VPN flaw reported in latest version of Android

Published 30 Jan 2014

A VPN bypass flaw discovered last week in Android Jelly Bean 4.3 also exists in the latest version of Google’s mobile operating system, KitKat 4.4, Israeli researchers say.

[Experts weigh in with wish lists for Android 4.4 KitKat security]

Ben-Gurion University researchers found the initial bug and then did further testing to determine whether it also exists in KitKat. The researchers published their latest findings on the university’s Cyber Security Labs blog.

Google did not respond to a request for comment, but security experts said Wednesday that the bugs in both versions of Android should be fixed quickly.

“I believe this is a serious issue,” Henry, a senior security instructor at the SANS Institute, said.

Because of differences between the OS versions, the same exploit code cannot be used, the researchers said. However, what malware can accomplish is the same.

The flaws make it possible for a malicious app to bypass a VPN (virtual private network) configuration and redirect the secure data communications to a different network address. The data is rerouted before it is encrypted.

The KitKat flaw is somewhat similar to what the same researchers found last December in Samsung’s Knox security platform. That vulnerability could let a malicious app intercept files on Samsung S4 devices before they are stored in a secure Knox container.

Samsung dismissed the reported Knox flaw, saying in a statement that the researchers’ exploit “uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.”

In essence, the researchers demonstrated a “classic man-in-the-middle attack,” which could be launched at any point on the network to capture unencrypted data, Samsung said. The researchers did not exploit an actual vulnerability.

If the latest vulnerabilities prove to be real, then they should be fixed quickly, rc, chief technology officer for security software tester NSS Labs, said. However, if Google finds that the flaw is in the network stack, “that is not trivial to fix.”

In addition, any patch on Android takes time to reach users because it has to be rolled out by wireless carriers and device manufacturers.

In the meantime, Henry advises businesses to set their mobile device management systems to alert IT of any changes in the security settings associated with the VPN of an Android smartphone or tablet.
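The monitoring Henry recommends can be expressed as a small drift check over device check-ins. The following is an added example, not code from the article or from any MDM vendor: the `VpnPosture` record, its field names (`vpn_enabled`, `always_on`, `lockdown`, `server`, `vpn_apps`, `default_iface`) and the sample check-ins are all constructed assumptions about what an MDM might export, not a real product schema. It compares each check-in against an approved baseline and raises a high-severity alert for any change that would let traffic leave the device outside the tunnel: a weakened VPN setting, a changed gateway, a new package holding the VPN permission, or a default route that no longer uses the tunnel interface.

```python
"""Alert on drift in VPN-related security settings reported by Android devices.

Constructed example: the check-in record shape and field names are assumptions
about what an MDM exports, not a real product API.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class VpnPosture:
    """VPN-related settings from one device check-in (hypothetical MDM schema)."""
    device_id: str
    vpn_enabled: bool          # a VPN profile is configured and connected
    always_on: bool            # Android "always-on VPN" set for the device
    lockdown: bool             # block traffic that does not traverse the VPN
    server: str                # VPN gateway the profile points at
    vpn_apps: FrozenSet[str]   # packages currently holding the VPN permission
    default_iface: str         # interface carrying the default route (e.g. "tun0")


@dataclass(frozen=True)
class Alert:
    device_id: str
    setting: str
    before: object
    after: object
    severity: str


def diff_posture(baseline: VpnPosture, current: VpnPosture) -> List[Alert]:
    """Compare a check-in against the approved baseline and return alerts.

    Every change to the VPN configuration is reported; changes that would let
    traffic leave the device outside the tunnel are marked 'high'.
    """
    alerts: List[Alert] = []
    dev = current.device_id

    def alert(setting, before, after, severity):
        alerts.append(Alert(dev, setting, before, after, severity))

    # Settings that, when weakened, allow unencrypted traffic off the device.
    for name in ("vpn_enabled", "always_on", "lockdown"):
        b, c = getattr(baseline, name), getattr(current, name)
        if b and not c:
            alert(name, b, c, "high")
        elif b != c:
            alert(name, b, c, "low")   # tightened relative to baseline

    # Tunnel endpoint changed: traffic is now being sent somewhere else.
    if baseline.server != current.server:
        alert("server", baseline.server, current.server, "high")

    # A new package holds the VPN permission: it can interpose on all traffic.
    added = current.vpn_apps - baseline.vpn_apps
    if added:
        alert("vpn_apps", sorted(baseline.vpn_apps), sorted(current.vpn_apps), "high")
    removed = baseline.vpn_apps - current.vpn_apps
    if removed:
        alert("vpn_apps_removed", sorted(removed), [], "low")

    # Device claims the VPN is up, but its default route does not use the tunnel.
    if current.vpn_enabled and not current.default_iface.startswith("tun"):
        alert("default_iface", "tun*", current.default_iface, "high")

    return alerts


def evaluate_checkins(baseline: VpnPosture, checkins: List[VpnPosture]) -> List[Alert]:
    """Run diff_posture over a series of check-ins, oldest first."""
    alerts: List[Alert] = []
    for c in checkins:
        alerts.extend(diff_posture(baseline, c))
    return alerts


# Constructed data: an approved baseline and three later check-ins.
BASELINE = VpnPosture("dev-001", True, True, True, "vpn.example.com",
                      frozenset({"com.example.corpvpn"}), "tun0")
CHECKINS = [
    # identical to baseline: no alerts
    BASELINE,
    # a second app gained the VPN permission and the default route left the tunnel
    VpnPosture("dev-001", True, True, True, "vpn.example.com",
               frozenset({"com.example.corpvpn", "com.unknown.helper"}), "wlan0"),
    # always-on and lockdown switched off, gateway changed
    VpnPosture("dev-001", True, False, False, "203.0.113.9",
               frozenset({"com.example.corpvpn"}), "tun0"),
]

if __name__ == "__main__":
    for a in evaluate_checkins(BASELINE, CHECKINS):
        print(f"[{a.severity}] {a.device_id} {a.setting}: {a.before} -> {a.after}")
```

The baseline is the control here: an MDM that only reports the current state cannot tell a deliberate profile change from one made by an app on the device, so IT needs an approved reference to diff against, and any drift in the high-severity fields should be treated as a possible bypass until someone confirms who made the change.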