October 27, 2008, 1:46 PM — Researchers at Independent Security Evaluators say they've discovered a security flaw in the Android browser that could make users of phones with the browser vulnerable to attack.
Android, Google's open-source software that is currently only running on one phone, HTC's G1, is based on outdated open-source components, the researchers say. As a result, the vulnerability they have discovered was previously known and fixed, but Google didn't incorporate the fix into Android, they say.
The G1 went on sale last Wednesday from T-Mobile USA, and Google published the source code behind Android on Tuesday. Other manufacturers, including Motorola, are expected to also release phones running Android in the future.
On a Web page for ISE, Charlie Miller, Mark Daniel and Jake Honoroff wrote that they won't reveal much about the vulnerability until Google fixes it. However, they say that Android users who visit malicious Web sites may find their sensitive information stolen. That's because an attacker could access any information the site uses, including saved passwords, information entered into a Web application form and cookies.
The researchers also say, however, that the impact of the attack is limited because of Android's security architecture. An attacker can't, for example, control functions of the phone such as the dialer.
Google said it is developing a solution to the problem. "We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. The security and privacy of our users is of primary importance to the Android Open Source Project -- we do not believe this matter will negatively impact them," the company said in a statement. It did not say when it expects to push out the update.
The researchers say that they notified Google of the issue on Oct. 20.
The incident raises questions about potential difficulties that the Android community might face in the future. Because Google has adopted an open model with Android, many vendors and operators in the future may offer a variety of phones, each potentially with slightly different versions of the operating system. If vulnerabilities are found in the future, phone makers and operators will have to determine if their version of the software is affected and then coordinate the distribution of a fix to users.