Feeds

back to article Researcher outs Android exploit code

A security researcher has released proof-of-concept code that exploits a vulnerability in most versions of Google's Android operating system for smartphones. M.J. Keith of Alert Logic said he released the attack code to expose what he characterized as inadequate patching practices for the open-source mobile platform. Rather …

COMMENTS

This topic is closed for new posts.

Network's fault?

Many of the network's are slow to allow their contract customers to get the latest versions of the OS and when finally they do release it, it's crippled with branding toss.

I think the network's either do not realise how important updating the OS can be or just don't give a damn.

7
0

Not just the networks

The Android platform source code isn't being patched for current releases. That is the main issue.

Also, then you get an additional delay due to manufacturers and networks hacking about with the updates.

I would argue that you are more secure on Android if you are rooted and have a well maintained custom ROM installed, like CyanogenMod.

0
0

Branding toss...

Branding toss is something you're going to have to put up with, if you want five hundred quids worth of phone for nothing but a small monthly subscription and call charges. It'd be nice not to have it, but personally I go for the "free" phone option...

0
1
Boffin

title

I think his point is that android needs a system for patching that doesn't involve upgrading the whole OS in the same way windows update or apt-get upgrade works.

This would allow phone manufacturers or google themselves to release security updates without having to wait for the networks' marketing departments deciding what default wallpaper and crummy apps they want to push on users.

In theory there shouldn't be anything stopping the latest webkit code going into android 1.5 etc.

I'm a bit surprised google didn't plan for this from day 1 as selling phone manufacturers subscriptions to a security update service is an obvious way for them to make money from hardware sales.

1
0
FAIL

I work on IT

So when I leave the office I don't want any more headaches, I want something that works and is secure out of the box. BIG HUGE FAIL for Android. Call me a fanboy if that's the only argument you have...

0
3
Thumb Up

It's funny that...

My contract Desire HD from "three" came with no upfront cost, unbranded and unlocked,

Looks like a stock HTC phone.

So not ALL networks are as bad as Vodafail (Sorry! i mean Vodafone)

1
0
Coat

Muppet

Before you get all smug about your iphone http://www.techeye.net/mobile/iphone-too-insecure-for-a-life-of-crime

I'll get my coat, its the one with HTC desire in the pocket....

0
1
Flame

what floats your boat I guess

I'd rather take the paid for version of the phone on an installment plan. Not only it's branding-free, I'm also free to pop in any SIM I want into the phone- useful for going on holidays and not having to put up with roaming charges (protip: Prepaid cards are typically cheap to own in Asian countries and you can dispose of them once you've depleted your call time and are leaving the country).

0
0
Silver badge
Boffin

@Fraser

Do the sums, Dude! The so-called "free" phones generally cost a couple of hundred quid more than buying SIM-free and getting a SIM-only deal from the network operator of your choice. And so you are paying for the priviledge of getting all the network branding and operator lock-in.

Makes no sense to me at all. If you can't afford the phone, take out a bank loan to pay for it, it'll still work out cheaper.

GJC

1
0
jco
Boffin

Whose patching?

I own an HTC Desire and my wife a Samsung Galaxy S. I see the quality of the software maintenance differs incredibly between those two vendors.

Since both of them use proprietary software or heavy customizations on top of (or inside) Android, I can't see what Google could do to release patches quickly.

Personally, considering Android's fragmentation, I think the only thing Google can do to improve software patching by the various vendors is putting pressure on them on a political (or maybe economical) level...

JMTC, jco

0
0
Anonymous Coward

I just

I just wrote a post without reading yours but I did answer your question.

"I can't see what Google could do to release patches quickly."

With Gingerbread, they're moving an unknown amount of the "default" applications into the Market. Much like how Google Maps now comes pre-installed but can still be updated through the Android Market.

When this happens, application vulnerabilities will be able to be patched as quickly as the vendor can write the code and press 'Publish' in the Android Market.

Core OS vulnerabilities will still need an OTA firmware update and thus the operators to pull their fingers out.

0
0

Android is the windows mobile of 2007

There is nothing you can do. Only way is to do something like Windows Phone 7. Networks don't have the technical expertise and the fragmentation is perpetuated. Unfortunately a mobile is not a PC and locking down certain futures helps the customer.

0
4
Bronze badge

Re:

"Core OS vulnerabilities will still need an OTA firmware update and thus the operators to pull their fingers out."

Another part of Gingerbread/3.0 is the dislocation (not the technical term, but I like it) of the UI from the OS, allowing OEMs to rebrand but not then requiring months of tech work everytime Google release updates.

Strangely, I don't think Google initially expected OEMs to make changes to the UI (HTC's first Sense was like a parasite on to the OS - in a good way), so these changes should benefit everyone.

0
0
Silver badge
Happy

Let's hope Google gets the message and makes Android watertight

These security outings are good - it will either prioritize these shortcomings or shame others into fixing the problems.

Coders shouldn't complain, it's free QC.

0
1
Silver badge

Reinvent the wheel

and you reinvent potholes, detours, traffic jams and all the other problems most operating systems worked out years ago. It happens to Windows every time they need a cash boost.

