Android Security Flaws Nipped in the Bud

Two security flaws recently uncovered in Android 1.5 could have enabled malicious denial of service (DoS) attacks on users of the mobile platform, according to an advisory released last week by oCERT, the Open Source Computer Emergency Response Team.

The first of the flaws, which affected Android’s handling of SMS, could have allowed a malformed message to disconnect the mobile phone from the cellular network, creating a remote DoS condition, oCERT reported.

That problem was fixed in July, not long before a similar — and more severe — issue was identified in Apple’s iPhone platform.

API Issue

The second flaw affects Android’s Dalvik application programming interface. Specifically, it was found that a malicious application could potentially be crafted so that if it were downloaded and executed by the user, it would then trigger the vulnerable API function and restart the system.

Google never actually had any evidence of the existence of such an application, Google spokesperson Jay Nancarrow told LinuxInsider.

The same condition could also occur, however, if a developer unintentionally called the vulnerable function somewhere along an application’s execution path, oCERT reported.

Either way, the result could be a denial of service, the group asserted.

The patch for the API problem was committed to the open source Android repository in July, and the fix was released to users on Oct. 1.

The SMS issue was fixed in Android versions 1.5 CBDxx, CRCxx and COCxx, while the API issue is addressed in Donut DRC79.

Profit-Driven Motives

The No. 1 motivation behind most attacks seeking to exploit such flaws is pure mischief, Johannes Ullrich, chief technology officer at the SANS Institute, told LinuxInsider.

However, there are also potential profit-driven motives, Ullrich said.

“We’ve already seen denial of service attacks for profit on traditional phones, such as to shut down a competitor’s phones,” he noted.

The same could potentially be done to shut down a competitor’s cellphones at a trade show, for example, to cut off their ability to take orders, he explained.

Exploiting Trust

Another possible motivation is extortion, Ullrich said.

Online gambling sites have already been affected by such attacks: The attacker threatens to shut down their site on a heavy-traffic day unless they pay a certain sum, he noted. So, again, the same could be done using cellphones instead.

Alternatively, denial of service attacks can also be used to try to exploit trust relationships, Ullrich added.

In such a case, the attacker could shut down a trusted party’s phone and then redirect users to a different line and impersonate the trusted party in the process, he explained. That type of exploit could be used to impersonate those who provide validation or entry to a building, for instance, or who reset passwords.

Automatic Updates

Users of Android devices typically receive security updates automatically, Google’s Nancarrow pointed out.

“There is a little bit of variability between devices, but for the most part what you’ll see is that users would receive a notification on their device about the update,” he said.

Downloading the update would then fix the problem on their device.

The Open Advantage

Users of closed platforms — mobile or otherwise — are already intimately familiar with security vulnerabilities.

Given Android’s status as an open source mobile platform, however, its security track record will be scrutinized closely, with a particular focus on how it compares with that of its closed competitors.

“I think there’s valid arguments on both sides,” 451 Group analyst Jay Lyman told LinuxInsider, “but in the end, I think the open approach tends to allow a more effective, rapid response.”

Faster Fixes

Indeed, Android’s open source nature enables faster fixes to problems, agreed Chris Hazelton, research director for mobile and wireless, also with the 451 Group.

When the SMS problem in Apple’s iPhone was revealed at the Black Hat conference in July, for example, it took some time before the issue got fixed, Hazelton told LinuxInsider.

“I don’t know how good the communication was between Apple and the hacker-consultants, but if that was open source, they could have put their proof out in the open,” Hazelton explained, “and you’d have a bunch of different users and groups of users with different motivations for keeping that system secure.”

‘One Will Jump In and Fix It’

When a single device vendor also owns the operating system, its priorities — perfectly valid though they may be — “don’t mesh with those of users as well as an open source device that’s actually run by users,” Hazelton said.

Then, too, there’s the idea that the more eyeballs you have focused on a system, the better the security.

“Device vendors, carriers and app developers all want everything to work,” Hazelton explained. If a problem arises, “one will jump in and fix it — and they all can because it’s open source,” he added.

Depending on where Android users download their applications, there’s the potential for security issues to arise in that area, SANS Institute’s Ullrich noted.

“In the desktop world, many exploits happen by tricking users into downloading malware,” he noted, “so it will depend on how much checking is done.”

Fixed ‘in a Matter of Days’

Nevertheless, Google is “a big proponent of open source,” Google’s Nancarrow asserted.

“What we’ve found is that one of the great benefits of open source is that code can be scrutinized on another level,” he explained.

After Android’s SMS flaw was discovered by security researchers, for example, “we were able to fix within a matter of days,” he said.

An Increasing Threat

Some still have concerns, however.

“An open system can be much more vulnerable to attack both for the device software and the customer data,” said telecom analyst Jeff Kagan. “I am sure it will be mostly secure, but there are always customers who will be victims of attacks before the patches are created.”

If nothing else, then, it’s clear that companies “will have their hands full trying to keep the system secure,” Kagan told LinuxInsider.

“We have surprisingly seen very little in the way of these attacks in the wireless world,” he noted. “With the explosion of smartphones accelerating, I think we all expect that threat to increase.”
