Researchers have disclosed bugs in Google's Android mobile operating system that allow attackers to surreptitiously install malware on users' handsets. The most serious of the two flaws was poignantly demonstrated on Wednesday in a proof-of-concept app that was available in the Google-sanctioned Market. Disguised as an …
Security maturity of Android?
Well, at least I'm hoping that this signifies that most of the bugs are being ironed out... It does reduce my eagerness to buy an Android phone, however.
Meanwhile, whenever I'm basically forced to use Windows, I wonder how many undisclosed bugs would be discovered by any competent security analyst who actually got access to THAT big steaming pile of source code. Just the random blind probing seems to be finding a number of bugs every month (that Microsoft acknowledges by patching). Is there a statistician in the house who can estimate how many bugs are really out there based on the visible rate of extermination?
I hope no one picks the pockets of my Android phone (whenever I do work up enough trust to buy it).
This a very serious vulnerability
And possibly quite obvious as well, since apparently they discovered it just by inspecting the code. So we must assume that Google, in spite of being the self-proclaimed best engineering team in the world, either don't have security experts reviewing the code or their experts are crap. Anyway, I won't be caught dead with an Android phone, there are lots of alternatives, iOS, WinMo, MeeGo, Symbian, BlackBerry OS, QNX...
but secure ones?
Closed-source OS's survive by "security through obscurity" as the OP said. If research teams had the iOS/Windows/WebOS/etc. source, they'd likely find equally critical security issues.
True, Google should feel a bit embarrassed, but at least groups like this are able to find and report such issues.
Re: This a very serious vulnerability
" I won't be caught dead with an Android phone, there are lots of alternatives, iOS, WinMo, MeeGo, Symbian, BlackBerry OS, QNX..."
... and of course none of them have any bugs. I think you'll find security is one area where it's best not to be too smug about someone else's misfortune.
And the fact the source code was publicly available for inspection means this bug has been found, and can be fixed. That's a good thing, in case you were wondering.
Wrath of the droidbois!
Careful now...you'll upset the droidbois with comments like that...I think what you meant to say was:
"Droid is wonderful, beautiful and it is absolutely faultless and perfect in every way - while IOS is the spawn of satan"
Anything *not* on those evangelical lines will get you downvoted...
Yay - 2 downvotes already for me...I incurred the wrath and I have been forsaken!
Expecting to incur the wrath of the rabid gang, I think an issue may be that Apple, Microsoft and Palm all have tight control over software updates in the sense that they can publish an update and be confident it'll be available to all users almost immediately. Google are in the unfortunate position that they don't control software updates further down the channel. So the position is, for many Android phones, that the source code is available allowing people an extra means to find one or more of the many faults that are all but unavoidable in a project of that size, but that pushing fixes is extraordinarily difficult. Look at the number of handsets for which manufacturers have so far failed to supply 2.2. Even high profile devices like the Galaxy S have yet to receive it (next week, apparently), though it hit the Nexus One in June.
I can see the smug smirk. It is not pretty.
I doubt it
He's probably crapping himself...he's got more apps in his walled garden than Android, and now he's wondering if any of those are doing things they shouldn't do...but how can he be sure?
Apple's Walled Garden (app store) is still the best for peace of mind for the user (who mostly aren't technically minded), and a model Google probably grudgingly admires (Cue Droidboi downvotes) for this reason - but it only takes one very-public security scare to shake/destroy that public confidence in Apple's app store.
Nah - I reckon Jobs is definitely worrying about this, or at least about the trend of where it's going (Cue Fanboi downvotes).
Re: I doubt it
"Apples Walled Garden (app store) is still the best for peace of mind for the user"
<Cough> Cydia </Cough>
Cydia, Yeah right
I trust the goons at Apple more than a bunch of hackers who are offering all manner of stuff that may, or may not be infected in some way
If Cydia is installed
the walled garden has already been bulldozed, and Apple's control defeated. Which is why it's done, of course.
And it can be a security hazard - people installing sshd and not changing the default passwords, for example.
Droidbois to the rescue?
Wonder what fanboi-esque rationalization the droidbois will use for this one? And they say apple fanbois are bad...
Slate the Apple walled garden all you like, but you certainly don't hear about iPhones getting rootkitted. Google needs to nip this in the bud and quick...once one of these security/malware stories hits the general press, it won't do Android's market share any favours.
True, but not iOS
That's about MacOS not iOS. Still it does prove the point that there are no 100% systems.
>That's about MacOS not iOS. Still it does prove the point that there are no 100% [safe] systems.
