06 November, 2013

FOSS security: Why the FUD-spreaders are wrong

Ever wonder why the Google Play store has had the malware it's had in the past? Of course, Google has gone to great lengths to make sure this doesn't happen again. They've removed malware from the Play Store AND remotely deleted it from users' devices. They've introduced Bouncer — not that it's done a great job in the past — and went on to update its definitions continuously. Well, people seem to think that because Android is insecure, all FOSS must be insecure, right? Wrong.

Android has a serious problem that makes its software inherently insecure: the Apache License. Unlike the GPL, the Apache License is permissive. This means that Android can be Tivoized, which is why carriers lock bootloaders on Android devices. It also means that Android can be forked without the need to open up the source code of the forks, which is why manufacturers like Samsung, HTC, and others can get away with keeping TouchWiz, Sense, and other custom UIs proprietary. This of course also provides a boon for malware distributors: now they have an app to which they can add malicious code — for example, a backdoor, a keylogger, or spy code — and they can get away with keeping that added code proprietary, so that no one knows it's malware until it's installed.

In contrast, most mainstream Linux userlands — KDE, GNOME, XFCE, Unity, LXDE, and the like — have a security stronghold: the GPL. Unlike the Apache and BSD licenses, the GPL is a copyleft license. This means that the license uses the power of copyright law to *require* developers who make changes to the code to open those changes up, and to irreversibly agree that the changes stay in the public domain. This means, of course, that hackers and malware distributors end up in a sort of Catch-22: either comply with the GPL and get busted by the government, or violate the GPL and get busted by the FSF.

Also, there's another provision of the GPL that is easily capable of preventing locked bootloaders. It states that if GPL software is installed on a certain machine, that machine cannot implement hardware restrictions that hamper the freedom of users to modify said software without violating the GPL. Locked bootloaders, such as those that carriers install on Android-powered smartphones, no doubt fall into that category.

So, the next time Microsoft or Apple tries to spread FUD about the open source model, refer to this blog post. There's no denying that the propaganda these corporations spread is almost in line with the propaganda spread by the Chinese and North Korean governments, and if users have any reason to believe what these people are saying, they've got their facts skewed to the brink of dystopianism.