Design flaw discovered in Google's Android operating system


August 7, 2011

Security researchers have discovered a design flaw in the Android OS that could be used by attackers to steal information through phishing schemes, or even by advertisers to push intrusive pop-up ads to smartphones and tablets.

Whether all versions of Android are affected is still unknown for now.


Android app developers can create applications that appear innocuous at first but which can, for example, display a fake bank app log-in page while the user is using the legitimate bank app, Nicholas Percoco, senior vice president and head of SpiderLabs, said ahead of his presentation on the research at the DefCon hacker conference yesterday.

Apps that want to communicate with the user while a different app is being viewed just push an alert to the notification bar on the top of the screen.

But there is an API (application programming interface) in Android's SDK (Software Development Kit) that can be used to push a particular app to the foreground, Percoco added.

"Android allows you to override the standard for hitting the back buttons," said Sean Schulte, SSL (Secure Sockets Layer) developer at SpiderLabs.

"Because of this, the app is able to steal the focus and you're not able to hit the back button to exit out," Percoco said, adding that they've named the issue the Focus Stealing Vulnerability, or FSV for short.

The researchers have also created a proof-of-concept tool that is a game but also triggers fake displays for Facebook, Amazon, Google Voice, and the Google e-mail client.

The tool installs itself as part of a package inside a legitimate app and registers itself as a service so it comes back up after the phone reboots, Percoco said.

In a demonstration showing a user opening up the app and seeing the log-in screen for Facebook, the only indication that something odd has happened is a screen blip so quick many users wouldn't notice it.

The fake screen completely replaces the legitimate one, so a user wouldn't be able to tell that anything is out of order, at least not at first glance.
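The behaviour described above (a legitimate app is resumed, and a fraction of a second later a different package takes the foreground) leaves a trace in activity-switch timing even when the user only sees a brief blip. The following is an added example, not code from the article or from SpiderLabs: a small detector that scans activity "Resumed" events and flags any foreground switch from a watched package to an unrelated package within a short window. The log line format, the package names and the 500 ms window are constructed assumptions for illustration; real logcat output varies by Android version.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, loosely modeled on Android ActivityManager
# "Resumed" messages. The exact format is an assumption for this example.
SAMPLE_LOG = """\
12:00:01.000 ActivityManager: Resumed com.bank.app/.LoginActivity
12:00:01.080 ActivityManager: Resumed com.fun.game/.OverlayActivity
12:00:09.500 ActivityManager: Resumed com.android.launcher/.Launcher
12:00:15.000 ActivityManager: Resumed com.bank.app/.LoginActivity
12:00:40.000 ActivityManager: Resumed com.android.launcher/.Launcher
"""

LINE_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{3}) ActivityManager: Resumed (\S+?)/(\S+)$"
)


def parse_resume_events(log_text):
    """Return a list of (timestamp, package, activity) tuples, in log order."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines that are not activity resumes
        ts = datetime.strptime(match.group(1), "%H:%M:%S.%f")
        events.append((ts, match.group(2), match.group(3)))
    return events


def find_focus_grabs(events, watched_packages, window_ms=500):
    """Flag a resume of an unwatched package that follows a watched package's
    resume within window_ms. A user rarely switches apps that quickly, so a
    near-instant takeover of a sensitive app's foreground is worth a look."""
    alerts = []
    window = timedelta(milliseconds=window_ms)
    for (prev_ts, prev_pkg, _), (cur_ts, cur_pkg, cur_act) in zip(events, events[1:]):
        if prev_pkg in watched_packages and cur_pkg not in watched_packages:
            delta = cur_ts - prev_ts
            if timedelta(0) <= delta <= window:
                alerts.append({
                    "victim": prev_pkg,
                    "suspect": cur_pkg,
                    "suspect_activity": cur_act,
                    "delta_ms": int(delta.total_seconds() * 1000),
                })
    return alerts


def scan(log_text, watched_packages, window_ms=500):
    """Convenience wrapper: parse the log and run the heuristic over it."""
    return find_focus_grabs(parse_resume_events(log_text), watched_packages, window_ms)


if __name__ == "__main__":
    # Hypothetical watch list: the bank app from the article's scenario.
    for alert in scan(SAMPLE_LOG, {"com.bank.app"}):
        print(f"{alert['suspect']} took focus from {alert['victim']} "
              f"after {alert['delta_ms']} ms ({alert['suspect_activity']})")
```

The window is a tuning knob: set it too wide and ordinary task switching or the launcher returning will be flagged, set it too narrow and a slower takeover slips through. In practice the watch list would hold the packages whose log-in screens are worth protecting, and system UI packages would be added to the watched set or an allow-list to cut noise.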

With this OS design flaw, game or app developers can create targeted pop-up ads, Percoco added.

The ads could be merely annoying, like most pop-up ads are anyway, but they could also be targeted to pop up an ad when a competitor's app is being used, he added.

They could also be used to spread malware if that is what the malicious developer intended.

"So the whole world of ads fighting with each other on the screen is possible now," said Percoco, who demonstrated an Android rootkit at DefCon in August 2010.

But the functionality wouldn't raise any red flags in the permissions displayed when the user downloads the app since it is a legitimate function for apps to check the phone state in what is called the Activity Service, according to Percoco.

He added that the researchers spoke to someone at Google about their findings a few weeks ago and that the individual acknowledged that there was in fact an issue and said the company was trying to figure out how to address it without breaking any functionality of legitimate apps that may be using it.

When contacted for comment, a Google representative said he would look into the matter, but didn't say when he would follow up on the design flaw.

The fact that this security flaw in the Android operating system was discovered is a good thing in and of itself, and it demonstrates one of the important functions of annual gatherings such as DefCon and similar security conferences.

But it also stresses the importance of a well-designed operating system, one that leaves minimal room for compromising the OS or triggering behaviour it was never designed to allow. As good as Android is, nothing is perfect, and it is up to Google, or whoever creates the operating system, to make certain that such things don't happen in the future.

Source: Nicholas Percoco.


Copyright © OS Today.   
