“Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it,” John Markoff reports for The New York Times.
“One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers,” Markoff reports.
“Mr. Miller, a former National Security Agency computer security specialist, said the flaw could be exploited by an attacker who might trick a G1 user into visiting a booby-trapped Web site,” Markoff reports. “The G1 — the so-called Google phone — went on sale at T-Mobile stores on Wednesday.”
Markoff reports, “The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.”
Full article here.
[Thanks to MacDailyNews Reader “HMCIV” for the heads up.]
MacDailyNews Note: Back in mid-January, The New York Times’ John Markoff reported that Apple CEO Steve Jobs was “skeptical about Google’s decision to develop smartphone software. ‘Having created a phone, it’s a lot harder than it looks,’ he said. ‘We’ll see how good their software is and we’ll see how consumers like it and how quickly it is adopted. I actually think Google has achieved their goal [of seeking not to get locked out of the mobile phone world] without Android, and I now think Android hurts them more than it helps them. It’s just going to divide them and people who want to be their partners.’”
Well, it is an android, half of this, half of that without really being anything whole.
Gee Wally, didn’t the “experts” cry about this same serious flaw with the iPhone when it first came out? What could they be selling?
I don’t like Google. I remain deeply suspicious of their motives and business plans. I consider “Don’t be evil” a marketing ploy for idiots like Cramer et al. and not a “punch a dent in the universe” type of philosophy. However, this is a different issue. Maybe reading the entire article would help you understand that Charles A. Miller, the exposer of this ‘flaw,’ is an attention-seeking ‘expert.’ He pulled the same stunt against Apple earlier. I side with Google on this: he should have allowed Google a bit more time to rectify this issue before rushing to the public with it. It’s just being a bad sport of the reckless kind.
Good news is, Apple is no longer alone in attracting these kinds of attention-seeking twits.
Is Android UNIX based like the iPhone OS?
This type of security issue is possible with any OS. Apple deals with it in the iPhone by preventing installation outside of the App Store.
It is really down to the user to make sure they don’t do anything stupid. Provided that when an install is required the user has to give permission, this type of issue should be limited to people who have yet to learn about proper security.
The serious flaw found in Google’s Android phone OS is that it is NOT an iPhone.
I suspect that will be hard to fix.
“Apple deal with it in the iPhone by preventing installation outside of the App Store.”
You think the app store insulates you from Mobile Safari exploits? The App Store truly is magical technology – in your mind.
I thought that the G1 web browser was based on WebKit, the same package upon which Safari is based.
@ Almost Unbelievable
This exploit for Android relies on the ability of a webpage to install a keystroke-capturing program that can constantly run in the background and capture anything you type.
Webpages can’t install software on the iPhone, so that’s one down. And while you could conceivably install a nefarious app from the App Store, apps can’t run constantly in the background on the iPhone. So this kind of exploit is, indeed, impossible on the iPhone.
Apple very clearly understood what they were doing from a security perspective when they designed the iPhone the way they did. Android’s problems are the result of the way Google designed it, and not an indicator that the iPhone is somehow magically also vulnerable to the same design flaws.
Damn security flaws! Always making it hard for us porn addicts.
@ dan
This has nothing to do with the use of WebKit – it’s a fundamental flaw in the way Google designed the browser and the system around the web browser in Android. (Mobile Safari doesn’t allow downloads, Android’s browser evidently does.)
Heck… if it can beat my iPhone 3G by actually being able to talk to someone without continually dropping calls, then it will be a good start!!!
A serious flaw in all locks is that someone might persuade you to unlock it for them. This is bollocks.
“install a keystroke-capturing program that can constantly run in the background and capture anything you type.”
Only within the browser, because it is sandboxed.
“Webpages can’t install software on the iPhone, so that’s one down”
Unless they exploit a bug in Mobile Safari, duh. The Android exploit uses a now-fixed flaw in the Android browser to install itself.
“Apple very clearly understood what they were doing from a security perspective when they designed the iPhone the way they did.”
No, they did not. They gave NO thought to security in the iPhone version of Mac OS X because Steve told them there would never be a “real” SDK so they built it as if only Apple coded applications would ever be run on the platform directly. Android’s security model with sandboxed Java applications is much stronger than the iPhone’s. Part of the problem with the iPhone is that everything runs as root and can access everything.
So why not come back when you’ve learned something about what you speak of?
