Android SDK Officially Released
For all of the positive aspects of the SDK, one element that has me concerned is the implementation of the SDK's security model. According to the web site, "At application install time, permissions requested by the application are granted to it by the package installer, based on checks with trusted authorities and interaction with the user. No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user."
Eek!
Essentially what this means is that if a user is tricked into installing some kind of malicious application, once it is installed it basically has the run of the system.
Is anyone else concerned by this?
OK, so this isn't much different from what we have today when you attempt to install an application on top of Windows (for example): if you confirm to the UAC that you want to let the application install, it does so, and you could potentially have introduced any level of malcode to your system.
If this is no different than what we have today, then why care?
As we continue to open more technologies and platforms to make them easier to use and more adaptable, let's make sure that we are not further perpetuating a poor security model. There is a natural general divergence between ease of use, the addition of features, and security. Even though it is impossible to please all of the people all of the time, it is a poor ongoing practice not to find a middle ground between these three, and continuing to allow the open use and distribution of new technology without also heavily considering the security model is irresponsible.
