Security hole in first Google Android phone

As the T-Mobile G1 is set to launch in the UK this week, security researchers discover a vulnerability.

The first mobile phone based on Google's open source Android platform features a security vulnerability, researchers have claimed, days before the T-Mobile device is set to launch in the UK.

Researchers from Independent Security Evaluators (ISE) said the problem occurred because Google didn't use the most up-to-date versions of the open source packages that make up Android.

"In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version," wrote the researchers, Charlie Miller, Mark Daniel, and Jake Honoroff.

This is similar in origin to a vulnerability found in Google's Chrome browser just after it launched, which saw previously fixed holes make it into the final product after old code was used.

According to ISE's study, the Android security hole has left the web browser vulnerable to exploit if users visit malware-loaded pages. "It's a standard client-side flaw, where the malicious attacker needs to get the user to go to a site that they control," Honoroff told IT PRO.

But the researchers said Android's well-constructed architecture limits the impact of the breach. While attackers will be able to access the same information the browser can, such as cookies, saved passwords and autocomplete data, they cannot control the phone itself. "It has to do with sandboxing, where different processes are not allowed to step on each other... so just because you can control the browser doesn't mean you can do anything else," Honoroff explained.

In the research note, ISE added: "This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised."

The researchers said they would not release any further information until the hole had been patched, adding Google was alerted to the problem last week and is working with the researchers on a fix.

A Google spokesman said: "Google is working on a browser software patch for Android. We are coordinating with T-Mobile on a plan to soon deliver this update over-the-air to customers' G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device."

Last month IT PRO got a first look at the T-Mobile G1.
