This week some concerned hackers discovered two big security holes in Android. The first was an app named Angry Birds Bonus Levels, a clever name given the bizarre popularity of Angry Birds and the demand for more levels. But the only level users got was a lower level of security: once installed, the app silently downloaded three further programs on its own, without user permission, Fake Toll Fraud, Fake Contact Stealer and Fake Location Tracker, one of which granted itself the right to send text messages on its own. Ouch.

Hackers also found a hole in the built-in browser of certain HTC devices and the Motorola Droid running Android 2.1: prompted in a certain way, the browser can be made to install software, and at least one researcher found that way and put it on public display. Ouch.

Fortunately, like others before them, these hackers were the relatively benevolent kind, known as white hat hackers: they find exploitable bugs in software, often operating systems, and either quietly contact the developers or the vendor to warn them they’ve got work to do or, as in this case, blow the whistle loudly and publicly but harmlessly, leaving others to push the throttle all the way down by publishing a working exploit. Hackers learned from Microsoft that contacting the company rather than letting a proof of concept loose can be ineffective, whereas this method puts plenty of leverage on an organization to fix the problem quickly, before the Eastern Europeans, Nigerians and Chinese figure it out and build more nefarious exploits. By the way, Google pulled the software both from the app store and from the phones of those who had installed it.

In January Google made an intriguing move to harness the knowledge and persistence of these hackers: it encouraged them to dig through the Chromium code for bugs and, upon the discovery and disclosure to Google of a bug, awarded a prize of between $500 and $3,133.70 depending on the severity of the bug and, perhaps more valuably, put the hacker’s name on a public Security Hall of Fame. That effectively turned hacking Google’s software into a race, while aiming the encouragement at hackers who are less likely to discover bugs and turn to the dark side and more likely to be proud to help, Google doing what it could to accommodate these ambitious hackers.

As time passed, more bugs in Chromium were discovered and summarily patched, updates pushed, rewards paid, and names and their respective exploits published, trending toward an eventual drought of holes and presumably fairly tight software, along with a growing community of sharp hackers who are team players. The net result was positive enough that Google has just extended the reward program to cover “any Google web properties which display or manage highly sensitive authenticated user data or accounts”, though not yet client software such as Picasa, Google Earth and Android. But anything web-based, which is quite a large chunk of Google’s services, from YouTube to Gmail to Voice, even Google Apps: if it works in a web browser, game on.

Ballsy. But probably smart, given what they learned from the Chromium experiment. I suspect that if this doesn’t backfire on them somehow as a moderate chunk of time goes by, they will go ahead and extend it to Android. I imagine they know it will work too but want to do a little more diligence, which I’d prefer not take too long, as I don’t enjoy coming across these headline-making Android exploits even when they are handled appropriately. So I wish Google would hurry up and throw fuel on the fire rather than working on Android security only in-house with the occasional heads-up from the hackers. The way to do that more aggressively looks like this incentive operation: make Android as secure as possible as rapidly as possible, even if that means shining the spotlight on your own flaws yourself, in spite of the seductive temptation to sweep it all under the rug.

Doug Simmons

5 COMMENTS

  1. You ever run a network intrusion detection program on servers that get traffic and map out the IPs to see where those nasty packets typically come from?

  2. So only “Eastern Europeans, Nigerians and Chinese” would be low enough to nefariously exploit a bug. Great Doug. I love your logic.

  3. How close to 100% does the share of Chinese IPs that tried to portscan, buffer overflow, CGI hack, SQL inject one, probe my SMTPD for open relaying, doing that to my servers versus just innocently emailing one of my users, have to be before I get to lump them in together the way I did?

    Granted, 99% of those attacks or red flag-able incidents are not executed by a human; rather, there is just a sea of compromised machines and botnets in China, but it would be appreciated if they’d clean that up a bit. Perhaps instead of using that Great Firewall technology to keep the bad stuff out they could use it to keep their own bad stuff from hitting everyone else.

    It’s been bad enough over the years that I’ve thought about putting up a tankman gallery website in the hope of getting my IPs blocked by this Great Firewall. I’m serious. You want to see my logs? I’ll hand over a dump of my syslog, you breeze through it, and if the first hacking attempt you can identify doesn’t go back to a Chinese or Eastern European IP I’ll give you five bucks, double or nothing on the second.

    I’m angry at the Chinese IP blocks and the data that flies out of them disproportionately to the rest of the world’s IPs, not the Chinese people. I’m rather fond of them actually. Same with the Eastern Europeans I suppose whose IPs’ naughty data fills in when the Chinese IPs need to take a break.

    I was being flip you know. But good to see we’ve got an HR department now.

  4. You are posting for a blog that might have upstanding people from Eastern Europe, Nigeria, or China reading your article who would be offended regardless of how typical the IP location is. Unless every single “nasty packet” originates from a given location, I think it’s safe to say it’s insensitive (at best) to make a statement like that.

  5. By the way people, these Android logo things I produce, they don’t photoshop themselves… just sayin’
