There is no reason to say "likely"; the article comes out and says that Android was the easy platform:
"Shira Weinberg, the team’s Program Manager, explained that the less strict security model of the Android platform is well suited for deploying early stage technology previews."
I am not a mobile developer, so when I read the statement I was not sure if it was an underhanded slap at Android or a valid assessment of mobile platforms. Can anyone comment?
I think the security thing is BS. It's the ability to run arbitrary background services on Android versus strictly limited background tasks on other platforms that matters here.
_less strict_ does not mean insecure. iOS for example has very strict rules about when apps can run, how long they can run, and the resources they use. Everything is a tradeoff and in general Android leans in the direction of power and freedom.
Rules restricting the range of passwords that may be used in an arbitrary fashion can markedly decrease the search space for an attacker.
A strict rule count by itself is neither good nor bad. Well, arguably, it's bad, as it increases system complexity, side effects, loopholes, and trains users to thwart restrictions. Ideally you want a small number of sane rules (mostly based on role and access), tightly implemented, with strong auditability.
Going back to passwords: the simple check of denying the use of any known password (there are collections of millions now from various site compromises) would be an audit check, not strictly a rule, though it might result in a rule of "known passwords will be denied".
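An added example, not part of the thread: it counts how much of the search space a "must contain every character class" rule leaves, and runs the known-password audit check described above. The class sizes, the case-insensitive match, and the sample lists are assumptions constructed for illustration.

```python
from itertools import combinations

# Assumed character classes (printable ASCII without space); not from the thread.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def unrestricted(length, classes=CLASSES):
    """Number of strings of this length when any character is allowed."""
    return sum(classes.values()) ** length

def require_every_class(length, classes=CLASSES):
    """Strings that contain at least one character from every class.

    Inclusion-exclusion: subtract strings missing one class, add back
    those missing two, and so on.
    """
    alphabet = sum(classes.values())
    sizes = list(classes.values())
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (alphabet - sum(missing)) ** length
    return count

def surviving_fraction(length, classes=CLASSES):
    """Share of the search space left after the composition rule."""
    return require_every_class(length, classes) / unrestricted(length, classes)

def audit_known(candidates, known):
    """Audit check: return the candidates found in a known-password list.

    Matching is case-insensitive here, which is an assumption of this example.
    """
    known_folded = {p.casefold() for p in known}
    return [c for c in candidates if c.casefold() in known_folded]

# Constructed sample data, not taken from any real breach corpus.
KNOWN = {"password", "123456", "qwerty", "letmein"}
CANDIDATES = ["Password", "correct horse battery staple", "qwerty", "Tr0ub4dor&3"]

if __name__ == "__main__":
    for n in (4, 8, 12):
        print(f"length {n}: {surviving_fraction(n):.1%} of strings pass the rule")
    print("denied by audit:", audit_known(CANDIDATES, KNOWN))
```

The shorter the permitted length, the larger the share of strings the composition rule removes from what an attacker has to search.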
It's less a matter of security and more a matter of consistency. MS's/Apple's rules are geared towards ensuring apps don't affect battery consumption too wildly while in the background. Android has no such restriction, and any app you have installed can decrease your battery life significantly even if you do not open it.
The advantage of this, of course, is platform flexibility. The disadvantage is inconsistent app behavior (battery is drained by background apps).
Semantics. The strictness of a security model says little about the security of a security model, especially when comparing different security models. (And not all security is wrapped up in a security model either! I wouldn't trust an Android or iPhone conversation to remain private; fortunately, there's PGP.)
That's assuming the security models being compared are strict about the things that matter.
For instance, I can be very strict about PDFs on your computer: no PDF allowed. If you have addressed the risks posed by other more vulnerable attack vectors, OK, then my rule reduces the uncertainty of less strict but more complicated rules that would address the vulnerabilities of PDF readers. Otherwise, for example if I'm allowing the auto-execution of apps on removable devices, my strict PDF rules don't increase security.
And might even decrease security in practice if people end up working around your strict rules via an even less secure path (e.g. sending around Word documents instead of PDF, perhaps).