Android’s security model and Wikipedia
January 29th, 2009 | by elisabeth | Published in Future of the Internet | 8 Comments
—By Elisabeth Oppenheimer
There’s been some recent discussion about a “rogue” Android app, MemoryUp, which was supposed to manage memory on the G1 phone, preserving battery life and allowing apps to run more smoothly. Apps are posted in the Android Market with user reviews, and many of the reviews for MemoryUp complained that it froze the phone, erased data, or corrupted the memory. The app’s maker, eMobiStudio, vigorously denies that the app did or even could have caused these problems.
ReadWriteWeb floats the theory that people holding a “grudge” against eMobiStudio faked the bad reports just to damage the company. Apparently the company disguised too much advertising as forum posting, and other members of the Android community weren’t pleased by what they saw as spam. And the app didn’t seem to be useful enough to rally users to defend it.
Now the app is off the market, but we don’t know who took it down. (We also don’t know whether it was taken off phones that installed it, but I haven’t seen any reports of a kill switch being used.) A Google spokesperson said that Google had investigated the app and determined that it couldn’t cause the kind of problems it was reported to cause. But the spokesperson “declined to comment” about who had removed it from the Market. This situation leads to several thoughts:
First, if Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.
Second, if—and it’s a big if—Google was willing to pull the app just based on unsubstantiated (and possibly faked) customer complaints, that’s a pretty abuse-prone system. It is also, as ReadWriteWeb points out, shortsighted on the part of people who fake claims: outcries about Android security flaws will drive people away from the OS and hurt everyone.
On the other hand, if Google plans to maintain any sort of control over apps with security problems—whether at the Market stage, or by pulling them off phones—they’ll have to listen to customer complaints to a certain extent. Google tested this app, but I don’t think they really want to be in the business of extensively testing apps for security breaches; the point of open-source is to outsource that function to users. But the implication that developers might use that power against each other is disturbing, and if true, Google (and anyone who wants to see Android succeed) will have to figure out what balance to strike.
The book is about dilemmas like these. Android is designed to be generative: it’s just a platform, and it can’t become brilliant until users innovate for it. Contribution costs are purposefully kept low, with a freely-distributed SDK and multiple distribution outlets. But profitable systems invite malware creation, and so people have been worried about Android security since it was first released—how can we let people enjoy and experiment with all this code without damaging phones they depend on? Will we have to trade (some) generativity for (some) security, as Apple has done with the iPhone? In the book, Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.) Yet, the story of MemoryUp illustrates that user ratings alone may not be enough, if some users want to manipulate the system.
This problem is a little bit similar to the problem Wikipedia faces—how to keep the malicious few from subverting the work of the benevolent many—but with a different commercial motivation, and perhaps more panic on the part of those who fear their phones will be compromised. In Wikipedia-land, there’s a core of people deeply committed to making the model work—a group of good Wikipedia citizens who supplement the more ad hoc work of the larger group. And there are some primitive, but transparent, hierarchical controls. As Google tinkers with Android’s security design, it may find it can best encourage generativity by moving from a purely open, egalitarian model to something more nuanced, like the Wikipedia model.


January 29th, 2009 at 4:55 pm (#)
This is a good read, but you get one thing exactly wrong…
It isn’t that a core community of Wikipedians “supplements” the work of a larger ad-hoc group. Ad-hoc, anonymous contributions supplement the work of the core community of dedicated editors. This is verified by both internal statistical studies and third party work by organizations such as PARC’s Augmented Social Cognition research group.
January 31st, 2009 at 4:18 pm (#)
I might have found something interesting on your page but black type on a dark blue background is unreadable. Have you ever tried to read it yourself? This is the kind of design flaw one expects to find only in homemade amateur websites.
January 31st, 2009 at 4:50 pm (#)
I’m a fan of the book, and I saw Prof. Zittrain speak at last year’s PdF.
I’m also fairly heavily involved with Android. While I agree with much of your post, I wanted to clarify some things:
“If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store”
There’s still the fundamental difference that the iPhone App Store is a focused monopoly: it is the *only* way to get apps on an iPhone. You mention “alternative distribution methods” parenthetically later in the paragraph, but it’s really central to Android’s openness. What happens in the Android Market has some impact on a publisher, but it is not the death-knell that being kicked out of the App Store is.
