The T-Mobile G1 Android-based smartphone may have hit stores only last week, but a researcher is already warning about a flaw in the phone’s Web browser that could compromise users’ online activity.
Charles Miller, principal analyst at security consultancy Independent Security Evaluators (ISE), said the vulnerability enables hackers to control and redirect browser activity and gain access to data such as cookies used for accessing sites, information typed into Web page fields and passwords. Miller reported the issue to Google on Oct. 20.
T-Mobile, the G1’s exclusive carrier, and Google — chief backer for the open source Android platform — are working on a software patch that may be delivered over-the-air to customers’ G1 devices, they said.
“We treat all security matters seriously and will carefully work with our partners to investigate and update devices periodically to reduce our users’ exposure,” a Google spokesperson told InternetNews.com. “The security and privacy of our users is of primary importance to the Android open source project, and we do not believe this matter will negatively impact them.”
Miller’s warning comes as the success of the G1 — and its open source operating system — is being closely watched by the mobile industry and software developers. The Android project is designed to rival platforms like the Apple iPhone and Research in Motion’s BlackBerry by fostering an open, common operating system for mobile devices that encourages application developers to create and support advanced features.
Yet the root of the vulnerability may be in one of the very open source components that Android uses. The G1 includes 80 opens source packages, and Miller did not disclose which contained the flaw.
“If they had used the most up-to-date version of the software, the G1 wouldn’t have a bug,” he said, adding that he would publicly reveal which piece of software contained the vulnerability once a patch has been released.
Handset maker HTC did not return calls by press time, and a spokesperson from T-Mobile also played down the potential impact.
“For people currently using the phone, we do not believe this matter will negatively impact their experience with the device,” the T-Mobile spokesperson told InternetNews.com.
Still, Miller recommended that G1 users avoid Web browsing until the fix is available, which could take several weeks.
Miller’s security alert was published last Friday, two days after the HTC G1 formally debuted on Oct. 22.
Miller said he first noticed the potential for the vulnerability when the Android SDK was released and verified it as soon as he was able to test a handset.
“They should have found this during testing and certification,” Miller said. “This was a known flaw. There will always be bugs [in smartphone platforms] but if they had used the most recent version it wouldn’t be an issue.”
“Users have to realize phones are susceptible to the same security issues as PCs, but they don’t seem to understand that as yet,” he added.
Doubts cast on open source?
The open source platform promises to deliver a big boost to application development on smartphone platforms, experts and supporters have said. The Android system was developed by the Open Handset Alliance (OHA), which is led by Google.
The G1 flaw is Miller’s most recent discovery of a vulnerability in a major smartphone. He discovered a similar flaw in Apple’s initial iPhone shortly after the device debuted in June 2007. He notified Apple and the flaw was fixed with a software patch in three weeks, he said.
Page 2: Risks of open source versus closed systems
Page 2 of 2
The news also comes on the heels of a sweeping series of updates Apple applied to its own Mac OS X operating system, which is also based on open-source — and which, like the G1’s vulnerability, had flaws that stemmed from older versions of the open source software packages it used.
Miller said the vulnerability in the G1 does not indicate that open source mobile platforms are less secure than closed systems like or Research in Motion’s BlackBerry platform.
“Flaws in open source applications is not necessarily a bad reflection,” Miller said. “In fact, an open system might make security better overall as there are typically more people involved and reviewing things.”
Security in smartphones hasn’t been a big issue as no major issues have hit mainstream, another expert said.
“G1 and its openness may indeed have vulnerabilities … the question is, how is the customer protected?” telecom analyst Jeff Kagan told InternetNews.com.
“Going forward, we may have to install protection on our devices, as the networks will provide protection from their end,” Kagan said. “Surprisingly, we have not seen a major issue, but that does not mean we should not be ready. It will occur. The question is, will we be ready?”
Another expert noted that open systems may allow for greater discovery of security glitches.
“Open or proprietary, every OS suffers some security challenges, especially in the first versions,” industry analyst Jack Gold, of J.Gold Associates, told InternetNews.com. He also agreed that open source systems include more potential for uncovering flaws early, and added that he believes that in proprietary development, flaws take longer to be exposed.
“I don’t think this makes open source necessarily any more or less secure,” he said. “It just means the warts are there for all to see and can’t be easily hidden.”
But another industry watcher noted that such security flaws could indicate that open handset systems, at least for now, are not sufficiently secure for enterprise deployment.
“Google and its partners will need to invest additional engineering and marketing resources to build a greater level of trust,” Carmi Levy, an analyst at AR Communications, told InternetNews.com.
“You don’t build a reputation overnight and the OHA has to expect a bit of a bumpy road before businesses take their new offerings seriously,” Levy said.