Google’s Android team extended an olive branch last week when it rolled out a new software development kit and a development road map to application programmers of the much ballyhooed mobile operating system.
Android advocates also omitted two key APIs from the mix for security reasons, but failed to detail what those were Aug. 18.
Well, enquiring developers wanted to know, so Google brought in Google security gurus to explain why the Android team removed GTalkService and Bluetooth API from the 0.9 beta SDK and why they also won’t appear in the Android 1.0 SDKs.
The disclosure comes a few months before Google is expected to release the finished Android 1.0 mobile operating system. The first device, the HTC Dream, has been cleared for a Nov. 10 release, just in time for the holidays. Google is banking on Android phones to help it target consumers and mobile workers with search, applications and mobile advertising.
Despite canning two key APIs, the good news is the Android team said it will develop a safe, device-to-device Remote Procedure Call as a replacement for the GTalkService API. Moreover, the team said Version 1.0 of Android and the first Android devices, presumably the HTC Dream, will support Bluetooth wireless technology.
To wit, Google security researcher Rich Cannings said that the GTalkService API, which provides an interface to let users send messages via Google’s Talk IM (instant messaging) software, has some fundamental security problems.
Cannings said one of the reasons is that while Google Talk friends can contact each other at any time via IM, seeing each other’s e-mail addresses and even real names, Android users won’t necessarily want that. Indeed, the lack of anonymity is problematic enough to be a deal breaker for the SDK. Cannings wrote:
““For example, imagine a really cool mobile Massively Multiplayer Online Roleplaying Game using GTalkService. You would have to add all the players to your Google Talk friends list in order to play with them. Next time you log in to Google Talk from your desktop or on the Web, you would notice that you have many new “friends.” You may not want to chat with these friends-and perhaps worse, you may not want them to know what your real name or e-mail is.”“
I can’t quarrel with that, but surely there is a way to make this work? Google’s security team would have to mull that one over some more to solve the problem. Unfortunately, the Intents subsystem made this untenable.
Google Android Team Comes Clean on Omitted Google Talk, Bluetooth APIs
Intents are designed to send GTalkService messages within an Android device. When Intents come from other devices, the Intent subsystem cannot determine what application sent the Intent.
Cannings also said an Android application using GTalkService would be reachable from all of the user’s Google Talk friends, and a flaw in that application could pose an inviting target to a malicious “friend” or automated malware.
In the end, the Android team vowed to scrap GTalkService to avoid the risk and compatibility issues with a more secure version of the feature in the future. Google plans to build a new system that more closely hews to Android.
Android Engineer Nick Pelly meanwhile had a different story for why the Bluetooth API was shelved.
In short, Pelly said the Android team removed the API from the 1.0 release because it ran out of time:
““The Android Bluetooth API was pretty far along but needs some cleanup before we can commit to it for the SDK. Keep in mind that putting it in the 1.0 SDK would have locked us into that API for years to come.”“
Read some examples of the Bluetooth issues in this blog post here.
The other option was for the Android team to ship a broken API that the team knew was going to change a lot. You didn’t think that was going to happen did you?
Bluetooth is a big deal. I had one reader tell me in a comment here that “they shouldn’t even bother to release it [Android 1.0] if it does not have a useable Bluetooth API.”
Pelly seems to agree:
““I would love nothing more than to start seeing some neat third-party applications and games over Bluetooth. In my opinion, Bluetooth is completely underutilized on most mobile platforms and I’m excited to someday see what the developer community can do with Android.”“
I agree. A next-generation mobile operating system with no Bluetooth support? Unthinkable. Accordingly, Google said Android 1.0 and the first devices will support Bluetooth headsets, although Pelly admitted “we don’t know exactly when that will be.”