It started with the Google browser; now security flaws are extending into Google’s Android phone. The real question right now is: what has happened to Google’s formerly impeccable record in information security? Google has an enviable record in web-based information security: flaws are found quickly and patched, they work with the outside community, and they are generally very aware of and proactive about security issues in their web-based applications. However, the last two products, the Chrome browser and now the phone operating system, Android, have been released with serious security flaws. The Android flaws center on the browser and on the image processing system, both of which have been well known for a very long time. Chrome’s issues started out because it was using an outdated WebKit, and Android’s problem also seems to center on the use of outdated rendering libraries.

The sad part is that these types of flaws have been known for a while, and the documentation on the flaws in the libraries is also well known. These libraries and the other tools used in these systems should never have seen the light of day if there had been a focus on security first. Microsoft and the open source community get this concept and are aggressive about finding and patching these kinds of issues. Google, not so much, based on what we are seeing with their formal software products.

While it is good to sandbox each of the applications within the Android framework, it is also well known how to bounce out of those sandboxes and then corrupt the entire framework that the program runs on. Using a sandbox as a security mechanism is more akin to using a speed bump than to ensuring that the entire framework is secure. Sandboxes serve their purpose, but should not be the last word in the security of a device.

It would be great to see Google take on these kinds of issues, ensuring that the programs that run on their desktop and cell phones are using good libraries and up-to-date base software, not ones that are known to have flaws. This is more an issue of how code is written at Google for an application than anything else. Google will address them sooner or later, if they have not already pushed patches to the system, but the base SDK should be upgraded as well; otherwise there is too much of a risk that the underlying code will be broken and the sandbox violated, so that the entire smartphone or browser can be owned by someone else.

Tags: google, android, security, flaw, discovered, sandbox, security, infosec, application