Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Holes In Google's Android SDK

Posted by Zonk on from the patchy-the-leaky-robot dept.

Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform. From the article: 'Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF, and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image-processing libraries, other were introduced by native Android code that uses them or that implements new functionality.'"

22 of 77 comments (clear)

  1. yawn by QuantumG · · Score: 4, Insightful

    Security holes in beta software you say? Wow.

    --
    How we know is more important than what we know.
    1. Re:yawn by AKAImBatman · · Score: 2, Informative

      He was referring to Android, not the libraries. :-/

      --
      Javascript + Nintendo DSi = DSiCade
    2. Re:yawn by Anonymous Coward · · Score: 5, Insightful

      Security holes in beta software you say? Wow.

      That would be a valid retort if it weren't for Google's perpetual beta mentality.

    3. Re:yawn by nacule · · Score: 2, Funny

      | Security holes in beta software you say? Wow. Maybe this is why they kept gmail in beta till now. Perfect excuse for security holes

    4. Re:yawn by AmaDaden · · Score: 2, Insightful

      This is why they have a perpetual beta mentality. They know better then to call newly written software done. Public usage with a warning label is a good thing.

    5. Re:yawn by Nullav · · Score: 4, Insightful

      They know better then to call newly written software done.
      So three and a half years is early in the development process? I guess that means Hurd's only 'slightly behind schedule'.
      Really, in the hands of Google, the 'beta' tag is only a way to keep things sounding 'hip and new' and to avoid liability when something screws up.
      --
      I just read Slashdot for the articles.
    6. Re:yawn by AmaDaden · · Score: 4, Insightful

      Did you hear what the plans are for android? It's an OS that is designed to fit nearly any phone hardware, to be configurable to anyones liking, AND can run home brewed Java apps. Four years is not a bad time, It is a MASSIVE undertaking. Personally I think that ALL software is severely under tested. It tends to be pushed out the door not because it's ready but because the higher ups want to start making money on it. How many times did you use software that is 'done' but swamped with bugs? That is beta software, even if they don't admit it.

  2. I'm not exactly sure how phone software works... by ZanySpyDude · · Score: 3, Interesting

    If this had been in the final version that was released, is it an easy fix for google or is it a pain in the ass for end consumers to get a fix/upgrade from google?

  3. Re:I'm not exactly sure how phone software works.. by AKAImBatman · · Score: 2, Insightful

    It would probably be a bit painful. Many cell phones require you to hook up a transfer cable to install a new set of firmware. Of course, this is a fancy new smartphone OS, so it's possible that Google has devised a software update procedure. However, if they have designed an update procedure, what's to stop attackers from attacking the update procedure? (Methinks that an unauthorized GSM base station is all that's needed for a man-in-the-middle attack...)

    --
    Javascript + Nintendo DSi = DSiCade
  4. Re:Re-using, Re-using, Not re-inventing the wheel, by QuantumG · · Score: 3, Insightful

    Re-implement it and you'll likely have the exact same problems as this.. or worse.

    --
    How we know is more important than what we know.
  5. Who The Hell Is Still Using BMP? by ewhac · · Score: 5, Funny

    Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP)

    Having had the ignominious privilege of writing a BMP image parser some years ago, I can state without fear of meaningful contradiction that it's one of the worst image file formats ever devised by creatures claiming to be Man, and that it needs to die die die!

    PNG does everything BMP does, and does it better. Just throw away the BMP library and save yourself the maintenance headache. No one will miss it.

    Schwab

    --
    Editor, A1-AAA AmeriCaptions
    1. Re:Who The Hell Is Still Using BMP? by totally+bogus+dude · · Score: 3, Funny

      But then we couldn't have fun watching images load from the bottom up! It looks so cool and is totally worth a few extra (mega)bytes!

    2. Re:Who The Hell Is Still Using BMP? by JNighthawk · · Score: 2, Funny

      It's a fantastic way to learn how to parse and render an image. You get all the basics, plus you get to try and find out why your texture is rendering upside down :-)

      --
      Wheel in the sky keeps on turnin'.
  6. Re:Re-using, Re-using, Not re-inventing the wheel, by Sentry21 · · Score: 5, Insightful

    Re-implement it and you'll likely have the exact same problems as this.. or worse. Specifically, the 'worse' problem you'll have is compatibility with broken implementations and corrupted data.

    I've heard it said, as an example, that only 20% of the code in Gecko is to implement a reliable, standards-compliant rendering engine, and the other 80% is to implement workarounds for (sometimes horribly) broken HTML, and recover from what should rightfully be critical errors. I'm not sure if this statistic is accurate (or, if it was when I heard it, if it still is now); however, at a previous position, our (large-scale) software product, developed over the course of the last decade, large, complex, and convoluted, had a similar statistic. Over 80% of the code that we had in our core product was there to deal with bugs in previous code, bugs in other people's products, bugs in how different vendors implemented the standards (i.e. poorly), bugs with corrupted images, and so on.

    Think about that for a second; anyone can re-implement a PNG library by reading the specifications and learning how to do the math on the algorithms; there are probably people at Google who could write a complete PNG library in C inside of a week (they DO have some pretty brilliant people working for them). What they CAN'T do is go out and feed into that library all of the broken, corrupted, or just-a-little-bit-off PNG images that are out there on the web that require little tweaks and adjustments (or horrific workarounds) to process, and find all the fixes to all the glitches that end-users might see.

