Editorial: The only secure option is the one that lets us read the code

We're going to spend a bit of time talking security on Talk Mobile 2013 this week. A lot of the discussion is going to be about what you share online, with or without your knowledge, and ways we can keep our mobile devices secured when they leave our hands. It's all very important stuff, but there is one other thing I want to bring up, and that's what I like to call the transparency factor.

To put it simply, the only time you can trust any software is when you can read the code and see what it is doing. Maybe you (and often times, me as well) don't understand all of it, but rest assured someone out there does. And they are looking. Putting code online for peer review is the only way independent third parties can see what it is really doing. And that can be pretty damn important.

We've seen that there are several backdoors written into Windows, and that BlackBerry, Nokia and Apple appear to have built methods for the Indian Government to get in to their respective phones and tablets. I'm not talking about the recent NSA scenario, which may or may not open all your web services to third party snooping. I'm talking about the core functions of the OS itself. The software on these devices was allegedly written with a built-in way for someone else to have a look at what you're doing. The NSA reading your Skype messages means little if they already have a way inside your phone or computer because it was designed for their access.

Look at your phone. Is is running software that isn't open-source? Most are, including plenty of Android-based phones. You have no idea exactly what your phone is doing when you power it on. Is this a problem? Maybe. To a lot of people, it means little. They have nothing to hide, and aren't concerned about who has access to their phone software, or what they might be doing with it. That's OK. I'm not too concerned about what any government or military agency might find in my email or chat history, either. But I am a little concerned that they may be able to do it because the company I bought my phone from made it easy for them and didn't bother to tell me.

