
The trouble with Android 'forks': Experts fear security, privacy breaches

The CCI has ordered Google to allow Android forks, but many believe that this may make the software vulnerable to security risks

Sourabh Lele
Last Updated: Jan 22 2023 | 7:23 PM IST
With the Supreme Court denying Google any interim relief from complying with the orders of the Competition Commission of India (CCI), which include allowing devices built on Android “forks”, and apps compatible with them, many are wondering what this will mean for the tech giant.
 
Google has said in a statement that it will cooperate with the CCI on the way forward, in parallel with its appeal. One of its stated concerns is forking and the security threats it says would follow.
 
Forking, in open-source software development, means copying the source code of a software package, an application or even an operating system and developing that copy independently into a distinct piece of software.
 
Google India, in a blog post titled ‘The Heart of the Matter,’ says forking Android could increase risks to security and user safety, including online harm, data theft, cybercrime, bugs and malware. Devices built on incompatible “forks” would fall outside Google’s ability to secure them, the company says, because those versions of the software would not carry the security and user-safety features Google provides.
 
Sivarama Krishnan, partner and leader, cybersecurity, at PwC India, says forked software has limitations when it is exposed to a commercial environment. “If some programmer picks up a large source code and incrementally adds some new use-case to it without checking the entire code quality, it may open a new back door or a security vulnerability. Many times, when someone doesn’t understand the architecture of the software, they end up creating gaps. The moment we start using it commercially, hackers and perpetrators enter the system, and thus misuse and vulnerability identification happens.”
 
Krishnan adds that once forked software is commercialised, it raises the question of who owns the response when a security incident occurs.
 
“There has to be an engine of correction, fixing, updating and patching of the programme. Thus, people argue that forking might be good for the academic environment, but it is bad for the commercial environment. Commercialisation of open-source comes with accountability and responsibility,” he says.
 
Open-source software code is available to the public, free for anyone to use, modify or inspect. Because of that transparency it is often regarded as more secure than proprietary software, although the advantage depends on someone actually reviewing and maintaining the code. Security researchers also warn that the threat landscape keeps changing, with new malware and spyware, more sophisticated phishing and new social engineering techniques, so software that is not actively maintained becomes easier to attack over time.
 
Saurabh Sharma, senior security researcher at the global research and analysis team of cybersecurity solutions firm Kaspersky, says “Performing timely updates of key components to the company’s OT network, applying security fixes and patches, or implementing measures to compensate as soon as it is technically possible, is crucial to preventing a major incident that might cost millions due to disruptions to the production process.”
 
He adds, moreover, that “pretty much every developer uses some third-party libraries. But using somebody else’s code means trusting the developers of that code. Kaspersky does not discourage using open-source products, and we advise staying very alert and careful when relying on them.”
 
The Android ecosystem has two types of forks: compatible and incompatible. Both start from the Android Open Source Project (AOSP), which publishes the source code and documentation needed to build custom variants of the Android operating system. A fork is “compatible” when it meets Google’s Android compatibility requirements, and only compatible devices can license Google’s apps and the Play Store. In practice, this has meant a single Google-centred ecosystem in which handset manufacturers that want the Play Store have to pre-install Google’s apps on their phones.
 
Examples of forks that ship without Google’s services include Amazon’s Fire OS and the Chinese-market versions of ColorOS by OPPO, OriginOS by Vivo and Magic UI by HONOR, each of which runs its own app ecosystem. Google’s binding agreements with manufacturers have so far restricted them from shipping forked versions of Android. Implementation of the CCI order may help such forks scale up.
 
Hemant Adarkar, technology advisor and resident senior fellow at Artha Global, a policy research, consulting and network facilitation organisation, says that the productisation of forked software could be challenging owing to financing models of the open-source developing community.
 
“Open-source software does not have very satisfactory financing models as of now, and therefore, forks can be vulnerable. Developer groups need to have the wherewithal to plug in all the patches to protect the software against various new malware and vulnerabilities,” he says.
 
The ability to provide security checks and regular updates to the software is closely related to the revenue model of the platform, he adds.
 
“A typical product company has a person to look after the product roadmap and the versioning of it. The basic thing is, who holds support and the right checks? In open-source or fork, there is no central control, and the developing group may not have the complete wherewithal related to non-functional requirements like security and performance,” says Adarkar.
 
Google’s blog post says that small developers will be forced to prioritise which of the various incompatible Android “forks” they write and maintain apps for, as their costs will increase with each additional version they support.
 
However, Rohan Verma, the co-founder and chief executive officer of MapmyIndia, which specialises in geospatial software, says forking has historically benefitted software developers.
 
“The base Android is open source, which is a fork of Linux. The APIs (application programming interface) built on top of Android were forked from Java. Android itself is a beneficiary of fork. As an app developer, you use the libraries or APIs of the operating system. So, for developers, it is good to have forks,” Verma explains.

Topics: Google, Android, cybersecurity, privacy, Technology