
Researcher keeps Android app security flaws to himself

Black Hat session by Privateer Labs pulled at the last minute

A security researcher is standing by the claim that his company has discovered security vulnerabilities in a dozen common Android applications, despite declining to reveal which applications are affected.

Riley Hassell of Privateer Labs had been due to give a presentation 'Hacking Android for profit' revealing the issues at last week's Black Hat security conference but called off the session after deciding that the absence of fixes for the flaws might allow attackers to exploit the research.

What remains is only a vague outline of the issues, starting with the pre-session descriptions, which mention 'AppPhishing', a bogus app that harvests a user's login through a fake screen, and 'AppJacking', in which a malicious app hijacks the credentials of a trusted app.

"Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message," Hassell told a third-party website by way of explanation.

What is unclear is the extent to which these or other issues he found are original discoveries, and whether they represent flaws in Android itself or only in the apps.

Jay Nacarrow of Google has reportedly said that the issues are not related to Android, though without a fuller description this is hard to confirm.

What the minor controversy does suggest is that mobile operating systems, while more secure than the almost open door created by Windows XP in 2001, are turning out to be less secure by design than first assumed.

Serious exploits have been largely restricted to poor app vetting by Google and to the re-engineering of applications posted on third-party download sites not covered by Google's Market, especially in China. Beyond its low-key response to the issues apparently discovered by Privateer Labs, Google has appeared flat-footed when it comes to listening to feedback from security companies.

Security company Trusteer recently pointed out flaws in the security-reporting system on Google's Market.
