Information security professional Thomas Cannon disclosed a new vulnerability in Google’s Android operating system this week on his blog. Unlike many of the recent high-profile disclosures, Cannon made an effort to work with Google and to simply make the public aware of the bug and of what they might do to protect themselves.
Cannon contacted the Android security team last Friday and they responded to him within 20 minutes. That’s the start of what can make security work. Another success? Android’s security model of sandboxing applications by default limits the damage that can be done by the flaw Cannon discovered. Baking security into the recipe from the start is clearly an advantage for the Android platform.
Now for the #fail. Android, like Windows Phone, is largely designed to be an open platform. Windows Phone does require licensing, but supports many handset makers similar to the Android strategy. What do I mean by this? Many carriers and manufacturers of handsets are encouraged and able to use the operating system and adapt it to just about any form factor they can imagine. HTC, Samsung, Motorola, Acer and others each can make interesting, innovative devices and customize the operating system to meet their needs.
This sounds like a good thing, right? It is awesome if you are a consumer and want the maximum amount of choice and flexibility. The problem comes when you have to patch or maintain the software that drives these devices and they have only the most basic components in common. This is the security nightmare that Android is beginning to face. Every device on every carrier has a slightly different configuration, which requires that phone’s manufacturer and carrier to update its software independently of what Google may have provided.
Many applications are embedded into the operating system itself like the browser, contact manager and calendar. This means you must upgrade the OS to patch any flaws discovered in these programs. Currently this is the fatal flaw in Android’s security model. Older devices like the HTC Dream (G1) are only able to run version 1.6 because of memory limitations. New browser flaws like the one Cannon disclosed cannot be fixed for these devices under the current updating schema.
Google has developed a fix for this flaw and has stated they will fix it in a maintenance release for the upcoming Gingerbread (2.3) release. That’s great, but means even the most modern of devices will be exposed to attack for a month or more and older Android phones may be vulnerable in perpetuity. Apple and RIM do not face these types of issues because they have a limited selection of hardware shipping and provide OS updates only for devices they manufacture.
What can you do if you are an Android user? For now the only option is to choose third-party applications that are updated through the Android Market instead of using the embedded applications. Android Market provides an auto-update mechanism that is independent of the operating system and offers common alternatives for browsing such as Opera Mobile. Firefox 4 portable is also currently available in beta form and can be updated independently of the Android OS.
Until and unless the details of Cannon’s discovery become public, it is impossible to say whether other Android browsers are susceptible to the bug he discovered, but one thing is for sure: the default Android browser certainly is.
Creative Commons image of mobile data theft courtesy of Kioan’s Flickr photostream.
The details of the vulnerability are already public.
Too simple for words.
It is dead easy to read anybody’s files on an Android device.
My HTC Desire got a security update yesterday over the air. The update process was quite invasive, as it involved uninstalling some apps to free up some memory and rebooting the phone.
I hope that manufacturers and operators stand up to their responsibilities and issue regular updates to all their phones, and don't "end of life" some models leaving them vulnerable.
You, uh, might want to fact-check everything. The HTC Dream (T-Mobile G1) is quite capable of running Froyo. Mine is running CyanogenMod 6 (Froyo-based) just fine. And no, it's not memory-optimized for the G1. There's still tons of kills on unnecessary services at startup, but switching to a slimmer launcher and deleting unnecessary apps that came with the mod fixed that. Now the apps that would've been killed aren't there, and it's running like a dream. T-Mobile just wants you to buy newer phones, is all.
Can't quite see the logic in this:
"Apple and RIM do not face these types of issues because they have a limited selection of hardware shipping and provide OS updates only for devices they manufacture."
So because Apple and RIM supply OS and hardware it's somehow different from Google building a core OS, then handset manufacturers supplying the OS and hardware.
HTC, Samsung, Sony or whoever are in exactly the same position as Apple or Rim, they choose to supply updates for their handsets or not, the fact that Google may do the donkey work to fix the issue may make it slightly easier and less costly,
At some point Apple (say) will stop providing updates and patches to older devices; users of those devices will also face an issue.
Interesting that you compare to Apple, who have dropped security support for their first-generation iPhones. I dunno what RIM’s position on obsolete hardware is though.
Note that it is not actually the fragmentation of the Android landscape that is the real problem, the real problem is the way the Google Android OS distribution is set up.
It is just that we are so conditioned to think about phone OS updates in terms of ROM-images, that we find it hard to think about it in another way.
Microsoft Windows is distributed by many device manufacturers like Dell. Dell adds its background and assortment of crapware to the base Windows and then ships me the box. But when an exploit is found in Internet Explorer, I don't have to wait to get a fix through Dell, I get it right through Windows Update, I am only dependent on the agileness of Microsoft for getting the fix before I become part of a botnet.
It should be the same for Android, it is just an OS which consists of a bunch of files stored on my phone, Google should have provided a path where it could send updates for the components it makes.
Sander.
Sander’s got it right essentially as far as support for Android is concerned. What’s more troubling to me though is that Google seems mostly disinterested or unconcerned regarding Android’s vulnerability to JavaScript type attacks/hacks. That seems to me to be a bit less than responsible to its users and/or the public at large, Android user or not. Now I know that Google has some very excellent security experts on staff, I know a couple of them, so this seemingly less than responsible attitude isn’t coming from them. Must be either a bean counter driven attitude or an upper level management driven problem.