Android's Security Policy Is: "All Or Nothing"

This is an essay about the biggest and most successful infosec profanation campaign in the world. It undermines the very idea of security awareness in each and every aspect, and it does so very subtly. Initially I wanted to tell you how this profanation works and why it would succeed at cleansing users' minds of any security-related thoughts; today I upgraded my test-bunny Android device and realized that my «prediction» has already been overtaken. Android has entered the final stage of the campaign: after the applications succeeded at damaging users' security awareness, the core system itself has openly stepped into the battle to deliver the final blow.

Google Play Store Politely Asks You To Deactivate Your Basic Security Policy

Asks. Very politely asks. Provided that it holds your smartphone by the balls. Quote:
Google Play Store needs background data to be enabled
Where "background data" is a euphemism for:
allow ALL applications to send and receive whatever they want without asking my permission to do so, while pretending the application is INACTIVE.
Well, you may say, applications normally exchange tons of data, and that is their primary purpose in a nutshell. True, but irrelevant. It is not the data exchange that causes the problem, it is the COERCION that pisses me off, and it must piss you off too. An application, exploiting its exclusive status in the system, threatens to stop working unless you allow something GLOBALLY to ALL OTHER applications in the system. Besides that, it devalues the meaning of the application status "inactive" (I hate misnomers, even though they are the basis of modern-day IT discourse and the Security Theatre). And if you still think that this is OK, and that I am ranting about some minor non-problem, then I must congratulate Google on the successful destruction of security awareness.

You asked me for a hot beverage? — drink this boiling water!

Hysteria + Sadism constitute the Android Security Subsystem; learned helplessness is the goal:
We give you some «security related» controls, but we make you suffer if you dare to use them.
This is Android's approach to infosec in a nutshell. The permission system is specifically designed to be PAINFULLY useless for any reasonable user, while pretending to answer users' demands. Not only does it strawman the idea of users' responsibility for their own security, it also encourages careless behavior and punishes those who care.

All Or Nothing Level 1
An application demands over 9000 access privileges. What choice do you have? «Do not install». Android allows you only a binary response to a question of arbitrary complexity. If you disagree with the application's demands, however slightly, you are forced to respond «Do not install». Even if you really need this application, even if this application has no analogues, even if you merely want to keep your phone book secret from a flashlight application. There is no way to give a sensible response to an application's request. All or nothing. It is not even a request, it is just a routine «accept our terms» dialog: they don't ask you whether you want to give them access privileges, they inform you what they will take.

All Or Nothing Level 2
An application demands access to your phone book. «What kind of access?» you ask. «It's not your business», Android replies. How dare you see any difference between read and write access to your phone book! Just give me ALL.

This is not a bad design. This is a very good design, carefully crafted to look as bad as possible. Google deliberately teaches you HELPLESSNESS. Android takes the idea of antisecurity much further than the former champion, Windows, did. Windows simply exposed your system «naked in public»: brutal enough, and it worked well at the time, but it caused many users to rebel, because Windows sold you antisecurity by force. Android takes the next step: it makes you think that the state of «public nudity» is somehow preferable for your system. Android lures and coerces you to «choose» antisecurity.
