Google developed a new approach to mobile phone security with its open source Android operating system. Android developer Rich Cannings says there must be a balance between being open and being secure. Instead of eliminating all risks, Google aims to minimize what attackers can do should they gain access to a device.
Google used the Web for inspiration, looking at Web applications that are protected by the "same origin policy," which prevents one Web site from exchanging information with another Web site the user may have open. To adapt this approach for an operating system, Google treated each mobile phone application as a different user of the device. If an attacker infects the phone's Web browser, he or she will not be able to access the address book or another application.
Google also limited each application's access to the phone unless it asks for permission from the user, since many applications do not need Internet access. Android's developers also isolated pieces of code commonly targeted by attackers, such as the software that runs audio and video on a Web browser, placing it in a separate media server that is detached from the browser. If the media software is compromised, it cannot access the passwords and cookies stored in the browser.
Security researchers note that Android's security system has one flaw: Google does not control the phone. If a vulnerability is reported, Google may update the system immediately, but it has to rely on the phone's carrier to push the patch through to users.
From Technology Review
Abstracts Copyright © 2009 Information Inc., Bethesda, Maryland, USA