VPN flaw reported in latest version of Android

Same vulnerability that was found in Jelly Bean 4.3 allows a malicious app to bypass VPN configuration and redirect communications

A VPN bypass flaw discovered last week in Android Jelly Bean 4.3 also exists in the latest version of Google's mobile operating system, KitKat 4.4, Israeli researchers say.


Ben Gurion University researchers found the initial bug and then did further testing to determine its existence in KitKat. The researchers published their latest findings on the university's Cyber Security Labs blog.

Google did not respond to a request for comment, but security experts said Wednesday the bugs in both versions of Android should be fixed quickly.

"I believe this is a serious issue," Paul Henry, a senior security instructor at the SANS Institute, said.

Because of differences in the OS versions, the same exploit code cannot be used, the researchers said. However, what can be accomplished by malware is the same.

The flaws make it possible for a malicious app to bypass a VPN (virtual private network) configuration and redirect the secure data communications to a different network address. The data is rerouted before it is encrypted.

The KitKat flaw is somewhat similar to what the same researchers found last December in Samsung's Knox security platform. That vulnerability could let a malicious app intercept files on Samsung S4 devices before they are stored in a secure Knox container.

Google and Samsung dismissed the reported Knox flaw, saying in a statement that the researchers' exploit "uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device."

In essence, the researchers demonstrated a "classic man-in-the-middle attack," which could be launched at any point on the network to capture unencrypted data, Google and Samsung said. The researchers did not exploit an actual vulnerability.

If the latest vulnerabilities prove to be real, then they should be fixed quickly, John Pirc, chief technology officer for security software tester NSS Labs, said. However, if Google finds that the flaw is in the network stack, "that is not trivial to fix."


In addition, any patch on Android takes time to reach users because it has to be rolled out by wireless carriers and device manufacturers.

In the meantime, Henry advises businesses to set their mobile device management systems to alert IT staff of any changes in the security settings associated with the VPN of an Android smartphone or tablet.

Copyright © 2014 IDG Communications, Inc.
