“Just days after the T-Mobile G1 smartphone went on the market, a group of security researchers have found what they call a serious flaw in the Android software from Google that runs it,” John Markoff reports for The New York Times.
“One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers,” Markoff reports.
“Mr. Miller, a former National Security Agency computer security specialist, said the flaw could be exploited by an attacker who might trick a G1 user into visiting a booby-trapped Web site,” Markoff reports. “The G1 — the so-called Google phone — went on sale at T-Mobile stores on Wednesday.”
Markoff reports, “The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.”
[Thanks to MacDailyNews Reader “HMCIV” for the heads up.]
MacDailyNews Note: Back in mid-January, The New York Times’ John Markoff reported that Apple CEO Steve Jobs was “skeptical about Google’s decision to develop smartphone software. ‘Having created a phone it’s a lot harder than it looks,’ he said. ‘We’ll see how good their software is and we’ll see how consumers like it and how quickly it is adopted. I actually think Google has achieved their goal [of seeking not to get locked out of the mobile phone world] without Android, and I now think Android hurts them more than it helps them. It’s just going to divide them and people who want to be their partners.'”
Oh yeah. Next time post some reasons for your viewpoint and not just pure speculation.
“Way to ignore most of my argument and pick out one insignificant piece of it to comment on”
What, the piece where you’re totally ignorant about security in the iPhone OS and completely wrong in your comments? Sorry, I thought that was the most relevant piece.
“Jailbreaking” an iPhone requires you to have physical access to the device. To think that you can “jailbreak” an iPhone via a Mobile Safari exploit demonstrates that you have little, if any, actual technical knowledge on the subject.
To help counter, ahem, More Misconceptions ;-), this article helps dispel the “Unavoidable Malware” myth, and this article from back on August 29th is why the discovery of serious security flaws in Android came as no surprise to me (starting at section “But Wait, There’s More (And Less)”).
More Misconceptions,
Actually, I never even used the word “security” in any of my posts. I disagreed with your assertion that Steve Jobs and Apple never intended to create an iPhone SDK. You made a baseless claim and then never backed it up. I assert that an SDK was always in the works – Apple just never talked about it in advance like many things that they do.
“To think that you can “jailbreak” an iPhone via a Mobile Safari exploit demonstrates that you have little, if any, actual technical knowledge on the subject.”
Which explains why in August 2007 researchers were able to exploit a flaw in Safari to run arbitrary code on the iPhone in much the same way as this Android exploit. If you understand the jailbreaking process, the first step is to find a way to execute arbitrary non-Apple-approved code on the phone and expand your access from there. That’s exactly what a browser flaw that lets you execute arbitrary code will allow you to do.
The one difference is once you’re in on the iPhone you can do whatever you like. On Android you can do whatever you like within the browser’s sandbox. Android is much better thought out in this area than the iPhone.
If you think this jailbreaking vector is hypothetical bullshit, you might want to google and read about http://www.jailbreakme.com
Gabriel, you’re the one who doesn’t understand what’s possible. But feel free to keep showing your ignorance.
Wow… I’ve never seen anyone post here under that many names at the same time.
I don’t think the M$ 15,000 buck payment works that way pal.
Processes don’t run anymore as root. They run now under the user account “mobile”.
It’s been working that way since version 1.1.4.
Get informed first dude!
“Get informed first dude!”
Get Informed yourself!
I think that no one has mentioned the ‘KILL SWITCH’ that each iPhone contains, I wonder why they installed one? or maybe I don’t! DO YOU? wonder why?
Is there a kill switch in the Android software? If not, why not?
Is Java a secure platform? If it is, why has Apple inc. consistently refused to allow it onto the iPhone? If this is an oversight by Apple inc. why do you think it is?
If Apple inc do not take advice from the Microsoft’s CEO with regards to licensing their iPhone OS and OSX, considering how much money Microsoft have made off the back of an OEM is that a mistake Apple inc. can afford? If they cannot afford to make mistakes (AAPL) how come they are now better capitalized than Microsoft?
iTunes is the World’s largest online retailer, if iTunes OS is based on OSX & Safari is based on OSX + Webkit as is the iPhone, if you can access & make purchases from iTunes via the iPhone, how come not even one person’s account details have been hacked or accessed from iTunes? or from the iPhone?
