ITPRO

Printed from www.itpro.co.uk


    Security hole in first Google Android phone

As the T-Mobile G1 is set to launch in the UK this week, security researchers discover a vulnerability.

By Nicole Kobie, 28 Oct 2008 at 15:08

The first mobile phone based on Google’s open source Android platform features a security vulnerability, researchers have claimed, days before the T-Mobile device is set to launch in the UK.

Researchers from Independent Security Evaluators (ISE) said the problem occurred because Google didn’t use the most up-to-date versions of the open source packages that make up Android.

“In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version,” wrote the researchers, Charlie Miller, Mark Daniel, and Jake Honoroff.

This is similar in origin to a vulnerability found in Google’s Chrome browser just after it launched, which saw previously fixed holes make it into the final product after old code was used.

According to ISE’s study, the Android security hole has left the web browser vulnerable to exploitation if users visit malware-loaded pages. "It's a standard client-side flaw, where the malicious attacker needs to get the user to go to a site that they control," Honoroff told IT PRO.

But the researchers said Android’s well-constructed architecture limits the impact of the breach. While attackers will be able to access the same information the browser can – such as cookies, saved passwords and autocomplete data – they cannot control the phone itself. "It has to do with sandboxing, where different processes are not allowed to step on each other... so just because you can control the browser doesn't mean you can do anything else," Honoroff explained.

In the research note, ISE added: “This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised.”

The researchers said they would not release any further information until the hole had been patched, adding Google was alerted to the problem last week and is working with the researchers on a fix.

A Google spokesman said: "Google is working on a browser software patch for Android. We are coordinating with T-Mobile on a plan to soon deliver this update over-the-air to customers' G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device."

Last month IT PRO got a first look at the T-Mobile G1.
