May 26th, 2009

Remember last week when we told you something was happening, we just weren’t positive what? We guessed that UK-based Android Phones were getting some sort of security update and US-based Android Phones that had installed the UK 1.5 Cupcake for all its goodies were ALSO getting the update, mistaking it for the Official Cupcake OTA? It appears our guess was right and now we have some details.

The security flaw was pretty severe (at least in concept). Basically, when 2 applications by the same author are installed on your Android Device, the operating system allows the applications to share information between those applications without requiring verification by the user. The vulnerability would allow application developers to bypass the system of inter-application signature checking, essentially gaining access from other applications NOT written by that developer.

Ouch. Start talking about applications from Visa, your bank, or applications that might have other sensitive data and that is a potentially severe security flaw. Or maybe it would just access your SMS, contacts, PIN numbers for the lock screen or other info readily available by other apps? Not good… not good at all. But to the credit of Google and the OHA we’re not finding this information out until AFTER (we assume) the threat has already been removed.

This affected the following versions of Android:

  • 1.5 CRB17
  • 1.5 CRB42

The “fixed” version is listed as “1.5 CRB43” and the flaw doesn’t affect 1.0 and 1.1 but let us know if you’re still running one of the flawed versions.

Another interesting tidbit to point out is that Credit for noticing the Security flaw was given to Panasonic! A few days ago we learned, courtesy of Panasonic themselves, that we could see a Panasonic Android Phone in 2010. Seeing as how they are neck deep in the code, finding vulnerabilities before other OHA members, perhaps a Panasonic Android Phone will come sooner rather than later?


The Panasonic CEO mentioned they were “discussing” Android and were “considering” the platform for overseas products… in reality they are MUCH further along than that and the fact that they sourced this security flaw illustrates the fact.

This information was published publicly on – an organization I’m not familiar with but whose members include Google, Intel, Nokia and Wind River. Here is a section from the oCERT About page:


The oCERT project is a public effort providing security handling support to Open Source projects affected by security incidents or vulnerabilities, just like national CERTs offer services for their respective countries.

The service aims to help both large infrastructures, like major distributions, and smaller projects that can’t afford a full-blown security team and/or security resources. This means aiding coordination between distributions and small project contacts. The goal is to reduce the impact of compromises on small projects with little or no infrastructure security, avoiding the ripple effect of badly communicated or handled compromises, which can currently result in distributions shipping code which has been tampered with.

The bug was reported by Panasonic on May 14th and 4 days later the Android Security team requested assistance from oCERT. It appears the issue was resolved on May 22nd. I know curiosity killed the cat but I can’t help but ask… what was the Android Security Team doing for the 4 days the Security Threat was known before oCERT was working on it and how long was this vulnerability “out there”?

[Thanks James!]
