Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Google Businesses The Internet Security Cellphones

Security Holes In Google's Android SDK 77

Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform. From the article: 'Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF, and BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image-processing libraries, other were introduced by native Android code that uses them or that implements new functionality.'"
This discussion has been archived. No new comments can be posted.

Security Holes In Google's Android SDK

Comments Filter:
  • yawn (Score:5, Insightful)

    by QuantumG ( 50515 ) * <qg@biodome.org> on Wednesday March 05, 2008 @01:30AM (#22646430) Homepage Journal
    Security holes in beta software you say? Wow.

    • Re:yawn (Score:5, Insightful)

      by Anonymous Coward on Wednesday March 05, 2008 @01:43AM (#22646498)
      Security holes in beta software you say? Wow.

      That would be a valid retort if it weren't for Google's perpetual beta mentality.
      • Re: (Score:2, Insightful)

        by AmaDaden ( 794446 )
        This is why they have a perpetual beta mentality. They know better then to call newly written software done. Public usage with a warning label is a good thing.
        • Re:yawn (Score:5, Insightful)

          by Nullav ( 1053766 ) <.Nullav.gmail. .ta. .com.> on Wednesday March 05, 2008 @04:05AM (#22647034)

          They know better then to call newly written software done.
          So three and a half years is early in the development process? I guess that means Hurd's only 'slightly behind schedule'.
          Really, in the hands of Google, the 'beta' tag is only a way to keep things sounding 'hip and new' and to avoid liability when something screws up.
          • Re:yawn (Score:5, Insightful)

            by AmaDaden ( 794446 ) on Wednesday March 05, 2008 @09:14AM (#22648218)
            Did you hear what the plans are for android? It's an OS that is designed to fit nearly any phone hardware, to be configurable to anyones liking, AND can run home brewed Java apps. Four years is not a bad time, It is a MASSIVE undertaking. Personally I think that ALL software is severely under tested. It tends to be pushed out the door not because it's ready but because the higher ups want to start making money on it. How many times did you use software that is 'done' but swamped with bugs? That is beta software, even if they don't admit it.
        • by ceeam ( 39911 )
          I don't think that, unlike, for example, WebMail service, you can release a phone model with "Beta" label attached.
        • by hey! ( 33014 )
          Except this isn't even beta.

          I disagree with the assumption that security holes in beta software aren't serious. Beta -- in software at least -- means that real live users are using it.

          However, at this point the software is not available to users; if the problem is that the system uses obsolete implementations for some of its APIs, the open source process has worked the way its supposed to. If the problem is inherent in some important APIs, that's a different kettle of fish.

          Still, I expect Android to be a
    • Re: (Score:2, Funny)

      by nacule ( 1249808 )
      | Security holes in beta software you say? Wow. Maybe this is why they kept gmail in beta till now. Perfect excuse for security holes
    • Except that Google's software is always in beta.
    • Isn't Google's software usually in Beta?
    • by hal9035 ( 827327 )
      But we LOVE Google....... cut them slack......
    • And google mail has been 'beta' for how long? I'm sure nobody will mind a few security holes there, since it's a beta and all. This article isn't a problem as long as they sort it out quickly, but if they do a Microsoft and leave it in for the next few versions, that's when there's a problem.
    • It looks like they're trying to compete directly with the iPhone, image library buffer overruns and all! Sweet.
  • by ZanySpyDude ( 1215564 ) on Wednesday March 05, 2008 @01:32AM (#22646440) Homepage
    If this had been in the final version that was released, is it an easy fix for google or is it a pain in the ass for end consumers to get a fix/upgrade from google?
    • It would probably be a bit painful. Many cell phones require you to hook up a transfer cable to install a new set of firmware. Of course, this is a fancy new smartphone OS, so it's possible that Google has devised a software update procedure. However, if they have designed an update procedure, what's to stop attackers from attacking the update procedure? (Methinks that an unauthorized GSM base station is all that's needed for a man-in-the-middle attack...)
      • Re: (Score:3, Interesting)

        by Firehed ( 942385 )
        Look how the iPhone handles firmware updates - plug in, download, click install. I think it's safe to assume that a Google-supported device is going to be rather heavily standards-based (I can't say I know much about Android), and as such will have a mini-USB port. Why overcomplicate things? As much as I like the idea of having my Google-centric data accessible everywhere over the air, they really need better interoperability in terms of desktop data syncing (Gmail is pretty good that way, but Gcal requi
    • I know this is kinda off subject, but I could really use some help. A friends cell phone is showing text messages from my cell phone that I have never sent. I have even got a copy of the cell phone bill showing outgoing text messages and phone calls from my phone. I suspect my friend of 'phreaking' or hacking my cell phone to make this happen. Is this possible? Does anyone know how this could happen?"
  • who cares? there are exactly zero phones running android in public (meaning outside of pros testing)...so how does this affect anyone? must be a slow news night
    • It is true that the issue would not currently matter but smart phone technology will soon be big. Very big. It remains to be seen if Google can successfully make the transition into this area with so much competition from names like Apple, Research In Motion, Nokia, Palm and who knows who else by the time Android goes public.

