Welcome | Sign In
CRMBuyer.com
Bugs

Android Security Flaws Nipped in the Bud

Print Version
E-Mail Article
Reprints
Android Security Flaws Nipped in the Bud

By Katherine Noyes
LinuxInsider
Part of the ECT News Network
10/13/09 4:00 AM PT

Mobile networks are fast becoming the stomping ground of cyberattackers interested in exploiting vulnerabilities for fun or profit, and Android is not exempt. Google recently patched two flaws in the operating system, thwarting their use in carrying out denial of service attacks.


eMarketer Whitepaper: Optimizing the E-Commerce Experience
From the Web to the Contact Center, are you prepared to proactively engage and keep your savvy customers? Read how e-commerce leaders are optimizing their sites with ratings, reviews, live help, Web analytics, mobile and more.

Two security flaws recently uncovered in Android 1.5 could have enabled malicious denial of service (DoS) attacks on users of the mobile platform, according to an advisory released last week by oCERT, the Open Source Computer Emergency Response Team.

The first of the flaws, which affected Android's handling of SMS, could have allowed a malformed message to disconnect the mobile phone from the cellular network, creating a remote DoS condition, oCERT reported.

That problem was fixed in July, not long before a similar -- and more severe -- issue was identified in Apple's (Nasdaq: AAPL) iPhone platform.

API Issue

The second flaw affects Android's Dalvik application programming interface. Specifically, it was found that a malicious application could potentially be crafted so that if it were downloaded and executed by the user, it would then trigger the vulnerable API function and restart the system.

Google (Nasdaq: GOOG) never actually had any evidence of the existence of such an application, Google spokesperson Jay Nancarrow told LinuxInsider.

The same condition could also occur, however, if a developer were to unintentionally place the vulnerable function where the execution path led to that function call, oCERT reported.

Either way, the result could lead to denial of service, the group asserted.

The patch for the API problem was committed to the open source Android repository in July, and the fix was released to users on Oct. 1.

The SMS issue was fixed in Android versions 1.5 CBDxx, CRCxx and COCxx, while the API issue is addressed in Donut DRC79.

Profit-Driven Motives

The No. 1 motivation behind most attacks seeking to exploit such flaws is pure mischief, Johannes Ullrich, chief technology officer at the SANS Institute, told LinuxInsider.

However, there are also potential profit-driven motives, Ullrich said.

"We've already seen denial of service attacks for profit on traditional phones, such as to shut down a competitor's phones," he noted.

The same could potentially be done to shut down a competitor's cellphones at a trade show, for example, to cut off their ability to take orders, he explained.

Exploiting Trust

Another possible motivation is extortion, Ullrich said.

Online gambling sites have already been affected by such attacks: The attacker threatens to shut down their site on a heavy-traffic day unless they pay a certain sum, he noted. So, again, the same could be done using cellphones instead.

Alternatively, denial of service attacks can also be used to try to exploit trust relationships, Ullrich added.

In such a case, the attacker could shut down a trusted party's phone and then redirect users to a different line and impersonate the trusted party in the process, he explained. That type of exploit could be used to impersonate those who provide validation or entry to a building, for instance, or who reset passwords.

Automatic Updates

Users of Android devices typically receive security updates automatically, Google's Nancarrow pointed out.

"There is a little bit of variability between devices, but for the most part what you'll see is that users would receive a notification on their device about the update," he said.

Downloading the update would then fix the problem on their device.

The Open Advantage

Users of closed platforms -- mobile or otherwise -- are already intimately familiar with security vulnerabilities.

Given Android's status as an open source mobile platform, however, its security track record will be scrutinized closely, with a particular focus on how it compares with that of its closed competitors.

"I think there's valid arguments on both sides," 451 Group analyst Jay Lyman told LinuxInsider, "but in the end, I think the open approach tends to allow a more effective, rapid response."

Faster Fixes

Indeed, Android's open source nature enables faster fixes to problems, agreed Chris Hazelton, research director for mobile and wireless, also with the 451 Group.

