Replicant is a good idea but...

Added by Enzyme - about 6 years ago

I'm curious, have you folks heard that security researchers believe Android is especially vulnerable to malware due to its being based on Java?
I believe they were claiming that quite a lot of the free apps on Google Play contain exploits too, thanks to Google's failure to analyze submitted apps.
However my question is, why attempt to replicate the Java/Dalvik aspects of Android at all?
Making Replicant a carbon copy of Android (but free) is like saying, "We like hamburgers, therefore let's copy McDonald's hamburger, making sure to include the pink slime, soy filler, bug parts, cow feces and especially the meat originating from 1000 cows."
I'm saying, why not just do Replicant right and leave out the gunk?


Replies (14)

RE: Replicant is a good idea but... - Added by Linus Drumbler about 6 years ago

I am not a developer of Replicant, but I hope my opinions on this may be considered.

Replicant does not use the Play Store. It comes pre-installed with F-Droid, an "app store" that offers only free and open-source apps. The advantage of such software is that anyone can look at the source code. If you believe an app may be spying on you, simply analyze the code to see whether it is. The point of the Replicant project is to create a phone without proprietary software, so if you don't want malware on your device, don't install anything proprietary on it.

Replicant already removes much of the "junk" that comes with Android: Google's key-logging in the search bar, the proprietary Google apps such as Chrome and Gmail, the lack of root access to one's own device...

So what "junk", exactly, remains? How would you propose we create a device without proprietary software — rewrite the entire system from scratch (which is well beyond the grasp of the two developers this project has), or use a large existing codebase that works perfectly and remove the proprietary parts?

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

@Linus Drumbler

I'd be willing to spend time coding replacement parts. As far as I'm concerned any phone that uses closed-source might as well be on loan from the NSA. And since we now know that government agencies other than them are producing and deploying malware with the intention of subverting phones, an insecure technology like Java is just as bad as closed-source.

As I understand it, Java is used to implement Android's daemons and most of the application framework for Android. I propose doing away with Java/Dalvik entirely and writing new parts in C++, Objective-C, or plain C.

Java is an ongoing security risk that will never be secure. Security experts discourage the use of it.

If a thing is freedom-supporting but risky it is not much better than something that is not free. BTW I said "gunk" not junk :)

RE: Replicant is a good idea but... - Added by Rodger Fox about 6 years ago

Enzyme -

First, I think you misunderstood Linus's reply. He was not suggesting using a system without proprietary software, but asking which way to create the device is better.
Dalvik is not proprietary.

Anyway, security is one of the main reasons to use free software, so if you know something specifically wrong with Dalvik let us know.
Please be more specific with your security concerns or at least cite the "security experts" who discourage using it, particularly Dalvik. My guess is you are conflating popular criticisms of Oracle's record for handling security concerns and patches for its JVM with the quality and security of the totally separate Dalvik JVM, which I don't know to have even had its sandbox broken in any version.
Frankly, if you're not more specific, no one can tell if you know something we don't or if you are just forwarding rumors, paranoia, or disinformation.

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

@Rodger Fox

First, search the web for articles about Android malware and you will find many articles and alarming reports. Having recognized the general problem, then consider whether it is wise to simply decide that none of the malware problems of Android arise from vulnerabilities in Dalvik specifically, or JIT compilation, or the design of any part of Android that is coded in Java that would be replicated in Replicant. Waiting for someone to offer up a list of specific vulnerabilities is just a form of denial, sort of like a chain smoker waiting for a 10 year health study to complete showing a health risk before she stops smoking.

In fact I can take that analogy one step farther: just as you're free to risk your own health by smoking (your choice) so long as you don't put my health at risk with secondhand smoke, so you should be able to put your data at risk by using malware-attracting software as long as I don't have to have mine at risk too because of your choice. I don't want to be exposed to your secondhand Java. Therefore any Java used in Replicant should be entirely optional.

