Already burned by the discovery of serious security vulnerabilities in its SDK, the Android Security Team emerged from the shadows this week with an appeal to the security community for help fixing flaws in the Linux-based mobile platform.
In a note posted to several public mailing lists, the open-source group published a detailed FAQ covering its security philosophy and process, and made a direct request that hackers follow responsible disclosure practices when they discover vulnerabilities.
- As you may expect, building and maintaining a secure mobile platform is a difficult task. The Android platform team has put a great deal of work into trying to design a platform that balances our goal of open development and user choice with the unique challenges of securing a consumer-focused mobile system.
- While we have found and fixed many of our own bugs as well as flaws in other open source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable. That is why we would like to introduce ourselves today and let the security research community know how they can reach out and work with us.
The group provided an e-mail address for reporting bugs in Android (security-at-android.com) and a promise to respond to bug reports and keep reporters informed of the progress of an investigation.
- We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch. Help from security researchers in the form of usable bug reports and responsible timelines will greatly assist us in securing the ecosystem of Android devices as quickly as possible. Our vulnerability bulletins will credit responsible reporters of any flaws.
The Android security team, which is part of the Open Handset Alliance, plans to release more details of the security features of the Android platform over the next several months.