by John E Dunn

Researcher keeps Android app security flaws to himself

Aug 16, 2011

Black Hat session by Privateer Labs pulled at the last minute

A security researcher is standing by the claim that his company has discovered security vulnerabilities in a dozen common Android applications, despite declining to reveal which applications are affected.

Riley Hassell of Privateer Labs had been due to give a presentation titled ‘Hacking Android for profit’ revealing the issues at last week’s Black Hat security conference, but called off the session after deciding that, with no fixes yet available for the flaws, attackers might be able to exploit the research.

What remains are only vague descriptions of the issues, starting with the pre-session abstract, which mentions ‘AppPhishing’, a bogus app that scrapes a user’s login using a fake screen, and ‘AppJacking’, where a malicious app hijacks the credentials of a trusted app.

“Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message,” Hassell told a third-party website by way of explanation.

What is unclear is the extent to which these or other issues found by him are original discoveries and whether they represent flaws in Android or only the apps themselves.

Jay Nancarrow of Google has reportedly said that the issues are not related to Android, though without a fuller description this is hard to confirm.

What the minor controversy does suggest is that mobile operating systems, while more secure than the almost open door created by Windows XP in 2001, are turning out to be less secure by design than first assumed.

Serious exploits have been largely restricted to poor app vetting by Google and the re-engineering of applications posted to third-party download sites not covered by Google’s Market, especially in China. Its low-key response to the issues apparently discovered by Privateer Labs aside, Google has also appeared flat-footed when it comes to listening to feedback from security companies.

Security company Trusteer recently pointed out flaws in the security-reporting system on Google’s Market.