2
0
Thumb Down

Opera Mini

I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.

0
0
Anonymous Coward

#Opera Mini

>I don't like Opera Mini, but I've just set it to be my G1's default browser. Bah.

Why not just update your G1 to Froyo? CyanogenMod supports it for instance.

0
0
Silver badge

Stupidity, thy name is Samsung. Amongst others.

More reason to pester phone manufacturers to update the free operating system that they don't even have to develop themselves.

0
0
Go

Orange update to 2.2 pretty fast.

And it has a good security model.

1
1
Anonymous Coward

A Comment

This guy's point seems to be based around the patching method used to upgrade the firmware more than anything to do with the vulnerabilities themselves.

“They do a good job of repairing future releases, but I think a better patching system needs to be set up for Android.”

During Google IO 2010, Google stated that with Gingerbread they will be splitting many applications from the OS so that they will be updated through the Android Market separate to the OTA firmware updates. This is intended to help with fragmentation. There was no mention of the browser specifically, but it would be a prime candidate.

My guessing is this guy has seen this and thought "here's my chance". He hasn't said anything new and if the browser is separated in Gingerbread, then his point becomes invalid for Android at least. Does Safari on the iPhone update separate to iOS? (genuine non-iPhone-user question, not flame bait.)

"The bigger point, Keith said, is that most users have no idea their devices are vulnerable to bugs that were patched long ago on other platforms."

Like most Windows users then? (Had to get the boot in somewhere.)

0
0
Badgers

#A comment

>Does Safari on the iPhone update separate to iOS? (genuine non-iPhone-user question, not flame bait.)

Certainly needs to right about now.....

http://blogs.sans.org/appsecstreetfighter/2010/11/08/insecure-handling-url-schemes-apples-ios/

0
0
FAIL

Class action lawsuit?

When this was brought up on Slashdot, someone suggested that in the US people might get together and force the operators/handset manufacturers to provide Android upgrades for longer, by claiming they have suffered harm as a result of the lack of security patches. I find this possibility quite exciting.

These phones aren't anything like the dumbphones the operators are used to selling (where they can just sell you a box with a contract, and two years later sell you another box with a contract) - they are full handheld computers and thus should be supported with security patches at least for an average contract length of time.

1
0
Thumb Up

I LOL'd

Nokia 6510 with a third party battery upgrade for the win.

0
0
Flame

Time to replace the Android icon with a colander

C'mon you know you like 'em flames...

1
1

or

Or a calendar

1
0

There's an opportunity here..

For a developer to write a browser pre-processor to filter out segments of code that are published as known exploits...

0
0
FAIL

Already not news.

As said by others the patching problem has already been addressed by Google using the same methodology that will cure fragmentation, over the next couple of releases Android will become a collection of smaller apps that will all update through the market.

And for anyone saying Android is the new WinMo, you obviously never used WinMo as even the old 1.5 Android actually works out of the box, unlike many of my old WinMo phones.

1
0
Stop

Good point

Actually this bloke makes a good point. With desktop Windows, you have free* patch maintenance and you know you'll have it for years after you purchase the product.

With Android it's a guessing game. I'm still on 1.6, the only way I can upgrade is to do it manually with an unofficial ROM. Vodafone tell me Google control the updates and I occasionally hear rumours that 2.2 is on the way, but then nothing happens. This is the problem with Google branded phones, maybe the situation is better for Android phones that use the manufacturers ROM.

Basically, Google need to clearer about the update process, how long a certain phone will be supported for etc. The updated OS is a strong selling point, but if those updates don't appear then people are going to be put off. It's just too amateur at the moment.

*As in you don't usually need to pay anything on top of the initial price.

0
1
Gold badge

OEMs

Isn't that the point of Android? to shift the burden of maintenance and support onto the OEM.

It's the OEM that builds your Android ROM, licences the Google apps and market place. Google don't have anything to do with your phone (unless you have a Nexus).

Putting the OEMs in charge is good for Google but bad for the phone user. The OEMs spend time building the ROMs, designing the hardware and so on. They get their profit when you buy the phone, after then they get nothing else. So it is not in their interest to prolong your use of the device for any longer than they need to (and certainly not any more than their direct competition).

The difference with the competition is they build the ROMs. Apple build the ROMs for iPhone and Microsoft build the ROMs for Windows Phone 7. So with WP7 your updates are not at the mercy of the OEM. With Apple you get around 2 years of updates based upon the lifespan of the iPhone 2G.

Therefore the two platforms that seem to have a pretty clear update policy are WP7 and iOS. It is only Android which needs to get its act together.

0
0
Zap

Google should thank Apple

Google really should thank Apple. If all of the bugs in Android have formerly appears in Apple it should be much easier to develop a programme to get rid of all the bugs Apple has had. Does anyone know if Windows 7 Mobile is based on the same code!!???

0
0
JDX
Gold badge
Joke

So...

Is this Apple's Fault, or MS'? Or as an outside shout, Adobe... we all know everything is their fault somehow :)

0
0
This topic is closed for new posts.