When the SMS problem in Apple's iPhone was revealed at the Black Hat conference in July, for example, it took some time before the issue got fixed, Hazelton told LinuxInsider.

"I don't know how good the communication was between Apple and the hacker-consultants, but if that was open source, they could have put their proof out in the open," Hazelton explained, "and you'd have a bunch of different users and groups of users with different motivations for keeping that system secure."

'One Will Jump In and Fix It'

When a single device vendor also owns the operating system, its priorities -- perfectly valid though they may be -- "don't mesh with those of users as well as an open source device that's actually run by users," Hazelton said.

Then, too, there's the idea that the more eyeballs you have focused on a system, the better the security.

"Device vendors, carriers and app developers all want everything to work," Hazelton explained. If a problem arises, "one will jump in and fix it -- and they all can because it's open source," he added.

Depending on where Android users download their applications, there's the potential for security issues to arise in that area, SANS Institute's Ullrich noted.

"In the desktop world, many exploits happen by tricking users into downloading malware," he noted, "so it will depend on how much checking is done."

Fixed 'in a Matter of Days'

Nevertheless, Google is "a big proponent of open source," Google's Nancarrow asserted.

"What we've found is that one of the great benefits of open source is that code can be scrutinized on another level," he explained.

After Android's SMS flaw was discovered by security researchers, for example, "we were able to fix within a matter of days," he said.

An Increasing Threat

Some still have concerns, however.

"An open system can be much more vulnerable to attack both for the device software and the customer Increase Customer Sales with Email Marketing -- Free Trial from VerticalResponse data," said telecom analyst Jeff Kagan. "I am sure it will be mostly secure, but there are always customers who will be victims of attacks before the patches are created."

If nothing else, then, it's clear that companies "will have their hands full trying to keep the system secure," Kagan told LinuxInsider.

"We have surprisingly seen very little in the way of these attacks in the wireless world," he noted. "With the explosion of smartphones accelerating, I think we all expect that threat to increase."

Print Version E-Mail Article Reprints More by Katherine Noyes

Talkback: Be the first to comment on this story.

More by Katherine Noyes

FOSS and the Google Question
November 19, 2009
How FOSSy is Google, really? "I find it kinda funny that folks tout that Google uses Linux when the most useful tool they have developed -- the Google FS -- they keep internally and therefore don't have to share the code!" observed Slashdot blogger hairyfeet. "So how exactly is Google different from MSFT and Apple, who have both in the past locked up free code for themselves?" 		Can T-Mobile Get Its Groove Back?
November 18, 2009
T-Mobile may have a hard time pulling itself out of a swamp of customer discontent if it doesn't reverse course soon. The wireless carrier has been having some bad luck that has only been compounded by some poor decisions. "It takes a long time and much effort to build customer confidence, but a very short time to lose it," remarked telecom analyst Jeff Kagan. 		Microsoft Goof - One Small Snag in a Code-Licensing Quagmire
November 17, 2009
Microsoft will open source the code to a Windows 7 tool in order to rectify the erroneous inclusion of code licensed under the GPL. Redmond's response to the problem "does indicate a growing maturity with respect to free and open source licenses," said RedMonk analyst Stephen O'Grady.
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
> Get Business and Technology News Alerts
> Most Popular | Spotlight Features | Exclusives
> This Week on ECT News Network | Podcasts
> Inside CRM Buyer
CRM Buyer
E-Commerce Times
TechNewsWorld
LinuxInsider
MacNewsWorld
Today's CRM Buyer Sponsors
Vertical Response Email Marketing!
Sign up for your Free Trial today and send 100 emails on us!
Complimentary Webinar
How Much is 'Free' Costing You? DaveRamsey.com’s 567% ROI with Enterprise Analytics
Avaya Aura™
Save up to 40% on calling costs with Avaya Aura™
Trend Micro Smart Protection Network(TM)
Lower your content security management costs by up to 40%.
ECT News Network Information
Reader Services
Corporate
ECT News Network
Terms of Service | Privacy Policy | How To Advertise
Copyright 1998-2009 ECT News Network, Inc. All Rights Reserved.