Security Holes In Google's Android SDK

Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform. From the article: 'Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF, and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image-processing libraries, other were introduced by native Android code that uses them or that implements new functionality.'"

yawn

[QuantumG]

Security holes in beta software you say? Wow.

Re:yawn

[Fleet+Admiral]

Outdated software != beta software Please RTFSummary before posting

Re:yawn

[AKAImBatman]

He was referring to Android, not the libraries. :-/

Re:yawn

[nawcom]

"In all, Core Security lists eight different vulnerabilities identified in the Android SDK, which is currently in beta."

Outdated software != beta software Please RTFSummary before posting

Tell yourself that.

This SDK hasn't been completed. Nothing to read here.

Re:yawn

Security holes in beta software you say? Wow.

That would be a valid retort if it weren't for Google's perpetual beta mentality.

Re:yawn

[nacule]

| Security holes in beta software you say? Wow. Maybe this is why they kept gmail in beta till now. Perfect excuse for security holes

Re:yawn

[AmaDaden]

This is why they have a perpetual beta mentality. They know better then to call newly written software done. Public usage with a warning label is a good thing.

Re:yawn

[microbee]

Except that Google's software is always in beta.

Re:yawn

[Nullav]

They know better then to call newly written software done.

So three and a half years is early in the development process? I guess that means Hurd's only 'slightly behind schedule'.
Really, in the hands of Google, the 'beta' tag is only a way to keep things sounding 'hip and new' and to avoid liability when something screws up.

Re:yawn

[Mark3eb]

Isn't Google's software usually in Beta?

Re:yawn

[ceeam]

I don't think that, unlike, for example, WebMail service, you can release a phone model with "Beta" label attached.

Re:yawn

[AmaDaden]

Did you hear what the plans are for android? It's an OS that is designed to fit nearly any phone hardware, to be configurable to anyones liking, AND can run home brewed Java apps. Four years is not a bad time, It is a MASSIVE undertaking. Personally I think that ALL software is severely under tested. It tends to be pushed out the door not because it's ready but because the higher ups want to start making money on it. How many times did you use software that is 'done' but swamped with bugs? That is beta software, even if they don't admit it.

Re:yawn

[hey!]

Except this isn't even beta.

I disagree with the assumption that security holes in beta software aren't serious. Beta -- in software at least -- means that real live users are using it.

However, at this point the software is not available to users; if the problem is that the system uses obsolete implementations for some of its APIs, the open source process has worked the way its supposed to. If the problem is inherent in some important APIs, that's a different kettle of fish.

Still, I expect Android to be a very important mobile platform, so it's news, but it's nothing to crow about/wring your hands over.

Re:yawn

[hal9035]

But we LOVE Google....... cut them slack......

Re:yawn

[Jeremiah+Cornelius]

True.

Also probably planned.

Google is practically a subcontractor for the NSA. Expect a Google phone to be a hotline to the datamine.

Re:yawn

[somersault]

And google mail has been 'beta' for how long? I'm sure nobody will mind a few security holes there, since it's a beta and all. This article isn't a problem as long as they sort it out quickly, but if they do a Microsoft and leave it in for the next few versions, that's when there's a problem.

Re:yawn

and to avoid liability when something screws up. lol, when is the last time you've heard microsoft held liable for their commercial and enterprise products failing?

Re:yawn

[devilspgd]

It looks like they're trying to compete directly with the iPhone, image library buffer overruns and all! Sweet.

I'm not exactly sure how phone software works...

[ZanySpyDude]

If this had been in the final version that was released, is it an easy fix for google or is it a pain in the ass for end consumers to get a fix/upgrade from google?

the point being?

[markybob]

who cares? there are exactly zero phones running android in public (meaning outside of pros testing)...so how does this affect anyone? must be a slow news night

Re:the point being?

[LowlyWorm]

It is true that the issue would not currently matter but smart phone technology will soon be big. Very big. It remains to be seen if Google can successfully make the transition into this area with so much competition from names like Apple, Research In Motion, Nokia, Palm and who knows who else by the time Android goes public.

IMHO Google has done a fairly good job in its software development (which is to say, I have personally had few issues). Being open source at least lets people know there is a problem. They will surly address the issue but there will likely be lots of such problems along the way.

Re:the point being?

[snl2587]

I can't wait until telemarketers start using exploits to take over mobile phones to make mass calls. I can see the phone bills now...

Re:the point being?

[AndGodSed]

And being open source these problems will be sorted out sooner and more effectively.

The exciting thing to me is that this Google project will introduce not only open source software, but open source thinking and open source culture to the masses.

And knowing Google, it will be successful, and being successful it will clear up many of the uninformed stigmas that cling to open source software - hopefully beginning with the kind of FUD that MS spouts.