Sorry I went ahead of myself! Security for native applications on the iPhone were never in any of Apple inc.’s plans!!!!!!!!!!!!!!!!! Or so some would have us believe!
“One of the researchers, Charles A. Miller, notified Google of the flaw this week and said he was publicizing it now because he believed that cellphone users were not generally aware that increasingly sophisticated smartphones faced the same threats that plague Internet-connected personal computers,”
What he meant to say was “I wanted to publicize myself as being the first one to hack an Android phone and if I waited someone might have beaten me to it”
It is with Google’s Android where security was an afterthought.
Why there is only one store for iPhone Apps? Why is it that no Apps are allowed to run in the background? Why developers have to have their Apps signed? Why the “kill switch”? Why is iPhone a closed platform? Why sandboxing? Why why why???
Android = Windows, it’s a matter of time before that thing gets infested with malware, crapware and viruses. With Android even criminals are allowed to have their nasty Apps in the Android Market, no vetting for you. It is entirely possible that when there are tens of thousands of Apps some malware could take weeks if not months before they get picked up by the Android community putting users at risk.
If you care about security, get an iPhone, Android is a “Swiss” cheese OS.
Oh wow, the first flaw in the Porno Phone, this is not going to be good.
“Is there a kill switch in the Android software? If not, why not?”
Yes, apparently there is.
“Is Java a secure platform? “
What do you actually know about the design goals of Java? You can’t be seriously suggesting that more thought was given to security and safe language constructs in C, C++ and Objective C than in Java?
“why has Apple inc. consistently refused to allow it onto the iPhone?”
By its nature it would not require the app store, and that would cut into Apple’s revenue. The same reason is why Flash or any other language that would allow you to download non app store code is forbidden. Let’s face it, if you’re allowing people to write Objective C code, you certainly can’t claim allowing them to write Java code for the platform would make things any worse from a security perspective.
“how come not even one person’s account details have been hacked or accessed from iTunes? or from the iPhone”
This is not so, a proof of concept attack, remotely through a Safari flaw was shown that gave full access to the iPhone contacts list and any other data on the phone.
“Security for native applications on the iPhone were never in any of Apple inc.’s plans”
Do you know who Dottie Alpine is? Google the name, the result WILL surprise you. Then come back and talk about how much thought the boys at Apple gave to security.
Apple totally underestimated the hacker community, then when it looked like they were going to lose control over the future of iPhone development, rushed out a native SDK.
“how come they are now better capitalized than Microsoft?”
Not unless Microsoft dropped to a 3rd of its value today they aren’t.
“Why there is only one store for iPhone Apps”
So Apple can get their 30% cut. It has nothing to do with security.
“Why is it that no Apps are allowed to run in the background”
That has everyone mystified. It’s certainly not for security reasons, and will be rectified no doubt in future SDKs.
“Why sandboxing?”
Because defense in depth and containing the scope of any exploit is good practice. Lack of sandboxing or any effective compartmentalization of apps in the iPhone is a bad thing, not a good thing.
“Android is a “Swiss” cheese OS.”
It’s just laughable to suggest that the iPhone’s OS design is more secure than Android’s, just laughable. About as funny as claiming that Java was designed without security in mind. But keep the chuckles coming.
Sooooo…that was an interesting read of arguing. Guys seriously you can argue till the world ends about this, whether Mac is better than Windows, whether Obama or McCain will be a better president…blah blah blah, etc. It doesn’t change the fact that YOU ALL ARE GETTING NOWHERE with your argument. An argument is only useful if it persuades the other to change their mind; if it has no effect you wasted your time. That’s why I have stopped arguing with strict Windows supporters, they ain’t changing and neither am I, it’s a waste of my time. Let life take its course.
@ Dottie Alpine, Thank you for your reply. Apparently does not equate to definitely. Google have had the benefit of hindsight from Apple’s development plus the use of Apple’s Webkit. (Google’s CEO sits on Apple’s board, of you know this!).
A Proof of concept is not an attack if no iPhone/iTunes customer has suffered financial loss from their personal information collected and misused.
What value can you attribute to property in today’s economic climate as opposed to cash in the bank?
Does Apple inc. allow franchises to open up shops in their name & image like McDonald does? So why should they franchise the app store model?
