Android SDK, Best Served Insecure

Posted on Thu 25 February 2016 in Technology

The internet has spent several days excoriating Linux Mint for insecure software distribution practices. Fortunately, the potential damage is limited to the vanishingly small population of people who 1) use desktop Linux, 2) bothered to install Linux Mint, and 3) downloaded an ISO for Mint over a fairly small window of time.

The rage seems out of proportion to the offense; it certainly did not merit a line item on the Yahoo! home page:

Really, Yahoo?

It's also not as if everyone else is doing any better. On a recent excursion to the Android developer site, I was confronted by this:

Good job, Google

Yes, Google (supposedly the best software shop in the world), developer of Android (the most popular operating system in the world) is serving executables over HTTP, validated by unsigned checksums also served over HTTP.

Honestly, if Google can't distribute sotware securely, what hope do the rest of us have?