Tuesday 16 August 2011

Phones Running Google's Android are Prone to Hacking

mobile security expert says he has found new ways for hackers to
attack phones running Google Inc's Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a
hacker's conference last week, told Reuters that he and his colleague
Shane Macaulay decided not to lay out their research at the gathering
for fear criminals would use it attack Android phones.

He said in an interview he identified more than a dozen widely used
Android applications that make the phones vulnerable to attack.

"App developers frequently fail to follow security guidelines and write applications properly," he said.

"Some apps expose themselves to outside contact. If these apps are
vulnerable, then an attacker can remotely compromise that app and
potentially the phone using something as simple as a text message."

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

"When you release a threat and there's no patch ready, then there is
mayhem," said Hassell, founder of boutique security firm Privateer

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed
the research with Hassell and did not believe he had uncovered problems
with Android.

"The identified bugs are not present in Android," he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and
Macaulay to make a scheduled presentation at the annual Black Hat
hacking conference in Las Vegas, the hacking community's largest annual

They had been scheduled to talk about "Hacking Androids for Profit."
Hundreds of people waited for them to show up at a crowded conference

Hassell said in an interview late on Thursday the pair also learned --
at the last minute -- that some of their work may have replicated
previously published research and they wanted to make sure they
properly acknowledged that work.

"This was a choice we made, to prevent an unacceptable window of risk to
consumers worldwide and to guarantee credit where it was due," he

A mobile security researcher familiar with the work of Hassell and
Macaulay said he understood why the pair decided not to disclose their

"When something can be used for exploitation and there is no way to fix
it, it is very dangerous to go out publicly with that information,"
the researcher said. "When there is not a lot that people can do to
protect themselves, disclosure is sometimes not the best policy."