Using Android pre 2.2? Feel Like You’re Being Watched? Could Be.

November 8, 2010 - Written By Chris Yackulic

The question that you need to ask yourself as you read this article is, “Do I see the glass as half full or half empty?” I would like to begin by thanking Robert McMillan with ComputerWorld for bringing us this important information. This past Thursday at the HouSecCon security conference in Houston, researcher M. J. Keith with Alert Logic stated that he had written code that exploits a bug in the WebKit browser engine that Android uses.

This code could be used to attack devices that are on Android OS 2.1 and earlier; since Android 2.2 is on only 36.2% of devices, this could be something of a threat. Why is Froyo (2.2) only on 36.2% of devices? Well, that is a story for a whole ‘nother article, but the idea is that in a competitive market each carrier must do something to differentiate itself from the others. What has that created? HTC Sense, Samsung TouchWiz, and MotoBlur for Motorola, also known as fragmentation. Because delivering updates to our devices is the responsibility of the carriers and phone developers rather than a central company (Google), phones receive these updates at different rates, and many older phones may not receive 2.2 or later at all.

What is this WebKit that Android uses for its browsers? WebKit is open-source software that is used by many browsers. The most popular are Chrome and Safari. Although this WebKit flaw is only now coming to light in the Android world, it already existed and had been publicly disclosed. Keith simply altered it and aimed it at Android.

You may be thinking what I thought the first time I read about this subject: “What did that innocent little green Android guy do to him?” Well, it may seem counterintuitive, but he created this attack on Android browsers to help further Android development (what better way to learn how to get somewhere than to get lost?). The hope is that by creating the problem and making it accessible, carriers and Google themselves won’t have a choice but to fix the issues, thus keeping us all a little safer in the long run.

How could your phone become infected with this bug? Keith developed the code so that he could run a relatively simple command line shell in Android when a victim visits a website that contains his attack code.

How dangerous could this be? The good news is that the Android OS is designed to wall off different parts of the operating system from each other. For instance, since this is a browser-based hack, it will not have access to your text messaging or your calling abilities, or root access for those of us who are using rooted phones. It does, however, get full access to your web history and browsing, and your entire SD card is fair game as well.

This past week Coverity did a security audit of the source code of Android’s Linux operating system kernel, turning up a total of 359 potential defects. A quarter of them were high-risk defects that could leave the phone open to an attack similar to Keith’s.

It may be difficult to see the silver lining at this point, so let’s take a look at a few key points.

  1. Natural Progression: The security of Windows and other operating systems has been scrutinized under a magnifying glass for years. It can only mean good things for the Android operating system to be getting this much and this type of attention.
  2. Realize that although this is a dangerous manipulation of the operating system, it was discovered and shown for a good reason. Better that it come to light and get a solution in the works than stay in the dark with a truly malicious hacker using it.
  3. More weakness created by fragmentation, anyone?  Android enthusiasts have wanted Google to take a stronger stance over Android’s implementation differences for quite some time, removing some of the carriers’ options.  This would reduce fragmentation, thus reducing security risks and making for easier application development, amongst other things.

This isn’t the most pleasant of subjects for Android enthusiasts, but it’s a necessary evil. I would love to hear any opinions or input you may have on this subject; leave a comment! Is the glass half full or half empty? Did Keith approach this the right way? Is this going to damage the public view of Android?

Again thanks go to Robert McMillan at ComputerWorld for supplying this important information!