Would you work for nothing? If you created a product to which you had the patent, would you give it to the world free? The creator of Linux tried, but he had to enforce his rights to prevent an individual from taking them and charging a licence fee for Linux.
Apps running in the background equate to lower battery life, also, you may accidentally run a product that would run up a very high fee for staying online.
Sandbox…..Is that not a form of security? while you are developing an open system that is secure? The sandbox as you have misunderstood it was a way for developers to create software for the iPhone using Safari before the SDK was tried, tested & complete.
As for your Google check, I did and this is what I came up with, hardly an endorsement for your argument is it? It just confirms that unless your iPhone has been jailbroken, you cannot perform the hack that you suggest is possible, they tried & tried & tried. http://www.modmyi.com/forums/os-x-specific-modding-discussion/14293-unknown-root-password-its-not-dottie-alpine.html
“Google have had the benefit of hindsight from Apple’s development plus the use of Apple’s Webkit.”
Actually it’s the world’s Webkit, Apple didn’t start from scratch.
And as you say, Google had the benefit of hindsight (or some would argue just better sight) to develop a more secure platform.
This is not a discussion about which company’s phone you prefer.
It’s clear you have a brand preference for iPhones. It’s one about which is a more secure design, and that’s Android.
As to Apple’s business models, proprietary vs open, well the market will pass judgment on that, maybe for, maybe against.
As to a vulnerability not being an attack, the only difference is the intent of the person who discovers it. Back before you went to jail for hacking people would launch attacks to show their prowess, now you present your attack at a conference, or if you’re planning to use it for criminal purposes, keep very quiet.
“The sandbox as you have misunderstood it was a way for developers to create software for the iPhone”
It’s pretty clear that you misunderstand the technique and how the word is used in the context of security. Applets in browsers are a form of security sandboxing, but then the iPhone doesn’t support applets in the browser, does it? I don’t know anyone who regards viewing a remote page in a browser with all code run on the server as a security sandboxing technique.
“Apps running in the background equate to lower battery life”
Is it your argument that things that use a lot of battery on the iPhone should be banned? A background app that wakes up every 5 minutes and checks something is not going to use anywhere near the battery and data of Google Maps or Google Earth running in the foreground with the GPS on. So perhaps if battery use is the real problem (it’s not) to protect customers, apps that make the battery go down at more than a certain rate should be banned, whether they run in the foreground or background.
In that case let’s get that resource and bandwidth hog Google Maps off the phone tomorrow.
Personally I’d rather have the option of running a background app that used a little more battery, or even needs to be hooked to a car charger (like Google Maps does if you want to use it continuously) yet did something that was impossible otherwise.
“while you are developing an open system that is secure?”
No, I’m developing for the iPhone dumbass, I’m just not trying to pretend it’s something it’s not.
It is possible to use a platform and appreciate that it has strengths and weaknesses. I understand that’s probably a completely foreign idea to you. But try it, you’ll come across as being smarter when you can intelligently discuss the pros and cons of a platform.
@ Dottie Alpine. The WorldWideWeb was made accessible to the public using NextSteps software.
Who was behind Next & NextStep? Who was where the puck should be before it got there?
Intelligence is nothing if applied badly!
“The WorldWideWeb was made accessible to the public using NextSteps software.”
Not really, a few researchers may have used it that way, in total only 50,000 Next machines were ever sold.
The breakthrough was Netscape on Windows. That’s when millions started using the web. So Netscape stole the puck from Next and actually scored.
Apple then spent a decade or so pucking themselves.
Over that decade, Microsoft took the lead from Netscape, proving that in the end, if you own all the rinks, it doesn’t matter where anyone is skating.
Anyway what does that have to do with iPhone security? The iPhone can break new ground for a mobile device and still be not as well designed from a security point of view as Android.
Please excuse the marketing plug, but I think this is relevant to the discussion. My company, Mocana, just announced a security SDK for Google’s Android platform so that developers can build robust encryption, authentication, VPN, antivirus and antimalware features into Android Handsets. If interested, there’s more here about NanoPhone: http://mocana.com/NanoPhone-Android.html. Thanks for your indulgence.
@ Dottie Alpine, A few researchers??? Do you even know who designed the protocols that all web designers & providers have to follow? The protocols that Netscape used? and everyone else is using and still has to use??? Do you know what IPV stands for? Do you know how many versions of IPV are in existence?
