This week some concerned hackers disclosed two big security holes in Android. The first involved an app named Angry Birds Bonus Levels, a clever name given the bizarre popularity of Angry Birds and the demand for more levels. The only level its users got, though, was a lowered level of security: once installed, the app proceeded to download three more programs on its own, without asking the user for permission, named Fake Toll Fraud, Fake Contact Stealer and Fake Location Tracker, one of which managed to grant itself the right to send text messages. Ouch.
Hackers also found a hole in the embedded browser of certain HTC devices and of the Motorola Droid running Android 2.1: prompted in a certain way, the browser can be made to install software, a trick at least one man discovered and put on public display. Ouch.
Fortunately, like others before them, these hackers were the relatively benevolent kind, known as white hat hackers. They find exploitable bugs in software, often operating systems, and then either contact the developers or the vendor quietly to warn them they’ve got work to do or, as in this case, blow the whistle loudly and publicly but harmlessly, leaving it to others to push the throttle all the way down by publishing a working exploit. Hackers learned from their experience with Microsoft that contacting the company quietly, rather than letting a proof of concept loose, can be ineffective, whereas public disclosure puts plenty of leverage on an organization to fix the problem quickly, before criminals figure it out and turn it into something far more nefarious. By the way, Google pulled the software both from the app store and from the phones of those who had installed it.
In January Google made an intriguing move to tap the knowledge and persistence of these hackers: it encouraged them to dig through the Chromium code for bugs and, upon discovery and disclosure of a bug to Google, awarded them a prize between $500 and $3,133.70 depending on the gravity of the bug and, perhaps more valuably, put their names in a public Security Hall of Fame. That effectively turned hacking Google’s software into a race, and one aimed at the kind of hacker who, having found a bug, would be proud to help rather than tempted to turn to the dark side, with Google doing what it could to accommodate those ambitions.
As time passed, more bugs in Chromium were discovered and promptly patched, updates pushed, rewards paid, and names and their respective exploits published, approaching an eventual drought of holes and presumably relatively tight software, along with a growing community of sharp hackers who are team players. The net result was positive enough that Google has just extended the reward program to cover “any Google web properties which display or manage highly sensitive authenticated user data or accounts”, though not yet client software such as Picasa, Google Earth and Android. But anything web-based, which is quite a large chunk of Google’s services, from YouTube to Gmail to Voice, even Google Apps: if it works in a web browser, game on.
Ballsy. But probably smart, given what they learned from the Chromium experiment. I suspect that if this doesn’t backfire on them somehow, then as a moderate chunk of time goes by they will extend it to Android. I imagine they know it will work too but want to do a little more diligence, which I’d like not to take too long, as I don’t enjoy coming across these headline-making Android exploits even when they are handled appropriately. So I wish Google would hurry up and throw fuel on the fire rather than only working on it in-house with the occasional heads-up from the hackers. The way to do that more aggressively looks like this incentive program: it would make Android as secure as possible as rapidly as possible, even if that means shining the spotlight on your own flaws yourself, in spite of the seductive temptation to sweep it all under the rug.