Re: [Cryptography] What everyone is saying about mobile OS security is wrong
- From: Natanael <natanael.l AT gmail.com>
- Subject: Re: [Cryptography] What everyone is saying about mobile OS security is wrong
- Date: Mon, 26 Mar 2018 01:02:45 +0000
- Cc: Cryptography Mailing List <cryptography AT metzdowd.com>, cypherpunks AT lists.cpunks.org
- List-archive: <http://www.metzdowd.com/pipermail/cryptography/>
- Sender: "cryptography" <cryptography-bounces+ben=bentasker.co.uk AT metzdowd.com>
- To: Ryan Carboni <ryacko AT gmail.com>
> It is extremely trivial for Google to make Android more secure, [...] require security updates within one month of the issue being discovered for Google Play access, etc.

This would cause all OEMs to do an Amazon and ditch Google, because even if they could afford it they would consider it unprofitable compared to the option of selling their devices with alternative app stores and services.
Google is already applying as much leverage in terms of security as they can. Trying to be stricter would make them lose the grip.
Samsung already have copies of pretty much every important service or tool Google has for Android. Too hard requirements from Google would make it worth it to ditch Google and put more funding into their own competing services. Samsung even has their own OS, Tizen. LG also has WebOS.
You should look into Project Treble. Google has officially parted the Android userspace from the kernel and HAL in Android 8.0 with standardized APIs in a way that makes updates much easier. They're reducing the cost of developing updates.
Once every new device ships with Treble, then Google will finally be able to put more pressure on issuing updates more frequently without too much resistance from OEMs, because then the profitability calculations will finally be in favor of security.
So if nothing has changed in about a year or two from now, then your criticism would be completely fair. But right now it's not taking market dynamics into consideration.