Hi Dianne, I am just wondering, in a scenario if a user does not have a data plan but uses a public wifi to install an application from market. After which he/she will disconnect from the wifi connection. But the installed apllication may be a malicious application that could send out SMS of private data (contacts,sms messages) to a third party or even make long distance calls. For these functions, there is no need for a data plan, as long as the user is using any pre-paid or post- paid SIM, he/she is compromised.
This is also related to my previous post on how Google can remotely remove application if a user is not connected to wifi or have a data plan. Similarly how does Google push down updates if user is not connected to wifi or have a data plan? Regards, Perumal On Aug 11, 10:19 am, Dianne Hackborn <[email protected]> wrote: > Updates don't need to be done OTA. That is however the preferred way, since > you are going to update a much greater % of the devices by pushing the > update to them rather than relying on the user to know about the update and > deliberately get it and install it. > > Currently the Android CDD requires some kind of data connectivity for the > device. People can build Android devices without data connectivity (Android > is open source they can do whatever they want with it), but this will not be > a compatible device as per the CDD and thus not able to have Market and > outside the purview of what we can consider. > > Also... being concerned about security vulnerabilities for a device that > doesn't have data connectivity... doesn't that seem a bit pointless? If > you don't have data, you don't have web browsing nor ability to use Market > to install apps, so... what do you need to be secure from? > > > > > > On Tue, Aug 10, 2010 at 6:09 PM, perumal316 <[email protected]> wrote: > > Hi All, > > > Thanks for the inputs. Currently all the updates are done Over The Air > > (OTA). Is it the only way to do updates or patch a vulnerability? What > > if the user does not have a data plan? > > > Regards, > > Perumal > > > On Aug 11, 6:13 am, Dianne Hackborn <[email protected]> wrote: > > > This has nothing to do with special UI candy coating, and with the > > > manufacturer maintaining the build for their devices and being > > responsible > > > for maintaining them, including QA of any updates. This will not change. > > > > On Tue, Aug 10, 2010 at 2:03 PM, Duane Blanchard <[email protected] > > >wrote: > > > > > It still seems that each hardware manufacturer has to confirm that the > > > > new update won't mess up their specialized UI candy coating, and that > > > > if this is the case, that Android is still splintered, though > > > > artificially so. Truly, other *nix platforms face similar issues, e.g. > > > > KDE, GNOME, and others could be negatively impacted by some > > > > update/change to the Linux kernel, but the onus to resolve any impact > > > > probably falls only on the desktop environment community, not on the > > > > Linux kernel community. Granted, if the kernel update contains a bug, > > > > that falls on the kernel devs, but I think it is clear what I'm saying > > > > here. > > > > > We have some flexibility with Android due to the Android Open Source > > > > Project making the code, and many tools available to everyone, and due > > > > to key players in the community being able to build distributions for > > > > a variety of devices, with and without MotoBlur and HTC Sense. Those > > > > willing/able to root their devices have the choice to install just > > > > Android, or Android plus a UI add-on. However, there is still an > > > > artificial barrier to fresh updates for most users because only their > > > > carrier can push updates to their devices, and users cannot pull > > > > updates directly from the Open Handset Alliance. > > > > > The terms of the Apache license allow for all this, but I wonder > > > > whether the current model of carriers pushing updates to devices will > > > > be sustained, or whether there will come a point at which people > > > > expect updates to come directly from the OHA (or from Google, since > > > > many people seem to think Google is the sole party behind all of > > > > Android). > > > > > D > > > > > On Tue, Aug 10, 2010 at 12:41 PM, Dianne Hackborn <[email protected] > > > > > wrote: > > > > > A system update *is* a patch. It may be small (fix one vulnerability > > in > > > > web > > > > > kit) or large (update everything to Android 2.2). > > > > > > On Tue, Aug 10, 2010 at 12:23 AM, perumal316 <[email protected]> > > > > wrote: > > > > > >> Hi All, > > > > > >> I am just wondering how does Android do patching? For example how do > > > > >> they push down software patches to solve security vulnerabilities > > etc? > > > > >> Or it is only system upgrade. Like from 2.1 to 2.1 update 1 to 2.2. > > So > > > > >> is there is no patches pushed down in the interim period. > > > > > >> Thanks In Advance, > > > > >> Perumal > > > > > >> -- > > > > >> You received this message because you are subscribed to the Google > > > > Groups > > > > >> "Android Security Discussions" group. > > > > >> To post to this group, send email to > > > > >> [email protected]. > > > > >> To unsubscribe from this group, send email to > > > > >> [email protected]<android-security-discuss%[email protected]> > > <android-security-discuss%[email protected]<uss%252bunsubscri�[email protected]> > > > > > . > > > > >> For more options, visit this group at > > > > >>http://groups.google.com/group/android-security-discuss?hl=en. > > > > > > -- > > > > > Dianne Hackborn > > > > > Android framework engineer > > > > > [email protected] > > > > > > Note: please don't send private questions to me, as I don't have time > > to > > > > > provide private support, and so won't reply to such e-mails. All > > such > > > > > questions should be posted on public forums, where I and others can > > see > > > > and > > > > > answer them. > > > > > > -- > > > > > You received this message because you are subscribed to the Google > > Groups > > > > > "Android Security Discussions" group. > > > > > To post to this group, send email to > > > > > [email protected]. > > > > > To unsubscribe from this group, send email to > > > > > [email protected]<android-security-discuss%[email protected]> > > <android-security-discuss%[email protected]<uss%252bunsubscri�[email protected]> > > > > > . > > > > > For more options, visit this group at > > > > >http://groups.google.com/group/android-security-discuss?hl=en. > > > > > -- > > > > You received this message because you are subscribed to the Google > > Groups > > > > "Android Security Discussions" group. > > > > To post to this group, send email to > > > > [email protected]. > > > > To unsubscribe from this group, send email to > > > > [email protected]<android-security-discuss%[email protected]> > > <android-security-discuss%[email protected]<uss%252bunsubscri�[email protected]> > > > > > . > > > > For more options, visit this group at > > > >http://groups.google.com/group/android-security-discuss?hl=en. > > > > -- > > > Dianne Hackborn > > > Android framework engineer > > > [email protected] > > > > Note: please don't send private questions to me, as I don't have time to > > > provide private support, and so won't reply to such e-mails. All such > > > questions should be posted on public forums, where I and others can see > > and > > > answer them.- Hide quoted text - > > > > - Show quoted text - > > > -- > > You received this message because you are subscribed to the Google Groups > > "Android Security Discussions" group. > > To post to this group, send email to > > [email protected]. > > To unsubscribe from this group, send email to > > [email protected]<android-security-discuss%[email protected]> > > . > > For more options, visit this group at > >http://groups.google.com/group/android-security-discuss?hl=en. > > -- > Dianne Hackborn > Android framework engineer > [email protected] > > Note: please don't send private questions to me, as I don't have time to > provide private support, and so won't reply to such e-mails. All such > questions should be posted on public forums, where I and others can see and > answer them.- Hide quoted text - > > - Show quoted text - -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