As for the number of NEXT computers that were sold, that is not the issue here, just as the number of OEM’s that Microsoft sells does not equate to the same level of profit that Apple inc attains. The fact is that without NEXT & NextStep, the internet would have come to existence later, very much later.
The point though, because you will not get it even if you sit on it is that those protocols that govern web page development were based on the way NextStep worked.
Do you know how NextStep worked?
“Do you know how NextStep worked?”
Badly, that’s why it’s extinct.
Do you know what SGML is? Do you know the real origins of HTML? Do you know what a simple protocol HTTP is? Do you know you can write a Berners Lee level httpd in about a page of C code? Do you know other than providing an initial primitive implementation how unimportant Next was to the development of the web? To equate the modern web to Berners Lee’s original work would be like comparing your obviously drug addled and walnut sized brain to that of a normal human.
@ Dottie Alpine. You now show your true colours!
I suppose in your opinion Graham Alexander Bell’s invention is primitive & thus unimportant, would the same apply to Marconi? & Paul Gottlieb Nipkow, John Logie Baird, Alexander Flemming, Sir Frank Whittle and finally Charles Babbage.
@ Dottie Alpine, I feel sorry for you so here is some spoonfeeding to keep you healthy! From Wikipedia.
Influence
The first web browser, WorldWideWeb, was developed on the Nextstep platform. Some features and keyboard shortcuts now commonly found in web browsers can be traced to Nextstep conventions. The basic layout options of HTML 1.0 and 2.0 are attributable to those features available in NeXT’s Text class.[1] The game Doom was also largely developed on NeXT machines,[2] as was Macromedia FreeHand, the modern “Notebook” interface for Mathematica, and the advanced spreadsheet Lotus Improv.
About the time of the 3.2 release, NeXT teamed up with Sun Microsystems to develop OpenStep, a cross-platform standard, and implementations of that standard (for Sun Solaris, Microsoft Windows, and NeXT’s version of the Mach kernel), based on Nextstep 3.2. The implementation for NeXT’s version of the Mach kernel was called “Openstep for Mach”; the 4.0 release of that was the successor to Nextstep 3.2. Following an announcement on December 20, 1996,[3] on February 4, 1997, Apple Computer acquired NeXT for $427 million, and used the Openstep for Mach operating system as the basis for Mac OS X.[4]
“I suppose in your opinion Graham Alexander Bell’s invention is primitive & thus unimportant,”
That illustrates a key point about Berners Lee, Next and the Web, it’s hardly unique work or work that required a Next machine. For the telephone Elisha Gray was doing the same thing at the same time with other hardware.
Next’s involvement in the process was as critical as the part that sandhills played in the progress of powered flight.
“would the same apply to Marconi?”
Perhaps the residents of Pontecchio should be credited with that invention because that’s where it occurred.
“Paul Gottlieb Nipkow”
The people of maybe Lauenburg where he was born should be credited with that one.
“John Logie Baird”
Let’s give the credit for that one to the owner of his favorite restaurant.
“Alexander Flemming”
Well that was just an accident.
“Sir Frank Whittle”
The credit for that goes to Coventry.
“Charles Babbage”
Well there’s no question that Babbage invented the Mac, because on planet Crabapple we credit the invention to the first person who did something remotely related to the field, or the inhabitants of the place where something was invented.
Btw congratulations to Ada Lovelace for inventing Objective C and the iPhone SDK.
Congratulations! Augusta Ada King, Countess of Lovelace is indeed the first ever computer programmer.
If Charles Babbage had built his computer, her algorithm would have been able to calculate Bernoulli numbers!
The fact that the US defense department named the computer language they created after her does not mean her algorithm was Objective C, you could at an incredible push claim that her algorithm was the basis for the development of it but you would be hard pushed to prove it since it was written for a mechanical computer as opposed to vacuum tubes, transistors and chips.
As for where she lived, you will be interested to know that that was the birth place of William of Ockham of Occam’s Razor outlined in the fourteenth century. He also happened to be a mathematician as was the Countess of Lovelace five centuries later.
I think you are an intelligent person as you provide credible background to your arguments. Here is a tip for you:- putting words into somebody else’s mouth as a means to discredit their argument only reflects badly on you, it portrays a restless mind that lacks temperament.