I'm not saying that Google is malicious, but if this NY Times article is true that it is pure spin. Andy Rubin is VP of Engineering at Google and he started Android. He should know that there are private API's in Android and somebody should call him out on it at Google IO.
As for the screen off API being a security threat. I see what you are saying about a malicious app protecting its self by turning off the screen repeatedly. I think this is much less a threat then allowing apps to send SMS messages. I recant my statement about it not posing any threat, but it should be relatively easy to add an Intent Permission for this. If necessary add a DDos prevention as well. Android development is going at a break neck speed, arguably too fast. They should have time to sure-up the existing API and several people have asked for this feature, not just me (see comment above). If timing is really the only issue here, then just let developers know when the feature is coming in the interest of being "open". We can be patient; just let us know when. The fact that you can't turn the screen off based on the proximity sensor is ridiculous. This use-case is obvious and you should be able to do that the completely open system that Andy is describing. PS The Gmail account authentication API is private as well right? Did I just make that up? David Shellabarger http://www.goldfishview.com On Apr 27, 6:03 pm, Mark Murphy <[email protected]> wrote: > GodsMoon wrote: > > But I don't see how you can argue that the API to turn the screen off > > is not ready for prime-time or that is a security risk. > > IMHO, it is a security risk. There most certainly are applications > where, if malware decided to turn off the screen (and keep it off > through repeated calls), the user would be significantly impaired -- > phone calls and navigation come to mind. > > Heck, done right, they could even effectively force a hard reset. Just > keep turning off the screen every few hundred milliseconds, and the user > couldn't enter their lock code. Only way to deal with that would be a > hard reset, or a pinch of luck (hope you can reboot, unlock the screen, > and nuke the offending app before it gets BOOT_COMPLETED). > > Now, that specific attack vector could be dealt with using DDoS-style > defenses (e.g., an app can only ask to shut off the screen once per X > period of time). But I don't think they have that defense in their now, > and therefore I think it is premature to say it's ready for the SDK. > > > I suppose you could agree that they aren't "secret" because its an > > open source project and you can call them with reflection but this > > seems to go against the completely open principle he is talking about. > > IMHO, you're attributing maliciousness for something that probably isn't > the case. In addition to the security, in addition to the fact that > Android was built before there even was an SDK, etc., there's the teeny > little issue of time. > > APIs are not added to the SDK until the core Android team is committed > to them. While there have been some deprecations, generally, the SDK has > remained fairly stable from 0.9 onwards. > > There is also a finite amount of engineering time. Time spent confirming > that nobody anticipates a change in such-and-so API, adding it to the > SDK, and running regression tests is time taken away from advancing the > platform in other areas. > > Hence, we see these sorts of under-the-SDK things promoted to the SDK in > bits and pieces. You may consider that to be evil. I consider it to be > sensible engineering in the face of limited staffing. Whether or not it > is "secret" lies in the eye of the beholder. > > My main problem with the quoted stuff was the claim that Gmail is on > equal footing with other SDK apps. Since Gmail is proprietary, it is > difficult to tell. But since the open source stock Android apps aren't > written to the SDK (and, generally, predate the SDK), I'll be fairly > surprised if Gmail is written to the SDK. > > -- > Mark Murphy (a Commons > Guy)http://commonsware.com|http://twitter.com/commonsguy > > Android App Developer Books:http://commonsware.com/books > > -- > You received this message because you are subscribed to the Google Groups > "Android Discuss" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group > athttp://groups.google.com/group/android-discuss?hl=en. -- You received this message because you are subscribed to the Google Groups "Android Discuss" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-discuss?hl=en.