    The extensive experience that the libpng developers have had over the lifetime of the project cannot be simply re-implemented from a textbook. THAT is why simply re-writing it is impractical, and THAT is why code re-use is a good thing. Expand that from PNG images out to every other shared library in the project, and 'not invented here' syndrome turns simple and straightforward bllet-point requirements for Android into a large-scale programming project, and makes the whole thing impractical.
  7. Re:Re-using, Re-using, Not re-inventing the wheel, by AKAImBatman · · Score: 2, Interesting

    Unless you reimplement it in Java. Which Android happens to run. (For the most part, anyway.)

    While it's neither here nor there in relation to this story (and wouldn't perform very well, anyway), I just thought it was an interesting observation. Perhaps one day developers will stop looking at Java as a nice sandbox environment for tiny applications and start realizing that there are real benefits to deploying a high-performance JVM. Especially when HotSpot has already been ported to mobile devices...

    --
    Javascript + Nintendo DSi = DSiCade
  8. Re:Re-using, Re-using, Not re-inventing the wheel, by AKAImBatman · · Score: 3, Informative

    For this type of problem? You bet your horse it is. Buffer overflow problems are so 1970's. Can we please move on?

    --
    Javascript + Nintendo DSi = DSiCade
  9. Re:I'm not exactly sure how phone software works.. by Firehed · · Score: 2, Interesting

    Look how the iPhone handles firmware updates - plug in, download, click install. I think it's safe to assume that a Google-supported device is going to be rather heavily standards-based (I can't say I know much about Android), and as such will have a mini-USB port. Why overcomplicate things? As much as I like the idea of having my Google-centric data accessible everywhere over the air, they really need better interoperability in terms of desktop data syncing (Gmail is pretty good that way, but Gcal requires third-party tools, docs - understandably so - is limited to exporting rather than just mounting your Google account as a network drive, and contact management is pretty much worthless as it exists online, let alone syncing to Outlook or Address Book). As such, it's safe to assume that people are going to want to be able to pull that non-syncable data from their computer to their phone which means plugging in or at least WiFi proximity. Handle firmware updates that way. I'd say it's almost easier to infect a computer with a bad HOSTS file pointing androidupdates.google.com to some bad addressed with an apparently-legitimate SSL cert than to carry around a portable cell broadcasting station, but neither constitutes that much of a threat.

    --
    How are sites slashdotted when nobody reads TFAs?
  10. Already fixed by Zach978 · · Score: 5, Informative

    This is already fixed in m5-rc15 which was released yesterday...

    --

    "I told you a million times not to exaggerate!"
    1. Re:Already fixed by Zach978 · · Score: 2, Insightful

      well, unfortunately the source for Android isn't out yet...so Hoorah for them when they release the source!!

      --

      "I told you a million times not to exaggerate!"
  11. that's why it's open source by nguy · · Score: 4, Interesting

    That's why people make software open source.

    I think the only thing that bothers me about Android is that the full source code has not been released yet, although Google claims they will be making that available.

  12. Re:Re-using, Re-using, Not re-inventing the wheel, by AKAImBatman · · Score: 2, Interesting

    Several of the vulnerabilities in libPNG are exploitable integer overflow vulnerabilities. Java does absolutely nothing to stop those vulnerabilities.
    Bull. Java will overflow the integer, but how exactly will it result in an underflow or an overflow of a memory buffer if Java does not have pointers? All you have is a negative value. At best you'll cause an IndexArrayOutOfBoundsException when you attempt to access an invalid array location. At worst, the code will detect it as an invalid value and move on.

    And even if it does, much of the java runtime is written in C, and is just as vulnerable to buffer overflows.
    Oh noes! Not C! That must make it, like, automagically vunlnerables!

    Yeah.

    The JVM is a design that is logically proven to be 100% absolutely secure. If Java code can reach down and manipulate memory at the level of the JVM, then there is a serious flaw in the JVM's implementation. A flaw that means that it does NOT meet the Java spec. Thankfully, Sun has a Test Kit that checks for compliance before a VM can be called "Java". It does a pretty decent job of ensuring the correctness of a VM.

    People should stop thinking that somehow interpreted languages (Java, .Net, VB6, etc) are solutions to security problems. All they do is to raise the bar.
    Raising the bar is exactly what I'm talking about. Java is impervious to buffer overflows because it does NOT allow for memory management. Memory management is the responsibility of the JVM.

    Oh, and Java is not interpreted. Strike 3, you're out.

    --
    Javascript + Nintendo DSi = DSiCade
  13. Re:Dumb by initdeep · · Score: 2, Informative

    anybody who read the bugtraq submission of the flaws would no that google themselves responded with a comment that they knew they were using old version of the libraries adn that they were planning on updating them in the next release.

    They also pointed out that this iss not BETA code, but merely a release of propsed code to allow potential devlopers to add their insights to the project on which direction the code should go on various portions.

    The libraries have now been replaced (evidently) with the newer ones, which probably doens't mean a damn thing as there are no currently available public platforms running the software and won't be for a while.

    calling this dumb is a bit overkill.