No, just a clique of people who think they use one.
Meanwhile, in the real world...
And that was yesterday.
@ Loyal Commenter
I call Red Herring on that reference.
a) From what I see (and what other commenters noted on that article) this is a feature, not a bug
b) the 3rd party app being called would still need to be malware, which (theoretically) should have been captured by the walled garden gate keepers (ie Apple)
c) The user would still actually need to install the 3rd party app him/herself
But more importantly - what relation has this got to do with Android being root-kitted, or un-vetted apps being installed without user permission? Because iOS is "bad" makes it ok for Android to be *even worse*???
Allow me to clarify:
Firstly, what has been demonstrated is not an Android rootkit. If I understand it correctly, there is a flaw in the permissions token system (which has been patched already) which allows one application to use the tokens from another. The attacker would require control of both apps.
In the case of the iPhone vulnerability, malicious code on a web page can cause an installed app to perform actions which bypass security checks altogether. As a proof of concept, they used an Iframe on a web site to cause Skype to call a phone number (which costs the user money). It could equally apply to ANY third party app. The vulnerability bypasses the controls in that app.
Whilst this is not the same vulnerability, I'd say it was similar in both type and severity.
My point is this; both systems have flaws. The one in Android has been addressed and patched. The one in iOS has not. Just because Apple claim that it's not a flaw does not actually make it any less so.
As a practitioner of the dark art of programming myself, I can assure you that any software of non-trivial complexity will have bugs. The sort of 'my choice of software has fewer bugs than yours' mudslinging that goes around is often disingenuous. What a software company should be judged on is its response to the discovery of such vulnerabilities, specifically what they do to address them, and how quickly.
NB; this bug was found in Android BECAUSE it's open source, the iOS bug was found DESPITE it being closed source. As a rule of thumb, open source software will have had greater scrutiny than closed source, so for every bug found in closed source software, there are statistically likely to be more others still to be found than there would be in the open-source equivalent. This Wikipedia article quite nicely covers the principles here:
Re: AC: @ Loyal Commenter
@ a) It's a feature not a bug? You sound like M$, the same could be argued on the Android bug/issue/flaw/feature as it's using a valid function for an invalid purpose
@ b) No it wouldn't (did you read the article?) it can call a 3rd party app (any of http://handleopenurl.com/scheme?page=1) and get it to do things you may not want, an example would be to call a premium rate number or spam people adverts on Skype.
@ c) No it wouldn't (did you read the article?) it exploits Safari iFrames just by visiting a website which has arbitrary html on it, although I completely accept that you'd need to visit a compromised or malicious website (which are to be fair all too common)
>>But more importantly - what relation has this got to do with Android being root-kitted, or un-vetted apps being installed without user permission? Because iOS is "bad" makes it ok for Android to be *even worse*???
These are not identical platforms, therefore it's not a comparison of better or worse (and that is in fact a matter of opinion) what it highlights is that all OS's have potential issues, of varying degrees, the iPhone and iOS is an exceptional combination with a solid support base, but it's not perfect, with issues around antenna, ability to make unauthorised calls on a locked handset, Safari issues etc. (and of course the premium you pay for it) what is an absolute fact is that if the iPhone was more "open" it would have more issues, this is where Android is, being more "open" it has the potential for more issues, although long-term, Android should be better, it just doesn't have the benefit of security through obscurity that a closed source (like iOS) has.
Don't forget the iPhone design dates back to 2006, the 4G is basically the same phone as the very first iPhone, they've had a lot of time to get it right, just imagine how far Android phones will advance in 5 years.
Given the "age" of Android...
Wiki says the initial release was 21 October 2008. Given its age, a little over two years "in the wild", I think we ought to forgive it some issues. And yes, some of these issues will be serious. So long as it moves forward in the future to improve, for correct me if I'm wrong but 2 years is less than most IE version cycles, less than Windows version cycles, less than...
...get the point?
Disclaimer: I'm not an Android fanboi, don't have anything running it nor have I ever used it. To be frank, I doubt I will for a *long* time, as I find the only thing of any value on a smartphone is the ability to run a web browser so I can check my mail. Other than that, it's... you know... supposed to be a phone.
How many years is enough?
Just shows that the combination of a closed development cycle and a kernel tree separate from the main Linux tree results in holes. It's a development process that has none of the advantages of open source. No peer review until it is too late (you want bugs to be found prior to release) and development under control of one group who may rush it to get it out of the door.
