Android Security Update: The Panasonic Details

guard1Remember last week when we told you something was happening we just weren’t positive what? We guessed that UK based Android Phones were getting some sort of security update and US based Android Phones who had installed the UK 1.5 Cupcake for all its goodies were ALSO getting the update, mistaking it for the Official Cupcake OTA? It appears our guess was right and now we have some details.

The security flaw was pretty severe (at least in concept). Basically, when 2 applications by the same author are installed on your Android Device, the operating system allows the applications to share information between those applications without requiring verification by the user. The vulnerability would allow application developers to bypass the system of inter-application signature checking, essentially gaining access from other applications NOT written by that developer.

Ouch. Start talking about applications from Visa, your bank, or applications that might have other sensitive data and that is a potentially severe security flaw. Or maybe it would just access your SMS, contacts, PIN numbers for the lock screen or other info readily available by other apps? Not good… not good at all. But to the credit of Google and the OHA we’re not finding this information out until AFTER (we assume) the threat has already been removed.

This affected the following versions of Android:

  • 1.5 CRB17
  • 1.5 CRB42

The “fixed” version is listed as “1.5 CRB43″ and the flaw doesn’t affect 1.0 and 1.1 but let us know if you’re still running one of the flawed versions.

Another interesting tidbit to point out is that Credit for noticing the Security flaw was given to Panasonic! A few days ago we learned, courtesy of Panasonic themselves, that we could see a Panasonic Android Phone in 2010. Seeing as how they are neck deep in the code, finding vulnerabilities before other OHA members, perhaps a Panasonic Android Phone will come sooner rather than later?

panasonic-logo

The Panasonic CEO mentioned they were “discussing” Android and were “considering” the platform for overseas products… in reality they are MUCH further along then that and the fact that they sourced this security flaw illustrates the fact.

This information was published publicly on oCERT.org – an organization I’m not familiar with but whose members include Google, Intel, Nokia and Wind River. Here is a section from the oCERT About page:

ocert-logo

The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can’t afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

The bug was reported by Panasonic on May 14th and 4 days later the Android Security team requested assistance from oCERT. It appears the issue was resolved on May 22nd. I know curiousity killed the cat but I can’t help but ask… what was the Android Security Team doing for the 4 days the Security Threat was known before oCERT was working on it and how long was this vulnerability “out there”?

[Thanks James!]

Continue reading:




  • Garrett

    If I may hazard a guess, I bet someone was just taking a long weekend between the 14th and the 18th.

  • http://www.snctln.com snctln

    The ADP1 image and Android SDK were updated with the fix for this security issue last week too

  • http://jasondabrowski.blogspot.com Jason D

    sometimes all you need is a second or third pair of eyes. If the same people are looking at the same thing, day in, and day out, they develop what’s known as “selective blindness”. You don’t notice things right in front of you because you’ve been looking at them so long.

    I have a feeling for those 4 days google was trying to figure it out on their own. And then they decided they needed an assist from oCert.

  • cupcake man

    I agree with Jason D on this one. I got cupcake through a manual download and it’s the crb43. It’s awesome!

  • Jake

    YES ! Finally some High-Tech Japaneese mobile phones in Europe…Hope and pray for Panasonic to make their P9 series top model phone with the world best software Google inside…SWEAT – Remember to build in the Digital TV tuner Panasonic !!!!

  • Taylor Mauceri

    *************************READ****************************
    I got G1 Update in the US VIA TMobile at 9:00pm EST…It here for the US WOOT!

  • olypdd

    The manual update I just did this past weekend is the CRB43 and it’s impressive. I wish they would provide a system preference for increasing font size or changing font styles. Blackberry does this, and I like the feature.

  • http://www.youtube.com/watch?v=sj9v7FVzA8c lethal

    No Manual update, No ROOT, No Dev, No UK to G1 update but TRUE OTA http://www.youtube.com/watch?v=sj9v7FVzA8c

  • lkelemen

    You may update this article. The affected Android versions
    are all those between 1.5 CRB17 and 1.5 CRB42 according to
    http://www.ocert.org/advisories/ocert-2009-006.html

    Affected version:
    Android >= 1.5 CRB17 <= 1.5 CRB42

    I.e. not just 2 versions. I for example had 1.5 CRB21