Topic: Android

Research firm: Google Android SDK has multiple vulnerabilities

Summary: Google's Android SDK is facing multiple vulnerabilities that are remotely exploitable, according to Core Security Technologies.In an advisory, Core Security noted heap and interflow overflow issues with Android and reserved eight CVE identifiers.

By Larry Dignan for Zero Day | March 4, 2008 -- 13:45 GMT (05:45 PST)

Follow @ldignan

Google's Android SDK is facing multiple vulnerabilities that are remotely exploitable, according to Core Security Technologies.

In an advisory, Core Security noted heap and interflow overflow issues with Android and reserved eight CVE identifiers.

Core noted:

Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries other were introduced by native Android code that use them or that implements new functionality.

Exploitation of these vulnerabilities to yield complete control of a phone running the Android platform has been proved possible using the emulator included in the SDK, which emulates phone running the Android platform on an ARM microprocessor.

The company also outlined a proof of concept exploit with technical descriptions of each. It's worth a read. However, Android is a work in progress so fixes for these vulnerabilities are likely to be implemented.

More reading:

eWeek's Ryan Naraine on Android's vulnerabilities.
Jason Chen on the Android Developer's Blog noting that the most recent update fixed "a security issue involving handling of image files."
Ed Burnette on Android from a developer's view.

Topics: Android, Google, Mobile OS, Open Source, Security, ARM

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

9 comments

Log in or register to join the discussion

Exciting Stuff!

You beat me to it Larry, this is great stuff! The CORE guys are real solid, so it's not a surprise to see them jump on this earlier.

By the way, you will see far more of this. As these mobile devices become more like computers and have more robust APIs, these types of flaws become more prevalent.

Currently I'm researching flaws on the iPhone and Windows Mobile OSs, but perhaps I need to add Android to that list. Of course, if you find something, you have to write ARM shellcode... ugh.

-Nate

nmcfeters
4 March, 2008 13:52

Reply Vote
Great that the project is open.

If this were closed, like MS, there would not be any binaries available yet, let alone source code, and we would not get anything but rosy reports from the developer about how great it was going to be. They for sure would not be telling us about any vulnerabilities, even if they knew about it.

DonnieBoy
4 March, 2008 14:43

Reply Vote
Fine. But maybe a tad premature

[url=http://talkback.zdnet.com/5208-12691-0.html?forumID=1&threadID=45144&messageID=834128&start=0]See DonnieBoy's remarks[/url]

I would add that Ryan Naraine's article's last paragraph reads:

[b]"In a Vendor Statement section of the advisory, the Google-backed Open Handset Alliance says there will be many changes and updates to the platform before Android is ready for users. These changes are expected to include full security review."[/b]

D T Schmitz
4 March, 2008 17:26

Reply Vote
Androids? I thought Google was building Androids

But I find out the CIA who funded the founding of the Googleplex is leaving back doors for escheleon to pwn your phone which is much scarier than Google building Androids The Googleplex is following in the footsteps of Billy Gates Microsoft windows print function bug that allows the NSA to view everything on any windows running wired computer Billy got lucky when IBM got around monopoly laws and gave him the OS that has made him teh monies And we all know IBM got its big start in designer german tatoos with their punchcards back in the day. Horahye for the surveillance state androids in this dystopian technocratic serfdom under King Google. When will an LSD frenzied MK Ultra Kazynski following mass of peons storm the Bastille and set us free from the control grid of Monarchy Nouveau in this disinformation age

auto461780@...
4 March, 2008 22:52

Reply Vote
- Back Doors and bad Bugs are a good thing!
  
  It's keeps the myth alive that everyone is a programmer. We used to call most of these kids Coders, if they where any good, in a few years they might be promoted to being a programmer.
  
  We used to have System Analyst and above them System Architects.
  
  Now we have Kids who do not even have the discipline to check for the use of known BAD code. Who have NO apparent sense of even the basic needs of software security.
  
  Welcome to the reality of Googleplex!
  
  dragon@...
  5 March, 2008 08:09
  
  Reply Vote
M$ researchers?

The only research M$ makes is about how FUD works!
Android is securred.

Linux Geek
5 March, 2008 07:55

Reply Vote
At least Google wont

charge you for any viruses on their phone

GuidingLight
5 March, 2008 17:46

Reply Vote
RE: Research firm: Google Android SDK multiple vulnerabilities

quote: While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries other were introduced by native Android code that use them or that implements new functionality.

So Google are using outdated Libraries, and building new functionality on top of them. It stands to reason that the Google phone API will be inherently insecure. Shame on you Google.

tracy anne
20 August, 2008 14:25

Reply Vote
"vulnerabilities stem from using open source libraries"

One more proof open source improves the quality of your software. Anyone interested in paying 200$ for that?

LBiege
27 October, 2008 12:08

Reply Vote