RE: Replicant is a good idea but... - Added by Rodger Fox about 6 years ago

I have read about some Android malware, however all of it that I have come across depends on the user installing untrustworthy software and giving it permissions under their own control. In fact, that's part of the point of Dalvik, protecting those permissions from apps you don't trust. And, as I said, I never heard of it breaking until a user gives a suspect app too many permissions. I agree that giving permissions to proprietary software is risky, but you are claiming that Dalvik itself is a risk.

Why? Why not the kernel? Why not the roof over your head right now? You had better get out of there; otherwise it would be like if you hadn't quit smoking back before people knew it caused health problems. Why wait for information or reasons when you can be scared now?

Can you cite information about some malware that takes advantage of Dalvik or any part of Android in a way besides a user's installation of affected software?
Otherwise, it's not alarming because it's not news. It's just one of the reasons Replicant and other Free Software is needed.

If you're trying to be helpful, cite sources instead of asking me to go on a wild goose chase across the internet trying to figure out why you're scared of Java.

RE: Replicant is a good idea but... - Added by Paul Kocialkowski about 6 years ago

I agree with Linus' point: if you don't use proprietary software, there is no reason to be worried about malware. It is obvious that any proprietary software is insecure per se; there is no doubt about that.

I understand that your point is that the Android Java architecture makes it easier for malware to escalate privileges. However, I strongly believe that the security design that dozens of Android developers came up with when creating all this is much more solid and reliable than whatever you'll be able to come up with.

I think that the security mechanisms in Android were carefully thought out (one user per application, strict separation of resources and access, SELinux) by competent people, and while it's obviously not perfect, there are many security researchers and a strong community working on patching the holes in it. That is without mentioning the fact that rewriting the whole Java codebase of Android will take ages and break compatibility with all of the existing applications (oh, but wait, the applications themselves are Java too, so they would have to be rewritten as well). In the end, what you're suggesting is to completely rewrite what makes Android, well, Android. And that is with no guarantee that what you come up with is actually technically better for security.

You may want to look at Ubuntu Touch or Firefox OS, which will likely be closer to what you're looking for. In any case, we are certainly not going to drop the Java codebase of Android because it is supposedly weaker because of Java (I'm not even sure that makes any sense at all; it's probably what they created upon Java that has holes in it, not Java per se). Every system has security issues at some point or another and starting from scratch every time is not a good solution. Rather, people should (and do) work on fixing the vulnerabilities. And these vulnerabilities are of course only a problem with proprietary software running; that goes without saying.

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

@Paul

"And these vulnerabilities are of course only a problem with proprietary software running; that goes without saying."

That's an interesting claim. FLOSS has had vulnerabilities just as much as closed source. Open-source code has had vulns that have persisted for years, e.g. because no one noticed that a char was used where an unsigned char was needed.

There are some differences that I see between FLOSS and closed-source:

0. Consumers dislike that closed-source purveyors limit their freedoms, but this doesn't logically imply that closed-source code has more bugs or that purveyors are less willing to fix bugs because they are closed-source. Corporate mismanagement and production schedules are the actual cause of big companies putting out buggy software, it seems to me, and this is true whether their code is closed-source or open.

1. In theory, because FLOSS projects are open, more eyes are examining the code. This isn't a proven thing, however. It's just a claim. Some FLOSS code is written in an unreadable way, e.g. with cryptic naming and without comments, which discourages code reviews. This is why some bugs have persisted in FLOSS code for a long time.

2. But anyway, Replicant has very limited human resources to deploy toward code reviews, so how can you promise that security flaws will be found and dealt with? Maybe flaws in the kernel are being searched for and worked on, but what about those in Replicant's code? It seems wiser, given limited human capital, not to put out a "me too" product but to design the most secure solution possible.

3. FLOSS has a somewhat greater potential for becoming bloated than closed-source. The reason is that every eager person wants to contribute to FLOSS and people tend to throw things in and make trivial changes that lead to bugs, which may be why Linus Torvalds was recently complaining about his workload being too much. The continual changing of software for arbitrary reasons (not to fix security flaws) is a major cause of security flaws. Complexity is inversely proportional to security.

