Android security patch 'flawed'

First Slide

In July, a vulnerability that affected up to a billion Android phones was made public by software researchers. Google made a patch available, but security company Exodus Intelligence said it had been able to bypass the fix. Exodus Intelligence said the update could give people a "false sense of security". Google told the BBC that most Android users were protected by a security feature called address space layout randomisation (ASLR). "Currently over 90% of Android devices have ASLR enabled, which protects users from this issue," it said. ASLR makes it difficult for an attacker to plot an attack, and introduces more guesswork to the process, which is more likely to crash a smartphone than compromise it. 'Vulnerability remains' In April, another security company, Zimperium, found a bug in Android that could let hackers access data and apps on a victim's phone, just by sending a video message. The company disclosed the issue to Google and provided its own patch for the software, which Google made available to phone manufacturers. Details of the flaw were made public in July, after Google had integrated the patch into the latest version of Android. At the time, Google pointed out that there had been no reported cases of anybody exploiting the bug. On Thursday, Exodus Intelligence said its researcher Jordan Gruskovnjak had easily bypassed the patch and the vulnerability remained. "The public at large believes the current patch protects them when it in fact does not," the company said on its blog

Related News