I am a fan
You know these things occur from time to time in all systems. The question is how they handle it. A patch may be developed, but if they only release it as part of 2.3 that won't be good. I showed off my HTC Desire to the Missus and she was conned into a Ericsson, which is still on 1.6 :-(
At the moment Android is held hostage to the handset makers, plus the carriers. So if anything bad does happen, how easy will it be for Google to deploy counter measures?
It's in Google's best interest to sort this out NOW. I'm interested in seeing what transpires.
Yes google is creepy, but once you've lost your virginity...
"As always, we advise users to only install applications they trust."
Hehehe right I know the I like most people want the latest ,best quickest flashiest thing available and I want it YESTERDAY!!!!!!!!!!!!!!!!
" a Google spokesman said. "As always, we advise users to only install applications they trust."
As we say in New Zealand Yeah Right!
Beer glass MMMMmmm Beer
Is still on 2.1 even though froyo's been out for months. I wonder if I phone 'em up and ask if they'll accept responsibility for me getting pwned they'll hurry up with the upgrade - or should I just take the plunge and root. Since Google are giving all their staff a nice rise and Xmas bonus' perhaps they should accept responsibility for anyone getting infected and pay out for any losses.
Also, anyone know if those antivirus apps for android caught those rogue apps, or are they as useless as I suspected all along.
RE: Tony Paulazzo
"Since Google are giving all their staff a nice rise and Xmas bonus' perhaps they should accept responsibility for anyone getting infected and pay out for any losses."
It's got nothing to do with Google, it's your phone maker.
Google made the updates available months ago, if you don't have it then blame your network or the manufacturer for not passing the upgrades to you.
I'm still waiting for 2.1 because of Sony Ericsson taking their time!
Google's response is pathetic, 'we advise users to only install applications they trust' and how are we supposed to do that? Is Google saying not to trust their own Market place?
Not so happy with my Desire HD anymore.
So I guess a fix will be rolled out by O2 in 2014 then? ;)
How do Google plan to roll out a fix? Will it involve patching handsets?
I have a Samsung I7500 Galaxy (is there a Samsung product that doesn't contain the word Galaxy in it?!) but it's still on Android 1.5 because Samsung refuse to update it. If some kind of update to handsets is required I'll certainly not get it.
That's interesting, my Galaxy (Portal/Spica/Lite) had an official 2.1 upgrade, maybe it's your network provider rather than Samsung (or maybe you missed the memo?).
Android security might be the kicker the networks need
I'm usually a rabid Android fanboi but this highlights the platform's major shortcoming - the lack of a viable OS update mechanism like Apple's and Microsoft's (well, for their new OS anyway). This may or may not be a serious issue but there will be others, and unlike Apple users can't update their phones to fix all of them.
Operators and manufacturers need to get out of the mentality that these phones are just boxes they can sell/give away with a contract and then forget about. They're mini computers and security updates should be provided for their expected lifetime.
Google have tried to mitigate the problem somewhat in 2.2 by modularising more of the OS, so you can update certain system components via the marketplace. However this isn't going to be able to fix core OS vulnerabilities that might arise in future. They really need to be thinking about ways of allowing OS upgrades in full - now Android is in the public eye and mindset, and people have an investment in it (through app purchases and now being in Google's ecosystem wrt contacts and calendars etc) it's an ideal time to force the operators and manufacturers to play ball.
Ah, the Cassandras of software development
The only perk of being a security-conscious developer working in a commercial environment is being able to say "Told you so" when all the vulnerabilities you warned about get shipped anyway to meet a market window.
Works for blog comments too.
Hopefully this means they will encourage the phone manufacturers to release updates for all handsets to 2.2.
Somehow I doubt it though, so looks like my Hero is stuck on 2.1 unless I install a generic ROM from somewhere.
The real problem
The real problem here is not that there is a bug in the software, but in reality it is very very unlikely to be fixed in the majority of handsets out there. I have an Orange San Francisco running 2.1, the chances of Orange UK releasing an update to 2.2, or even a bugfix for 2.1, pretty much zero from what I can see. Thankfully we are in contact with the manufacturer and there are also non-Orange UK releases so it may be that the hacking community can save the day on this one, but the retailers and manufacturers really need to think properly about supporting what in effect is a desktop OS in the wild.
It's trivial for GOOGLE to fix, in the current build, possibly in previous builds as well. Handset manufacturers then have to update their code, on phones they already no longer support, and then that code has to propagate through the carriers.
