Feeds

Googlephone security team seeks bug hunters

Android needs You

Internet Security Threat Report 2014

Google's Android security team has appealed to bug hunters to help it iron out flaws in the platform.

In a posting to a full disclosure mailing list, Android security staff concede that security bugs in complex software stacks are inevitable. They are inviting help from the security community in identifying and ironing out vulnerability wrinkles before they begin to show.

It's a refreshing approach that contrasts with the lack of openness from Apple's rival iPhone development team of whom little has been heard, apart from a recent job ad for a reverse engineer.

"As you may expect, building and maintaining a secure mobile platform is a difficult task," an Android security team member writes. "While we have found and fixed many of our own bugs as well as flaws in other open-source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable."

The Android team expressed a preference for hearing about bugs first-hand rather than learning about them through such channels as full disclosure mailing lists. Responsible disclosure of this type will help Google to push out patches in a timely manner.

"We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch," the post explains.

At this stage of the game would-be bug hunters do not have the benefits of devices running Android to test with. Vulnerabilities in early emulator software have already been discovered by security tools firm Core Security back in March.

A beta (0.9) version of the Android Software Development kit was released on Monday. More details on the security features of the platform will follow, the Android team promise.

"We will be releasing more details of the security features of the Android platform over the next several months, as well as developer documentation and guidance on how to use these features in your Android applications," the post, which gives contact details and links to information on the security philosophy for Android, explains.

The Android mobile device platform is based on Linux and developed by Google and the Open Handset Alliance, a consortium of hardware, software, and telecom firms. Google has promised to make the majority of code for the Android platform available under the Apache open-source licence, once the first full version of the software is released later this year. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.