Welcome | Sign In
LinuxInsider.com
Bugs

Android Security Flaws Nipped in the Bud

Print Version
E-Mail Article
Reprints
Android Security Flaws Nipped in the Bud

By Katherine Noyes
LinuxInsider
10/13/09 4:00 AM PT

Mobile networks are fast becoming the stomping ground of cyberattackers interested in exploiting vulnerabilities for fun or profit, and Android is not exempt. Google recently patched two flaws in the operating system, thwarting their use in carrying out denial of service attacks.


Time to upgrade your existing phone system?
Which solution will best suit your business? This free 4-part guide will help you evaluate whether your current phone system is suitable for your needs and how it may impact future growth. Learn more.

Two security flaws recently uncovered in Android 1.5 could have enabled malicious denial of service (DoS) attacks on users of the mobile platform, according to an advisory released last week by oCERT, the Open Source Computer Emergency Response Team.

The first of the flaws, which affected Android's handling of SMS, could have allowed a malformed message to disconnect the mobile phone from the cellular network, creating a remote DoS condition, oCERT reported.

That problem was fixed in July, not long before a similar -- and more severe -- issue was identified in Apple's (Nasdaq: AAPL) iPhone platform.

API Issue

The second flaw affects Android's Dalvik application programming interface. Specifically, it was found that a malicious application could potentially be crafted so that if it were downloaded and executed by the user, it would then trigger the vulnerable API function and restart the system.

Google (Nasdaq: GOOG) never actually had any evidence of the existence of such an application, Google spokesperson Jay Nancarrow told LinuxInsider.

The same condition could also occur, however, if a developer were to unintentionally place the vulnerable function where the execution path led to that function call, oCERT reported.

Either way, the result could lead to denial of service, the group asserted.

The patch for the API problem was committed to the open source Android repository in July, and the fix was released to users on Oct. 1.

The SMS issue was fixed in Android versions 1.5 CBDxx, CRCxx and COCxx, while the API issue is addressed in Donut DRC79.

Profit-Driven Motives

The No. 1 motivation behind most attacks seeking to exploit such flaws is pure mischief, Johannes Ullrich, chief technology officer at the SANS Institute, told LinuxInsider.

However, there are also potential profit-driven motives, Ullrich said.

"We've already seen denial of service attacks for profit on traditional phones, such as to shut down a competitor's phones," he noted.

The same could potentially be done to shut down a competitor's cellphones at a trade show, for example, to cut off their ability to take orders, he explained.

Exploiting Trust

Another possible motivation is extortion, Ullrich said.

Online gambling sites have already been affected by such attacks: The attacker threatens to shut down their site on a heavy-traffic day unless they pay a certain sum, he noted. So, again, the same could be done using cellphones instead.

Alternatively, denial of service attacks can also be used to try to exploit trust relationships, Ullrich added.

In such a case, the attacker could shut down a trusted party's phone and then redirect users to a different line and impersonate the trusted party in the process, he explained. That type of exploit could be used to impersonate those who provide validation or entry to a building, for instance, or who reset passwords.

Automatic Updates

Users of Android devices typically receive security updates automatically, Google's Nancarrow pointed out.

"There is a little bit of variability between devices, but for the most part what you'll see is that users would receive a notification on their device about the update," he said.

Downloading the update would then fix the problem on their device.

The Open Advantage

Users of closed platforms -- mobile or otherwise -- are already intimately familiar with security vulnerabilities.

Given Android's status as an open source mobile platform, however, its security track record will be scrutinized closely, with a particular focus on how it compares with that of its closed competitors.

"I think there's valid arguments on both sides," 451 Group analyst Jay Lyman told LinuxInsider, "but in the end, I think the open approach tends to allow a more effective, rapid response."

Faster Fixes

Indeed, Android's open source nature enables faster fixes to problems, agreed Chris Hazelton, research director for mobile and wireless, also with the 451 Group.

When the SMS problem in Apple's iPhone was revealed at the Black Hat conference in July, for example, it took some time before the issue got fixed, Hazelton told LinuxInsider.

