
Security Flaw In Android Web Browser

r writes "The New York Times reports on a security flaw discovered in the new Android phones. The article is light on details, but it hints at a security hole in the browser, allowing for trojans to install themselves in the same security partition as the browser: 'The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.'"

  • Hmm (Score:5, Insightful)

    by tsa ( 15680 ) on Saturday October 25, 2008 @04:20PM (#25511579) Homepage

    It seems Mr. Miller doesn't like the Google Phone much. He should have notified Google of the bug and given them time to fix it before going public (as Google states in TFA).

  • Here's why. (Score:3, Insightful)

    by Anonymous Coward on Saturday October 25, 2008 @04:47PM (#25511773)

    He should have notified Google of the bug and given them time to fix it before going public (as Google states in TFA).

    ..according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore

    It wouldn't have given him a name. Now, when the CIOs are reading the tech highlights on their Crackberries, what they'll see is Miller-Independent-Security-Evaluators-Baltimore-finds-security-flaw. And then think ... must hire next time I need security advice.

    In this incredibly competitive world where you're competing with everyone all over the World and there's plenty of folks who'll do it cheaper, you have to find ways to stand out. Never compete on price because there's always someone who'll do it cheaper. Could he have told Google? Sure. But it wouldn't have made a splash in the media and when it got posted here on Slashdot, it would have said instead that "Google fixes security flaw" with no mention of Miller.

    So, that is why Mr. Miller jumped the gun and published his findings.

    Being in business can really suck.

  • by fuzzyfuzzyfungus ( 1223518 ) on Saturday October 25, 2008 @04:47PM (#25511775) Journal
    You seem to be confusing Android with a particular Android device. Unfortunately, thanks largely to the delightsome world of the telecoms, phones are a disgusting mass of lockdown, including Android ones. OpenMoko excepted.

    Android itself is, IIRC, Apache licenced, which certainly qualifies as free software. Unlike GPL3 stuff, though, it does not enforce your freedom on particular devices. It would have been very nice if Android had done that, the world could really use more phones that live up to their computery potential; but I suspect that, had google done so, the response would have been fewer android phones, not freer android phones.
  • Re:Quality Issues? (Score:1, Insightful)

    by Anonymous Coward on Saturday October 25, 2008 @04:51PM (#25511805)

    Quality has never been a concern for google. They are a culture of academics. They just want to make a proof-of-concept, and that's good enough. (Just like writing a paper, you only need to make it work ONCE.)

    All of their ventures display that. None of them get, as they say, "productized."

    Do a job interview with them (I never have, but know several who have). All they care about is algorithms. If you even mention practices, you get turfed. They're a bunch of cowboy coders with no discipline.

  • by davester666 ( 731373 ) on Saturday October 25, 2008 @04:55PM (#25511837) Journal

    Are you sure you can flash new firmware onto the G1 based on the source, without the binary needing to be signed by T-Mobile?

    Being able to actually use personal builds doesn't necessarily follow from the source being available.

  • Fix Speed vs Apple (Score:2, Insightful)

    by CritterNYC ( 190163 ) on Saturday October 25, 2008 @05:02PM (#25511889) Homepage

    It will be interesting to see how quickly Google fixes this compared to how long it took Apple to fix the security issues in Safari on the iPhone (a couple months, I believe, was their slowest).

  • by lysergic.acid ( 845423 ) on Saturday October 25, 2008 @10:04PM (#25513877) Homepage

    his point is that the troll's blatant flamebaiting:

    This would be an easy fix if users actually had access to things like source that they could compile themselves on the face. Unfortunately, Android is just as locked down and anti-user as anything by Apple, in spite of Google's "open platform" hype.

    is untrue.

    users do in fact have access to the source and can compile it themselves. whether your phone is currently supported or has open hardware is a different and unrelated matter. you're flaming him on a completely inapt issue. just because he can't compile the linux kernel himself doesn't mean that it's not open source. or just because my copy of Microsoft Word won't read ODF doesn't mean it's not an open format.

  • by im_thatoneguy ( 819432 ) on Sunday October 26, 2008 @05:21AM (#25515919)


    My AT&T phone lets me use any MP3 as long as it's less than 60 seconds long and a couple of sampling requirements. Which tells me it's related to the ringtone playback software not some lockdown. Also the Googlephone allows this.

    What's an "Actual network cost"? I'm happy that 14 year old girls are subsidizing my actual network costs with their outrageous text messaging fees. With an unlimited data plan you can IM all you want through chat applications. For instance the Google phone's best feature is its notifications pane which does an amazing job of managing all your internet aware apps. So forget text messaging and just use GTalk or MSN or whatever IM clients it supports. Also with the google phone I think TMobile includes texting with the data plan so you could do that too.

    Again. Android has little to zero branding. IPhone has almost no branding. HTC Touch/TouchPro/Diamond don't seem very heavily branded or modified. Even my AT&T Phone looks like any other LG Phone except that it has AT&T up on the status pane. OH NO!

    How would this magical "no redundancy" network operate exactly? And how would they share space? "Oh sorry I already have a tower in downtown New York. Too bad for you!" And if someone's tower coverage was poor who do you complain to? Whose tower was it? That sounds like a fantastic way to develop a network monopoly. I also don't see how this free for all would result in better coverage in rural areas. I'm suspicious that the only profit that they derive from those towers as it is--is from urban centers offsetting their costs and offering the rural areas to ensure their customers can roam.

    Considering all handsets tend to be carrier subsidized I'm not certain how all phones being sold at retail price would be considered "cheaper". It would certainly mean less lock-in but I don't know about cheaper. I'm not going to pay $600 for a smart phone I know that.

    Again. I'm not certain what draconian rules you're referring to. Let's take Android as an example. What draconian rules are being imposed? The only software I think that is banned is VOIP software. And that would probably be spectacularly spotty in quality over a wireless data link. VOIP requires nice low latency coverage. Low Latency and multi-point wireless broadband are not synonymous. This might be true of my AT&T LG phone. But the sky is the limit with just about every single Windows Mobile, Android or iPhone.

    I'm all about dumb fat pipe but I disagree strongly with how far from that we currently are. Furthermore. I also disagree that our cellphone networks are ready for a dumb fat pipe to work well.

  • by Superken7 ( 893292 ) on Sunday October 26, 2008 @06:32AM (#25516223) Journal

    You don't actually need to replace the entire firmware of the phone.

    The Application Framework is designed in a way that permits you to replace any application with your own application. Be it the dialer, contacts manager or web browser.

    That said, I would still like to know if there are already any efforts of trying to replace the entire firmware. I presume the HTC phone is designed (or android has been modified) in a way that prevents that kind of tampering, but I still have not heard of any hacking attempts.

    Hello reverse engineers ? :-)
