(1) Is the following report available yet? -- from the recent news it looks like hackers figured it out on their own...
http://lwn.net/Articles/414816/

... [Ryan Ware of Intel] noted the recent Coverity study of the Android kernel that found 88 high-risk defects and there were "some interesting things in there". The report will not be available for a bit as Coverity gave Google 60 days to fix the problems before the report will be released. Ware noted that the study found that the defect rate for the code written for Android was "significantly higher than for the rest of the kernel".

(2) http://www.theregister.co.uk/2011/03/04/google_android_market_peril/

Android malware attacks show perils of Google openness
Is there a vetter in the house?
By Dan Goodin in San Francisco
Posted in Malware, 4th March 2011 01:25 GMT

This week's discovery of malware that hijacked tens of thousands of Android cellphones shows the pitfalls of Google's decision to make the operating system the Wikipedia of mobile platforms that offers apps written by virtually anyone.

A couple years ago, the choice helped the OS gain traction against Apple's more entrenched iPhone by quickly building out the number of apps available in the Android Market. Once developers pay a $25 registration fee, Google gives them “complete control over when and how they make their applications available to users.” Contrast that with Apple's App Store, which the company rules with an iron fist.

The recent discovery of some 55 malware-tainted apps available in the Android Market shines a bright light on the dark side of its openness. The malware hid in legitimate titles that had been repackaged and distributed by three developers.

Once installed, the apps exploited known vulnerabilities that gave the malware root access to a phone's most sensitive functions, according to this analysis from Lookout, which provides antimalware apps for Android, Blackberry and Windows Mobile handsets.

A separate analysis provided by antivirus firm Kaspersky Labs said that DreamDroid, as the malware has been dubbed, connected to a server controlled by the attackers, where it appeared to access “a list of applications to download and install on the already infected device.” In other words, DreamDroid is a classic trojan backdoor downloader.

The infected apps were downloaded by phones that numbered in the tens of thousands to hundreds of thousands, according to Market figures.

[...]

(3) http://gcn.com/articles/2010/12/23/android-fips-security.aspx

Android-based smart phones are all the rage these days -- unless, of course, you work at a federal agency.

Google and the Open Handset Alliance’s version of a mobile operating system has been exploding in the consumer market for the last year, to the point where it may actually dethrone Apple’s iPhone while further distancing itself from BlackBerry in terms of smart phone market share. The problem with Android, though, is that it is difficult to implement into existing security protocols for federal agencies.

It seems like it should be a relatively straightforward concept: bake Federal Information Processing Standards 140-2 (FIPS) right into the phone and give enterprises and agencies the ability to configure security as needed. Yet this is not common practice for device-makers. BlackBerry has been doing this for years, but the other major smart phone players – Apple, Google and Microsoft – are behind in their efforts to cater to the federal space and security-minded enterprises.

According to the National Institute of Standards and Technology (NIST), which controls the labs that test FIPS security algorithms through the Cryptographic Module Validation Program (CMVP), Apple does have a couple FIPS security features in testing for the iPhone and iPad, as well as a general cryptographic module that is likely for desktops and notebooks.

Microsoft has had its Windows Mobile CE (versions 6.0 and 6.5) certified, but Windows Mobile 7 hasn't been yet.

(4) http://gcn.com/Articles/2011/03/01/Android-malware-on-the-rise.aspx

Android an emerging target for cyber criminals

Niels
http://nielsmayer.com