Google's Android team extended an olive branch last week when it rolled out a new software development kit and a development road map to application programmers of the much ballyhooed mobile operating system.
Android advocates also omitted two key APIs from the mix for security reasons, but failed to detail what those were Aug. 18.
Well, enquiring developers wanted to know, so Google brought in Google security gurus to explain why the Android team removed GTalkService and Bluetooth API from the 0.9 beta SDK and why they also won't appear in the Android 1.0 SDKs.
The disclosure comes a few months before Google is expected to release the finished Android 1.0 mobile operating system. The first device, the HTC Dream, has been cleared for a Nov. 10 release, just in time for the holidays. Google is banking on Android phones to help it target consumers and mobile workers with search, applications and mobile advertising.
Despite canning two key APIs, the good news is the Android team said it will develop a safe, device-to-device Remote Procedure Call as a replacement for the GTalkService API. Moreover, the team said Version 1.0 of Android and the first Android devices, presumably the HTC Dream, will support Bluetooth wireless technology.
To wit, Google security researcher Rich Cannings said that the GTalkService API, which provides an interface to let users send messages via Google's Talk IM (instant messaging) software, has some fundamental security problems.
Cannings said one of the reasons is that while Google Talk friends can contact each other at any time via IM, seeing each other's e-mail addresses and even real names, Android users won't necessarily want that. Indeed, the lack of anonymity is problematic enough to be a deal breaker for the SDK. Cannings wrote:
""For example, imagine a really cool mobile Massively Multiplayer Online Roleplaying Game using GTalkService. You would have to add all the players to your Google Talk friends list in order to play with them. Next time you log in to Google Talk from your desktop or on the Web, you would notice that you have many new "friends." You may not want to chat with these friends-and perhaps worse, you may not want them to know what your real name or e-mail is.""
I can't quarrel with that, but surely there is a way to make this work? Google's security team would have to mull that one over some more to solve the problem. Unfortunately, the Intents subsystem made this untenable.