Internally, with CVS and other systems, code is easy to modify. However, when a 3rd party alters code your library is not directly supporting (or has moved past with newer releases of your own) integrating (or even FINDING) the necessary code changes in THEIR code to incorporate into your modified version is very difficult. Not impossible, but it's complicated, time consuming, and can introduce many many new issues and an array of testing, and worse can impact dozens of handsets.
Apple uses a single OS base with minor module or API differences. A fix in a core function is easily ported across all systems. Google's base code is easily modified, but porting that modification across hundreds of unique models, each using an array of hardware, and little of it even compatible with the latest release version, is a mess. There are still dozens of handsets fully compatible with 2.1 or 2.2 that don't have it. Many will NEVER have a 2.x version. If this fix is populated only through let's say N-2 revisions and Google chooses not to patch all the way back to 1.0.
With the open code base, finding a bug is easy. That also means for hackers as well as coders that fix the bug. Apple can release a patch for all iPhones in days, or less if it was REALLY critical, and all anyone needs to do is plug in and it gets it (including a full backup). OTA code updates whack data that is not protected, restore of Android apps post upgrade is a PITA, and that update might take WEEKS to get to your handset even if Google has the patch today.
Also, people "generally" trust what's in the Google marketplace, as it is a policed market on SOME level. That means apps there typically get installed without question, but this is very false security. Apple looks VERY deep into the program operation, including directly questioning why some APIs might be included if there's no obvious NEED (not just a reason, but a NEED), Google skims the surface. Apple can pull an app quick and then only jailbreakers could still get it, Google pulls one and it's available tomorrow in another marketplace, under a new name, still with the same virus in it.
I think Android is a far more powerful platform, more flexible, I think it even looks better (though it needs some UI love and some better design). However, because Google has no direct patch authority, and because carriers are not FORCED to maintain current code bases on all released devices, and push patches within acceptable time frames, having an Android device is very dangerous. Worse, it's literally PUSHED on thousands of consumers who have no business having a device as powerful as it is. There really should be an Android "lite" (or a hidden PRO mode that has to be activated and comes with warnings).
Hackers KNOW planting a virus on Android can take weeks to eradicate, and on some devices will never be removed. Multiple viruses have already gotten through Google's defenses, and the frequency is increasing quickly. Apple is not only harder to get past (deep code inspection), and quicker to patch (no middle men to worry about), but they're also half the market segment now too. Also, putting an app in Apple's store means VALIDATED background checks and easy trails for cops to follow, not so much in Android marketplaces... putting viruses on iOS is dangerous for the hacker, and a much more limited and difficult target. It's not security through obscurity, it's security through trouble and risk and very real protections, and rapid response. It's not worth hackers' trouble with such a rich and easy to exploit target as an alternative.
If ALL device mfrs were required to guarantee continued update support, within 1 week of a google patch release, for all devices sold for +2 years from last date of sale, and forced carriers and device makers to port all "compatible" features of new OS releases (as Apple does, 4.2 runs on everything except gen 1 which is now more than 3 years old, just not all the bells and whistles of it) within 30 days of Google release, then we'd have a platform with better security, and less fragmentation.
Still, even if they got all the manufacturers in line, modularized the entire thing for 3.0 (breaking all existing apps), all they'd do is drive up the cost, and limit the model availability.
My real reason for not diving in though, Sun.... I have a sneaking suspicion we'll be seeing a cease and desist order from a court here, possibly within the year, ordering all code development on Android to stop short of removing every line of Sun's code, and a 1-2 year set back in Android development, and a multi-billion dollar fine, and removal of many core features or functions. Android is very much in violation of very strong patents, it's not a minor sleight, and it's clear and obvious, entire sections of code copied and pasted.... It could very well be pulled from the market entirely. I can't take that risk.
I wonder if Android has a serious future? Google seems to update Android every 4 months and honestly believe every Android handset out there is upgraded to the latest and greatest version of the OS. In reality, Android handsets are released and rarely upgraded, usually only getting 1 version bump before being classed as old. Mobile phone contracts are normally 18 to 24 months and so users are left exposed to all sorts of issues whilst they wait for their contract to renew/expire.
With Android appearing on cheap tablet computers (like Next's one) it's only a matter of time before people (normal non-technical people) are going to associate Android with low quality and no support. Google need to get a grip on their OS before Android is considered a poor person's iPad/iPhone/Windows phone.
oooh, you dared to question the Droid...downvotes for you!
Perfectly reasonable post IMO, but since when does that matter?
Wait - I just did it again too...more downvotes for me!
