similar features and tools, but they don't want to.

But Google has had to deal with security for years too, as they are a prime target for hackers and DDOS attacks.

So, time will tell. We will know in a few years to some degree.

[lrd123]

gPhone vs. iPhone

I own an iPhone. Where the hell is a gPhone? Talk about vaporware!!!

[lrd123]

gPhone vs. iPhone

Let me edit my previous comment:

1.4 million of us own an iPhone

Zero people own a gPhone. It's that simple. No one owns vaporware- you can't contain it stupid.

[epcraig]

I must wonder...

When there has been no security issue with any Linux on any platform yet, how is it that we need be concerned on phones?
So far not even adware has been ported to Linux on any platform.

[Sol arion]

It is dead horse don't beat it

Apple is also based open source.The iPhone code itself not open but you can dig around in the OS, just like Linux.
I think Apple will adopt gPhone and create iGPhone, (i God Phone), instead if former reference Jesus Phone. It will be secure, they will be secure.
I found it at snapvoip if the comments allow links; here it is;
http://snapvoip.blogspot.com/2007/11/iphone-vs-gphone-will-lead-us-to.html

[flickrz]

iPhone vs. Vaporeware

Stop talking about vaporewares.....Let them first come out with a gPhone then and ONLY THEN we can compare.

[umbrae]

OpenMoko phone due out next year...

The Neo1973 is already available as a pre-release development kit. Regardless of gPhone, Linux phones are hardly vaporware, and are currently available if you don't mind beta testing.

In fact, the Neo1973 and information about its functionality have been around a while before the iPhone was announced. With the functionality being so similar its not a stretch to say the iPhone concept was stolen from the Neo1973.

[_t3h]

Functionality brings attacks?

"The less smart a phone is, the less vulnerable it is. (Android)
developers should stick to a semi-smartphone platform because
the Java sandbox can protect against the normal kinds of attacks."

Uhh. Sure it's true, but removing features because it's more secure
is a stupid idea...

[sselliotts]

what hacker's target

Many hackers are only interested in a challenge. An open source project like this Linux Mobile is not going to interest that kind of hacker because it is too easy. Apple's stupid proprietary crap on the other hand is begging hackers to break it. On, the other hand, there are some hackers who just like to hurt as many people as possible (a power trip) which is why you find so many more viruses on Microsoft Windows based machines than you do on Apple PCs. Apple holds about 5% market share in desktop PCs. What power-trip hacker would want to target 5% of the population instead of 95% ? It cracks me up that Apple blatently advertises on national TV that their OS X is more secure than Microsoft Windows and that is why theier are virtually no viruses on machines running OS X. Is it more secure or do power trip hackers prefer hurting as many as possible? And the reason that viruses do exist for OS X, obviously the doing of the hackers who like a challenge and not necessarily to hurt as many as possible. The market share point begs another question - why does Apple only control 5% of the market? Several Reasons: 1 - using proprietary hardware as they have for for decades leads to three things - (1)higher prices for the poor consumers (which only less intelligent "Apple fan boys" would pay for - which leads to number 2). (2)lower performance than mainstream competetion - Find me a Mac that can run even 75% as fast as as a same time period open PC (which cost less too). And (3)availability of compatible hardware and supporting software. Almost all of the software available for a Mac is developed directly by Apple (which of course means higher prices since there is no competition, but Apple fan boys obviously don't mind throwing money away so no problem, I guess). And can you buy a Nvidia Gforce 8800GTX for a Mac? No! Why? Proprietary is not the way to go Steve. Now how are you supposed to play the most amazing games if you can't even buy an 8800GTX? Apple, it's eventually going to bite you.

[fred dunn]

How about the "Get a real life" Phone?

Anybody that needs their phone to organize their life, keep tabs on everyone they know, have 24x7 access to the Internet, and golly gee wiz don't forget to include movie clips and music either doesn't have a life (worth living) or just has too much time on their hands.

Either way it is sad.

Get a life.

[hounddoglgs]

Amen.

And anybody who would pay $600 for a fancy cell phone has more money than sense.

[secgauntlet]

iPhone Code

As many know the latest version of MAC OS are built on, well let?s see, BDS which is well let?s see open source. Let?s not kid ourselves; the use of open source software is VERY essential to mere existence of Proprietary Code because it?s the only way people like Microsoft will develop better and more secure code and Operating Systems

Cheers

[starcannon]

I'll take a Gphone please

Apple has just really shown their true colors with the iPhone, I have no desire to help fund a company that would brick their user-base's equipment. I could care less about the caveat that apple gave before the now infamous "upgrade". It was a mean spirited move that showed the apple company for what it really is. In light of apples "coming out" its no surprise that they went with one of the nations biggest enemies of freedom of speech, particularly concerning Net-Neutrality as well as what can and can't be said, sung, or depicted on their networks.
By a Mac/iDevice/AT&T service and contribute to the demise of the 1st Amendment.

[starcannon]

On Security and Open Source

I'm a full time Linux user, and have been for 3+ years now. I have yet to have any virus/malware/trojan/dialer on any of my 5 linux machines since I've made the switch. I installed Windows on a partition on one machine in my LAN, within 48 hours it was infected.

I'll take my chances with the open source community who build around the concept of security, and I'm sure that the fact that the source is readily available ensures that code is being written from day one with that transparency in mind. Security built in with no myth that black hats won't be looking for holes in code, as opposed to security being ignored based on the myth that black hats can't find holes in closed code.

This article is just so much F.U.D. and really useful only as bird cage lining, it has not discussed anything that hasn't already been talked into the ground and it has not proven closed source to be more secure than open source, in fact, if you talk to open source users, you'll find that we have a lot easier time sleeping at night than closed source users do.

I don't kid myself thinking the bad guys wont try to take a jab at open source, I pay attention to security even in this environment, but I must say that not having a single virus in 3+ years certainly hasn't been bad for my peace of mind.

[K.P.C.]

Why is this "Gphone vs iPhone"?

To date there are less than 2 million iPhones in user hands.
How many Windows Mobile phones are there?
The iPhone uses OSX . . . Just the iPhone and no other phone.
Windows Mobile and the (VaporeWare) [Gphone/Android] are for
all the other billions of phones in peoples hands.

The only reason to use iPhone as a comparison is to get hits on
your web site.

btw . . . When the iPhone hits Japan . . . I'm gonna get 1 ;)
So far I've only had the luxury of seeing the iPod Touch here but
the user interface beats the crap out of any "keitai" (cell phone)
I've owned in the 9 years I've lived here . . . and Japan is years
ahead of the US in cell phone technology.

[wbenton]

The Winner Will Be the Secure One

At present... there are no secure ones...

So what's the article about?

Perhaps choosing the more secure amongst the insecure ones? (* CHUCKLE *)

Walt

[imacpwr]

No debate since there's NO Gphone (yet)

You're just wasting everyones time by trying to create some sort of
debate between an iPhone and as of yet, some non-existent
Gphone..

[nnpptt]

Tough to compare, but still fun to try,

Yes... the gPhone is just vaporware and the iPhone is a wildly popular piece of hardware. But the Google vs Apple debate ALONE makes this comparison fun. Thank you for the information on security features. I put it on my page:

http://comparati.com/1076-iPhone-vs-gPhone

Please add more!

[iPhoneChats]

iPhone is the best toy I've ever had. You can't compare it with any phone on the market right now.

http://www.iphonechats.com

[kopietoto]

Yes. It's design is so cool.
http://iphone-unlocked.com