As for the issue of rewriting code to avoid use of Java, you have to have priorities. If the design of Android is going to be a source of security concerns then you have to choose a different design. Don't waste hours/days/weeks working on replicating someone else's mistakes.

RE: Replicant is a good idea but... - Added by Paul Kocialkowski about 6 years ago

That's an interesting claim. FLOSS has had vulnerabilities just as much as closed source. Open-source code has had vulns that have persisted for years, e.g. because no one noticed that a char was used where an unsigned char was needed.

What you are talking about is "malware" and privilege escalation, which are only an issue when the applications are proprietary, as far as the Java part is concerned. If the applications are free software, then the chance that the application is doing nasty stuff is trivial and it can be fixed anyway.
Other vulnerabilities such as the ones that involved remote control are separate things that have nothing to do with Java being used in Android.

In theory, because FLOSS projects are open, more eyes are examining the code. This isn't a proven thing, however, and it's just a claim without evidence. Some FLOSS is written in an unreadable way, e.g. with cryptic naming and without comments, which discourages code reviews.

This is clearly not the case here. Android is being reviewed by a large community and experts.

But anyway, Replicant has very limited human resources to deploy toward code reviews, so how can you promise that security flaws will be found and dealt with? Maybe flaws in the kernel are being searched for and worked on, but what about those in Replicant's code?

There are many security researchers and a large community working on Android, so that's how I think that security flaws are likely to be found.

As for your point 2, it seems like experience proves you wrong. And in any case, there is no other way to do security than free software; otherwise it simply cannot be secure.

As for the issue of rewriting code to avoid use of Java, you have to have priorities. If the design of Android is going to be a source of security concerns then you have to choose a different design.

My point is that in practical terms, I doubt you'll end up doing anything better: the task is so huge that you'll probably give up before it is anywhere near usable, but even for the sake of the argument, let's say that you succeed at completely writing something new in a way that outsmarts every tech engineer working on Android's security. Then how can you actually tell that what you did is better security-wise just because you used a language that is not Java? Isn't the expertise of dozens of security experts and a wide community more trustworthy? If you can convince the whole community that there is a need for what you are suggesting, then it may succeed, but it will probably be a colossal waste of time as you can work on fixing the individual issues since any system comes with security holes anyway, at some point or another.

Don't waste hours working on replicating someone else's mistakes.

We are spending time reverse engineering proprietary software that is crucial to make the device's hardware work. That seems a whole lot more important than starting a new system from scratch because Java is supposedly weaker than other languages. I think that's how you can achieve real security, and I would call what you are suggesting wasting hours.

I don't think what you are suggesting is actually serious and could be done in practice. This has every chance to fail. What you'd need to do is to talk with the persons who are actively working on Android's security and convince them that this is somehow the only way to achieve security (which I think it is not).

RE: Replicant is a good idea but... - Added by Linus Drumbler about 6 years ago

Regarding security, I should mention there is an excellent app available from F-Droid called AppLocker. It can password-protect any app on your phone. I have protected the following sensitive system applications: F-Droid, the package installer, Settings, Dev Tools, SuperUser, Terminal Emulator, the root file manager, and finally AppLocker itself. This makes your device equivalent to a GNU/Linux computer, where a root password is needed to perform sensitive tasks.

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

Paul Kocialkowski wrote:

There are many security researchers and a large community working on Android, so that's how I think that security flaws are likely to be found.

I'm not an expert on Android, so perhaps you can tell me: In your opinion why is there an epidemic of malware on Android, other than Android being a more interesting target for malware writers? What is the technical reason for so much malware in your view?

My point is that in practical terms, I doubt you'll end up doing anything better: the task is so huge that you'll probably give up before it is anywhere near usable, but even for the sake of the argument, let's say that you succeed at completely writing something new in a way that outsmarts every tech engineer working on Android's security.

It's not a question of outsmarting, but keeping software simple. More complexity means more security risk.

