Security flaw spotted in G1 Google phone
Researchers at Independent Security Evaluators say they've discovered a security flaw in the Android browser that could make users of phones with the browser vulnerable to attack.
Android, Google's open-source software that is currently only running on one phone, HTC's G1, is based on outdated open-source components, the researchers say. As a result, the vulnerability they have discovered was previously known and fixed, but Google didn't incorporate the fix into Android, they say.
The G1 went on sale last Wednesday from T-Mobile USA, and Google published the source code behind Android on Tuesday. Other manufacturers, including Motorola, are expected to also release phones running Android in the future.
On a Web page for ISE, Charlie Miller, Mark Daniel and Jake Honoroff wrote that they won't reveal much about the vulnerability until Google fixes it. However, they say that Android users who visit malicious Web sites may find their sensitive information stolen. That's because an attacker could access any information the site uses, including saved passwords, information entered into a Web application form and cookies.
The researchers also say, however, that the impact of the attack is limited because of Android's security architecture. An attacker can't, for example, control functions of the phone such as the dialer.
Google said it is developing a solution to the problem. "We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. The security and privacy of our users is of primary importance to the Android Open Source Project -- we do not believe this matter will negatively impact them," the company said in a statement. It did not say when it expects to push out the update.
The researchers say that they notified Google of the issue on Oct. 20.
The incident raises questions about potential difficulties that the Android community might face in the future. Because Google has adopted an open model with Android, many vendors and operators in the future may offer a variety of phones, each potentially with slightly different versions of the operating system. If vulnerabilities are found in the future, phone makers and operators will have to determine if their version of the software is affected and then coordinate the distribution of a fix to users.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Sending spam violates the
Sending spam violates the Acceptable Use Policy (AUP) of almost all Internet Service Providers. Providers vary in their willingness or ability to enforce their AUP. Some actively enforce their terms and terminate spammers' accounts without warning. Some ISPs lack adequate personnel or technical skills for enforcement, while others may be reluctant to enforce restrictive terms against profitable customers.Sanctum
The love of truth, the love of sanctum. I love the way the sky looks back at me when i kiss the camera. I fall into the wonders of the cave of truth, the cave of awareness. I try not to cry as the bird flys past with a flower in it's mouth. I couldn't believe my eyes when i found a nice fresh salmon laying against the water, by the waves side, by the love of destiny. Watermelon could be displayed with a value $1.89 a peice. The love of truth, the love of sanctum.PIE
PIE... P is for pie. I is for is. E is for DeliciousBut with great pie, comes tasty responsibilty.