The Open Source Computer Emergency Response Team (oCERT) revealed two new flaws in Google’s Android mobile operating platform. Both software vulnerabilities could leave devices using the Android software open to denial of service attacks.
The first flaw exploits the way in which Android interacts with SMS texts. It is possible to send a malformed text message which manipulates an application running on the affected device, using a combination of Java and WAP. When the application is forced to reboot, the device is disconnected from the network. Additionally, users with PIN codes assigned to their SIM cards will be forced to re-enter the code before they can reconnect. Repeated attacks by malformed messages would cause a perpetual denial of service.
The second flaw actively involves the device user, requiring that they execute a maliciously constructed application which exploits one of Android’s APIs. The result of this bug is a complete system restart. Furthermore, it may be possible for the bug to be triggered unintentionally wherever an execution path uses the affected function call. This too would be classed as a denial of service attack by oCERT standards.
Once the vulnerabilities were made public, Google was quick to patch both issues. Although the Android platform is going to come under increasing scrutiny as it becomes more widely used, it is at least reassuring that Google is able to respond quickly to plug the perceived threats before they are exploited. Some are concerned that the next software flaw could be found by malicious parties as opposed to oCERT, and that denial of service attacks could just be the start of a more troubling threat to data stored on Android devices.
It is through the collective efforts of groups such as oCERT that the vulnerabilities of Android and other mobile platforms can be identified before it is too late. These groups will therefore be of fundamental importance to businesses and individuals concerned about the security of their data and the integrity of the major mobile software platforms as a whole.