Android security hole no big deal after all

When is a serious security hole in a mobile OS not so serious? When it's in Google's Android, experts say. While the problem in Android publicized by security researcher Charlie Miller at the recent ShmooCon hacker conference in D.C. seemed dangerous at first, the actual ramifications for Android G1 users are pretty small due to the way the OS is architected. And now, even Miller has backtracked from his initial dire warnings.

eWeek reports that Miller changed his mind about the bug's severity when he considered the sandbox approach Android takes with its applications. Each application runs in its own space, or sandbox, completely separate from every other application. Miller's bug affects some open source code developed by PacketVideo within Android's multimedia subsystem. In a traditional mobile OS, such a vulnerability could easily lead to a compromised browser, hence the dire warnings. But not so with Android, Miller says:

“While the bug can be activated by the browser, the actual code that would be executed by a successful attack would run in the media player, not the browser,” he said. “This means it would live in the media player sandbox and not the browser sandbox, and would presumably have different capabilities. I haven't actually investigated the media player sandbox at this point so I can't say for sure. This makes the bug less dangerous than I thought,” he concluded.

And that explains Google's less-than-harried response to the bug. According to a timeline provided by Google to ReadWriteWeb, Miller informed Google of the hole on Jan. 21, and Google informed PacketVideo, which in turn came up with a patch on Feb. 5. Google patched the open source Android two days later, just in time for Miller's scheduled talk at the hacker conference. But still, the patch has yet to go out to the general public. Google says it's leaving that part up to "T-Mobile's discretion." T-Mobile is currently distributing the latest firmware update to the G1, so it probably has its hands full right now, but the expectation is that the carrier will send out the patch as soon as possible.

The upshot? Android users are probably safe, as long as they exercise some common sense in the interim. As the AndroidGuys advise:

If you have to question something, then don’t mess with it. Don’t open email from people you don’t trust and don’t visit sites you aren’t too keen on. And for Android apps, don’t install a card game that wants to access your phone book, unless you know why.

Good advice, even after the patch arrives.

* * *


Copyright © 2009 IDG Communications, Inc.