I don’t want to be the one to correct you but I am:
Steve knew all along they were going to eventually open up the platform, but regardless, Safari is still an Apple app! Of course that would have to be designed with security built in, open platform or not.
“Part of the problem with the iPhone is that everything runs as root and can access everything.” Um, actually everything cannot access everything, if you would keep yourself informed of the iPhone platform you would learn that this is not how Apple designed it.
I’m done.
The real question remains, which phone is going to fall victim to a widespread exploit first. My guess is it will be the Democrats.
(Aww crap I’m confusing my rants again.)
“Um, actually everything cannot access everything, if you would keep yourself informed of the iPhone platform you would learn that this is not how Apple designed it.”
Not so, that’s the case only if you respect the rules of the SDK and the App store. Voluntary non use of private APIs doesn’t really count as a form of security. Anyway, even if it were, what’s your plan again for getting hackers to do that?
Cue commercial: “Mac vs. Windows”, substitute Android and cell phones.
@More Misconceptions,
“They gave NO thought to security in the iPhone version of Mac OS X because Steve told them there would never be a “real” SDK so they built it as if only Apple coded applications would ever be run on the platform directly…..So why not come back when you’ve learned something about what you speak of?”
Ummm, how do you know that Steve Jobs told the iPhone developers (i.e. Apple employees) that there would never be a real SDK for the iPhone? I’m sure that you aren’t dumb enough to confuse Apple employees with third-party developers, are you? Nowhere have I ever read such a statement from anyone who works at Apple, nor did Steve Jobs ever make such a statement. Actually, when he first discussed third parties developing web apps on the iPhone, he insinuated (and there were leaks from Apple confirming the same) that an iPhone SDK was indeed coming. I don’t think you or anyone else seriously believes that an SDK wasn’t always in the works.
So, YOU please come back when you’ve learned something about what you speak of.
“I don’t think you or anyone else seriously believes that an SDK wasn’t always in the works.”
Believe what you want, but it’s clear security for native applications was one thing that was never part of the iPhone’s design.
You wishing that were different won’t make it different.
“The real question remains, which phone is going to fall victim to a widespread exploit first.”
It depends.
The iPhone has done pretty well so far, for being a high-profile and potentially high-value target. Knock on wood….
It’s not good for the G1 to have such a serious (and basic!) flaw discovered so soon after launch. Surely this should have been caught in testing.
But to be fair to Google, the sky isn’t falling, and I’m sure they’ll resolve things. Every new gadget has its birthing pains.
“The iPhone has done pretty well so far, for being a high-profile and potentially high-value target.”
A similar exploit was shown on the iPhone back in August 2007.
“I’m sure they’ll resolve things”
Yes, they did, already. T-Mobile needs to publish that fix.
@More Misconceptions:
Doesn’t matter one bit if you can do things as root on your normal desktop computer. The iPhone is not a normal desktop computer.
Unlike a desktop computer, the only way to get an application on the iPhone without a jailbreak is to get it from the App Store. The only way to get on the App Store is to follow Apple’s rules, and Apple’s rules clearly include “no privilege escalation”, “no escaping the sandbox”, and “no accessing network ports outside the existing, provided APIs”.
Once you jailbreak the iPhone you’re on your own. You are responsible for your own security. Good luck with that.
So much for Google’s G1 phone.
Apple rules period.
“Once you jailbreak the iPhone you’re on your own”
Who said anything about requiring a jailbroken phone for that exploit I mentioned to work? It worked on the unbroken phone.
“only way to get an application on the iPhone without a jailbreak is to get it from the App Store”
Is it really? Perhaps in a perfect world with no flaws in the iPhone software.
In fact, that kind of Safari exploit was a way by which you could jailbreak a phone. After all, what do you think jailbreaking actually is? It’s using flaws in the iPhone software to gain control beyond what Apple wants you to have.
So, as you now understand, you can exploit a Safari flaw to remotely gain full control of an iPhone. Zeke, when this happens to you, you should send an email to the remote hacker asking him to look after your iPhone security for you. After all, you seem to think that asking people to play by the rules is a good way to ensure security.
But I doubt that they’ll be too accommodating.
More Misconceptions,
“Believe what you want, but it’s clear security for native applications was one thing that was never part of the iPhone’s design. You wishing that were different won’t make it different.”
Way to ignore most of my argument and pick out one insignificant piece of it to comment on. You wishing that my statements were incorrect won’t make them so.