Android 4.3 has dangerous, but difficult to exploit, security flaw

Android 4.3 has dangerous, but difficult to exploit, security flaw
Whenever there is a security flaw found in any mobile platform, people tend to go a bit overboard, but that is never more apparent than when dealing with Android. Android has the reputation of being a haven for malware (which is only true if you have to rely on un-trusted sources for apps), so when IBM reported a security flaw in Android 4.3, the response was unsurprisingly alarmist.

The problem started with IBM itself. IBM security researchers found the flaw back in September, and reported it to the Android Security Team at Google. Somehow, although IBM found the flaw nine months ago, the company mistakenly thought that the flaw affected all Android versions up to 4.3, but that wasn't accurate (although it has been reported that way from various outlets). In fact, the flaw only affects Android 4.3 and doesn't cause problems with any versions before or after. So, the flaw is only a problem for about 10% of the ecosystem.

The security flaw itself is a relatively dangerous one, which could allow malicious hackers to gain access to the Android KeyStore and uncover user banking and virtual private network credentials, PINs, and unlock patterns. That sounds pretty bad, but it turns out that there are fail-safes built into Android, like data execution prevention and address space layout randomization, which make exploiting the flaw very difficult. And, a hacker would also have to get a helper app installed on the target device in order to fully exploit the flaw. Of course, any flaw in the KeyStore is a serious matter; so, if you're stuck on 4.3, you should start bugging your manufacturer to update. And, as usual, be careful about side-loading apps because that's your best defense. 

source: IBM via Ars Technica


Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit for samples and additional information.
FCC OKs Cingular's purchase of AT&T Wireless