
Researcher keeps Android app security flaws to himself

Black Hat session by Privateer Labs pulled at the last minute

A security researcher is standing by the claim that his company has discovered security vulnerabilities in a dozen common Android applications, despite declining to reveal which applications are affected.

Riley Hassell of Privateer Labs had been due to give a presentation, 'Hacking Android for profit', revealing the issues at last week's Black Hat security conference, but called off the session after deciding that the absence of fixes for the flaws might allow attackers to exploit the research.

What remains are only vague descriptions of the issues, starting with the pre-session descriptions mentioning 'AppPhishing', a bogus app that scrapes a user's login using a fake screen, and 'AppJacking', where a malicious app hijacks the credentials of a trusted app.

"Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message," Hassell told a third-party website by way of explanation.

What is unclear is the extent to which these or other issues found by him are original discoveries and whether they represent flaws in Android or only the apps themselves.

Jay Nacarrow of Google has reportedly said that the issues are not related to Android, though without a fuller description this is hard to confirm.

What the minor controversy does suggest is that mobile operating systems, while more secure than the almost open door created by Windows XP in 2001, are turning out to be less secure by design than first assumed.

Serious exploits have been largely restricted to poor app vetting by Google and the re-engineering of applications posted to third-party download sites not covered by Google's Market, especially in China. Despite its low-key response to the issues apparently discovered by Privateer Labs, Google has appeared flat-footed when it comes to listening to feedback from security companies.

Security company Trusteer recently pointed out flaws in the security-reporting system on Google's Market.
