Android mobile has a security vulnerability
The first vulnerability for the Android-based T-Mobile G1 has been disclosed, only a few days after T-Mobile put the long-awaited device on sale. Security experts from Independent Security Evaluators (ISE) found a serious security risk in the software developed for it by Google. A visit to a crafted web site with an Android mobile phone could enable an attacker to inject his own code and run it. ISE claims to have developed a reliable exploit to take advantage of this vulnerability and says the cause of the problem is that Google used an outdated version of a particular open source package, but it has not yet given more details.
The injected code runs only with the browser's rights, so an attacker doesn't get complete control of the phone. Google's approach with its Android operating system is to separate each application from the main system by running it in its own sandbox, thus isolating possible security vulnerabilities. ISE says that, despite this, a trojan can be installed in the memory space of the browser, which is a derivative of WebKit, giving an attacker "access to any information the browser may use, such as cookies used for accessing sites, information put into web application form fields, saved passwords, etc."
Google has been informed of the problem and says it has already eliminated it in an open source version of the browser. T-Mobile has not alerted G1 customers to the problem, but Google says it will be preparing an update for the T-Mobile device.
- Exploiting Android, report by Independent Security Evaluators