I’m just investigating the security and control of the Linux platform in comparison to Android.
In Android there seems to be a huge development around security – Applications are required to ask for system permissions, and if the user grants that permission, then the system allows that application to execute with those granted privileges.
It isn’t like that on vanilla Linux. Applications can access anything they want, albeit not granting them to modify files, but nevertheless. Users simply don’t know how applications work, and what information – sensitive information – they take and what they do with that information (upload it to a database and sell it to 3rd parties).
So what is this dealt with?
I’d imagine the Linux kernel has to be modified so it accepts access tokens per application basis or something similar.
Windows at least has some type of security system with it’s built in firewall and local authority service. (I know little about Windows.)
2
The goals of Android security are different than was traditionally with desktop operating systems like Linux or Windows.
Until recently, all systems assumed the administrator and user know and trust the applications they install. Or if the user can’t be expected to know, they need the administrator, who is presumably more knowledgeable, to do it for them. Security ensured primarily that users can’t read or damage each others data or prevent each other from working. That’s still the case of Linux and Windows in desktop mode.
For mobile phones the case is different. Mobile phones are single-user, but they don’t have administrator and are expected to be used by non-tech-savvy users. So the mobile phone (and tablet) security is supposed to give user some level of protection against malicious application, especially now the application shops provide thousands of applications.
The traditional security of isolating users is well understood after more than 30 years of experience. It is also well understood how to re-purpose the security mechanisms to separate services on server to limit damage that can be done by exploiting bug in one of them. The mechanisms for this end were greatly improved over time leading to very powerful and flexible SELinux, but it still requires a knowledgeable system administrator to set up.
On the other hand securing user against trojan horses (malicious applications they are fooled into installing) is new, largely unexplored and still severely lacking. The major problem is that if you (rightfully) don’t expect the user to be able to judge whether the application is trustworthy, you can’t really expect them to know what the permissions they are confirming mean and what the implication of granting them to the application are. Apple and Microsoft work around this by tightly controlling content of their application shops, but that has it’s own issues (it’s surprising no anti-trust bureau have forbidden it yet), Google mostly ignored it until lately and implemented some form of monitoring now. It should also be noted that the permission system exists at least since Symbian.
It should be noted that the Android security system uses the same underlying mechanisms as the one for desktop Linux. The difference is in how it is set up, not how it works.
1
Android security is almost a joke. Consider the “read phone state and identity” permission – this is nearly always used by apps to send your phone details to advertisers so they can target ads at you (and earn a little revenue by the app maker). Does the app really need access to all your sensitive data on the phone just to get a unique id off you? Apparently so!
Then there’s the way that the permissions are used, currently there’s been a bit of malware on the App Store where an legitimate app requested some permission, and subsequently updated the app to add some malware that exploited that permission – and no-one noticed as the permission was already granted.
I think the Android security model, that means you have to give permission to various settings up-front, and in such coarse-grained ways, means that no-one really looks at what the apps requires, you have to accept all security permissions to use the app.
I’d say all users don’t know how Android apps work either – once you’ve given an app network and file access, it can send all your files to a 3rd party without needing to trouble you for permission – you do have a file manager app on your phone what already has been given these permissions don’t you?
You can’t build security in in a way that stops all bad things without also stopping all the good things – security is more about run-time permissions and restricting apps from accessing parts of the system that it shouldn’t have access to. Now Linux security is mainly based around filesystem security in that you prevent 1 user’s running apps from accessing another user’s files (as a multi-user system, this is important, and even for a single-user system, you don’t want a rogue app from accessing sensitive ‘root’ system files).
BTW, Linux has iptables – a ‘built in’ firewall, and if the standard security system isn’t good enough, you can set SELinux going, which was designed by the NSA.
3
There is SELinux project which allows to fine-tune the interactions between processes (and filesystem). The system of permissions is a bit more flexible then Android at cost of increased complexity. Other possibility are, among others, TOMOYO Linux and AppArmor. There are desktop distributions which have them enabled by default like Fedora.
However my guess is that on Linux the applications are trusted and protection is done rather to:
- Minimize the effect of security holes (for example to prevent hijacked Apache process from messing with PostgreSQL)
- Don’t allow user to get outside his/her boundaries and access other users’ data
It is somehow justified as most of applications are open source and well-known so it is likely that such code would be discovered.
1