RealTime IT News

Security Flaw Strikes G1 Android Phone

The T-Mobile G1 Android-based smartphone may have hit stores only last week, but a researcher is already warning about a flaw in the phone's Web browser that could compromise users' online activity.

Charles Miller, principal analyst at security consultancy Independent Security Evaluators (ISE), said the vulnerability enables hackers to control and redirect browser activity and gain access to data such as cookies used for accessing sites, information typed into Web page fields and passwords. Miller reported the issue to Google on Oct. 20.

T-Mobile, the G1's exclusive carrier, and Google -- chief backer for the open source Android platform -- are working on a software patch that may be delivered over-the-air to customers' G1 devices, they said.

"We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users' exposure," a Google spokesperson told InternetNews.com. "The security and privacy of our users is of primary importance to the Android open source project, and we do not believe this matter will negatively impact them."

Miller's warning comes as the success of the G1 -- and its open source operating system -- is being closely watched by the mobile industry and software developers. The Android project is designed to rival platforms like the Apple iPhone and Research in Motion's BlackBerry by fostering an open, common operating system for mobile devices that encourages application developers to create and support advanced features.

Yet the root of the vulnerability may be in one of the very open source components that Android uses. The G1 includes 80 open source packages, and Miller did not disclose which one contained the flaw.

"If they had used the most up-to-date version of the software, the G1 wouldn't have a bug," he said, adding that he would publicly reveal which piece of software contained the vulnerability once a patch has been released.

Handset maker HTC did not return calls by press time, and a spokesperson from T-Mobile also played down the potential impact.

"For people currently using the phone, we do not believe this matter will negatively impact their experience with the device," the T-Mobile spokesperson told InternetNews.com.

Still, Miller recommended that G1 users avoid Web browsing until the fix is available, which could take several weeks.

Miller's security alert was published last Friday, two days after the HTC G1 formally debuted on Oct. 22.

Miller said he first noticed the potential for the vulnerability when the Android SDK was released and verified it as soon as he was able to test a handset.

"They should have found this during testing and certification," Miller said. "This was a known flaw. There will always be bugs [in smartphone platforms] but if they had used the most recent version it wouldn't be an issue."

"Users have to realize phones are susceptible to the same security issues as PCs, but they don't seem to understand that as yet," he added.

Doubts cast on open source?

The open source platform promises to deliver a big boost to application development on smartphone platforms, experts and supporters have said. The Android system was developed by the Open Handset Alliance (OHA), which is led by Google.

The G1 flaw is Miller's most recent discovery of a vulnerability in a major smartphone. He discovered a similar flaw in Apple's initial iPhone shortly after the device debuted in June 2007. He notified Apple and the flaw was fixed with a software patch in three weeks, he said.
