Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw In Android Web Browser

Posted by timothy on from the more-information-would-be-nice dept.

r writes "The New York Times reports on a security flaw discovered in the new Android phones. The article is light on details, but it hints at a security hole in the browser, allowing for trojans to install themselves in the same security partition as the browser: 'The risk in the Google design, according to Mr. Miller, who is a principal security analyst at Independent Security Evaluators in Baltimore, lies in the danger from within the Web browser partition in the phone. It would be possible, for example, for an intruder to install software that would capture keystrokes entered by the user when surfing to other Web sites. That would make it possible to steal identity information or passwords.'"

6 of 59 comments (clear)

  1. Hmm by tsa · · Score: 5, Insightful

    It seems Mr. Miller doesn't like the Google Phone much. He should have notified Google of the bug and give them time to fix it before going public (as Google states in TFA).

    --

    -- Cheers!

    1. Re:Hmm by Shemmie · · Score: 5, Informative
      I was about to agree with you. However, upon reading their page:

      The Android security architecture is very well constructed and the impact of this attack is somewhat limited by it. A successful attacker will have access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc. They may also change the way the browser works, tricking the user into entering sensitive information. However, they can not control other, unrelated aspects of the phone, such as dialing the phone directly. This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised. For more information on the security of the iPhone, visit ISE's site describing the first exploit of an iPhone security vulnerability here.

    2. Re:Hmm by Shemmie · · Score: 4, Informative
      Oops, left out:

      Working with Google
      Google was notified of this issue on October 20th, 2008. We are working with them to try to get a fix as quickly as possible.

  2. Re:This would be an easy fix... by Anonymous Coward · · Score: 4, Informative

    Erm, the entire source code for Android is now available, so yes, you can download it, fix it, compile it, then flash it onto your phone, or maybe a different phone.

  3. Re:This would be an easy fix... by Anonymous Coward · · Score: 5, Funny

    Did mothafuckas believe they'd be able their own encrypted VPN VoIP applications?

    I think you accidentally a whole verb.

  4. iPhone weak like other smartphones? by alphad0g · · Score: 5, Interesting

    It would be interesting to hear more about this hack as they seem to make a pretty bold and bogus claim in the article:

    "Unlike modern personal computers and other advanced smartphones like the iPhone, the Google phone creates a series of software compartments that limit the access of an intruder to a single application."

    The iPhone is very compartmentalized. That is why there is no cut and paste - all apps are limited to their own directory. Anyone that has jailbroken an iPhone is familiar with how one app can NOT access data in another apps directory unless permissions are changed.

    Anyone else know more about this comment? It is true for WinMo smartphones - no perms at all, but I am pretty sure that the iPhone does not apply. Is this just a dig at apple?