Android: How security can work while failing

Information security professional Thomas Cannon disclosed a new vulnerability in Google’s Android operating system this week on his blog. Unlike many of the recent high-profile disclosures, Cannon made an effort to work with Google and simply make the public aware of the bug and what they might do to protect themselves.

Cannon contacted the Android security team last Friday and they responded to him within 20 minutes. That’s the start of what can make security work. Another success? Android’s security model of sandboxing applications by default limits the damage that can be done by the flaw Cannon discovered. Baking security into the recipe from the start is clearly an advantage for the Android platform.

Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating system to meet their needs.

This sounds like a good thing, right? It is awesome if you are a consumer and want the maximum amount of choice and flexibility. The problem comes when you have to patch or maintain the software that drives these devices when they only have the most basic components in common. This is the security nightmare that Android is beginning to face. Every device on every carrier has a slightly different configuration that requires that phone’s manufacturer and carrier to update its software independently of what Google may have provided.

Many applications, like the browser, contact manager and calendar, are embedded into the operating system itself. This means you must upgrade the OS to patch any flaws discovered in these programs. Currently this is the fatal flaw in Android’s security model. Older devices like the HTC Dream (G1) are only able to run version 1.6 because of memory limitations. New browser flaws like the one Cannon disclosed cannot be fixed for these devices under the current update scheme.

Google has developed a fix for this flaw and has stated they will fix it in a maintenance release for the upcoming Gingerbread (2.3) release. That’s great, but means even the most modern of devices will be exposed to attack for a month or more and older Android phones may be vulnerable in perpetuity. Apple and RIM do not face these types of issues because they have a limited selection of hardware shipping and provide OS updates only for devices they manufacture.

What can you do if you are an Android user? For now the only option is to choose third-party applications that are updated through the Android Market instead of using the embedded applications. Android Market provides an auto-update mechanism that is independent of the operating system and offers common alternatives for browsing such as Opera Mobile. Firefox 4 portable is also currently available in beta form and can be updated independently of the Android OS.

Until (and unless) the details of Cannon’s discovery become public, it is impossible to say whether other Android browsers are susceptible to the bug he discovered, but one thing is for sure: the default Android browser certainly is.

Creative Commons image of mobile data theft courtesy of Kioan’s Flickr photostream.