Security Expert Warns of Android Browser Flaw 98
justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'"
Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.
Re:Chester Wisniewski's point is invalid, IMO (Score:5, Insightful)
So let's say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.
Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it's really serious it'll probably pop up in the next Patch Tuesday. If it's hyper-serious then it might come out three or four days after the vuln was announced.
That's not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can't give you any patches because the HP customizations are a fork of MS's source; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.
Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you're lucky.
Oh, and some of them have implemented DRM that will trash your computer if you try to install vanilla MS Windows. And nobody makes the drivers for their custom hardware available anywhere outside of the binary blobs they distribute. Pretty much everyone except the hardcore nerds is just gonna be running whatever release of the OS came with their computer, or maybe the one update they got - even if they keep the machine for five years. Even if they want to try and update it.
So tell me, why is this a problem?
Re:Chester Wisniewski's point is invalid, IMO (Score:2, Insightful)
As opposed to what, Microsoft sitting on its hands for months or years because they won't fix or until they can't take the wailing and gnashing of teeth anymore?
At least then you're only waiting on MS to get off it's ass, not MS and then the manufacturer..
Re:linkbait (Score:3, Insightful)
Your description would naturally seem to be part of fragmentation.
If you have 20 vendors you can bet that some of them are going to be good about support, some are going to be ok, and some bad. If you have 50 android phones, you can bet some are going to be supported better than others. And so on. This, of course, has both positives and negatives, but it's absolutely part of being fragmented.
If google could rollout a patch to Android OSes that could be applied to any phone and any carrier instantly, then you couldn't call the situation fragmented. But Google can't do that...so...
Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4. When Apple releases an update to iOS (eg the new 4.2.1), it applies to all phones except the original iPhone (which is now just shy of 4 years old). This system too has pluses and minuses. When apple decides a phone isn't supported, it's done.
Re:linkbait (Score:3, Insightful)
Since iOS and Android seem about diametrically opposed on this front, you can compare that there are a total of 4 models of iPhone -- iPhone, iPhone 3g, iPhone 3gs, iPhone 4.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
When Apple releases an update to iOS (eg the new 4.2.1), it applies to all phones except the original iPhone.
And the original ipod touch.
(which is now just shy of 4 years old)
It was launched almost 4 years ago, it wasn't DISCONTINUED almost 4 years ago.)
Given most people had to sign a 3 year contract to get one there are lots of original models still in use. There are lots of original models STILL UNDER CONTRACT.
But the really silly thing is comparing Androids fragmentation to apple's going it alone with ios and concluding that the fragmentation is somehow a disadvantage. If each of 20 vendors write their own operating system from the ground up the way apple did, would that be somehow better??
If 20 manufacturers did what apple did, we'd have 20 distinct operating systems. 20 incompatible app stores. 20 different development framekworks. Seriously. The fact that 19 out of 20 vendors chose to build on common foundations is a godsend, even if there is some variation between implementations.
Thank god we don't have 20 apples. One is quite enough.
Wrong, just 1st gen Touch and iPhone (Score:3, Insightful)
Since your post was so rife with inaccuracies, I felt I had to correct the misconceptions you were attempting to spread.
And a few generations of iPod touch as well... and the iPads. Ok... so more like a total of 8 or 9 models... of ios device...
Where did you get that from? The iPad and iPhone and Touch all run the same OS version now, 4.2. The only iOS device that cannot run 4.2 is the first gen iPhone or the 1st (and possibly second) gen Touch. That's not eight, it's around two. And both of those can be patched by jailbreaking, which happened within a few days of the PDF exploit.
Given most people had to sign a 3
No iPhone has ever had more than a two-year contract.
But the really silly thing is comparing Androids fragmentation to apple's going it alone with ios and concluding that the fragmentation is somehow a disadvantage.
Right, because the fact this vulnerability will take months to fix for 80% of Android users vs. something like it days to fix for 80% of iOS users, means nothing. Sure, you just keep saying that.
If each of 20 vendors write their own operating system from the ground up the way apple did, would that be somehow better??
In some ways, yes, because then they would each be on the hook to fix vulnerabilities, or not even have them with so many diverse implementations. But the simple truth is that they ALSO would have been better using Android in a way that Google would be the one pushing updates for things like the browser. That would have been the sane model, but Google decided to bow to the will of carriers and device makers and let them have all the control over updates.
If 20 manufacturers did what apple did, we'd have 20 distinct operating systems. 20 incompatible app stores.
How would that be different than what you are getting? You already have a few different app stores, including Verizon. Who is to say that in a few years the situation will not be exactly as you describe?
The real issue with fragmentation is that you don't HAVE Android anymore, all you have are variants with Android at the core.
Thank god we don't have 20 apples. One is quite enough.
Unfortunately, the market and consumers really need two but Google decided to take themselves out of the running; with any luck Microsoft has learned and can be the Other Apple.