Last week, security researcher Jonathan Zdziarski made some hefty claims that iOS devices are vulnerable to attack due to undocumented surveillance services that Apple has included in its mobile operating system. Apple quickly refuted the claim and made those services more transparent for those suspicious of their intent.
This week, Bluebox Security came out with a report claiming that Android phones are vulnerable to attack through an uninspected certification process, which allows hackers to access payment history, account credentials, emails, and more.
The ways the two companies handled the accusations are completely different, although each has a valid reason for approaching the issue as it did.
According to Ars Technica, Bluebox discovered a security breach they dubbed “Fake ID” because, “like a fraudulent driver’s license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits.”
A hacker can provide fake certificates to an Android device in order to gain access to personal data. Like a lazy bouncer, Android fails to properly inspect and validate the chain of certificates that grants access to personal data, and so lets the hacker into the system. The criminal can then access Flash, Wallet, or any other app that comes stock in Android. Android then gives a “backstage pass” to anything else on the device without ever checking for a forged certificate.
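The “lazy bouncer” failure described above, as an added example that is not code from the article, Bluebox or Android: the flaw is modelled here (an assumption) as a chain check that only compares the leaf’s claimed issuer name with a trusted certificate’s subject, beside a check that also verifies the issuer’s signature; all keys and certificate names are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, which is acceptable for a self-contained demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a certificate for cn whose Issuer field is copied from parent.Subject but whose
// signature is made with signer; the two are unrelated unless signer really is the CA's key.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// chainChecks returns the "lazy bouncer" verdict (the leaf merely *names* the trusted CA) and
// the real one (the CA's key signed the leaf; CheckSignatureFrom also demands parent.IsCA).
func chainChecks(leaf, trusted *x509.Certificate) (nameMatches, signatureVerified bool) {
	nameMatches = leaf.Issuer.String() == trusted.Subject.String()
	return nameMatches, nameMatches && leaf.CheckSignatureFrom(trusted) == nil
}

// Demo builds a trusted root, a genuine leaf and a name-only forgery (constructed test data).
func Demo() (forgedNameMatches, forgedVerified, genuineVerified bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, appKey, attackerKey := newKey(), newKey(), newKey()
	root := issue("Trusted Root CA", nil, rootKey, &rootKey.PublicKey)
	genuine := issue("Genuine App", root, rootKey, &appKey.PublicKey)
	// The forgery's parent carries only the CA's *name*; the signature comes from an unrelated key.
	forged := issue("Forged App", &x509.Certificate{Subject: root.Subject}, attackerKey, &attackerKey.PublicKey)
	forgedNameMatches, forgedVerified = chainChecks(forged, root)
	_, genuineVerified = chainChecks(genuine, root)
	return forgedNameMatches, forgedVerified, genuineVerified
}

func main() { fmt.Println(Demo()) } // prints: true false true
```

The name-only check waves the forgery through while the signature check rejects it and still accepts the genuinely issued leaf.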
“All it really takes is for an end user to choose to install this fake app, and it’s pretty much game over,” Jeff Forristal, CTO of Bluebox Security told Ars in an interview. “The Trojan horse payload will immediately escape the sandbox and start doing whatever evil things it feels like, for instance, stealing personal data.”
Google was quick to respond to the claims:
“We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.”
The contrast between Google and Apple in response to vulnerability claims is an interesting one. Google thanks the researchers for finding the problem and bringing it to their attention. Apple says the information is wrong and justifies why the system works the way it does.
While I am more likely to trust the software that Apple provides because of its superstructure and near-impenetrability, I am more likely to trust Google as a company for its honesty and transparency with the way it addresses security vulnerability claims.