      IMHO Google has done a fairly good job in its software development (which is to say, I have personally had few issues). Being open source at least lets people know there is a problem. T
      • I can't wait until telemarketers start using exploits to take over mobile phones to make mass calls. I can see the phone bills now...

        • Although they are generally tight lipped about it, carriers have traditionally handled responsibility for such exploits. As it becomes easier to "reach out and touch someone" anywhere in the world it will be interesting to see where the axe falls next.
      • And being open source these problems will be sorted out sooner and more effectively.

        The exciting thing to me is that this Google project will introduce not only open source software, but open source thinking and open source culture to the masses.

        And knowing Google, it will be successful, and being successful it will clear up many of the uninformed stigmas that cling to open source software - hopefully beginning with the kind of FUD that MS spouts.
        • Re: (Score:1, Flamebait)

          by ajs318 ( 655362 )
          Except that isn't how Google work. Google only like software being Open Source when it has been written by other people.

          Google wouldn't release so much as a single byte of Source Code, if it wasn't for the GPL making them do so. (Where's the Source Code for Picasa? Or Google Earth? Or any of the other "free" [as in, "this dog is free from lice"] software they give away?) In fact, I'm even surprised they're basing Android on Linux and not one of the BSDs. I guess it could just be an image thing, be
  • by ewhac ( 5844 ) on Wednesday March 05, 2008 @02:02AM (#22646586) Homepage Journal

    Several vulnerabilities have been found in Android's core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP)

    Having had the ignominious privilege of writing a BMP image parser some years ago, I can state without fear of meaningful contradiction that it's one of the worst image file formats ever devised by creatures claiming to be Man, and that it needs to die die die!

    PNG does everything BMP does, and does it better. Just throw away the BMP library and save yourself the maintenance headache. No one will miss it.


    • by totally bogus dude ( 1040246 ) on Wednesday March 05, 2008 @05:08AM (#22647204)

      But then we couldn't have fun watching images load from the bottom up! It looks so cool and is totally worth a few extra (mega)bytes!

    • Sometimes you just don't want your data to be compressed; you want to be able to tell the OS to load the data from storage and have it right there, ready for you to use. Sometimes you just can't afford the overhead of decompression. But PNG, reasonably enough (I suppose) for network graphics, requires all images to be compressed; you can't say "no compression".(*) BMP, on the other hand, is uncompressed by default; aside from the line order problems (which are easily solved by pre-flipping the image), th

      • by LWATCDR ( 28044 )
        Not being able to afford the overhead of compression is a pretty rare case. Often you can get around it by pre loading the image. Not saying that an uncompressed format would never be useful but it without a doubt a rare case and not one I can imagine comming up on Android.
        But heck if you must use an uncompress format then just us IFF and be done with it :)
    • Re: (Score:3, Funny)

      by JNighthawk ( 769575 )
      It's a fantastic way to learn how to parse and render an image. You get all the basics, plus you get to try and find out why your texture is rendering upside down :-)
    • Why was this modded funny? Give him some 'insightful' points as well guys.
  • Already fixed (Score:5, Informative)

    by Zach978 ( 98911 ) on Wednesday March 05, 2008 @02:27AM (#22646694) Homepage
    This is already fixed [blogspot.com] in m5-rc15 which was released yesterday...
    • Re: (Score:2, Informative)

      by microbee ( 682094 )
      Now we know how slow Slashdot editors are.
      • It's more likely that the hole was reported to the project maintainers before being publicly released, giving them a chance to fix it
    • And so we see the benefits in open source software, a bug was found before it was even out in the wild, and fixed.

      Hoorah for google and open source software.
      • Re: (Score:3, Insightful)

        by Zach978 ( 98911 )
        well, unfortunately the source for Android isn't out yet...so Hoorah for them when they release the source!!
    • As Marvin the Paranoid Android might say -- Don't Panic
  • That's just dumb. Introducing vulnerabilities in newly developed software is unfortunate, but it happens. Using software with known vulnerabilities when these vulnerabilities have been patched is just dumb. Any clues as to why they did this?
    • Re: (Score:2, Informative)

      by initdeep ( 1073290 )
      anybody who read the bugtraq submission of the flaws would no that google themselves responded with a comment that they knew they were using old version of the libraries adn that they were planning on updating them in the next release.

      They also pointed out that this iss not BETA code, but merely a release of propsed code to allow potential devlopers to add their insights to the project on which direction the code should go on various portions.

      The libraries have now been replaced (evidently) with the newer o
  • Needs more jiggawats.
  • Oh noes! (Score:2, Funny)

    by aztektum ( 170569 )
    My new smartphone is vulnerable to malicious haxx0rz! Oh wait, it runs Windows Mobile! I'm *so* relieved!!
  • by nguy ( 1207026 ) on Wednesday March 05, 2008 @03:51AM (#22646970)
    That's why people make software open source.

    I think the only thing that bothers me about Android is that the full source code has not been released yet, although Google claims they will be making that available.
  • ... we can now build a program to hack it and build are own programs! yeah!
    I'm going to call it "Gaolbreak"

"I will make no bargains with terrorist hardware." -- Peter da Silva