12
Feb

Android Vulnerability So Dangerous, Users Warned Not to Use Phone’s Web Browser

Over the weekend at the ShmooCon hacker conference in Washington D.C., security researcher Charlie Miller presented a new vulnerability in Google’s mobile OS, Android, that allows hackers to remotely take control of the phone’s web browser and related processes. If a phone became compromised, the hackers could gain access to the saved credentials stored in the browser and browser history. They could also snoop on your web transactions, even if encrypted.

About This Exploit

The current vulnerability is contained in code written by the software company PacketVideo who contributed an open version of their Core multimedia application framework to Android, where it became the multimedia subsystem for the Android web browser.

Once discovered, Miller notified Google of the flaw on January 21st. When Andy Greenberg reported on the issue for Forbes last week, he quoted a Google spokesperson as saying that a fix will be issued “as soon as it becomes available.”

Strangely though, a fix is currently available and has been since February 7th. However, Google has not pushed it out to Android phones. Instead, the patch sits here in Google’s source code repository which, says Miller, is “irrelevant” as “what matters is what Joe Consumer is carrying in his pocket.” He also wonders why Google waited for PacketVideo to contribute the code when it was something Google could have very easily – and quickly – fixed for themselves.

So, No News is Good News, Right?

If you’re wondering why you haven’t heard too much about this new exploit until now, it’s not because it’s only marginally dangerous. Since it would allow a hacker full control over the browser and related processes, Miller recommends that Android owners actually “avoid using the browser until a patch is released. If this is not possible, only visit trusted sites and only over the T-Mobile network (avoid Wi-Fi).”

To get a second opinion, we checked in with James Blaisdell, CTO of Mocana, a company that provides embedded security solutions for a litany of devices, including Android. His company recently became the first to provide enterprise-level security solutions to the Android platform with the launch of their NanoPhone Suite for Android, a software package that lets developers add security to their devices and applications. His company also puts out an anti-malware tool for Android. In other words, he gets Android security.

Says Blaisdell, this current vulnerability is “very serious” and the breach “could have catastrophic consequences for users.” He also agrees with Miller’s assessment that the best thing for Android users to do to protect themselves is to not use the Android web browser until Google issues a security patch.

Android’s Security Issues So Far

As noted in the Forbes article, Android is, in some ways, more secure than other OSes. Its architecture uses a “sandbox” approach, which stops malicious code injected into the browser from accessing and taking over other parts of the mobile OS or applications.

However, in other ways, Android needs to do more. According to Blaisdell, most of the security problems found so far, including this one, have been serious. He also makes note of another critical problem in Android – that of applications being signed with “self-signed” certificates, which is “inherently untrustworthy,” he says. A hacker could easily create a piece of malware and then trick you into trusting it and installing it onto your phone.

Another issue worth mentioning is Android’s permission-based security model. While most security between the system and the applications is enforced through standard Linux facilities, additional, finer-grained security features are provided through a “permission-granting” mechanism that ultimately relies on the user to make a decision as to whether or not an app should be trusted. As with most security systems, it’s the human element in this equation that introduces risk.

You can think of this as sort of a mobile equivalent to Vista’s UAC (user account control) which appears when an application needs elevated privileges. Except unlike UAC, which usually prompts you upon installing an application – something you either did or did not intend to do – Android’s prompts are a bit more specific. As technology writer Wilson Rothman says: “Is it bad that an app I don’t know well can ‘modify global animation speed’? Honestly, I don’t know.”

For Charlie Miller, who has been making a name for himself in Mac hacking, this latest Android security issue was not his first discovery of weakness in Google’s platform. In October, days after the release of the T-Mobile G1, Miller and his team found a vulnerability similar to this new one, which Google ended up patching in early November. Both vulnerabilities could have been prevented if Android had the ability to block malicious code from executing in memory.

As of today, the patch is still sitting in the source code repository. Google has not sent it out to anyone’s device yet. Although they did send out an updated firmware last week (RC33), the vulnerability remains unpatched. If and when we receive a response from Google, we’ll update this post.

Update: Google has responded only by pointing us to the following advisory published by oCERT for more details: http://www.ocert.org/advisories/ocert-2009-002.html.

Image Credit: Android Authority
