Gidley's Gossipings

A blog about not much really

Google not fixing Android Dirty Cow Yet

2016-11-08

It’s become fashionable to give security defects ‘cool’ names like Heartbleed; the latest is Linux’s ‘Dirty Cow’. This is quite a major bug, as it allows any user/app on a Linux device to get ‘root’. Linux has now got a patch but, interestingly, Google have delayed the patch for Android by a month.

It’s worth thinking a bit about what that ‘could’ mean…

  • Any Android app on your phone can now do anything - all those permissions mean nothing to an app using this exploit
  • Google may be able to stop apps doing this getting through the Google App store - but they probably can’t stop them all
  • As a user there is nothing you can do to secure your phone/tablet

So all those apps you use on your phone are now vulnerable - even the best software security can only hinder an attacker with ‘root’ permissions on Android. That means that if any developer, of any app on your phone, decides they want to do things like capture your online banking passwords, pretend to be you in any app or engage in any other mischief, they can.

In all likelihood most apps won’t try this - but it only takes one and all the stuff on your phone is exposed.

So what should be done? Consumers should probably be demanding that Google patch quicker, but we should also be demanding that app vendors secure their own apps as much as possible, and we should all be aware that IT security is always fallible. There is no such thing as perfect security, only ‘good for now’ security!