One year ago, I blogged on Android security. I recently received a comment asking if my impression had changed now that Android actually exists, even on devices.
Well, no. Not at all.
I have browsed through the API again, and I have searched for the word SIM. There aren’t that many instances of it, and most of them illustrate automated uses of the SIM by the operating system (e.g., the SIM can override the default MSISDN string). Actual interactions with the SIM are limited to the android.telephony.gsm package, which is now basically limited to the SmsManager and SmsMessage classes (with an obvious use), and a new GsmCellLocation class, which is just as obvious.
So, as we can expect, nothing has changed, and Google keeps ignoring the SIM. Since then, I have looked at the iPhone API, and it is not any better. The SIM is considered purely as an authentication token for the GSM networks, which controls some network-related information. There are at least two possible reasons for that:
- Technical/naive reason. Android, like the iPhone, has been designed in a place where GSM is far from obvious, and only represents one of the choices for mobile telephony. It is therefore not a great idea to allow applications to use the SIM, because it will then mean that such applications will only be deployable on SIM-equipped phones. Of course, this remark does not hold in Europe, or in fact in most of the world, where SIM cards are present on every mobile phone. In Europe and in other places like South America, even Java Card is present on almost all phones (well, in their SIM cards). Of course, our view of the world is quite different.
- Business/political reason. Android, like the iPhone, has been designed independently of operators by a company with a very strong image. It is not in Google’s interest to allow operators to get control over the phone through the SIM. The interests of Google and operators are quite different, and the only reason that I could see to push Google toward the SIM is the contract that links operators with Google in the countries where Android-based phones are deployed.
So, don’t expect too much from Google about SIM cards. There are nevertheless a few reasons to hope. First, Android is an open source operating system, so we just have to get our act together and write the missing parts. After all, the low layers of the OS must be able to exchange a few APDUs, so we just have to send a few more. Then, with smart card Web servers apparently on the rise, there may soon be a very easy way to access your SIM card from many devices, including Android devices. Once again, this represents a few lines of code, and even Vodafone can write them if they really want.
And anyway, the real problem is: who cares? If SFR brings us the “G2” to France, I am seriously thinking of getting one to replace my old Windows Mobile phone, SIM access or not. The really important thing is for our industry to keep innovating, so that actors like Google feel compelled to allow mobile applications to use SIM-based services.