[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] What everyone is saying about mobile OS security is wrong

Den sön 18 mars 2018 07:54Ryan Carboni <ryacko AT gmail.com> skrev:

It is extremely trivial for Google to make Android more secure, [...] require security updates within one month of the issue being discovered for Google Play access, etc.

This would cause all OEM:s to do an Amazon and ditch Google, because even if they could afford it they would consider it unprofitable compared to the option of selling their devices with alternative app stores and services. 

Google is already applying as much leverage in terms of security as they can. Trying to be stricter would make them lose the grip. 

Samsung already have copies of pretty much every important service or tool Google has for Android. Too hard requirements from Google would make it worth it to ditch Google and put more funding into their own competing services. Samsung even has their own OS, Tizen. LG also has WebOS.  

You should look into project Treble. Google has officially parted the Android userspace from the kernel and HAL in Android 8.0 with standardized API:s in a way that makes updates much easier. They're reducing the cost of developing updates. 

Once every new device ships with Treble, then Google will finally be able to put more pressure on issuing updates more frequently without too much resistance from OEM:s, because then the profitability calculations will finally be in favor of security. 

So if nothing has changed in about a year or two from now, then your criticism would be completely fair. But right now it's not taking market dynamics into consideration. 
The cryptography mailing list
cryptography AT metzdowd.com