Re:the point being?

[ajs318]

Except that isn't how Google work. Google only like software being Open Source when it has been written by other people.

Google wouldn't release so much as a single byte of Source Code, if it wasn't for the GPL making them do so. (Where's the Source Code for Picasa? Or Google Earth? Or any of the other "free" [as in, "this dog is free from lice"] software they give away?) In fact, I'm even surprised they're basing Android on Linux and not one of the BSDs. I guess it could just be an image thing, because Linux is much better known.

If Google ever sponsor a GPL project from the ground up, it is only because they want to be able to claim copyright on the code and therefore release it as Caged Software.

Re:the point being?

[LowlyWorm]

Although they are generally tight lipped about it, carriers have traditionally handled responsibility for such exploits. As it becomes easier to "reach out and touch someone" anywhere in the world it will be interesting to see where the axe falls next.

Re:I'm not exactly sure how phone software works..

[AKAImBatman]

It would probably be a bit painful. Many cell phones require you to hook up a transfer cable to install a new set of firmware. Of course, this is a fancy new smartphone OS, so it's possible that Google has devised a software update procedure. However, if they have designed an update procedure, what's to stop attackers from attacking the update procedure? (Methinks that an unauthorized GSM base station is all that's needed for a man-in-the-middle attack...)

Re:Re-using, Re-using, Not re-inventing the wheel,

[QuantumG]

Re-implement it and you'll likely have the exact same problems as this.. or worse.

Who The Hell Is Still Using BMP?

[ewhac]

Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP)

Having had the ignominious privilege of writing a BMP image parser some years ago, I can state without fear of meaningful contradiction that it's one of the worst image file formats ever devised by creatures claiming to be Man, and that it needs to die die die!

PNG does everything BMP does, and does it better. Just throw away the BMP library and save yourself the maintenance headache. No one will miss it.

Schwab

Re:Who The Hell Is Still Using BMP?

[totally+bogus+dude]

But then we couldn't have fun watching images load from the bottom up! It looks so cool and is totally worth a few extra (mega)bytes!

Re:Who The Hell Is Still Using BMP?

[JNighthawk]

It's a fantastic way to learn how to parse and render an image. You get all the basics, plus you get to try and find out why your texture is rendering upside down :-)

Re:Who The Hell Is Still Using BMP?

[Bearhouse]

Why was this modded funny? Give him some 'insightful' points as well guys.

Re:Re-using, Re-using, Not re-inventing the wheel,

[Sentry21]

Re-implement it and you'll likely have the exact same problems as this.. or worse. Specifically, the 'worse' problem you'll have is compatibility with broken implementations and corrupted data.

I've heard it said, as an example, that only 20% of the code in Gecko is to implement a reliable, standards-compliant rendering engine, and the other 80% is to implement workarounds for (sometimes horribly) broken HTML, and recover from what should rightfully be critical errors. I'm not sure if this statistic is accurate (or, if it was when I heard it, if it still is now); however, at a previous position, our (large-scale) software product, developed over the course of the last decade, large, complex, and convoluted, had a similar statistic. Over 80% of the code that we had in our core product was there to deal with bugs in previous code, bugs in other people's products, bugs in how different vendors implemented the standards (i.e. poorly), bugs with corrupted images, and so on.

Think about that for a second; anyone can re-implement a PNG library by reading the specifications and learning how to do the math on the algorithms; there are probably people at Google who could write a complete PNG library in C inside of a week (they DO have some pretty brilliant people working for them). What they CAN'T do is go out and feed into that library all of the broken, corrupted, or just-a-little-bit-off PNG images that are out there on the web that require little tweaks and adjustments (or horrific workarounds) to process, and find all the fixes to all the glitches that end-users might see.

The extensive experience that the libpng developers have had over the lifetime of the project cannot be simply re-implemented from a textbook. THAT is why simply re-writing it is impractical, and THAT is why code re-use is a good thing. Expand that from PNG images out to every other shared library in the project, and 'not invented here' syndrome turns simple and straightforward bllet-point requirements for Android into a large-scale programming project, and makes the whole thing impractical.

Re:Re-using, Re-using, Not re-inventing the wheel,

[AKAImBatman]

Unless you reimplement it in Java. Which Android happens to run. (For the most part, anyway.)

While it's neither here nor there in relation to this story (and wouldn't perform very well, anyway), I just thought it was an interesting observation. Perhaps one day developers will stop looking at Java as a nice sandbox environment for tiny applications and start realizing that there are real benefits to deploying a high-performance JVM. Especially when HotSpot has already been ported to mobile devices...

