Feeds

Googlephone security team seeks bug hunters

Android needs You

Website security in corporate America

Google's Android security team has appealed to bug hunters to help it iron out flaws in the platform.

In a posting to a full disclosure mailing list, Android security staff concede that security bugs in complex software stacks are inevitable. They are inviting help from the security community in identifying and ironing out vulnerability wrinkles before they begin to show.

It's a refreshing approach that contrasts with the lack of openness from Apple's rival iPhone development team of whom little has been heard, apart from a recent job ad for a reverse engineer.

"As you may expect, building and maintaining a secure mobile platform is a difficult task," an Android security team member writes. "While we have found and fixed many of our own bugs as well as flaws in other open-source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable."

The Android team expressed a preference for hearing about bugs first-hand rather than learning about them through such channels as full disclosure mailing lists. Responsible disclosure of this type will help Google to push out patches in a timely manner.

"We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch," the post explains.

At this stage of the game would-be bug hunters do not have the benefits of devices running Android to test with. Vulnerabilities in early emulator software have already been discovered by security tools firm Core Security back in March.

A beta (0.9) version of the Android Software Development kit was released on Monday. More details on the security features of the platform will follow, the Android team promise.

"We will be releasing more details of the security features of the Android platform over the next several months, as well as developer documentation and guidance on how to use these features in your Android applications," the post, which gives contact details and links to information on the security philosophy for Android, explains.

The Android mobile device platform is based on Linux and developed by Google and the Open Handset Alliance, a consortium of hardware, software, and telecom firms. Google has promised to make the majority of code for the Android platform available under the Apache open-source licence, once the first full version of the software is released later this year. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.