February 12, 2009

Android Kill Switch

ReadWriteWeb’s Sarah Perez points out a Forbes story about a security hole in the Android OS platform that is so severe that multiple security experts are claiming the Android web browser had best be avoided until a fix is sent out to users.

A fix that, Sarah Perez claims, has been available for some time, sitting in Google’s source tree repository since February 7th.

According to the original Forbes piece, the security flaw is supposedly found in code that Packet Video contributed to the Android project’s web browser. The flaw would allow a malicious website to take over the Android browser to the extent that login IDs and passwords could be compromised.

In any event, no cases of this security flaw being exploited have been reported so far that we are aware of. Personally, this isn’t enough to keep me from using the G1’s browser, but Android users should consider themselves properly warned. It has been suggested that if browser use is required, users should stick to trusted sites and use T-Mobile’s network rather than open WiFi data.

Update: Google’s Rich Cannings responded to the article on ReadWriteWeb.com, and his response is listed in Update 2 in the article (located near the bottom). Part of his response is available below:

Media libraries are extremely complex and can lead to bugs, so we designed our mediaserver, which uses OpenCore, to work within its own application sandbox so that security issues in the mediaserver would not affect other applications on the phone such as email, the browser, SMS, and the dialer. If the bug Charlie reported to us on January 21st is exploited, it would be limited to the mediaserver and could only exploit actions the mediaserver performs, such as listen to and alter some audio and visual media.