“But Android users ought to know who pulled the app, and why.”
I wouldn’t quibble if this information were made available, but it’s unclear why you feel it’s a consumer right. If your local grocer switches suppliers of eggs, or discontinues selling some breakfast cereal, there is usually no notice to you that such a lineup change has been made and why. If your local shoe store stops carrying Timberland shoes, they probably won’t put up a poster explaining why. If your local computer store stops shelving TaxACT, they do not owe you a justification for this move. It is unclear why the Android Market would be any different.
Again, it is different with the iPhone App Store due to the monopoly status the App Store holds vis a vis iPhone apps. Apple pulling a product from the App Store removes 100% of distribution (akin to forcing a product off all stores’ shelves, not just a single store).
Now, had you phrased this as more of a “here’s what Google gets by opening up this information”, as you allude to in the second-to-last paragraph, that would have been excellent. As it stands, though, the current phrasing is couched more in terms of a right than “merely” a really good idea, and at least I’m not ready to make that leap just yet.
BTW, a typo: in the second-to-last paragraph, you have “MemberUp” instead of “MemoryUp”.
February 1st, 2009 at 2:54 pm (#)
Let’s assume the App was not designed to harm: we don’t even have to have an opinion about whether the app was actually bugged and harmful — simply that the developers could not identify the problem and resolve it, be it defamation or an unforeseen interaction with another buggy app.
What would have been the developers’ best option? To avoid any buzz: remove the App silently and have no communication around what happened until they can safely offer a better and trustable product. It would be in Google’s interest to explain things clearly, but they might have decided to favor the developer’s reputation.
> the point of open-source is to outsource [testing apps for security breaches] to users
Which explains why the only users of Linux are marginal geeks. ;^)
Seriously, no — and it’s a crucial point: the point of Open source is not to let anyone do the dirty work, because most aren’t able. The point is to let anyone decide he can certify software, based on his expertise, so that the (id10t) user can have choices about who he trusts. Not having certification around Open source is ineffective, and those certifications can be dictatorial if it is the choice of their initiator.
February 8th, 2009 at 5:27 pm (#)
@Steven Walling:
If I understand your comment correctly, you are stating that the “Gang of 500” (actually 524 users, from Jim Wales’s lecture at Stanford) provide the majority of Wikipedia content, while the global community acts as a supplement to that.
Aaron Swartz (www.aaronsw.com) recently conducted research that came to the conclusion that while the core users provided a majority of the edits to Wikipedia, the ad-hoc community provided an overwhelming majority of the content.
Granted, his survey set wasn’t the entirety of Wikipedia, but I believe it was large enough to infer a larger pattern of behavior.
–
If I misunderstood your intent, and we are arguing the same point, then /salute ;)
February 9th, 2009 at 4:26 pm (#)
@Ben
It’s not actually a gang of 500 anymore. Now it’s between one and three thousand. :)
A lot of people trot out Aaron Swartz (likely since he’s one of the first serious hits in a Google search on the topic), but two serious problems are neglected when he is brought up:
1. A little slice of the pie does not show an accurate picture of editing behaviors, because those behaviors vary wildly based on the exact slice you take. Based on subject matter, size of the article, how and/or whether it has ever been peer assessed, or any number of other factors show radically different editing patterns. A Featured Article candidate gets edited in an entirely different way than, say, Zittrain’s bio. To draw a really broad conclusion about who does the editing, you must look at the whole project and average it out.
2. Aaron’s numbers are from 2006. Considering that the community has shown exponential growth and grew by the thousands in just 06-07 alone, his numbers are no longer accurate.
3. Swartz is just one guy. PARC’s stats on who does editing are not only based on much more recent data, but they were compiled by a pretty brilliant team of scientists.
February 16th, 2009 at 10:54 am (#)
[...] brand-new Open Source operating system for mobile devices. And already a first controversy may be taking shape on the horizon for [...]
March 22nd, 2009 at 10:47 pm (#)
[...] Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain’s "Future of the Internet" blog, writes: [...]