With the T-Mobile G1 out for only a few days, a group of security researchers has already found a serious flaw in Google's Android software. It appears that the G1 is exposed to many of the same security threats that personal computer owners face. We are not surprised that something such as this was found in the first device of its kind; the iPhone, being the second of its kind, still has security flaws despite having several updates.
Charles A. Miller, a former National Security Agency computer security specialist, notified Google of this security flaw this week and said he was not publicizing it because he believes that, in general, phone users are not aware that smartphones face the same threats that plague PCs connected to the internet. Miller said the flaw could be used by an attacker to trick a G1 user into visiting an unsafe website.
Google acknowledged the security issue and said the security features of the phone will limit the extent of damage that could be done, compared with today’s PCs and other phones. Unlike computers and advanced smartphones such as the iPhone, Android creates a series of compartments that limit an intruder's access to a single application. Google security engineer Rich Cannings said, “We wanted to sandbox every single application because you can’t trust any of them.”
Miller says the security flaw is in the web browser partition of the phone, making it possible for an intruder to install programs that can capture keystrokes made on the phone. This would make it easy for someone to steal personal information such as credit card numbers, usernames and passwords that are entered on web pages.
Google executives say they believe Miller has violated an unwritten code between companies and researchers that gives companies time to fix problems before they are publicized. Miller said he is withholding technical details; he believes that customers have a right to know that these products have security flaws. We feel he did the right thing in bringing such a large security flaw to our attention rather than keeping it from G1 users. [Via New York Times]