August 19th, 2008

Android security team appeals to hackers

Posted by Ryan Naraine @ 12:31 pm

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Hackers, Malware, Metasploit, Microsoft, Mobile (In)Security, Open source, Passwords, Pen testing, Responsible disclosure, Vulnerability research, Web 2.0

Tags: Team, Google Android, Mobile, Hacker, Android Platform Team, Security, Ryan Naraine

Already burned by the discovery of serious security vulnerabilities in its SDK, the Android Security Team emerged from the shadows this week with an appeal to the security community for help fixing flaws in the Linux-based mobile platform.

In a note posted to several public mailing lists, the open-source group published a detailed FAQ covering its security philosophy and process and made a direct request for hackers to use responsible disclosure (.pdf) ethics when vulnerabilities are discovered.

[ SEE: Google Android SDK has multiple vulnerabilities ]

  • As you may expect, building and maintaining a secure mobile platform is a difficult task. The Android platform team has put a great deal of work into trying to design a platform that balances our goal of open development and user choice with the unique challenges of securing a consumer-focused mobile system.
  • While we have found and fixed many of our own bugs as well as flaws in other open source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable. That is why we would like to introduce ourselves today and let the security research community know how they can reach out and work with us.

The group provided an e-mail address for reporting bugs in Android (security-at-android.com) and a promise to respond to bug reports and keep reporters informed of the progress of an investigation.

  • We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch. Help from security researchers in the form of usable bug reports and responsible time lines will greatly assist us in securing the ecosystem of Android devices as quickly as possible. Our vulnerability bulletins will credit responsible reporters of any flaws.

The Android security team, which is part of the Open Handset Alliance, plans to release more details of the security features of the Android platform over the next several months.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 8 Talkback(s)
Think it through
While on the face it does seem absurd to ask the "little guy" for help with bugs in Android, the developers (who will sell their apps, correct?) ultimately stand to benefit if the OS is reasonably secure. If they are not going to report bugs, they may as well not bother developing apps....
Posted by: ogletree@... Posted on: 10/28/08