> Of course, since Android now supports native code, hackers can attack the kernel API. I kind of hate to admit this, but that API might be one of the more vulnerable parts of the system at the moment.
I think the image display libraries and the web browser are still prime attack targets (written in C, note!). Think of an MMS message, spam email, or webpage that takes control of your phone. And of course emails or MMSes itself to all your contacts to continue propagation.
Posted Jan 25, 2011 1:12 UTC (Tue) by cmccabe (guest, #60281)
> I think the image display libraries and the web browser are still prime
> attack targets (written in C, note!). Think of an MMS message, spam email,
> or webpage that takes control of your phone. And of course emails or MMSes
> itself to all your contacts to continue propagation.
Remember that just because code is written in C, doesn't mean it's part of the trusted codebase.
For example, the Chrome web browser is sandboxed. So if you can buffer overflow a WebKit HTML rendering thread (not a very hard task), you get control of... what is displayed on the screen. Nothing else.