T-Mobile is quietly deploying an over-the-air software patch provided by Google that fixes a Web browsing flaw in the Android G1 smartphone.
But the Android software development kit (SDK) still houses the vulnerability.
The G1 vulnerability, reported to Google on October 20 by a security researcher, lets hackers control and redirect a G1 user’s Web browsing session and access confidential data such as cookies and password information.
“Google has created a browser software patch and T-Mobile began the staged roll-out of the solution to customers’ T-Mobile G1 phones last week via an over-the-air update,” a spokesperson told InternetNews.com. T-Mobile declined to say how many G1s need to be updated or whether on-the-shelf devices were being fixed prior to sale. It would also not comment on how the security glitch came into play.
The Google patch is not a typical fix.
It is actually just an updated version of WebKit, an open source Web browsing engine and one of 80 open source applications used in Android, said Charles Miller, principal analyst at security consultancy Independent Security Evaluators (ISE), which reported the issue to Google.
Google used an older, flawed WebKit version which was patched back in April, said Miller.
“This G1 patch came very quick, within two weeks of being noted, and certainly the fix was quick as it was due to upgrading software,” Miller told InternetNews.com.
As of late today, Miller said, the flaw was still within the Android source code currently available for download at the Android developer site. Google did not respond to e-mail inquiries about the source code issue by press time.
The G1 flaw is Miller’s most recent discovery of a vulnerability in a major smartphone. He discovered a similar flaw in Apple’s initial iPhone shortly after the device debuted in June 2007. After he notified Apple, the flaw was patched in three weeks.