Android-Powered G1 Mobile Phone Flaw Patched

by Ostatic Staff - Nov. 03, 2008

On October 24th, as Lisa reported, a serious vulnerability was discovered in the Google Android powered G1 mobile phone.

Though security researchers classified the flaw in the Android browser as serious, Google assured users that the risk wasn't necessarily as dire as it seemed, because the Android operating system sandboxes each application in its own area: a compromised browser does not automatically gain access to the rest of the system.

CNet News reporter Stephen Shankland says his G1 was patched on Saturday through a quick system update.

The fact that Android had a vulnerability of this nature is not so surprising. There will always be flaws and vulnerabilities with new software products -- open or not. What matters is how the software developers (Google, in this case) handle the issue, and how quickly the fix comes.

The folks at Google and the Android team certainly didn't waste any time fixing the issue. Taking a week or so to offer a patch for a vulnerability such as this wasn't unreasonable. Depending on how the errant code affected other browser components, the speed at which this was patched could be a real testament to Google's commitment to Android and its user base.

There is a bit of concern with the "old fashioned" way Google handled the announcement of the vulnerability. The Android security team had previously requested that security researchers disclose vulnerabilities to Google privately rather than making them generally available. Google says that this gives it time to get a handle on the problem before those who would exploit these vulnerabilities do.

This might be less noticeable or seem less out of place with proprietary or closed applications, but in an open source arena it doesn't really apply. It's not about Google hiding anything wrong with the code; it's about the fact that the code is already out there, and anyone looking to actively exploit it could do so whether or not the vulnerability is made public. Making the public aware protects them, and making a wider developer base aware prevents future issues and speeds up fixing those at hand. It's the model used in open source software, and it's worked well for a good long while.

Google has opened Android, and has passed its first "real world" test by issuing a patch that installed cleanly and smoothly. It's a strong start. It's understandable that Google is a little uneasy about vulnerabilities compromising a new product -- and those vulnerabilities getting blown out of proportion. The switch to the open source "bug report" mindset must be a tough one, but it is one the company will have to make to truly open the product and -- ultimately -- protect and benefit its customers.