Thursday, February 07, 2008

Android "complete mis-understanding of the handset market"

http://tech.groups.yahoo.com/group/momolondon/message/3874

[ From a posting by David Hearn on the Mobile Monday London mailing list ]

What I saw from the Android developer event was, certainly from the UK market point of view, a complete mis-understanding of the handset market. In the UK, the vast majority of handsets are supplied and subsidised by the network, customised (and often mangled) to suit their requirements - particularly with security and features. Anyone remember Vodafone stopping MP3s being used as ringtones (so only the DRM'd expensive ringtones could be used) on handsets which, if bought sim-free, could do it out the box?

Orange with their smart phones, at the start, locked everything down so almost no applications could be installed. They've now gone down the model of opening it up a bit, but you still cannot install a non-trusted/self-issued CA key without Orange having to authorise and sign the key for you and send you an executable to install it. They also don't trust the Microsoft certified global Mobile2Market certificate (issued by Geotrust and Verisign) for privileged execution (this is required for sending SMS, making calls or making a GPRS connection) - you must be an Orange partner to get that access.

Also the much publicised removal of VoIP clients by certain networks, which if bought sim-free would include it.

So, for Android to not have *any* trusted 3rd party security included seems great for the user, but completely ignoring the networks. The only signing they have, is self-signing, which Google admit, is not there for security, but to only allow application providers to group their software together and run under a single user.

It's almost as if they're aiming at the SIM-free, non-operator supplied market.

Too many of the questions asked on the day appeared to be answered with "trust us" and "that's not yet defined yet". Everything seems a bit vague considering handsets are meant to be coming out later this year. My question about malware applications which could claim to be and look like Google apps (or any other software provider out there) was responded with, I think, admittance that nothing stops that, and a dismissal that it isn't a problem. Signing applications with trusted 3rd party keys would at least allow people to be certain that an application does come from who you think. But Google have said that they will not support this.

I cannot imagine that the networks will be comfortable with being unable to lock down the handsets. I understand that Open Handset Alliance members aren't allowed to do this, but I guess others can modify the code to do this, but a network operator isn't going to want to have to extend the OS to that degree. They'll probably go with handsets which support such things out the box.

I think that having open handsets is great for the consumer - you can decide what to put on the device (and what to remove!) - but for businesses using these devices, corporate police may mandate lock down - and networks love to restrict things.

Good luck to them - and as people have said - they've got everything to prove, and if anyone could do it, it would be Google - but I suspect it'll not end up as open as it set out to be.
