RealTime IT News

The G1 & Security: A Paradox in Play?

The arrival Wednesday of the T-Mobile G1, the first Android smartphone, marks the debut of the most open mobile operating system yet.

Android's creators – the Open Handset Alliance (OHA), Google and T-Mobile – have pledged to fully support third-party application development, promising no one will dictate what users can download to the G1, or what developers can upload to the Android Market storefront.

Such openness is aimed at advancing mobile applications, fostering innovative services and, of course, becoming the 'game changer' in a competitive and crowded smartphone market.

Google (NASDAQ: GOOG), handset maker HTC and T-Mobile have essentially squared off against leading smartphone players, Apple (NASDAQ: AAPL) and Research in Motion (RIM), to grab market share and user adoration.

Apple's success with its popular consumer-friendly iPhone, and RIM's (NASDAQ: RIMM) leading enterprise device, the BlackBerry, are proof that tight development and security controls can prove successful.

In fact, RIM's co-CEO noted today at the vendor's first developer conference that BlackBerry is known as "the" secure enterprise device.

Android leaders don't dispute that security is a critical aspect of any smartphone. Google has put a 'kill switch' clause within Android's Market service agreement that states Google can and will remove applications that have a "malicious intent."

But the search giant and its Android partners have also made it clear they won't be policing and patrolling applications as closely as Apple or RIM. At the G1 product launch event last month, the companies said they would not prohibit third-party Skype applications that would allow voice communications away from T-Mobile's network.

That hands-off approach may not translate to success, according to experts. That's especially true if G1's advocates hope to push into the enterprise at some point, noted one industry analyst.

"For IT today security is the number one issue in everything, from laptops to smartphones," Ramon Llama, senior research analyst with IDC, told InternetNews.com. "The last thing they want to deal with is a virus or some malware from something a user downloaded," he said.

Any type of security problem could prompt users to replace the device, change network providers and stall platform and application development, explained Llama.

Llama recounted an issue Apple experienced early on with its iPhone application effort. Despite strict governance of development, an application landed in the iTunes storefront this past summer that caused a slight user furor. The "I Am Rich" application, priced at about $1,000, simply placed a ruby-colored icon on iPhones and did nothing else.

While Apple removed the application, it had users questioning who was minding the iTunes store, said Llama.

"It wasn't malicious but it exposed that something got through and drew attention. People wondered if Apple was on the up and up," recalled the analyst.

Balancing an open development environment with security is a matter of control levels, said James Blaisdell, CTO of Mocana, a provider of embedded security software.

"Openness is good, but it needs to be controlled and balanced," said Blaisdell. "Unfortunately, there are always going to be bad characters who will target vulnerabilities, bake vulnerabilities into devices, and write legitimate-looking Trojan horse applications," he said, adding that "without balance we end up with several security problems."

Those problems could include installation of inappropriate ring tones or files, file deletion, stolen passwords, traffic sniffing, zombie phones spamming contact lists and the opening of backdoors into corporate networks, he explained.

"There are far worse attacks that can be launched against a phone than a laptop, and the attacker's trail is much easier to hide due to the mobile nature of phones," said Blaisdell.

The solution, he said, is putting a "guardian angel" in place.

"You need to fortify the platform and legitimate applications from attack," he said, by using tools that verify applications are safe and technology that secures device interaction with networks and systems.

"Security done right is invisible and non-interfering for correct behavior," said Blaisdell.

"We all own security. Lack of security affects us directly as consumers of devices, but the stakeholders are the carriers and enterprises," he added. Enterprises can be quite unforgiving when it comes to security issues, said the CTO. The first incident could mean banning the smartphone culprit from corporate servers and networks.

"Ultimately even the development community stakeholders will suffer, since consumers will flee from unreliable platforms," said Blaisdell. "The mobile phone maker market is very volatile and fickle. What's hot today can easily be in disarray tomorrow."