Reflections on Trusting Trust

Post by Aabidano »

The Android thread got me thinking of this again, in the context of folks downloading apps, images or whatever to their phones that have been developed with an SDK of unknown provenance or haven't been checked by a responsible third party.

The paper at the link is a great read.

http://cm.bell-labs.com/who/ken/trust.html

I've read this week that the built-in application level "kill switch" for Android has been used a couple times against software that doesn't meet with Google's approval, similar to Amazon's remote removal of books from customers' Kindles. In Google's defense, rightly so in the couple cases listed.

What's unknowable is if that same mechanism exists in the third party apps\builds. Who's going to be liable for that $1500 bill to Latvia?
"Life is what happens while you're making plans for later."

Re: Reflections on Trusting Trust

Post by Fairweather Pure »

The Amazon example was fucking bullshit. It was George Orwell's 1984 too. Jesus. However, we're all slaves to the distributor in the digital age. The consumer is 100% on their terms. They hold the keys to the castle and we're all just renting.

Companies love bait and switch tactics. I still remember when we were told that CDs were so much cheaper to produce and almost impossible to scratch and that they would eventually come down in price after they became popular! I feel like all digital downloads are going to fuck the consumer over in the end. When everything is pure download only, video games will still cost $60 despite no case, booklet, physical disc, label, need to distribute the item, or % of profit going to a 3rd party for retail. The savings will be straight profit for the developer. The consumer will not see any significant savings at all (unless it's on Steam!). They already do this with movie downloads.

Re: Reflections on Trusting Trust

Post by Aabidano »

The Amazon deal was BS, agreed. Google did something good in this instance however.

http://www.fiercedeveloper.com/story/go ... source=rss
http://www.zdnet.com/blog/projectfailur ... -evil/1078
http://www.engadget.com/2010/06/25/goog ... h-for-the/

Great quote from the initial URL:
The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.
"Life is what happens while you're making plans for later."

Re: Reflections on Trusting Trust

Post by Aabidano »

At a guess those are far from the only apps doing this:

--Google Android Apps Reportedly Stealing Data (July 30, 2010) Dozens of wallpaper apps being sold for Google Android devices have been found to be gathering personal information and sending it back to the apps' developers. Google has suspended one of the applications, which appears to send collected data to a server in China, while it investigates the situation. The application is called Jackeey Wallpaper and contains stolen copyrighted content. The issue underscores the importance of downloading applications only from known and trusted sources.

http://www.telegraph.co.uk/technology/g ... -data.html

http://www.sfgate.com/cgi-bin/blogs/ybe ... y_id=68990
"Life is what happens while you're making plans for later."

Re: Reflections on Trusting Trust

Post by Winnow »

Android and its Apps have a looooooooong way to go to catch up to iOS4/Apps.

It's definitely amateur hour over at google.

Re: Reflections on Trusting Trust

Post by Boogahz »

Don't discount the Citibank iPhone app storing data it shouldn't have too: http://www.tuaw.com/2010/07/26/citibank ... rity-flaw/

Re: Reflections on Trusting Trust

Post by Winnow »

Boogahz wrote: Don't discount the Citibank iPhone app storing data it shouldn't have too: http://www.tuaw.com/2010/07/26/citibank ... rity-flaw/
Shouldn't be banking with them! Doesn't count!

Re: Reflections on Trusting Trust

Post by Aabidano »

Winnow wrote: It's definitely amateur hour over at google.
I agree, people have mostly been indoctrinated that loading random_software from an unknown origin is bad. That Google is selling it to them makes me giggle.

Though it seems a lot of the point of jailbreaking an iPhone is so you can do the same thing to yourself.
"Life is what happens while you're making plans for later."

Re: Reflections on Trusting Trust

Post by Soreali »

Winnow wrote: Android and its Apps have a looooooooong way to go to catch up to iOS4/Apps.

It's definitely amateur hour over at google.
That's because Google doesn't give a shit what people want to make and lets them upload anything.. yes I agree most of the apps are fucking pointless and retarded, but the ones that aren't and actually get rated well are as good as Apple apps.
Timmah.



Re: Reflections on Trusting Trust

Post by Winnow »

Soreali wrote: That's because Google doesn't give a shit what people want to make and lets them upload anything.. yes I agree most of the apps are fucking pointless and retarded, but the ones that aren't and actually get rated well are as good as Apple apps.
I disagree, at least for the apps I was able to use that I also had on the iPhone. iStockmanager and Official Yahoo IM Apps weren't even close to being as polished and in the Yahoo app's case, was a complete failure, crashing constantly.

Android is running into compatibility issues, serious issues between the many Android phones. There's also the point to be made that some of the most professional apps aren't available at all on Android because of the craptastic Android Marketplace store which is horrible.

Apple may rule with an iron fist but that also helps with quality (even for the fart apps) and their iTunes proven store with (actual search ability!) proven functionality promotes a healthy marketplace for their apps.

Android OS itself is pretty nifty except for the poor battery draining multitask issues.

Re: Reflections on Trusting Trust

Post by Aabidano »

...Once installed, the Trojan begins sending SMS messages to premium-rate numbers without the owner’s knowledge or consent. Victims wind up with a huge bill while the cybercrooks behind the scheme earn a slice of the income. There have been isolated cases of devices running Android getting infected with spyware since last year, but this is the first occasion that an SMS-spewing Trojan, common in the world of mobile malware, has affected devices running Google's operating system.

http://www.theregister.co.uk/2010/08/10 ... ms_trojan/
"Life is what happens while you're making plans for later."