Exposed Android Security Flaw Makes Browsing Dangerous

February 17, 2009

Security researcher Charlie Miller warned Android handset users of a code flaw on Saturday at the ShmooCon hacker conference in Washington, D.C. The vulnerability in Google's open source mobile operating system allows malicious hackers to remotely control the phone's web browser and related processes. They could then gain access to credentials, history, and encrypted Web transactions. Miller warns about the significant danger: "avoid using the browser until a patch is released. If this is not possible, only visit trusted sites and only over the T-Mobile network (avoid Wi-Fi)." The flaw resides in code written by San Diego-based PacketVideo, the authors of OpenCore, the multimedia subsystem for Android. The software provides media features that other developers build their devices on, including playing, streaming and recording images, video, and other media.

Just after Android's October 2008 release, Miller and colleagues at Independent Security Evaluators found a similar browser vulnerability. A patch was made available in early November, but another problem arose. Users complained of a bug where the system failed to distinguish between typed words and system commands: typing the word "reboot" actually restarted the phone.

Regarding the current security flaw, Google spokesman Jay Nancarrow said in an e-mail to Forbes that the PacketVideo flaw will be patched and will reach users in an update through the T-Mobile network.

Despite the multiple security updates that have been needed, ReadWriteWeb says that the Android OS is more secure than other operating systems. With its "sandboxing" approach, malicious code reached through the browser is kept separate from system functions and other applications. Because of this, the flaw that Miller discovered would be limited to browser resources and would not extend to contact list information or other calling and texting data, as was the case in earlier iPhone and other smartphone attacks.


3 Comments

[...] switched 180 degrees when I reported him that the MOS of his Mobile, Google’s Android has a security flaw, I could collect a lot of information too. After he realised that he was defending a system he [...]

Submitted by Google and net neutrality – Google Watch series, episode 01 (not verified) - on February 25, 2009 at 09:45 am

[...] Security Flaw in Googles Android (Moblile Operating System) Makes Browsing Dangerous by Ivory King 17 February, 2009 — Daniel Verhoeven Published on 17 Feb 2009 on L’Atelier [...]

Submitted by Security Flaw in Googles Android (Moblile Operating System) (not verified) - on February 19, 2009 at 11:51 am

[...] switched 180 degrees when I reported him that the MOS of his Mobile, Google’s Android has a security flaw, I could collect a lot of information too. After he realised that he was defending a system he [...]

Submitted by Google and net neutrality « common ground (not verified) - on March 21, 2009 at 03:18 pm

Legal mentions © L’Atelier BNP Paribas