Security Holes In Google's Android SDK 77
Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform. From the article: 'Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF, and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image-processing libraries, other were introduced by native Android code that uses them or that implements new functionality.'"
yawn (Score:5, Insightful)
Re:I'm not exactly sure how phone software works.. (Score:3, Insightful)
Re:yawn (Score:5, Insightful)
That would be a valid retort if it weren't for Google's perpetual beta mentality.
Re:Re-using, Re-using, Not re-inventing the wheel, (Score:4, Insightful)
Re:Re-using, Re-using, Not re-inventing the wheel, (Score:5, Insightful)
I've heard it said, as an example, that only 20% of the code in Gecko is to implement a reliable, standards-compliant rendering engine, and the other 80% is to implement workarounds for (sometimes horribly) broken HTML, and recover from what should rightfully be critical errors. I'm not sure if this statistic is accurate (or, if it was when I heard it, if it still is now); however, at a previous position, our (large-scale) software product, developed over the course of the last decade, large, complex, and convoluted, had a similar statistic. Over 80% of the code that we had in our core product was there to deal with bugs in previous code, bugs in other people's products, bugs in how different vendors implemented the standards (i.e. poorly), bugs with corrupted images, and so on.
Think about that for a second; anyone can re-implement a PNG library by reading the specifications and learning how to do the math on the algorithms; there are probably people at Google who could write a complete PNG library in C inside of a week (they DO have some pretty brilliant people working for them). What they CAN'T do is go out and feed into that library all of the broken, corrupted, or just-a-little-bit-off PNG images that are out there on the web that require little tweaks and adjustments (or horrific workarounds) to process, and find all the fixes to all the glitches that end-users might see.
The extensive experience that the libpng developers have had over the lifetime of the project cannot be simply re-implemented from a textbook. THAT is why simply re-writing it is impractical, and THAT is why code re-use is a good thing. Expand that from PNG images out to every other shared library in the project, and 'not invented here' syndrome turns simple and straightforward bllet-point requirements for Android into a large-scale programming project, and makes the whole thing impractical.
Re:yawn (Score:2, Insightful)
Re:I'm not exactly sure how phone software works.. (Score:-1, Insightful)
Since when was it painful to flash firmware? And yeah, most motherboards and other devices support flashing from the OS, as long as that OS is Windows. I assume such a mechanism isn't as insane as you make it out to be.
But if you want to get ultra-technical, your typical general purpose piece of equipment is so full of security holes it's hilarious. I actually think it's a pretty big joke on the white hats that they aren't spilling out vulnerabilities all the time. Probably because they're disheartened by all the threats of lawsuits instead of actual action when they discreetly disclose them.
Security is a joke in the world we live in. If any smart person wants to spend a little time hacking something it will be hacked. Every video game console, Tivo, Windows, Windows Media Player, FairPlay, iPhone, Mac OS X, DVD, Bluray, HD-DVD, Intel CPUs (P4 and Core 2 bugs). All haxed. A sufficiently motivated person/organization/institution could pwn your laptop from wifi/bluetooth/wimax/cellular, turn on your webcam or mic remotely, flash your firmware, install keyloggers, load a root kit that hides it all. Yes, even yours, firewall + antivirus guy. Do you really think a rinky-dink cell phone manufacturer that makes a new model every 6 months is really going to magically protect you from that? You're not protected by good engineering you're protected by hacker disinterest.
But you know what? People make phone calls and use bluetooth. People play video games online. People listen to music. And we're all reading and typing this on Windows/Linux/Mac OS X/etc from our IE/Firefox/Safari/etc web browsers and the world continues to rotate.
(In short to answer your question: yes, they can attack via an update mechanism. Or just about a bazillion other vectors. And to answer the implied statement here, no, nobody seems to care. Not even the hackers.)
Re:yawn (Score:5, Insightful)
Really, in the hands of Google, the 'beta' tag is only a way to keep things sounding 'hip and new' and to avoid liability when something screws up.
Re:Already fixed (Score:3, Insightful)
Re:yawn (Score:5, Insightful)