Monday, October 27, 2008

T-Mobile Android Has a Vulnerability

Stop the presses. Call your mother. Google Android Mobile (a la T-Mobile G1) has a security issue, you say?

Good news first...
  • Google wrote Android with security in mind (we'd like to think) and its applications run within an isolated "sandbox" type environment
  • So... trojan'ing the browser (which is WebKit-based) means you don't get access to the entire system
  • The wording from the body that discovered the flaw (Independent Security Evaluators, ISE) indicates that there is an existing fix for the flaw (which exists in one of the many open-source packages used)
Now the bad news...
Since most people use the browser on their phone for nearly everything, this means that you can't trust the browser in your phone - thus defeating a vast majority of the functionality people crave.
Perhaps it was the rush to market, or perhaps it was the lack of attention to security - I won't speculate; what I can tell you is that it's obvious security researchers couldn't wait to find a flaw in Android... it sure didn't take long.
Does it mean that you shouldn't buy one? Probably not.
Does it mean that Google's security is bad? Probably not.
Does this mean that Android is just another piece of consumer-ized gadgetry? Absolutely.
