Franklin Veaux (tacit) wrote,

Is this evil?

When you buy a phone, especially a smart phone, you don't really have a lot of control over what software goes on your phone or how your phone is used.

That's a fact. It's always been that way, and it will likely continue to be that way for the foreseeable future.

Apple has taken a lot of (well-deserved, in my opinion, and I say this as an iPhone user) shit for their weird app control-freakery. No porn, no apps developed using tools other than Apple's own Xcode, no apps they find "controversial" or "offensive"...and the whole app approval process is as opaque as Glenn Beck's sense of ethics.

So a lot of folks are turning to Google's Android phones, in the misguided and poorly-founded belief that the fact that part of the Android stack is open source somehow means Google doesn't exercise just as much control over the platform. This despite the fact they have on a few occasions now refused to host apps that various telcos have asked them not to.

I'm not in the market for a new smartphone, so I've been watching the whole thing from the sidelines. But something did catch my eye recently, and it's got me thinking down a path that zaiah thinks is evil.

Last week, a security researcher released a Google app that claimed to be a preview of the new Twilight film--you know, the one about lame-ass sparkly vampires or something, written by a conservative Mormon woman who wanted a nice Christian alternative to the evil witchcraft that's woven all through the Harry Potter saga like evil anchovies on the pure pizza of God, so she wrote about stalking and violence and rape instead. Because, of course, the main theological debate facing scholars in the dawn of the 21st century is "who would Jesus rape?" But I digress.

Anyway, the app secretly contacted his server in the background and downloaded (innocuous) code. He wanted to see how easy it would be to persuade people to download an Android app that could install a rootkit, and how easy it would be to get such an app onto the Google app marketplace.

The answers turned out to be "a whole lot" and "easier than opening a bag of Cap'n Crunch, apparently."

When Google found out, they vaporized all the copies of his app from all the Android smartphones out there.

Now, Apple also has a remote-kill switch. This is part and parcel of the state of the smart phone biz. A smart phone carrier or software vendor can reach out remotely and vaporize apps or files from your phone, without you being able to do anything about it. That's the way it is.

But when Google vaporized this research app, the researcher discovered something interesting--Google also has the ability to remotely ADD an app to a user's phone without the user knowing it. Google can remotely install software on Android phones over the air.

And that opens an interesting can of worms, oh yes it does.

The courts have ruled on several occasions that a company that has the ability to do something may be compelled to do it by a court order, whereas it is far more difficult to compel a company that does not have the capability to do something to add that capability.

Take Amazon and the Kindle (please!). Amazon revealed that it can remotely nuke a book from Kindles all over the world when someone started selling bootleg copies of George Orwell's 1984, and Amazon reached out and wiped them.

Amazon then tearfully confessed that doing so had been an error in judgment and swore it would never do it again, but at this point they no longer have that option. Since they have demonstrated the ability to do it, the next time someone's intellectual property is stolen and distributed for Kindle, the rights holder may be able to get a court order to force Amazon to nuke the offending files whether Amazon wants to or not. Amazon made that bed and might not have a choice about sleeping in it.

So here's the conundrum I'm pondering. Since Google has the ability to remote install apps, what would happen if Google were forced by court order to use it? What would that do to the cell phone industry? Would people start staying away from Android in favor of other platforms without that ability? More important, would it lead to social dialog over what kind of power we should be willing to cede to the phone operators?

I'm considering writing an Android app that runs in the background and sends the GPS coordinates of the phone to a server every few minutes. I am also thinking about approaching a bunch of police departments and saying "I've written this app. I will not distribute it to anyone except law enforcement. If you get a court order to put it on someone's phone, I'll give it to you and you can compel Google to install it remotely."

Might not ever get used. But the first time it did get used, I have a feeling it'd generate quite a shitstorm. And open a conversation that I think probably needs to happen.

zaiah says that doing this would be evil. What say you, Oh Interwebs?
Tags: computer security, philosophy