Android Flaw Made Public, Google Not Very Happy

Posted in Google Android by admin on October 28th, 2008

The T-Mobile G1 smartphone has only been around for a short while, but it’s been long enough for a group of security researchers to pick it apart and find what they say is a “serious flaw” in the Android operating system.

One of the group’s researchers, Charles A. Miller, told Google about the flaw last week, and has taken the step of publicising it because he feels that mobile users are not generally aware of the risks of using smartphones, and the threats they face.

Miller, a former National Security Agency computer security specialist, said the flaw could be exploited to trick a user into visiting an infectious website.

Google acknowledged the issue, but said that the phone’s security features would limit the extent of the damage that could be done by an intruder, compared to computers and other mobiles these days.

Unlike today’s modern computers and advanced handsets such as iPhone, the G1 phone creates a series of software compartments that limit the access of an intruder to a single application.

“We wanted to sandbox every single application because you can’t trust any of them,” said Rich Cannings, a Google security engineer.

He said that the company had already fixed an open-source version of the software and was working with T-Mobile and HTC to offer a patch for its current customers.

Generally, modern computer operating systems try to limit access by creating a partition between a single user’s control of the machine and complete access to programs and data, often referred to as administrative access.

The risk in the Google design, according to Miller, lies within the web browser partition in the phone. He believes that it would be possible for an intruder to install software that would capture keystrokes entered by the user when surfing to other web sites, making it entirely possible to steal passwords and other security information.

Miller is an accomplished security expert. He recently won a contest that gained him $10,000 and a free laptop when he found a vulnerability in Apple’s Safari browser.

However, Google are not so happy with him, as they believe that he has violated an unwritten code between companies and researchers that is intended to allow time for vulnerabilities to be fixed before they are publicised. Miller said he would withhold technical specifics, but said that consumers have a right to know when a product has shortcomings.
