Over the weekend at the ShmooCon hacker conference in Washington D.C., security researcher Charlie Miller presented a new vulnerability in Google's mobile OS Android that allows hackers to remotely take control of the phone's web browser and related processes. If a phone were compromised, the hackers could gain access to the saved credentials stored in the browser and to the browser history. They could also snoop on your web transactions, even encrypted ones.
The current vulnerability is contained in code written by the software company PacketVideo, which contributed an open version of its Core multimedia application framework (OpenCore) to Android, where it became the multimedia subsystem used by the Android web browser.
After discovering the flaw, Miller notified Google on January 21st. When Andy Greenberg reported on the issue for Forbes last week, he quoted a Google spokesperson as saying that a fix would be issued "as soon as it becomes available."
Strangely, though, a fix is currently available and has been since February 7th. However, Google has not pushed it out to Android phones. Instead, the patch sits here in Google's source code repository which, says Miller, is "irrelevant" as "what matters is what Joe Consumer is carrying in his pocket." He also wonders why Google waited for PacketVideo to contribute the code when it was something Google could have very easily - and quickly - fixed for themselves.
If you're wondering why you haven't heard much about this new exploit until now, it's not because it's only marginally dangerous. Since it would allow a hacker full control over the browser and related processes, Miller recommends that Android owners actually "avoid using the browser until a patch is released. If this is not possible, only visit trusted sites and only over the T-Mobile network (avoid Wi-Fi)."
To get a second opinion, we checked in with James Blaisdell, CTO of Mocana, a company that provides embedded security solutions for a litany of devices, including Android. His company recently became the first to provide enterprise-level security solutions for the Android platform with the launch of its NanoPhone Suite for Android, a software package that lets developers add security to their devices and applications. His company also puts out an anti-malware tool for Android. In other words, he gets Android security.
Says Blaisdell, this current vulnerability is "very serious" and the breach "could have catastrophic consequences for users." He also agrees with Miller's assessment that the best thing for Android users to do to protect themselves is to not use the Android web browser until Google issues a security patch.
As noted in the Forbes article, Android is, in some ways, more secure than other OSes. Its architecture uses a "sandbox" approach, which stops malicious code injected into the browser from accessing and taking over other parts of the mobile OS or other applications.
However, in other ways, Android needs to do more. According to Blaisdell, most of the security problems found so far, including this one, have been serious. He also notes another critical problem in Android: applications are signed with "self-signed" certificates, which is "inherently untrustworthy," he says. A hacker could easily create a piece of malware and then trick you into trusting it and installing it on your phone.
Another issue worth mentioning is Android's permission-based security model. While most security between the system and the applications is enforced through standard Linux facilities, additional, finer-grained security features are provided through a "permission-granting" mechanism that ultimately relies on the user to make a decision as to whether or not an app should be trusted. As with most security systems, it's the human element in this equation that introduces risk.
You can think of this as sort of a mobile equivalent to Vista's UAC (user account control) which appears when an application needs elevated privileges. Except unlike UAC, which usually prompts you upon installing an application - something you either did or did not intend to do - Android's prompts are a bit more specific. As technology writer Wilson Rothman says: "Is it bad that an app I don't know well can 'modify global animation speed'? Honestly, I don't know."
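To make the "permission-granting" mechanism concrete, here is an added example of the declaration side of it: an Android application manifest that requests two permissions. This manifest is constructed for this article and is not code from Google or from any project mentioned above; the package name and activity are hypothetical, while the `<uses-permission>` element and the `android.permission.INTERNET` and `android.permission.READ_CONTACTS` names are real Android identifiers.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example manifest; the package name and activity are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesapp">

    <!-- Every uses-permission line below is what the system shows the user
         before installation. The user accepts the whole list or does not
         install the app; there is no per-permission choice at this point. -->
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />

    <application android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>
```

The enforcement half is the system's: an app that omits `READ_CONTACTS` here and still queries the contacts provider at runtime gets a `SecurityException` rather than the data. The judgement half is the user's, which is the point of the paragraph above: a note-taking app that asks for your contacts is not blocked by anything but the person reading that list.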
For Charlie Miller, who has been making a name for himself in Mac hacking, this latest Android security issue was not his first discovery of a weakness in Google's platform. In October, days after the release of the T-Mobile G1, Miller and his team found a vulnerability similar to this new one, which Google ended up patching in early November. Both vulnerabilities could have been prevented if Android had the ability to block malicious code from executing in memory.
As of today, the patch is still sitting in the source code repository. Google has not sent it out to anyone's device yet. Although they did send out an updated firmware last week (RC33), the vulnerability remains unpatched. If and when we receive a response from Google, we'll update this post.
Update: Google has responded only by pointing us to the following advisory published by oCERT for more details: http://www.ocert.org/advisories/ocert-2009-002.html.
Update 2: Google's Rich Cannings, Android Security Engineer, has now responded with the following statement:
"Charlie Miller, a security researcher at Independent Security Evaluators, contacted security@android.com on January 21st regarding a bug in PacketVideo's OpenCore media library that he intended to disclose on February 7.
Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer. If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media.
The Android Security Team responded by contacting PacketVideo, T-Mobile, and oCERT, a public Computer Emergency Response Team. PacketVideo developed a fix on February 5th, and they patched Open Source Android two days later. oCERT assisted PacketVideo with coordinating the fix, and they published an advisory detailing this issue. We offered the patch to T-Mobile when it became available, and G1 users will be updated at T-Mobile's discretion.
We thank our partners PacketVideo, oCERT, and T-Mobile for their engagement and attention to this issue."
Image Credit: Android Authority
Comments
Ouch - Android Vulnerability? no bueno.
Posted by: Enrique Gutierrez | February 12, 2009 9:31 AM
Don't you feel that Google became so big it's slipping small mistakes one after another due to human errors? As I understand it, they could've fixed the bug earlier, but someone hesitated, or maybe the decision was stuck in the processing queue? But Google is so big and influential, especially in the area of SaaS (how many millions of users are on G?) it could have a huge impact on every one of us. Remember the recent slip with the "This website may harm your computer"? How many $ were lost due to that..?
There's actually a security suite currently available for Android. It includes antivirus as well as remote wipe of sensitive data and the device can even be located via GPS. It's on Handango at http://www.handango.com/catalog/ProductDetails.jsp?storeId=2218&deviceId=2073&platformId=80&productId=247921
Yikes. If Google has released a fix, I would think they would want to be more vocal about it, considering Android is leaving consumers vulnerable to identity theft.
He also makes note of another critical problem in Android - that of applications being signed with "self-signed" certificates, which is "inherently untrustworthy," he says. A hacker could easily create a piece of malware and then trick you into trusting it and installing it onto your phone.
YOU CANT HAVE AN OPEN PLATFORM IF SOMEONE HAS CONTROL OVER WHAT SOFTWARE CAN BE INSTALLED ON IT.
Why do people give Google a pass on crappy software? Why? This is horrible. If Microsoft or Apple had done this, they would have been crucified. But, somehow, because Google is the darling of ivory tower tech-bigots, we're all supposed to "put some ice on it" and forget about these screwups? No way. F- Google. I will never ever buy an Android device.
FYI, for those just tuning in: check the updates for Google's comment
Posted by: Sarah Perez | February 12, 2009 2:04 PM
Basically all this exploit needs is the perfect attack vector. A service that would allow for fast distribution of the malware link and guarantee a high number of mobile users who perhaps would be using the Android mobile browser? Sounds like Twitter would be the perfect vector. - Great article posted on our frontpage.
I am assuming this fix is not in the recent RC33 update, correct?
Michael Martin
http://www.googleandblog.com/
Heh, that's not such a big deal. You just have to watch your browsing habits. Sure if you watch kiddie pr0n on your phone you might run into problems down the road...
Please read my comments/rebuttal on Linuxslate.com
http://linuxslate.com/Commentary_Android_Security1.html
Can I patch this myself? How could I swap out the bad browser for a patched one?
What about using the alternate browser (in Android Market) called Steel? It's a good browser...would it have the same problem?
This article is sooooo inaccurate. You should be ashamed of yourselves.
This is a bug in the mediaserver application, which uses PacketVideo's open source libraries. Miller can't demonstrate an exploit, and it's likely that nobody will be able to, since it's a very strange overflow that only allows registers to be overwritten with information from a pre-defined table. THIS IS NOT A BROWSER BUG!
Even if somebody gets an exploit to work, it's going to be limited by Android's sandboxing to the mediaserver user. It cannot affect the browser, log keystrokes, etc...
This is a bug in a non-Google open-source MP3 library that currently is only a crasher, and people are talking like it's the end of Android. Get a grip people. Sarah, you need to find some reliable experts to explain these issues before you embarrass yourself like this. People who sell "Android anti-virus" are not independent observers.
I also feel this "bug" has been blown out of proportion. Everyone, especially those who hate all large corporations (We can all thank MS for this outlook on life) is going to start out skeptical about Android and this just fuels their fire. Android is very new and bugs are bound to happen. What matters is that Android is not being built, sold and left to ferment like Windows Mobile is.
It makes you wonder what other flaws are part of this OS. There's an interesting article here.
That's a shame of Google. It is why they tend to build a totally new operating system called Chrome OS.