Re: Cue downvotes
Oh please stfu and stop your downvote whingeing you sad, pathetic fanboi loser.
Re: Re: Cue downvotes
Don't feed the troll
Move along, there's nothing to see here
So, a researcher posts a proof of concept app that highlights a vulnerability in Android that Google are now going to fix.
Sounds quite similar to the recent "weaponization" of the jailbreakme.com exploit that a researcher recently demonstrated as a proof of concept of how a rootkit could be installed silently and without user permission on range of fruit themed telephony devices, which a certain fruit themed manufacturer has already patched. (@ AC 01:19 GMT - see, you do hear about iPhones getting rootkitted! :) )
Seeing a pattern here? Exploit found, exploit published, exploit patched!
Security vulnerabilities exist on *all* platforms, and continue to exist until they are found and patched!
Finally, @AC 01:39 GMT - of course it's easier to find exploits in open source code! Doh! This is one area where closed source has an advantage, but with closed source code you've no idea how good or bad the code quality is whereas with open source you do and you can fix it!
"Android is the single most viable long term platform out there". Stop, you're killing me! Unless, by "long term", you mean the life-cycle of an Android handset before it stops receiving OS updates - you can normally count the number of seconds on one or less finger.
Android is just a poor man's iOS. And iOS as an operating system is pants to start with.
What are *you* afraid of?
"Oh, and for the iPhone fanboys trying to spread FUD about whether Android is a viable long term platform, what's wrong, are you just upset that Android pushed the iPhone into 3rd place last quarter"
I think that this is a perfectly reasonable question to ask of any platform - just ask anyone with a Microsoft KIN phone.
Google make no direct money from Android, so it's not inconceivable that they might just decide to stop development at some point in the future.
Fragmentation is a legitimate concern, just reading the comments on this story shows people running everything from 1.5 to 2.2 and *not* due to personal choice, but due to manufacturers not making newer versions of the OS available.
If you want to see how bad that can get, look at Windows Mobile and Symbian.
Phones are not commodity hardware, if Google stop developing Android, but the community carries it forwards you might be able to buy a new handset and load the new version, but it's unlikely - and even if you can do it most of the other buyers won't be doing it, which puts you straight into the niche part of the userbase.
Most users aren't going out and asking for "an Android handset", they want the "large touchscreen phone that does e-mail and the internet and Facebook". Android phones currently provide that in an affordable package and a variety of designs, but next year that might be WM7 or Symbian^4.
And almost none of the current buyers of Android handsets or iPhones give a flying f*ck.
Take a trip back to 2004, almost no clamshell phones on the market and then Motorola launches the RAZR V3 - it catches the public's imagination and sells in huge numbers. By mid 2005 it's almost impossible to buy a phone that isn't a clamshell, but by 2006 the world is starting to lose interest. 2007, Apple launches the first iPhone and the whole cycle starts all over again.
Please tell me
In what way is Android like iOS?
It's just as clunky and frustrating in use.
That's the meaning about integration vs fragmentation
Unless Google has its own hardware to the mobile operator, it will stay in the PC model without standardized hardware. Is there somewhere a standard handset/tablet, something that even the PC manufacturers could produce as a commodity ?
Apple integrates everything until the user himself (since this one is just another kind of thing) but that also means that the product is entirely dedicated to its purpose.
You can't reach that with the PC model even standardized, cos you still offer a computer to people who just want to enjoy the contents.
That's the first meaning of the fragmentation : the hardware from there, the OS from there and the apps from elsewhere not mentioning the horrors from the mobile operators. It's not a matter of porting and recoding at the first place.
Didn't understand a word of that
"Android handsets are released and rarely upgraded, usually only getting 1 version bump before being classed as old. Mobile phone contracts are normally 18 to 24 months and so users are left exposed to all sorts of issues whilst they wait for their contract to renew/expire."
Smartphones are targeted at the Oooo shiny! crowd. As such they probably upgrade every year or 2 years anyway. People who want to do real work on the move buy a blackberry. People who just want to make phone calls buy a cheap nokia. The rest are just drooling idiots who frankly don't matter in the scheme of things because they'll always come back for me. And that applies to any smartphone user including the iphone.
You, my friend, are a bitter and twisted person. Why would you come into the comments section for an article about smartphones just to berate smartphones? You need to get a grip of your life and take a good look in the mirror before opening your mouth (or y'know, typing and that) to slate others.
I feel sorry for you that you don't know the joys of smartphone ownership.
Hey, look everyone!
It's a Blackberry fanboi!
You don't see many of these in the wild.