
Researcher keeps Android app security flaws to himself


Black Hat session by Privateer Labs pulled at the last minute

A security researcher is standing by the claim that his company has discovered security vulnerabilities in a dozen common Android applications, despite declining to reveal which applications are affected.

Riley Hassell of Privateer Labs had been due to give a presentation, 'Hacking Android for profit', revealing the issues at last week's Black Hat security conference, but called off the session after deciding that the absence of fixes for the flaws might allow attackers to exploit the research.



What remains are only vague descriptions of the issues, starting with the pre-session descriptions mentioning 'AppPhishing', a bogus app that scrapes a user's login using a fake screen, and 'AppJacking', where a malicious app hijacks the credentials of a trusted app.

"Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message," Hassell told Reuters by way of explanation.

What is unclear is the extent to which these or other issues found by him are original discoveries and whether they represent flaws in Android or only the apps themselves.

Jay Nacarrow of Google has reportedly said that the issues are not related to Android, though without a fuller description this is hard to confirm.

What the minor controversy does suggest is that mobile operating systems, while more secure than the almost open door created by Windows XP in 2001, are turning out to be less secure by design than first assumed.

Serious exploits have been largely restricted to poor app vetting by Google and the re-engineering of applications posted to third-party download sites not covered by Google's Market, especially in China. Despite its low-key response to the issues apparently discovered by Privateer Labs, Google has appeared flat-footed when it comes to listening to feedback from security companies.

Security company Trusteer recently pointed out flaws in the security-reporting system on Google's Market.
