Friday, February 13, 2009

Android Vulnerability: Is the phone Web Browser really dangerous ?

Sarah Perez writes 
"Android Vulnerability So Dangerous, Owners Warned Not To Use Phone's Web Browser". According to Washington DC Security researcher, a new vulnerability in Google's mobile OS Android allows hackers to remotely take control of the phone's web browser and related processes. 

But, wait let's take a closer look at how an Android phone can be compromised.  If an Android user does not utilize the media server functionality when using its web browser, can he still be at risk?  According to Rich Cannings, Android Security Engineer, the Android mediaserver uses OpenCore and works within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS and the dialer.  He further notes that the Android vulnerability is limited to the mediaserver and could only exploit actions the mediaserver performs such as listen to and alter some audio and visual media.

"Both vulnerabilities could have been prevented if Android had the ability to block malicious code from executing in memory."  One of the ways, this can be prevented is by the use of a class file verifier similar to the J2ME verifier, which could ensure that the Android bytecodes (.dex files) do not contain illegal instructions, cannot be executed in an illegal order and do not contain references to invalid memory locations, etc.

Bookmark and Share

1 comment:

deccandude said...

This is interesting news, especially for a QA engineer like me - I would have loved to uncover this hole. Unfortunately I was not testing G1 phones - deep in my heart, I wish I was. I am positive that G2 might have a fix to this vulnerability or else folks might just stick with their blackberries or iPhones.