Security hole in first Google Android phone

The first mobile phone based on Google's open source Android platform features a security vulnerability, researchers have claimed, days before the T-Mobile device is set to launch in the UK.

Researchers from Independent Security Evaluators (ISE) said the problem arose because Google did not use the most up-to-date versions of the open source packages that make up Android.

"In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version," wrote the researchers, Charlie Miller, Mark Daniel, and Jake Honoroff.

This is similar in origin to a vulnerability found in Google's Chrome browser just after its launch, where previously fixed holes made it into the shipped product because an older version of the code was used.
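The root cause described above is a stale dependency: the flaw was already fixed upstream, but the shipped build bundled an older release. The check a practitioner wants is an audit of bundled component versions against the first version that carries each fix. The following is an added example, not code from Google, ISE or the article; the component names, versions and the bill of materials are constructed for illustration and are not the package involved in the G1 report, which ISE did not name.

```python
"""Audit bundled open-source component versions against the minimum
versions known to carry a fix.

Added illustration of the stale-dependency root cause; every component
name and version below is constructed for the example and is not from
the G1, Android or ISE's report.
"""
import re

# Constructed bill of materials for a hypothetical firmware image:
# component -> version actually bundled in the build.
BUNDLED = {
    "libfoo": "1.2.3",
    "libbar": "2.0.0",
    "libbaz": "0.9.1b",
}

# Constructed table: component -> first version in which a known flaw
# was fixed.  In practice this comes from upstream advisories.
MIN_FIXED = {
    "libfoo": "1.2.5",
    "libbar": "2.0.0",
    "libbaz": "0.9.1a",
}


def parse_version(v):
    """Split a version string into a comparable tuple.

    Numeric runs become ints so that '1.2.10' sorts after '1.2.3';
    alphabetic runs become lowercase strings so that a trailing patch
    letter (OpenSSL-style '0.9.8k') sorts after the bare number and
    after earlier letters.  Each part is tagged so ints and strings
    are never compared directly.
    """
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", v):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return tuple(parts)


def outdated_components(bundled, min_fixed):
    """Return {component: (bundled_version, first_fixed_version)} for every
    bundled component that is older than the version carrying the fix.

    Components absent from the build are skipped: there is nothing to patch.
    """
    findings = {}
    for name, required in min_fixed.items():
        have = bundled.get(name)
        if have is None:
            continue
        if parse_version(have) < parse_version(required):
            findings[name] = (have, required)
    return findings


if __name__ == "__main__":
    for name, (have, need) in sorted(outdated_components(BUNDLED, MIN_FIXED).items()):
        print(f"{name}: bundled {have}, fix first shipped in {need}")
```

Run against the constructed tables, only `libfoo` is flagged: `libbar` matches the fixed release exactly and `libbaz` carries a later patch letter than the one that introduced the fix. The version parser is deliberately simple; pre-release markers such as `rc1` would need their own ordering rule before this audit could be trusted on real upstream tags.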

According to ISE's study, the Android security hole leaves the web browser open to exploitation if the user visits a page the attacker controls. "It's a standard client-side flaw, where the malicious attacker needs to get the user to go to a site that they control," Honoroff told IT PRO.

But the researchers said Android's well-constructed architecture limits the impact of the flaw. While attackers would be able to access the same information the browser can, such as cookies, saved passwords and autocomplete data, they could not control the phone itself. "It has to do with sandboxing, where different processes are not allowed to step on each other... so just because you can control the browser doesn't mean you can do anything else," Honoroff explained.

In the research note, ISE added: "This is in contrast, for example, with Apple's iPhone which does not have this application sandboxing feature and allows access to all features available to the user when compromised."

The researchers said they would not release any further information until the hole had been patched, adding that Google was alerted to the problem last week and is working with the researchers on a fix.

A Google spokesman said: "Google is working on a browser software patch for Android. We are coordinating with T-Mobile on a plan to soon deliver this update over-the-air to customers' G1 devices. For people currently using the phone, we do not believe this matter will negatively impact their experience with the device."

Last month IT PRO got a first look at the T-Mobile G1.