Re:Re-using, Re-using, Not re-inventing the wheel,

[QuantumG]

And someday people will stop thinking of Java as a panacea for security issues.

Re:Re-using, Re-using, Not re-inventing the wheel,

[AKAImBatman]

For this type of problem? You bet your horse it is. Buffer overflow problems are so 1970's. Can we please move on?

Re:I'm not exactly sure how phone software works..

[Firehed]

Look how the iPhone handles firmware updates - plug in, download, click install. I think it's safe to assume that a Google-supported device is going to be rather heavily standards-based (I can't say I know much about Android), and as such will have a mini-USB port. Why overcomplicate things? As much as I like the idea of having my Google-centric data accessible everywhere over the air, they really need better interoperability in terms of desktop data syncing (Gmail is pretty good that way, but Gcal requires third-party tools, docs - understandably so - is limited to exporting rather than just mounting your Google account as a network drive, and contact management is pretty much worthless as it exists online, let alone syncing to Outlook or Address Book). As such, it's safe to assume that people are going to want to be able to pull that non-syncable data from their computer to their phone which means plugging in or at least WiFi proximity. Handle firmware updates that way. I'd say it's almost easier to infect a computer with a bad HOSTS file pointing androidupdates.google.com to some bad addressed with an apparently-legitimate SSL cert than to carry around a portable cell broadcasting station, but neither constitutes that much of a threat.

Already fixed

[Zach978]

This is already fixed in m5-rc15 which was released yesterday...

Re:Already fixed

[microbee]

Now we know how slow Slashdot editors are.

Re:Already fixed

[initialE]

It's more likely that the hole was reported to the project maintainers before being publicly released, giving them a chance to fix it

Re:Already fixed

[definate]

And so we see the benefits in open source software, a bug was found before it was even out in the wild, and fixed.

Hoorah for google and open source software.

Re:Already fixed

[Zach978]

well, unfortunately the source for Android isn't out yet...so Hoorah for them when they release the source!!

Re:Already fixed

[bandersnatch]

As Marvin the Paranoid Android might say -- Don't Panic

Dumb

[RAMMS+EIN]

That's just dumb. Introducing vulnerabilities in newly developed software is unfortunate, but it happens. Using software with known vulnerabilities when these vulnerabilities have been patched is just dumb. Any clues as to why they did this?

Re:Dumb

[initdeep]

anybody who read the bugtraq submission of the flaws would no that google themselves responded with a comment that they knew they were using old version of the libraries adn that they were planning on updating them in the next release.

They also pointed out that this iss not BETA code, but merely a release of propsed code to allow potential devlopers to add their insights to the project on which direction the code should go on various portions.

The libraries have now been replaced (evidently) with the newer ones, which probably doens't mean a damn thing as there are no currently available public platforms running the software and won't be for a while.

calling this dumb is a bit overkill.

This was a though one

[cachimaster]

But it was fun, to show that even the all-mighty google can make mistakes.
Btw, i dedicate this bug to my Girlfriend that forgive me the long nights that tookme to find and exploit this bug.
I love you glow! :" (She read slashdot daily, my girlfriend is that cool)

This...

[Aegis+Runestone]

Needs more jiggawats.

Oh noes!

[aztektum]

My new smartphone is vulnerable to malicious haxx0rz! Oh wait, it runs Windows Mobile! I'm *so* relieved!!

that's why it's open source

[nguy]

That's why people make software open source.

I think the only thing that bothers me about Android is that the full source code has not been released yet, although Google claims they will be making that available.

you know what this means...

[mahju]

... we can now build a program to hack it and build are own programs! yeah!
I'm going to call it "Gaolbreak"

Re:Re-using, Re-using, Not re-inventing the wheel,

[Evil_Ether]

Do you work for Microsoft?

Re:Re-using, Re-using, Not re-inventing the wheel,

[El+Cabri]

That's why it would be good if many people would re-implement these libs directly from the specs. That would weed out incompatible files. That's one of the points of open architectures that content specifications not be tied to implementation.

People who need uncompressed images.

[achurch]

Sometimes you just don't want your data to be compressed; you want to be able to tell the OS to load the data from storage and have it right there, ready for you to use. Sometimes you just can't afford the overhead of decompression. But PNG, reasonably enough (I suppose) for network graphics, requires all images to be compressed; you can't say "no compression".(*) BMP, on the other hand, is uncompressed by default; aside from the line order problems (which are easily solved by pre-flipping the image), that makes it perfect for cases like these. So that's what PNG doesn't do that BMP does.

(*) You can play games by attaching fake compression headers, sort of like what was done to work around the GIF compression patents. In fact, I did. But at that point, you might as well just use something like BMP which is uncompressed in the first place.

