The times, they are a-changin', when it comes to smartphone security. And two new major Android security vulnerabilities that affect a wide variety of HTC smartphones and AT&T's new Samsung Galaxy S II prove just how important it is for smartphone owners to remain vigilant and informed in the future.

If you employ an Android smartphone and you care about the security and privacy of the data stored on your device, listen up: Two serious Android security flaws were uncovered over the past few days that reportedly affect a number of very popular new handsets running Google’s mobile OS, including AT&T’s version of the Samsung Galaxy S II, the HTC Thunderbolt, and both the HTC EVO 3D and 4G, among others.

The first, and probably more severe flaw, was revealed last weekend by a coder named Trevor Eckhart, and it’s particularly ugly. According to Mr. Eckhart, HTC recently released software updates for a handful of devices that installed a nasty little application designed to collect a bunch of user information, which HTC planned to use for unknown reasons.

But that’s not the worst part. The data logging tools also reportedly allow any other application that has been granted Internet access by the user to access the collected user data, which could include account information (e-mail address, data sync status, etc.); GPS- and network-based locations and a short history of last-visited locations; phone numbers from users’ phone logs; SMS data; and system logs, which could provide information on active apps, e-mail info, phone numbers and other sensitive data.

Yikes. This is a data harvesting opportunity just waiting to be taken advantage of by some crafty Bad Guy.

Mr. Eckhart reportedly informed HTC of this major security flaw last week, but didn’t hear back promptly, so he decided to go public with the information. Right now HTC says it’s looking into the report, but hasn’t yet offered a solution to the problem.
So if you use an HTC Android device, I’d probably be very careful about the applications you install and grant Web access to until HTC offers up more information. (Also, check out my list of Android security tips, to help protect your device.)

Secondly, tech blog BGR.com last week uncovered a serious Android security flaw that affects AT&T’s version of the new Samsung Galaxy S II smartphone–not Sprint’s Galaxy S II–and the vulnerability basically renders the device’s single most valuable security safeguard, its password, completely useless.

From BGR:

If you have a PIN or an unlock pattern set, all you have to do in order to bypass it is simply tap the lock button to wake the display and then let the screen time out and go black. Tap the lock button again and lo and behold, the unlock screen is gone and the phone can be accessed with no PIN or pattern input whatsoever.

Again, neither Samsung nor AT&T has issued a resolution–the companies say they’re “investigating a permanent fix.” So AT&T Samsung Galaxy S II users ought to be extra careful not to let their handhelds out of their sight, until Samsung or AT&T addresses this major password problem.

It’s times like these that make me very happy to use a BlackBerry as my main smartphone. Not that Research In Motion (RIM) and BlackBerry are perfect–just last week I reported on a new application that can supposedly crack BlackBerry device passwords, though the process is a complex one–but RIM’s OS is built with security in mind, unlike Android. And in all the years I’ve been using a BlackBerry, nothing like these latest security threats has affected BlackBerry smartphones.

AS

Via AndroidPolice, BGR