We are spending time reverse engineering proprietary software that is crucial to make the device's hardware work.

I applaud the effort to write FLOSS drivers. But there is more in Android that is closed-source than drivers. I would be curious to learn how much code you are going to have to rewrite. Could you give a list of parts that need replacing?

RE: Replicant is a good idea but... - Added by Paul Kocialkowski about 6 years ago

I'm not an expert on Android, so perhaps you can tell me: In your opinion why is there an epidemic of malware on Android, other than Android being a more interesting target for malware writers? What is the technical reason for so much malware in your view?

What you are suggesting is that the great amount of malware is proof that Android is flawed and no good. While this may be true, I think that we still end up in a better situation letting experts patch the issues one by one rather than attempting to write everything from scratch.

It's not a question of outsmarting, but keeping software simple. More complexity means more security risk.

I don't see how this has any relevance in concrete terms. The software you are going to write will be huge and complex; there is no way around it. Again, I don't really see what you are concretely referring to when saying that Java is bad in itself. I know there have been issues with the Masterkey and zip implementation, but AFAIK this wasn't because of Java. Please direct me to more concrete evidence for your claims (and I don't mean that you tell me what to type in Google to find it). It seems to me like you are suggesting we should drop all the work that has been done on Android based on a vague feeling coming from the fact that you heard Java is not secure. This cannot be taken seriously if you don't give your arguments validity with precise statements and links to detailed reviews exposing the issue.

I applaud the effort to write FLOSS drivers. But there is more in Android that is closed-source than drivers.

Are you really sure about that? I think I'm really aware of what's going on there and I can tell that the only proprietary parts that are really required to run Android on devices are the hardware-related blobs (that you may want to call drivers).

I would be curious to learn how much code you are going to have to rewrite. Could you give a list of parts that need replacing?

You seem to be under the impression that Android is actually proprietary software. AOSP, which is the full Android codebase minus the blobs that are required to make it run on devices, is fully free, with the exception of the Broadcom Wi-Fi firmware (and a few other minor firmwares that are redistributable and part of AOSP's repos). There is no big part of the framework to rewrite and we haven't spent a single second doing that when working on Replicant. And by the way, our system actually runs, and it has for a couple of years now, so we are not "going to have to rewrite"; we started the work about 3 years ago and already have some pretty decent results.

I don't mean to seem offensive here, but you may need to get your facts straight before coming out with such headlines.

RE: Replicant is a good idea but... - Added by Rodger Fox about 6 years ago

This Enzyme character is obviously a troll.

Enzyme wrote:

I applaud the effort to write FLOSS drivers. But there is more in Android that is closed-source than drivers. I would be curious to learn how much code you are going to have to rewrite. Could you give a list of parts that need replacing?

This is my favorite part. He makes an obviously false claim and then asks you to prove it.

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

Paul Kocialkowski wrote:

Please direct me to more concrete evidence for your claims

OK, let me look more into it. It would benefit me to learn more anyway.

You seem to be under the impression that Android is actually proprietary software.

Not quite. I know much of it is open. But some of it is closed source, e.g. some drivers. I was under the impression that other parts were closed, too. Not so? OK.

But to be clear, your typical Android phone may have software that was based on FLOSS; however, what ends up on the phone may be something different depending on what the manufacturer thought they could get away with, e.g. Motorola's uploading of user passwords to a server.

Without the code being FLOSS and compiled by the owner of the phone, one doesn't really know for sure that it is derived from FLOSS source code. This is why an effort like CM or Replicant is important.

I don't mean to seem offensive here

Don't worry, I'm not offended at all. Nobody knows everything. The point of discussing this for me is that all parties can hopefully learn something and question their assumptions.

RE: Replicant is a good idea but... - Added by Enzyme - about 6 years ago

I would add that IMHO if the goal is to produce a new variant of Android that respects software freedom, then merely copying large parts of Android from Google does not accomplish that in a big way. Granted, making the non-free parts free is laudable, but blind imitation is not freedom, it's subservience.
