Can the open-source model for the platform, Apple's iPhone, which has been developed using proprietary software? What will be able to do to stop authors of malicious code from capitalizing on its openness?, produce secure code? Will phones based on Android, , be more or less secure than
Security vendor McAfee, which produces proprietary security software for mobile devices, has been quick to defend
McAfee is a member of the Linux Mobile (LiMo) Foundation, a group of companies formed to develop an open mobile-device software platform. Many of the companies in the LiMo Foundation have also become members of the Open Handset Alliance (OHA), which Google has formed .
Jan Volzke, global marketing manager for McAfee Mobile Security, said that Linux is not new to the mobile arena and maintained that secure coding practices can successfully be built into the Android development process.
"Japan has a large deployment, with 60 percent of phones powered by Linux. McAfee protection has been integrated in the majority of these mobile Linux phones for many years," Volzke said. "For any mobile-device platform, security should not be a developer option but a mandatory requirement. Consumers--as well as operators--expect devices to be safe from the outset, with no effort required from them."
Volzke said security can be built in from the beginning of the development process by collaboration between security companies, although at the moment McAfee is the only security player in the LiMo Foundation.
Open coding practices nonetheless seem ripe for abuse. Making source code available to everyone inevitably invites the attention of black-hat hackers.
"Linux has so far been used on the enterprise-server side, with most deployments being professionally IT administrated," Volzke said. "Due to a number of industry initiatives, especially the LiMo Foundation--and now also the Open Handset Alliance--Linux will become more widely available in the consumer space. As a result, visibility to already experienced hackers increases. Open means open to everyone--with (both) good and malicious intent."
Where bugs most likely breed
The debate about the relative security merits of open source as opposed to proprietary software development has been long-running. Open-source software development has the advantage of , meaning irregularities can be spotted and ironed out, while updates to plug vulnerabilities can be written and pushed out very quickly. However, one disadvantage of open-source development is that anyone can scrutinize the source code to find vulnerabilities and write exploits.
The source code in proprietary software, on the other hand, can't be directly viewed, meaning vulnerabilities need to be found through reverse engineering. However, as fewer people see proprietary source code, critics argue that code is more likely to be buggy. Some observers also claim that once vulnerabilities have been found, updates are slower to be pushed out, especially by large multinational software companies.
Most security vendors try to avoid commenting on whether open-source or proprietary software is more secure, often arguing that it is like comparing apples to oranges.
Volzke said it wasn't possible to compare the security of development practices for Android-based devices and
One security vendor was willing to make a prediction, albeit gingerly. Ben Whitaker, head of security at mobile-security development company Masabi, came down cautiously on the side of open source. "Gphone is open source, which means it can get a good kicking and shoeing, and can be worked on by just about anyone," Whitaker said. "It's starting out in a better way than the iPhone, which has seen vulnerabilities. However, any new consumer (of both the iPhone and Gphone) won't be secure when the first product comes out."
Whitaker said that given the iPhone's record of vulnerabilities and its full, smartphone Internet connectivity, it would be more vulnerable than a strictly Java-based mobile platform, which he classified as "semi-smart." It will not be known until the Android software development kit comes out on Monday whether the Gphone will be strictly Java-based.
Whitaker added that, like the iPhone, Gphone devices will have vulnerabilities. "The Gphone could allow full apps to run on it, which would open it to keyloggers," Whitaker said. "At the moment, the Gphone platform doesn't run on an encrypted file system and has a vulnerable log-in. It's so stealable that (an encrypted file system and a secure log-in) should by default be included."
With much development work yet to take place--and the U.K. market still waiting for both the Apple and Google-based devices to arrive--the jury remains out for the definitive ruling on which model will be most secure. But one thing is for certain: no device that connects to the outside world can be totally secure, and neither the iPhone nor Gphone will prove to be the exception.
Tom Espiner of ZDNet UK reported from London.