Conversation with Thomas Cannon on Android Security, Part 1
Thomas Cannon, a security researcher, made news last month when he discovered a vulnerability in the Android OS that could make its devices susceptible to data theft. After finding the threat, Cannon alerted Google. In his blog, Cannon points out, “responsible disclosure would normally prevent me from publishing the advisory while there is a chance the users will get a fix in a reasonable time frame. However, despite the speed at which Google has worked to develop a patch I don’t believe this can happen. The reason is that Android OS updates usually rely on OEMs and carriers to provide an update for their devices.”
VPN Haus speaks with Cannon about his thoughts on Google’s patch, what it means for the future of the Android OS, and the open platform.
VPN Haus: The Android vulnerability that allows malicious Websites to access contents stored on the SD card occurred for multiple reasons, including because the Android browser doesn’t show prompts before it downloads a file or opens an HTML file. Is t
Thomas Cannon: I had to leverage multiple weaknesses to create an actual exploit, and some of those weaknesses are present on other platforms, but the crux of the attack is due to the way Android applications share data with each other using URIs. Google’
VPN Haus: From your standpoint, would you say their initial patch was an adequate fix? What would they need to make the fix for Android 2.3 (Gingerbread) solid? (Feel free to keep this high-level for security reasons)
Cannon: The initial patch does address the exploit as presented but doesn’t seek to address all underlying issues. To fully address this issue it will take more work as it is complicated by applications which rely on some of the behavior we are exploiting
Next week, we’ll talk to Cannon about Google’s response, enterprise security concerns for Android, and the challenge of issuing security patches for mobile devices.