MADISON, Wis. – The electronics industry is acutely aware of the growing fragmentation of Android devices. But what about a forked form of Android OS that appears to be proliferating in China?
On one hand, this shows the ingenuity of Chinese smartphone vendors. They’ve grown more aggressive in creating their own variations on the open-source Android OS. On the other hand, security experts are concerned about safety and security for corporate data as the BYOD (bring your own device) trend expands among employees working at multi-national corporations.
George Hsu, CTO of PNI Sensor Corp. (Santa Rosa, Calif.), recently told EE Times, “Chinese smartphone vendors used to worry about Google’s dominance on the smartphone operating system. But not so much anymore, as the fragmentation in Android becomes widespread.”
Hsu noted that Chinese smartphone vendors today are much bolder, and more creative, in making their handsets behave in certain ways. For example, rather than waiting for Google to stipulate particular features for always-on applications such as Google Now, Chinese vendors are adding their own hardware, such as sensor hubs, in order to integrate unique context-aware features in new smartphone models.
Forked but incompatible
Meanwhile, there is an unmistakable push in China to develop “a forked but incompatible version” of Android OS. A case in point is the Yun OS from Alibaba Group Holding’s subsidiary AliCloud. Reportedly, Alibaba developed the Yun OS in an effort to drive users to Alibaba’s e-commerce applications and other services.
When Alibaba announced last month a $590 million investment in Meizu, one of China’s smaller smartphone vendors, some Chinese industry experts described Alibaba’s motive as a fight over the OS. They explained that Alibaba is hoping to push Yun OS deeper into mobile.
At this point, it’s not known how many Android smartphones developed and made in China are actually passing Google’s compatibility test suite (CTS) and complying with Google’s compatibility definition document (CDD). Security experts caution that without compliance with Google’s CTS or CDD, devices can be shipped with known security vulnerabilities that Google-certified versions would have prevented.
The issue came into sharp focus when Bluebox, a San Francisco-based security firm funded by Andreessen Horowitz, Tenaya Capital, and Andreas Bechtolsheim, issued a report this month claiming Xiaomi was pre-installing malware on its Mi 4 smartphone.
According to the original Bluebox report, Xiaomi was shipping the Mi 4 with a rooted ROM, and the device came pre-installed with tampered versions of popular benchmarking apps. The report also claimed that Xiaomi’s own identifier app showed that the phone was a legitimate Xiaomi product.
However, Bluebox acknowledged two days later that the initial report was based on a Xiaomi device that was actually counterfeit and “a very good one at that.”
But the fact remains that security experts were duped into treating a counterfeit model as legit and ended up with an erroneous report. This is an interesting story all by itself.
While the incident put Bluebox’s reputation on the line, it also provided the electronics industry with some valuable insights into what’s going on with a growing number of Chinese smartphones.
What did we learn?
Bluebox believes the whole experience validated several issues. Andrew Blaich, lead security analyst at Bluebox, told EE Times, “First, we can’t trust the device we’re using.” Despite its security expertise, it was not easy for Bluebox to confirm the authenticity of both hardware and software.
Blaich added, “Second, we now know even if it were a legitimate hardware, software could have been easily swapped out.” In other words, whether or not the device was counterfeit, “the fact remains that consumers are buying devices that have compromised ROMs (either in legitimate or counterfeit hardware) that put their data at risk.”
To be clear, Xiaomi takes pride in using what it calls the MIUI operating system on top of Android. The Chinese company sees this as part of the reason why its devices are popular. Bluebox, however, had initially assumed MIUI was “a forked (not certified) form of Android and does not contain Google services.”
Later, Blaich acknowledged Bluebox’s mistake and said that after consulting with Xiaomi’s security team, Bluebox learned that Xiaomi “goes out of its way” to “follow all of the Android best practices.”
To read the rest of this article, visit EBN sister site EETimes.