Thankfully, there are alternatives. Android, as written by Google is open-source, as are some other mobile operating systems like Ubuntu Touch and Tizen. Any backdoors built into the code on devices running this software would quickly be ferreted out by people smarter than us, and you would read all about it at every major web publication. I thoroughly enjoy using plenty of closed source software. Now that iOS has broken it's dependence on iTunes a little, I think it's a fine offering. I've used Blackberries for years. I also think the new Android phones from Samsung and HTC are pretty damn spiffy. But I don't pretend to think that they are secure, because I just don't know. And truthfully, neither do you. Maybe Richard Stallman is right.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • Transparency is also the problem with electronic voting. The companies that contract with governments to provide electronic voting consider their closed-source software intellectual property and won't provide the source for examination. Open-source is also a better solution in that arena.
  • Yeah sometimes not even open source means 100% open but it is good that changes can be made if you know how to code. You are given a choice.
  • People willing to give up their rights because they "have nothing to hide" make me sick. Posted via Android Central App
  • While I too have nothing to hide, I completely agree.
  • +11
  • Funny, people who wear tin foil hats make me sick too.
  • Ha that is try for me as well. Posted via Droid RAZR M on the Android Central App
  • *true Posted via Droid RAZR M on the Android Central App
  • It's not quite as simple as that. The government is going to do whatever it does, and unless you're ready to storm the white house with a large militia that is heavily armed (which is probably the only real solution for taking this country back), it's not like you really have a choice. In case the government is reading this, I am not advocating violent revolution, so don't put me on your watch list :P I'm just saying that it's not like I can write my congressman and make this go away tomorrow. Trust me, if there was an opt out list for being tracked, I would be on it. Otherwise, WTF do you want me to do? I didn't vote the assclowns into office that make this stuff legal.
  • Why? When you have real life situations and problems to deal with, do the fact that the government may or may not try to look at your information makes you really mad? I mean, I don't really care. I have nothing to hide. Its the people who have things to hide and make a big hoopla about it is what scares me. Its the U S of A govt. Its our government. You have a better way of keeping an eye on over 300,000,000 people? Please share. Posted via Droid RAZR M on the Android Central App
  • People that claim to have "nothing to hide" are either stupid or have absolutely no life whatsoever and think they have nothing to lose (hint: it is the former).
  • Open source is not the solution. Human Rights include property rights. They're inseparable. Proprietary software is a result of that. There should be choice of course. Alternatives. Transparency is needed here. Posted via Android Central App
  • Open source gives way to peer review which inherently makes things more secure because it allows flaws to be discovered quicker. Property owners deserve the monetary benefits of closed source software but inherently leave their software susceptible to zero-day attacks. Hackers in the open source community tend to announce their findings whereas crackers the closed source software tend to keep it quiet and reap the benefits of their hack. It is not always the solution but for transparency its a damn good one.
  • Anyone remember the Carrier IQ debacle when it came to light that telecomm carriers were using products to "help" the user experience with their mobile devices. While what was turned on wasn't really that bad... it would have only take a small OTA to log user interactions and report out on stuff that no one would want reported. And it would be done without really notifying you what changed.. you weren't downloading it from the Play store or anything. We sometimes have too much faith in technology. The honest truth is that unless you work in the specific industry as a developer you have no real way to know exactly what that device/code is doing.. so yes we take a lot on faith. Look at automobiles today.. I can't work on half of the stuff that goes wrong with my car because its all transistors and microchips. I liken this to my phone and tablet. I can build a PC, I can put software on it, I can protect it to the best of my ability. I have no real way to know what that software is actually doing because I can't see it... so I end up trusting my vendors that I do choose not to hurt me.
  • Open Source goes a long way, but it is not the same as complete trustability. Ken Thompson (the primary designer of Unix) did a clever hack / demo back in the day to demonstrate this. The way the gag worked is that Ken had hacked the binary compiler that was included on the system, so that if it could recognize two pieces of code to be compiled. The first was a particular application that he wanted to subvert. The second was the compiler itself. If the user attempted to compile their own compiler, the tainted compiler already on the system made the newly compiled compiler tainted as well. If the compiler was used to compile the target app, it got rooted. The result? You could read the source code for the compiler and the application all you wanted, but it was too late, because you had little choice but to trust the original compiler. Real security is damn hard.
  • Short of building it yourself, how do you verify that the bits on your phone match the source code on their website?
  • Here's the article Ken Thompson wrote describing the hack: http://cm.bell-labs.com/who/ken/trust.html
  • Guys. Don't read to much into this. The "I have nothing to hide gang" and the "tin foil hat gang" are in the same boat. The only way to be sure you are not been snooped on is to ditch your phone in a bin and never use one again. Any data been sent out from your phone without you knowing is for the most, marketing reasons. This helps the vendors and networks "target and market" see what's been used and what everyone has and sell on that. Maybe government's are watching. But they cannot process that amount of data in a go. And why would they? Who cares who had what for breakfast (I'm looking at you Facebook users) So key words like BOMB and so on are triggers for a watch list. But any terror group worth their salt don't use words like that so its all pointless. So I think it really is all down to marketing and stats. If it helps make better apps and tech then read away. If asked I would let them have all the data they want. I will now get of my soap box and go back to my dark hole. (To marketing. Network signal sucks in this dark hole. But you already know this due to secret data collecting. Just saying) Posted via Android Central App
  • >"To put it simply, the only time you can trust any software is when you can read the code and see what it is doing." Yep- so I laugh at seeing people use these Android "password database" apps that are closed source. For all you know, that app funnels every one of your passwords straight to the developer or someone else. And even if the source is available, if you didn't compile it yourself, it could STILL be doing something nasty in the binary :(
  • By the title of this article, I was expecting an if the fearconcerning the NSA's contribution to AOSP. Even given the article's true subject, in surprised you didn't mention it. Posted via Android Central App
  • This is the primary reason for root. I have been saying it for years now!
    Extra features are nice, but a secure, reviewed OS is paramount.
    Just because someone loads ex: Cyanogen, so what if they cant read the code.
    ~30,000 other guys out there do. And their keeping an eye out for all of us! Open = Win (always)
  • Well put, Jerry! Posted via Android Central App