Security experts are torn in their opinion of open source platforms. For some, open source platforms offer better security because these can be scrutinized for potential threats and attack points. To some, open source platforms are less secure because these can easily be manipulated toward a malicious entity’s gain. This is exactly the case with Android, or at least some analysts would like to think so.
In a speculative post by John Hempton at the Bronte Capital Blog, he opines that Android as a platform is at risk of being corrupted, simply because of the ease by which the software can be modified. Take for instance the example of China, where Android forks do not provide access to Google Play, the official Android app repository, for the simple reason that the government bans access to the service. As such, manufacturers offer apps through hundreds of other alternative app marketplaces. But try to think of it the other way around: there is a risk that developers can be manipulated into incorporating spyware into smartphones and tablets in this scenario.
Open source is a force for good or evil and in this case it was evil. Google could distribute “good Android” and the oppressive authorities could force their phone companies to distribute “bad Android”.
The clear solution here, of course, is to modify your Android device yourself, if you live in fear of being spied upon. You can root your device and install an alternative ROM, which could either be the stock ROM from the manufacturer or a custom one like CyanogenMod, AOKP or any other ROM from a reputable source. But rooting and ROM flashing are not for everyone, and only a very small minority of users are comfortable with even tinkering with their phones’ advanced settings.
We’ve heard time and again about Android being a target for malware, simply because of the ease by which users can be fooled into installing dubious APKs. Even Google Play had hosted malicious apps time and again before eventually removing these apps. Of course, we would rather attribute this to numbers (Android has become a big target because of the sheer size of its user base). But this one goes far deeper.
The premise of Hempton‘s article is valid, although bordering on sensationalist, because he speculates that Android could be dominant in China because of its potential to be used as a platform for oppression. This means the Chinese government may be planting bugs and backdoors into the likes of MIUI, Baidu Yi or other Chinese Android derivative. But would they need to? Chinese ISPs are already monitoring traffic and filtering anything that might be against the government’s liking. Heck, even American carriers and law enforcement agencies are likely to be doing this, to some extent, too. Oftentimes, we mobile users even betray our own privacy by posting too much on social networks, to the extent of geo-tagging our photos and posts.
If at all, this could be an aha moment for anyone interested in turning mobile devices into spying gadgets. If the Chinese government is adamant at spying on its citizens by embedding spyware on Android itself, then what’s stopping them from requiring manufacturing plants in China that produce smartphones from embedding spyware on the hardware itself, including the infrastructure, even those that are meant for other markets?
Knowing that your ISP or government could be spying on you, what should you do then? If you’re not really doing anything wrong, then there might be no point in worrying too much, unless you have something to hide. And if you’re doing something potentially subversive (or illegal) with your mobile device, then you should at least consider using encryption apps like Silent Circle.
It’s not Android, per se, that’s a privacy and spyware risk. The open-source nature makes it an easy target, but by no means the only one.