Conversation with Thomas Cannon on Android Security, Part 2
VPN Haus continues its conversation with Thomas Cannon, a security researcher who made news last month when he discovered a vulnerability in the Android OS that could make devices susceptible to data theft. After finding the threat, Cannon alerted Google and received a response from their security team in 20 minutes. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable timeframe. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”
VPN Haus: Impressively, the Android Security Team responded within 20 minutes of your notifying them. But despite this quick response, you have concerns on how quickly users will get the patch since Android OS updates typically come through OEMs and carri
Thomas Cannon: If we look at the desktop computing industry we can see an industry standard for patching just hasn’t happened, and I feel it is unlikely to happen on mobile devices either. What would be the incentive? It would require the public to care e
VPN Haus: Do you think Android being an open platform can make developing a patch and maintaining the software a tricky business?
Cannon: I don’t agree that being open means developing a patch is tricky. Being open allows more people to understand the code and the patch. I don’t think being open is the cause of software maintainability issues either. That said, in the case of Androi
Next week, we’ll conclude this conversation with Cannon, talking about Android’s future in the enterprise and key security concerns around open devices.