"I don't know how good the communication was between Apple and the hacker-consultants, but if that was open source, they could have put their proof out in the open," Hazelton explained, "and you'd have a bunch of different users and groups of users with different motivations for keeping that system secure."

'One Will Jump In and Fix It'

When a single device vendor also owns the operating system, its priorities -- perfectly valid though they may be -- "don't mesh with those of users as well as an open source device that's actually run by users," Hazelton said.

Then, too, there's the idea that the more eyeballs you have focused on a system, the better the security.

"Device vendors, carriers and app developers all want everything to work," Hazelton explained. If a problem arises, "one will jump in and fix it -- and they all can because it's open source," he added.

Depending on where Android users download their applications, there's the potential for security issues to arise in that area, SANS Institute's Ullrich noted.

"In the desktop world, many exploits happen by tricking users into downloading malware," he noted, "so it will depend on how much checking is done."

Fixed 'in a Matter of Days'

Nevertheless, Google is "a big proponent of open source," Google's Nancarrow asserted.

"What we've found is that one of the great benefits of open source is that code can be scrutinized on another level," he explained.

After Android's SMS flaw was discovered by security researchers, for example, "we were able to fix within a matter of days," he said.

An Increasing Threat

Some still have concerns, however.

"An open system can be much more vulnerable to attack both for the device software and the customer data," said telecom analyst Jeff Kagan. "I am sure it will be mostly secure, but there are always customers who will be victims of attacks before the patches are created."

If nothing else, then, it's clear that companies "will have their hands full trying to keep the system secure," Kagan told LinuxInsider.

"We have surprisingly seen very little in the way of these attacks in the wireless world," he noted. "With the explosion of smartphones accelerating, I think we all expect that threat to increase."

Print Version E-Mail Article Reprints More by Katherine Noyes

Talkback: Be the first to comment on this story.

More by Katherine Noyes

Phone-Hater Linus Torvalds Blesses Nexus One
February 09, 2010
Linus Torvalds isn't very interested in using the Nexus One as a phone, but he calls its combination of Google search capability with turn-by-turn navigation a "killer app." The Linux founder has had several phones over the years, but the Nexus One is the first to overcome his prejudice against the devices. His wife may get one too. 		Endeavour Lifts Off to Fit ISS With Giant Observation Deck
February 08, 2010
Endeavour enjoyed a flawless liftoff Monday morning as it began its mission to install the Tranquility node and attached cupola on the ISS. Only four more shuttle missions are scheduled before the program folds later this year. "The space shuttle program was a mistake from the beginning," said Randa Milliron, CEO and cofounder of Interorbital Systems and Trans Lunar Research. 		Open Symbian: New World Order or Big Yawn?
February 08, 2010
Is Symbian finding its way back through FOSS? "Symbian is on its way out," says Martin Espinoza, a blogger at Hyperlogos. "Even Nokia knows it, which is why their flagship product -- the N900 -- is based on Linux." On the other hand, the news "is a fine example of a near monopoly graciously sharing with the world in order to compete fairly and with better products," says blogger Robert Pogson.
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
> Get Business and Technology News Alerts
> Most Popular | Spotlight Features | Exclusives
> This Week on ECT News Network | Podcasts
> WiFi Hotspot Locator
> Inside LinuxInsider
E-Commerce Times
TechNewsWorld
White Papers | Case Studies | Reports
9 Proven Techniques to Double your Sales. Sign up for the free eBook!
From Laid-Off to Entrepreneur: Launching a Web Biz on a Shoestring
The Year in Mac Security 2008
Entering European Markets: A Challenging but Real Opportunity
Rewriting the Startup Handbook
MacNewsWorld
CRM Buyer
Today's LinuxInsider Sponsors
Secure Your Datacenter
Mitigate risk and maximize the benefits of virtualization. Get the free eBook today.
Data Deposit Box Online Storage
Sign up for a 2 week free trial and start earning recurring revenue today.
ECT News Network Information
Reader Services
Corporate
ECT News Network
Terms of Service | Privacy Policy | How To Advertise
Copyright 1998-2010 ECT News Network, Inc. All Rights Reserved.