Researchers at Independent Security Evaluators say they've found a security flaw in the Android browser app that could make users of phones with the browser app vulnerable to attack.

Android, Google's open-source software that is currently running on only one phone, HTC's G1, is based on outdated open-source components, the researchers say. As a result, the vulnerability they have come across was previously known and fixed, but Google didn't incorporate the fix into Android, they say.

The G1 went on sale last Wednesday from T-Mobile USA, and Google published the source code behind Android on Tuesday. Other manufacturers, including Motorola, are also expected to release phones running Android in the future.

On a Web page for ISE, Charlie Miller, Mark Daniel and Jake Honoroff write that they won't reveal much about the vulnerability until Google fixes it. However, they say that Android users who visit malicious Web sites may find their sensitive information stolen. That's because an attacker could access any information the site uses, including saved passwords, information entered into a Web application form and cookies.

The researchers also say, however, that the impact of the attack is limited because of Android's security architecture. An attacker can't, for example, control functions of the phone such as the dialer.

Google said it is developing a solution to the problem. "We are working with T-Mobile to include a fix for the browser exploit, which will soon be delivered over the air to all devices, and have addressed this in the Android open-source platform. The security and privacy of our users is of primary importance to the Android Open Source Project — we do not believe this matter will negatively affect them," the company said in a statement. It did not say when it expects to roll out the update.

The researchers say that they notified Google of the issue on Oct. 20.

The incident raises questions about potential difficulties that the Android community might face in the future. Because Google has adopted an open model with Android, many vendors and operators may in the future offer a variety of phones, each potentially with slightly different versions of the operating system. If vulnerabilities are found in the future, phone manufacturers and operators will have to determine whether their version of the software is affected and then coordinate the distribution of a fix to users.