khorben's Place

Why I will never use Android

Blog post by khorben on 21/03/2011 19:50:17
This post is a translation of an article I published there in French, with a slightly differing conclusion:

I would like to share a scary story with you today: what I just experienced with an Android device.

The background is simple: I am preparing an assignment with a customer, part of which is about assessing their Android application on the Market. So far so good, I figure it would be useful to download the application and have a first look at it, in order to rate its complexity and get the figures right.

I am not a regular Android user. I was merely given a compatible device a few months ago: an HTC TouchPro, originally running Windows Mobile 6.1. It isn't and never will be officially supported for use with Android: I am therefore using a community-based distribution, XD-Android: this detail makes the matter even worse.

So here I am, connecting to the Android Market from my regular workstation. As expected, Google requires me to authenticate. I enter my gmail credentials and manage to gain access. First issue though: the site complains that I am using a phone that wasn't activated for use with my account.

This first non-sense has become so common that people consider it normal these days: the web changes shape when you change your "User-Agent", a field of the HTTP protocol (behind the web) that just tells the server which browser you are using. I will not dig further into this matter, even though it damages the integrity of the web (breaking links, etc). So it is exactly this technique that I am about to use, as enforcement of the kind of restriction I am facing is usually implemented this way.

All too easy, I grab the user-agent of my phone while browsing my own website, and place it within the browser on my workstation, Mozilla Firefox (via the "User Agent Switcher" extension). Getting back to the Market, I have now access to my account as hoped, although with a degraded version; or should I say, a version more suitable for my smaller screen size: apparently 2560x1024 pixels at 86 DPI are not enough (CSS was never designed to do that, right?).

Anyway, first surprise: my browser is now asking me if I want to share my location. Besides the fact that "no, I do not", I cannot recall being asked about it on my phone. This is however exactly what Google is asking it, too. Is it silently accepted? A verification is required, but I suppose it is.

But there is way worse. My trick worked so well that now Google thinks I am browsing the Market from the web browser on my mobile phone. Then I think I won already, and click on the "Install" button, impatient to obtain the ".apk" file I was looking for. But nothing shows up, except a notice that "my application is being installed on my phone". What?

I double-check my list of files downloaded. Nothing is in there of course, it would be very surprising since I always force the prompt in my browsers. And all of a sudden, my phone screen lits. Even better, it proudly says that the installation of the application has successfully completed.

As you may have guessed by now, this means that Google has absolute and full control over your phone, remotely. It was enough to send a request to a server in Google's farm, with my credentials, to get software installed on my phone automatically. The security model of millions of mobile devices now entirely relies on the integrity of a single private company, which is:
  • neither a network operator,
  • nor a phone manufacturer,
  • nor a hardware distributor,
  • and usually not your employer either!

This design does not make me feel comfortable. Even less when you combine it to the complete lack of validation of the applications hitting the Android Market, with awful consequences already:

I expect much, much more from a company spending so much money and energy into IT security, and whose motto is "don't be evil". Yet, the behavior exposed here is a feature:

Technically, the risk of intrusions or other kinds of abuse gets much higher with such designs. A single XSS attack through gmail is enough to enter your phone; think about the consequences of a worm. Given how this whole Web 2.0 phenomenon works, I would not be surprised to see this happen before long.

Now Mozilla Thunderbird has just found the perfect conclusion to this post for me: "this should not be happening! arrgggggh!"