's Comments on "Dangerous"

Vulnerability in Google's Android OS

Please discuss this on the Forums

12 February 2009

There are stories going around the 'net of a "Dangerous" security flaw in Google's Android Operating System (OS).  Some are saying that this bug is so dangerous that you should not even use the Web from your T-Mobile/HTC/Google/G1/Dream/gPhone/Whatever you call it phone.

It is true that there is a bug.  It's also true that it is fixed in Google's software repositories.  It's true that Google has not pushed the fix out to customers, or even made it available for download (other than in source form).  It's true that Google did push out an update since this bug was exposed and corrected, but that update ignored the flaw.  Lastly it's  true that early in Android's life cycle, it did have a really, really, simple, dumb, and serious flaw.  But what I do not believe is the rumored seriousness of this new bug, or the implications that Google is being slow, or negligent in their response.

If this bug were viewed with a Microsoft Windows mentality, it would be serious.  It is exactly the sort of bug that can turn Windows PCs into spam zombies or keystroke loggers just by visiting a website. But Android isn't Windows.  It isn't even “just” Linux.  It's Linux with almost phobic security features layered on top.  The creators of Android at Google probably had exactly this sort of error in mind when they developed Android.  Let's get a little technical, and we will see why it is much less of an issue on Android.  Then we can explore why some may be saying it is so serious.

OK, So Android runs on top of a pretty much standard Linux kernel.  I do not plan on explaining Linux security here, but suffice it to say that Linux prevents rouge, or exploited programs from being able to affect the system the way such programs can in Windows.  If a web browser was run as root (I.e. as a super user, or super administrator) on Linux such a flaw would allow the entire system to be taken over.  If anything, it would be easier to do pretty much anything on the Linux system, since Linux lacks the concept of “zones” to restrict the browser's behavior.  Linux is also more likely to have mail servers, compilers, and file transfer services all built-in and at the attackers disposal once he/she finds an exploitable flaw.  In fact some mobile products do run everything as root.  Even the iPhone (which is based on BSD – Linux's “older cousin”) ran every program, including the browser, as root in its first incarnation. Apple changed this in one of the first iPhone software updates.  Most Linux-based consumer products have learned from the past, and now run most functions as another, imaginary user that does not have administrator privileges.  This user may be named “mobile”, or just “user”.  This means that even a successfully exploited flaw in the browser cannot make fundamental changes to the OS, or install new software.

Google has taken it a step farther.  Each individual application in Android runs as not only a separate Linux process, but it is running as a different fake user.  In other words, when you are using your G1, there are actually several, or perhaps dozens of “virtual users” logged into its underlying Linux foundation. Each user is doing 1 separate task.  What one “user” does cannot affect the others, just like you can't read my email, and I can't read yours.  Programs pass data back and forth to each other by tightly controlled conduits that restrict exactly what can be sent back and forth.  Further more, each program is running inside a separate incarnation of a  virtual machine.  The virtual machine isolates the running application from even affecting it's own Linux process.  The analogy here is running Windows XP on a virtual machine on a Mac.  Even if the virtualized Windows XP session is successfully attacked, simply quit the Virtual Machine and the Mac OS machine is not in any way comprised or affected.

Let's look at this particular bug.  The flaw is in OpenCore, which is an open source media server, not in the browser.  It would have to be exploited with a bogus MP3 sound file.  So if a user surfs to a site attempting to exploit the  flaw, the browser calls OpenCore to play the sound.  The browser and the player are running as not only separate Linux processes, but are run by separate users, in separate incarnations of a virtual machine. Note that the advisory says it is potential, in other words NOT demonstrated, arbitrary code execution, and it does not take into account the concept of OpenCore running in a separate Virtual Machine.  It is very unlikely that it could corrupt anything outside the media playback mechanism, even the browser session that launched it.  It's a little like saying if you play an infected MP3 on your PC, my PC is going to get a virus.

If the allegations are true, just provide a proof of concept web page that harmlessly demonstrates it.  Craft a page/file that reboots the phone.  If you claim it can steal passwords or cached data from the browser, prove it.  List out the last 3 sights a user visited, or with their permission, snarf a password.  Harmless demonstrations like this have been setup many times in the past for exactly such issues.  But we don't see such a demonstration for this issue.  What does that tell you?

So why would someone bring up this already patched issue, and why right now (Feb 12) ?  Guess what happens on Monday, February 16th? -- Mobile World Congress (MWC), Spain 2009 – The mobile phone industry's biggest annual event.  It's kinda like Macworld or CES for mobile devices.  It's the first such event since Android products have been released, and Android will likely be getting lots of attention. Want some quick headlines, talk, and web hits?  Yup -- perfect timing.

Note also that one of the contributors to the article offers for sale Anti-virus products for Android devices.

Understand also that Android is, for the most part, truly open source.  Every one can see the code, including bug fixes, open issues, and code commit dates.  The openness and visibility, again makes it an easy target for attacks -- not from hackers, but from the media.  If we could peer into Apple's iPhone master software source trees, or Windows Vista's what would we see?

The fix for this bug is out there, and is being vetted through the normal processes of testing and peer review.  Google, T-Mobile, and other active members of the Open Handset Alliance will roll out updates to users on their schedules just like Apple, Microsoft or any other vendor would.  Looking at publicly available code on a public website, and then writing sensationalized “news” articles on already disclosed, and patched issues does not gain you much respect from the  community.  It does however lend an opportunity to explain some of Linux and Androids inner workings, and I thank you for that.


Note:  The article at ReadWriteWeb has been updated.  The update points out some of exactly what I described above.

Disclaimer:  I am a registered Google Android Developer.  I do not speak for Google, or any Hardware or Software vendor.
 Please post comments, etc. to the Linuxslate Forums.

submit to reddit
This article is (c) 2009.


Article on ReadWriteWeb
CVE page for CVE-2009-0475
Android Open Souce Project
Mobile World Congress Website

Other Reading
The Green Guy with an Identity Crisis - More recent commentary on Android.
Kathryn has no Time for Linux - Article about Linux in consumer electronics.


All trademarks/tradenames are the property of the companies that own them.