Android and anti-piracy

> Google Android evangelist Tim Bray responded to Case’s concerns in a [post](http://android-developers.blogspot.com/2010/08/licensing-server-news.html) on Google’s official Android blog. He says that the sample verification code supplied with the LVL framework wasn’t really intended to be used unmodified. Because it was created to demonstrate how to use the framework, it was deliberately written with an emphasis on simplicity rather than robustness. Bray also contends that the sample applications compromised by Case didn’t use robust code obfuscation, which would have made it considerably more difficult to compromise the software.
>
> “The licensing service provides infrastructure that developers can use to write custom authentication checks for each of their applications. The first release shipped with the simplest, most transparent imaginable sample implementation, which was written to be easy to understand and modify, rather than security-focused,” Bray wrote. “Some developers are using this sample as-is, which makes their applications easier to attack. The attacks we’ve seen so far are also all on applications that have neglected to obfuscate their code, a practice that we strongly recommend. We’ll be publishing detailed instructions for developers on how to do this.”
>
> Bray’s points suggest that LVL offers more effective protection when it is used properly and developers don’t just copy and paste Google’s contrived example validation code, but he also acknowledged that the framework is not mature yet and still has room for improvement.

via [arstechnica.com](http://arstechnica.com/gadgets/news/2010/08/google-cracked-android-anti-piracy-system-used-wrong-by-devs.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss)

Same old story from the Google evangelists: “Nothing is our fault. Everything is your fault.”

This, I believe, is yet another reason why developers are not flocking to Google. And I’m not convinced Google cares.

Essentially, what Google is saying to developers is the same thing it has always said: Everything is your responsibility. If you want security in your apps, build it yourself. We’ll hand you some sample code, but the heavy lifting is up to you. We don’t care if people pirate your intellectual property. As long as they click on ads.

Understand, Tim Bray is a key spokesperson for Google, not some low-level idiot with a Twitter account. And he literally said that the security code for Android “was written to be easy to understand and modify, rather than security-focused.” The security is not security-focused?

And people still take Android seriously?

Whatever you may think about the future of mobile technology, I can assure you that security is going to be THE issue in a couple of years. Hackers are already starting to target all the major mobile platforms; Google is handing them the keys instead of installing new locks.

Apple, in stark contrast, locks down the security of iOS so hard that it often gets criticized for being a complete control freak. And that is probably true, but still. At least as a user, I get the sense that they care a little about me.

I’m not a developer (though I do some work for one), but when given the choice between a security protocol that’s baked into the platform that I essentially get for free (minus a few hassles), and one that I have to create myself from scratch—that’s a pretty easy financial decision.

This notion that Google is going to sell a billion Android phones and then suddenly a market for software will appear is complete craziness. And as I said before, I don’t think Google even cares. They want ads, and ads in apps are proving very ineffective, anyway. What Google really wants is to drive everyone to the browser again, which is clearly not what the users want.

So again, someone remind me how Google is supposed to win this battle in the long run? They are poised to be the least cohesive, most insecure platform with the least appealing apps. And their phones aren’t even cheaper than the competition. So where’s the world domination part come in?