There was a thought-provoking post yesterday from Chris Palmer, Technology Director at the Electronic Frontier Foundation (EFF). He specifically calls out Google Android, for being an open source platform but not being open about security fixes. I agree this looks bad – I’ve been following a couple of threads on the Android Security Discussions group on this topic, waiting for an answer from Google staff, but none has been forthcoming.

I don’t really blame Google for not announcing the details of fixed security vulnerabilities though; the reasons are clear, and pointed out in the EFF post (inability to patch operator-customised ROMs). The Symbian Foundation faced the same dilemma, but didn’t recklessly say they were going to announce fixed security vulnerabilities in the first place! Google should at least be honest about their policy.

That said, I disagree with the EFF on two points: Read the rest of this entry »

We’ve been trying to get a Security Strategy Working Group going, and thus far it hasn’t really taken off. Chatting with various people about this, we’ve decided that, following Symbian’s principles of open governance, we should be brave and open the discussions to the world at large.

Do please note that this is not a commitment to full disclosure of unfixed security vulnerabilities; the point of this working group is, among other things, to discuss what the right policy should be for dealing with vulnerabilities. I (Craig) favour responsible disclosure, but that’s up for discussion.

If you have an opinion on the work items (and you really should, they will affect device manufacturers, security researchers, network operators, package owners and committers, security tools vendors and anyone who even uses a Symbian Platform device) then please sign up for the mailing list!

We are forming a working group to decide what the Symbian community’s strategy should be in dealing with security issues on the Symbian Platform. This is an example of Symbian’s commitment to open governance, and membership of this working group is open to any Symbian Foundation member.

There are some interesting challenges, both in the operation of this working group and in the operation of whatever processes the working group decides should be put in place, arising from the tension between the desire for openness in our dealings with the community and the harm that could be caused by disclosing security vulnerabilities to the world before a fix or workaround is available.

Full details of the remit of the working group are on the Symbian Developer wiki. We already have several working group members signed up, and if you are a Symbian Foundation member and would like to participate, please go ahead and join in!

[sorry this ended up being so long, I couldn’t see a good way to split it into smaller posts!]

I am often asked whether I think that publishing the complete source code to the Symbian Platform will result in more security vulnerabilities being exploited by the “bad guys” (Internet fraudsters, malware writers, software pirates, etc.)

The short answer to that is: No. I’m confident that the advantages of collaborative open source development will more than outweigh any disadvantages of potential attackers getting easier access to the implementation details of the Symbian OS security mechanisms. There is however a longer answer explaining why I think that, which is what I’d like to share in this blog post. Read the rest of this entry »