Android 2.1 or Earlier Devices at Risk of Major Security Breaches
In early November the UK newspaper the Financial Times reported that it received a summary report from code analysts Coverity revealing that Google’s Android operating system (OS) suffers from a whopping 88 “high risk” defects that have “significant potential to cause security vulnerabilities, data loss, or quality problems such as system crashes.” According to Coverity’s study, these major programming errors leave devices completely vulnerable to hackers, who, as a result of the defects, can easily access e-mail messages and other important, confidential information.
According to the IT website THINQ, Coverity's research was carried out using the publicly-available version of the kernel for Android 2.2 installed on HTC's Droid Incredible phone, but the researchers behind the report seem to suggest that similar security flaws could easily exist in other Android handsets.
Obviously, this is incredibly unhappy news for Google, whose Android platform has severely struggled to find a home in business and government. It appears as if the market that Google so desperately wants its Android OS to tackle is already dominated by competitor Research In Motion's BlackBerry devices. BlackBerry devices are known for being safe and secure, and Coverity’s findings will only make it more difficult for Google to take its next crucial step and establish Android as the go-to device for those in the business world.
It’s become apparent that it wasn’t Coverity’s intention to bring Google down in any way. As a matter of fact, the analyst firm’s co-founder, Andy Chou, recently told THINQ that after discovering the findings, Coverity passed on the details of the flaws to Google and the Droid’s handset maker, HTC. “We want them to fix the problems,” Chou said. “We are trying to follow the model for responsible disclosure.”
Unfortunately, shortly after the Financial Times reported the story about the 88 high risk defects in Google’s Android OS, things took a turn for the worse for Google.
Android Backdoor Threatens Users
According to THINQ, just one week after the UK’s Financial Times revealed the multiple high risk defects in Google's Android, security researchers discovered a new vulnerability in the platform -- distinct from the previous 88 security issues -- that can give a remote attacker the chance to gain access to the system, leaving affected smartphones and tablets vulnerable to attack by hackers.
According to the site, the flaw stems from an already publicized vulnerability in the WebKit browser platform. WebKit is an open-source KHTML project developed by Apple. Not only did it act as the outline for Apple’s Safari browser, but it also formed the basis of Google Chrome. WebKit is also the built-in default browser on Android-based devices, but the problem is that it has a number of long-standing issues that were once believed to affect only desktop-based implementations of the browser engine. As it turns out, this is not the case.
Unfortunately for Google, an online security news website called The H Security recently reported that a security researcher at Alert Logic, an IT security company, has discovered that the WebKit flaw “can be used to spawn a remote shell on vulnerable Android handsets -- giving a remote attacker full access to the inner workings of the device.”
According to THINQ, despite the fact that the Alert Logic researcher has published public exploit code for the vulnerability, it hasn't had a great deal of testing. So far, the exploit is only known to work on Motorola's Milestone and Droid in the US, including handsets running the stock 2.0.1 version of Android and the updated Android 2.1. It has been reported that as a result of running the code, other handsets have crashed.
According to THINQ, it is believed that devices based on Google’s latest Android 2.2 release are safe from the flaw. It seems as if Google can’t catch a break, however, because it’s estimated that a majority of consumers who utilize the Android OS are still running version 2.1 or below on their devices. This leaves an estimated 63 percent of users vulnerable to these possible security attacks.
Even worse, for the 63 percent of consumers running a version of the Android OS older than 2.2, there is absolutely no way around these problems, and worse yet, this flaw can be exploited just by visiting a virus-ridden or “maliciously-crafted” web page. It appears as if Google has a lot of work to do, unless they want what is quickly turning into a PR nightmare on their hands.