Fragmentation of Android means an admitted security flaw in the software affecting hundreds of thousands of apps may go unfixed.

Google Admits Android Security Flaw May Never Be Fixed
A Google Android figurine sits on the welcome desk as employee Tracy McNeilly smiles at the new Google office in Toronto, November 13, 2012. (Credit: Reuters)

Google has confirmed there is a problem with the way Android generates random numbers, but the software on your phone or tablet may never be updated to fix the problem.

Earlier this week, a flaw in the way Android generates the random numbers needed for the creation of private cryptographic keys was revealed when the Bitcoin Foundation warned that the flaw meant that all Bitcoin wallets were open to theft.

Bitcoin is the virtual digital currency used to purchase goods online, which relies on cryptographic keys to remain secure. Therefore a weakness in the security of the wallet apps which store a person's Bitcoins is a serious problem.

Google on Thursday confirmed the existence of the security flaw in Android, saying the numbers generated were cryptographically weak and identifying apps which use the pseudorandom number generator (PRNG) in the Java Cryptography Architecture (JCA) as the root of the problem.

"Make sure you do"

On the Android Developers Blog, security engineer Alex Klyubin recommended that all developers who use this method of generating random numbers should fix their apps. Security expert Graham Cluley says that Android doesn't correctly initialise the random number generator, "so [developers] have to make sure that you do."

Klyubin even includes a suggested fix in the blog to make it easy for Android developers to implement the changes.
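As an added illustration of the kind of change developers are being asked to make (this is not Klyubin's code from the blog post, and it is not Google's patch), the snippet below explicitly seeds the JCA SecureRandom with bytes read straight from the kernel before using it to generate a key, so the app no longer depends on the platform having initialised its PRNG correctly. It assumes a readable /dev/urandom device, as on Android and other Linux systems.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

/**
 * Added example: mix fresh kernel entropy into SecureRandom before key
 * generation. Assumption: /dev/urandom exists and is readable.
 */
public final class SeededRandom {
    private static final String URANDOM = "/dev/urandom";
    private static final int SEED_BYTES = 32;

    private SeededRandom() {}

    /** Read n seed bytes directly from the kernel entropy device. */
    static byte[] readUrandom(int n) throws IOException {
        byte[] seed = new byte[n];
        try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
            in.readFully(seed); // fails loudly instead of returning a short seed
        }
        return seed;
    }

    /** Return a SecureRandom whose state has been mixed with kernel entropy. */
    public static SecureRandom seededSecureRandom() throws IOException {
        SecureRandom rng = new SecureRandom();
        // Seed from the kernel so the generator's state does not rest solely
        // on whatever (possibly missing) seeding the platform performed.
        rng.setSeed(readUrandom(SEED_BYTES));
        return rng;
    }

    /** Generate an RSA key pair using the explicitly seeded generator. */
    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, seededSecureRandom());
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = generateKeyPair();
        System.out.println("Generated " + kp.getPublic().getAlgorithm() + " key pair");
    }
}
```

Any app that creates keys, signs data or draws random numbers through the JCA would route those calls through a generator prepared this way rather than a bare `new SecureRandom()`.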

On the face of it that should be the end of the matter, but rather than affecting just a handful of Android apps, the issue is affecting hundreds of thousands of Android apps. According to Symantec, it has found over 360,000 apps which use the SecureRandom class which has proven to be vulnerable.

This means it is not just Bitcoin apps which are affected, but gaming, entertainment, lifestyle and productivity apps too.

Patches

Klyubin adds that Google has helpfully developed patches for Android which will see the OpenSSL PRNG initialise correctly. Google has even provided the patches to the companies which use Android on their phones and tablets.

Great, that should solve the problem. Right?

Well, no. Because we are dealing with Android here, the problem is much more complex. If it was Apple or Microsoft and the problem was on iOS or Windows Phone, it would be fixed at source and a security update made available to all users at once.

Android doesn't work like this however, and the problem of fragmentation and piecemeal updates means that millions of Android smartphones and tablets will likely never be patched to fix this security flaw.

According to OpenSignalMaps there are eight different versions of Android in use around the world today with almost 12,000 different devices running the software.

Updates

The process for updates on Android therefore works something like this:

  1. Google issues its partners (Samsung, LG, HTC etc) who are in the Open Handset Alliance (OHA) with the updated software.
  2. They then carry out their own internal testing to make sure it works with their tweaked version of Android which they use on their devices.
  3. Once that is cleared, the updated software is then passed from the manufacturers to the various networks around the world.
  4. These networks then carry out their own internal testing of the software.
  5. Only then, and only with the go-ahead of Google, is the updated software pushed to the end user.

With a process like this in place, it is no wonder that so many Android phones and tablets are running on older versions of the software, as most manufacturers/networks think it is not worth the hassle of updating the software for every device.

While this attitude is questionable when it comes to giving end users new features and faster performance, when it comes to failing to fix major security flaws it is downright unacceptable.

As Cluley puts it: "Shame on any Android handset manufacturer who doesn't accept their responsibility to protect their customers, and fails to issue this fix to users as soon as possible."