In a post by none other than Android Security Team member Nick Kralevich today, he and the rest of the Android team “strongly disagree” with headlines and commenters specifically on Engadget, but across the rest of these internets as well. Engadget says “Nexus S has been rooted, let the madness commence!”, while commenters spit “This is only possible because Android’s security is crap and it’s exploited easily to gain root priviledges [sic].” Nay! Says Kralevich, nay ineed, tis not it’s crappy security, it’s the fact that the Android team MADE them that way. Kralevich says that the Nexus S, just like the Nexus One that preceded it were designed to install custom OS – no surprise at all, says he, that Nexus S was rooted so quick – they meant it to be!
Kralevich links directly to the quick and easy fastboot oem unlock on RedmondPie and says that rooting is only the beginning, hopefully, of the changes you might make to the whole phone. Kralevich notes the fact that in Android, rooting your phone is a feature of the device, not the “active exploitation of a known security hole” it is in other operating systems.
Kralevich of course brings up the sandbox, telling all of the world that their sandbox method of keeping each bug and malicious evil attacking an app from infecting any others – blocked in like sand in a child’s sandbox – get it? He mentions how each app is required to declare the permissions they use (that little screen that pops up before you’re even able to access the app,) and he re-declares the idea that they’re constantly patching holes in security daily, linking to Adobe as proof that it’s not just he who’s singing their praises.
He goes on to note the sad state that must remain:
Unfortunately, until carriers and manufacturers provide an easy method to legitimately unlock devices, there will be a natural tension between the rooting and security communities. We can only hope that carriers and manufacturers will recognize this, and not force users to choose between device openness and security. It’s possible to design unlocking techniques that protect the integrity of the mobile network, the rights of content providers, and the rights of application developers, while at the same time giving users choice. Users should demand no less.
And signs off to leave us in the twisted and enjoyable world of hacking and staying safe in the world to ourselves. He walks slowly down the Android hallways, cackling as he does so, cackling into the night.
[Via Android Developers Blog]
Great article, every manufacturer and carrier should read it!
In fact, the Nexus S was not “rooted” in the security exploitation sense of that commonly used term. The phone gives the user the ability to access and replace OS components directly, but forces a wipe of the phone before that “window” (fastboot oem unlock) is opened. This wipe requirement is essential to keeping the user’s data safe and secure, and is commonly overlooked by the community.
We need to avoid the use of the term “rooted”.