In China, Android might speak with forked tongue
On one hand, this shows the ingenuity of Chinese smartphone vendors. They’ve grown more aggressive in creating their own variations on the open-source Android OS. On the other hand, security experts are concerned about safety and security for corporate data as the BYOD (bring your own device) trend expands among employees working at multi-national corporations.
George Hsu, CTO of PNI Sensor Corp. (Santa Rosa, Calif.), recently told EE Times, “Chinese smartphone vendors used to worry about Google’s dominance on the smartphone operating system. But not so much anymore, as the fragmentation in Android becomes widespread.”
Hsu noted that Chinese smartphone vendors today are much bolder, and more creative, in making their handsets behave certain ways. For example, rather than waiting for Google to stipulate particular features for always-on applications such as Google Now, Chinese vendors are adding their own hardware, such as sensor hubs, in order to integrate unique context-aware features in new smartphone models.
Forked but incompatible
Meanwhile, there is an unmistakable push in China to develop “a forked but incompatible version” of Android OS. A case in point is the Yun OS from Alibaba Group Holding’s subsidiary AliCloud. Reportedly, Alibaba developed the Yun OS in an effort to drive users to Alibaba’s e-commerce applications and other services.
When Alibaba announced last month a $590 million investment in Meizu, one of China’s smaller smartphone vendors, some Chinese industry experts described Alibaba’s motive as a fight over the OS. They explained that Alibaba is hoping to push Yun OS deeper into mobile.
At this point, it’s not known how many Android smartphones developed and made in China are actually passing Google’s compatibility test suite (CTS) and complying with Google’s compatibility definition document (CDD). Security experts caution that without compliance with Google’s CTS or CDD, devices can be shipped with known security vulnerabilities (which are prevented in Google-certified versions).
The issue came into sharp focus when Bluebox, a San Francisco-based security firm funded by Andreessen Horowitz, Tenaya Capital, and Andreas Bechtolsheim, issued a report this month claiming Xiaomi was pre-installing malware on its Mi 4 smartphone.
According to the original Bluebox report, Xiaomi was shipping the Mi 4 with a rooted ROM and with tampered versions of popular benchmarking apps pre-installed. It also claimed that Xiaomi’s own identifier app showed that the phone was a legitimate Xiaomi product.
However, Bluebox acknowledged two days later that the initial report was based on a Xiaomi device that was actually counterfeit and “a very good one at that.”
But the fact remains that security experts were duped into treating a counterfeit model as legit and ended up with an erroneous report. This is an interesting story all by itself.
While the incident put Bluebox’s reputation on the line, it also provided the electronics industry with some valuable insights into what’s going on with a growing number of Chinese smartphones.
What did we learn?
Bluebox believes the whole experience validated several issues. Andrew Blaich, lead security analyst at Bluebox, told EE Times, “First, we can’t trust the device we’re using.” Despite its security expertise, it was not easy for Bluebox to confirm the authenticity of both hardware and software.
Blaich added, “Second, we now know even if it were a legitimate hardware, software could have been easily swapped out.” In other words, whether or not the device was counterfeit, “the fact remains that consumers are buying devices that have compromised ROMs (either in legitimate or counterfeit hardware) that put their data at risk.”
To be clear, Xiaomi takes pride in using what it calls an MIUI operating system on top of Android. The Chinese company sees this as a part of the reason why its devices are popular. Bluebox, however, had initially assumed MIUI was “a forked (not certified) form of Android and does not contain Google services.”
Later, Blaich acknowledged the mistake and said that after consulting with Xiaomi’s security team, Bluebox learned that Xiaomi “goes out of its way” to “follow all of the Android best practices.”
Xiaomi publicly responded to Bluebox’ initial report by stating:
“MIUI is true Android, which means MIUI follows exactly Android CDD, Google’s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.”
How to confirm authenticity
As Bluebox noted, the amount of effort required to confirm the authenticity of the Xiaomi device that the security firm used for testing “goes way beyond what a normal consumer can be expected to do to be assured their purchase is genuine.”
It turns out the version of the MIUI ROM loaded on this device has been modified to bypass authentication checks for the AntiFake app. As Bluebox Labs discovered in its original findings, “there is a hidden directory on the SD card called .apk. It is within this hidden directory that some APKs are sitting like CPU-Z and also a version of the AntiFake app.”
If a user tries to install an app on a phone that corresponds to one of these packages, the app on the SD card replaces the real app the user attempts to install. This is one method the ROM uses to bypass verification, according to Blaich.
Can your phone do Google Play?
Asked about the penetration of “forked” Android OS used in Chinese smartphones, Blaich said Bluebox has no hard data. His investigation was neither paid for by Google nor designed to target Chinese smartphones for policing functions.
It’s entirely possible that Chinese handset vendors, in hopes of building their own ecosystems, develop “drop-in services” that connect their branded phones to their own cloud services and app stores, explained Blaich.
Most Chinese smartphone vendors selling devices in China find no compelling reasons to follow Android CDD and CTS, because Google services are banned in China. Bluebox believes very few of those devices run a Google-certified version of Android.
Still, if those phones are used by Chinese consumers to whom Google services are not available, why worry about the lack of Google certification on Android phones in China?
For Bluebox, whose business is keeping enterprise data as secure as possible on mobile devices, Blaich said, “We need to be on top of the latest Android devices.” As the BYOD trend gets hotter in corporations, he stressed, “Employees working at a multinational company could easily use these phones and end up having the corporate data leaked.”
“You’re putting your personal, as well as corporate data, at risk (if used as a BYOD) by using such devices,” he warned.
Adding your own sensors
Bluebox’ Blaich agrees with PNI’s Hsu. As “drop-in services” get popular, “There are compelling cases where Chinese handset vendors find it advantageous to add their own hardware, modify the Android OS, and create their own support and services for such sensor data.”
Hsu observed, “Some Chinese handset vendors are becoming less dependent on Google, by specifying to us, ‘we want our phone to behave this way.’” Regardless of whether it’s a part of an applications processor or a standalone chip, the sensor hub is viewed as “a customizable area” where Chinese smartphone vendors can create differentiated apps and services to grow the customer base, he explained.
As the biggest trend among smartphones in the next few years is shaping up to be the “always-on handset with context awareness,” they find a “green pasture” in the sensor hub for getting more innovative, Hsu said.
— Junko Yoshida, Chief International Correspondent, EE Times