
Security Flaw In Android Web Browser

Posted by timothy
from the more-information-would-be-nice dept.
r writes "The New York Times reports on a security flaw discovered in the new Android phones. The article is light on details, but it hints at a security hole in the browser, allowing for trojans to install themselves in the same security partition as the browser: 'The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.'"
  • It'll be interesting to see how fast Google reacts to this. Their quality assurance has been questioned recently in the light of GMail going down, oddities with Google Ads, and so on. With luck they'll become software heroes, but they also risk a huge backlash if they don't pay attention to quality issues in the face of others that are trying.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Quality has never been a concern for google. They are a culture of academics. They just want to make a proof-of-concept, and that's good enough. (Just like writing a paper, you only need to make it work ONCE.)

      All of their ventures display that. None of them get, as they say, "productized."

      Do a job interview with them (I never have, but know several who have). All they care about is algorithms. If you even mention practices, you get turfed. They're a bunch of cowboy coders with no discipline.

      • Re: (Score:2, Funny)

        by Anonymous Coward

        I liked you better when you were throwing chairs, Mr. Ballmer.

  • Hmm (Score:5, Insightful)

    by tsa (15680) on Saturday October 25, 2008 @04:20PM (#25511579) Homepage

    It seems Mr. Miller doesn't like the Google Phone much. He should have notified Google of the bug and given them time to fix it before going public (as Google states in TFA).

    • Here's why. (Score:3, Insightful)

      by Anonymous Coward

      He should have notified Google of the bug and given them time to fix it before going public (as Google states in TFA).

      ..according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore

      It wouldn't have given him a name. Now, when the CIOs are reading the tech highlights on their Crackberries, what they'll see is Miller-Independent-Security-Evaluators-Baltimore-finds-security-flaw. And then think ... must hire next time I need security advice.

      In this incredibly competitive world where you're competing with everyone all over the World and there's plenty of folks who'll do it cheaper, you have to find ways to stand out. Never compete on price because there's always someone who'll do it che

      • Yeah, well now he will be seen as somebody who doesn't know how to do a simple security related bug report. Yeah, I totally want his advice.
    • Re:Hmm (Score:5, Informative)

      by Shemmie (909181) on Saturday October 25, 2008 @04:50PM (#25511795)
      I was about to agree with you. However, upon reading their page: [securityevaluators.com]

      The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised. For more information on the security of the iPhone, visit ISE's site describing the first exploit of an iPhone security vulnerability here [securityevaluators.com].

      • Re:Hmm (Score:5, Informative)

        by Shemmie (909181) on Saturday October 25, 2008 @04:51PM (#25511807)
        Oops, left out:

        Working with Google
        Google was notified of this issue on October 20th, 2008. We are working with them to try to get a fix as quickly as possible.

      • This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised

        When that exploit was published, it was the infamous TIFF exploit in the iPhoneOS 1.0-1.1.1. At the time the iPhone ran everything as root, so compromising Safari immediately granted root access. Since 1.1.3 however Apple has gone to granular permissions, most applications run as the limited "Mobile" user, for example. With that

    • by Chlorus (1146335)

      It seems Mr. Miller doesn't like the Google Phone much. He should have notified Google of the bug and given them time to fix it before going public (as Google states in TFA).

      When the hell would any slashdotter extend that courtesy, to say, M$ or Sun?

  • by alphad0g (1172971) on Saturday October 25, 2008 @04:45PM (#25511757)
    It would be interesting to hear more about this hack as they seem to make a pretty bold and bogus claim in the article:

    "Unlike modern personal computers and other advanced smartphones like the iPhone, the Google phone creates a series of software compartments that limit the access of an intruder to a single application."

    The iPhone is very compartmentalized. That is why there is no cut and paste - all apps are limited to their own directory. Anyone that has jailbroken an iPhone is familiar with how one app can NOT access data in another app's directory unless permissions are changed.

    Anyone else know more about this comment? It is true for WinMo smartphones - no perms at all, but I am pretty sure that the iPhone does not apply. Is this just a dig at Apple?
    • Re: (Score:3, Informative)

      by Anonymous Coward

      It is true for WinMo smartphones - no perms at all, but I am pretty sure that the iPhone does not apply.

      Not quite... Windows Mobile has security based on privilege levels (e.g. user vs. admin in the desktop world), so I don't think it's fair (or accurate) to say "no perms at all." You can assign access rights to resources (files, registry keys, etc.) associated with your application, so other apps must be appropriately signed to interact with your data.

      Contrast that with the iPhone: Everything that ships

      • Contrast that with the iPhone: Everything that ships on an iPhone runs as root, and not in a compartment. Period. If you hack the browser (or any other in-ROM app), you've hacked the entire device with root level access (how do you think jailbreak works?).

        FYI, the iPhone has not run user apps as root since version 2.0 came out. They run as a secondary non-privileged user. Of course, your personal data is also owned by that user, so it's still not anything like the Android sandbox.

    • bullshit! how do you think the jailbreak works? the browser runs as root. iPhone = least secure phone EVER!!!

      • Just in the interests of accuracy, I note that the "navigate to a site that hacks your browser and jailbreaks your phone" jailbreaker has been dead for quite a long time. Modern jailbreakers work by exploiting the phone as it's connected to the computer over the USB cable. I think they perform a software restore and convince it to load a hacked OS, but I'm not sure.

        None of this detracts in any way from your overall point, though. The "hack your browser" jailbreaker no longer works because Apple patched the

      • Re: (Score:1, Informative)

        by Anonymous Coward

        The jailbreak doesn't happen through the browser. It requires flashing the OS through the USB cable. Has anyone here actually used an iPhone?

      • MobileSafari has not run as root since version 2.0. It now runs as the 'mobile' unprivileged user.
  • Fix Speed vs Apple (Score:2, Insightful)

    by CritterNYC (190163)

    It will be interesting to see how quickly Google fixes this compared to how long it took Apple to fix the security issues in Safari on the iPhone (a couple months, I believe, was their slowest).

    • Yeah, it's a sad position for Apple. Either they fix their security vulnerabilities quickly and everyone cries about how they are killing jailbreaking because everyone knows they just want complete control over the iPhone... or they leave the door open a while and all of a sudden they are slow at plugging security holes.
      • by Miseph (979059)

        Of course, they could just fix the security holes without imposing draconian controls on what's installed or how... but I guess that would run afoul of their stated interests.

    • by Superken7 (893292)

      from TFA:

      He said that the company had already fixed an open-source version of the software and was working with its partners, T-Mobile and HTC, to offer fixes for its current customers.

      so anybody who is impatient enough should be already able to replace the browser with a custom build. :)

  • by THESuperShawn (764971) on Saturday October 25, 2008 @07:29PM (#25512985)
    NOW do you see why we call everything we do a "beta"? Sheesh! Your Friend, Google
  • newsflash: new software has bugs

  • Shameless commerce, but relevant: My company, Mocana, just announced a security SDK for Google's Android platform that readers of this article might be interested in investigating. With it Android developers can build robust encryption, authentication, VPN, antivirus and antimalware features into Android Handsets. It's called NanoPhone, and you can learn more at http://mocana.com/NanoPhone-Android.html [mocana.com] -Kurt
  • This is good in a way similar to the iPhone Safari attacks, while it is bad as any security flaw is, this might pave a way for unlocking, etc.