Re:People who need uncompressed images.

But at that point, you might as well just use something like BMP which is uncompressed in the first place.

Tiff would be fine in that case

Re:People who need uncompressed images.

[repka]

Unlike TIFF, BMP is one of the easiest formats to read, on par with formats like PCX and TGA.
Which begs the question: how would you end up with a vulnerability in processing of such format, when validating of your inputs does not require much effort?

Re:People who need uncompressed images.

[LWATCDR]

Not being able to afford the overhead of compression is a pretty rare case. Often you can get around it by pre loading the image. Not saying that an uncompressed format would never be useful but it without a doubt a rare case and not one I can imagine comming up on Android.
But heck if you must use an uncompress format then just us IFF and be done with it :)

Re:Re-using, Re-using, Not re-inventing the wheel,

[AaronLawrence]

No, that would greatly increase the number of incompatible files as all those new implementations created fresh bugs and variations on ambiguous parts of the spec.

Yeah, sure.

You just keep fighting the tide there. Lemme know how it works out. And see if you can roll back to rotary phones too since they clearly have the least sophisticated electronics and therefore are hardest to hack.

Re:I'm not exactly sure how phone software works..

The three phones i've had over the past 10 years have all been reflashed wireless through the cell phone networks. You dial a number, select the upgrade firmware option, wait, the phone turns off, turns back on with new firmware installed. Why would you need to plug it? It is a wireless device, thats why its useful.

Re:Re-using, Re-using, Not re-inventing the wheel,

[LO0G]

Several of the vulnerabilities in libPNG are exploitable integer overflow vulnerabilities. Java does absolutely nothing to stop those vulnerabilities. And even if it does, much of the java runtime is written in C, and is just as vulnerable to buffer overflows.

The grandparent was right: People should stop thinking that somehow interpreted languages (Java, .Net, VB6, etc) are solutions to security problems. All they do is to raise the bar.

Re:Re-using, Re-using, Not re-inventing the wheel,

[AKAImBatman]

Several of the vulnerabilities in libPNG are exploitable integer overflow vulnerabilities. Java does absolutely nothing to stop those vulnerabilities.

Bull. Java will overflow the integer, but how exactly will it result in an underflow or an overflow of a memory buffer if Java does not have pointers? All you have is a negative value. At best you'll cause an IndexArrayOutOfBoundsException when you attempt to access an invalid array location. At worst, the code will detect it as an invalid value and move on.

And even if it does, much of the java runtime is written in C, and is just as vulnerable to buffer overflows.

Oh noes! Not C! That must make it, like, automagically vunlnerables!

Yeah.

The JVM is a design that is logically proven to be 100% absolutely secure. If Java code can reach down and manipulate memory at the level of the JVM, then there is a serious flaw in the JVM's implementation. A flaw that means that it does NOT meet the Java spec. Thankfully, Sun has a Test Kit that checks for compliance before a VM can be called "Java". It does a pretty decent job of ensuring the correctness of a VM.

People should stop thinking that somehow interpreted languages (Java, .Net, VB6, etc) are solutions to security problems. All they do is to raise the bar.

Raising the bar is exactly what I'm talking about. Java is impervious to buffer overflows because it does NOT allow for memory management. Memory management is the responsibility of the JVM.

Oh, and Java is not interpreted. Strike 3, you're out.

Re:Re-using, Re-using, Not re-inventing the wheel,

[ZorbaTHut]

The Web Developer plugin will give you information on every error encountered when rendering the page. I don't know if it has an option to do so loudly, but it certainly wouldn't be hard to modify.

vxWorks

We had a vxWorks sales dog and pony show from WindRiver the other day, and they bragged about their Google Android contract (apparently, Google uses vxWorks Linux - which can be modified to their own needs). I had my laptop open and opened this story just as when they talked about it!

Re:Re-using, Re-using, Not re-inventing the wheel,

Most of the underlying implementations for things like image formats actually use C libraries due to their speed.

That's why they're discussing Hotspot, moron. Hotspot >= Native Code

Bzzt. The same sorts of vulnerabilities are possible each time you take an input that is handled by 'unmanaged' code, like a library written in C and exported via Java classes to your app.

Thus the reason why the entire thread is about writing the fucking libraries in Java. Learn to fucking read, will you?

Re:I'm not exactly sure how phone software works..

[BadBadThing]

I know this is kinda off subject, but I could really use some help. A friends cell phone is showing text messages from my cell phone that I have never sent. I have even got a copy of the cell phone bill showing outgoing text messages and phone calls from my phone. I suspect my friend of 'phreaking' or hacking my cell phone to make this happen. Is this possible? Does anyone know how this could happen?"