November 6th, 2008
Google moves quickly to plug Android security hole
Earlier this week a security hole was discovered in Android 1.0 (TC4-RC-29) that allowed you to gain root access to the device. The trick was that you have to start up a telnetd server on the phone, and then anyone who knows your IP address can log into the machine without a password to an administrator account.
Update: It’s worse (and funnier) than we thought, see: Worst. Bug. Ever.
Some developers called this a “jailbreak feature” because it allows them to build and install native applications for the gPhone instead of having to go through the normal sandboxed virtual machine. Although that’s a nice ability to have, this particular opening was unintentional and poses an unnecessary risk.
Google says they’re going to close the hole soon with an over-the-air patch:
We’ve been notified of this issue and have developed a fix. We’re currently working with our partners to push the fix out and updating the open source code base to reflect these changes.
Android already allows applications to be installed from sources other than Android Market, but the user has to explicitly change a system setting. Hopefully they will provide a similar setting for allowing native applications on the device without having to jump through hoops to jailbreak it and without opening up security holes for less adventurous users and developers.
Ed Burnette is a professional developer and author of several articles and books about computing including Hello, Android: Introducing Google's Mobile Development Platform, 2nd Edition. For disclosure of Ed's industry affiliations, click here or to view his full profile click here.
Subscribe to Dev Connection via Email alerts or RSS.
