Android hit by security bug

James Middleton

October 28, 2008

2 Min Read
Android hit by security bug

The recent debut of Google’s much hyped mobile operating system, Android, has been marred by the exposure of a known security flaw.

Security experts, Charlie Miller, Mark Daniel, and Jake Honoroff of Independent Security Evaluators, claim to have identified and exploited a security vulnerability in the Open Handset Alliance (OHA) platform.

Android is an open source, Linux-based platform, which user over 80 different open source packages in its construction. The vulnerability is believed to have arisen because the OHA did not use the most up to date versions of all these packages.

In other words, this particular vulnerability was known and fixed in the relevant software package, but an older, vulnerable version was used in Android. Independent Security Evaluators aren’t prepared to reveal any more until Google has released a patch to plug the hole.

But because the first Android-based device, the G1, only launched in the US last week, the experts claim that the first batch of phones will have shipped with the vulnerability present and will continue to do so until an update becomes available.

As for the impact of the bug, the researchers claim that Android users surfing the web with the default web browser could be redirected to a malicious page, where malicious code could be run.

On a positive note, the danger created by the flaw is not very far reaching. The researchers sang the praises of the Android OS, and the developers’ decision to use an application sandboxing feature to limit such attacks only to the application in question.

“The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc.However, they can not control other, unrelated aspects of the phone, such as dialling the phone directly. This is in contrast, for example, with Apple’s iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised,” the researchers said.

Given that a fix already exists, it shouldn’t be too long before the Android guys are pushing out an update. The G1 received its first software update just one day after launch, showing that a working patching system is already in place and working.

About the Author(s)

James Middleton

James Middleton is managing editor of | Follow him @telecomsjames

You May Also Like