Wednesday, March 5, 2008

Google Android Had Some Glitches

Image handling problems found, corrected
The Google Android SDK for developing mobile applications contained a slew of vulnerabilities, including a passwordless root account.

Since the end of January, Google has received reports that its Android SDK contains a number of security flaws. As Google released the SDK to the open source community, bug detection would be an expected part of the development process.

Security vendor Core Security provided a lengthy advisory about the Android SDK, which to us indicates the open source process worked. The prototype Android phones seen already won't be a reality until the software bugs receive the attention they need.

Google made this statement, listed in the advisory, about Core's findings:

"The current version of the Android SDK is an early look release to the open source community, provided so that developers can begin working with the platform to inform and shape our development of Android toward production readiness. The Open Handset Alliance welcomes input from the security community throughout this process. There will be many changes and updates to the platform before Android is ready for end users, including a full security review."

The trio of vulnerabilities detected by Core all concerned the processing of images by Android's web browser. Core said the flaws in processing GIF, BMP, and PNG images could have enabled a malicious website to attack the platform and ultimately execute arbitrary code.

A little sloppiness, not on Google's part, could be to blame for the problems Core found. They noted the use of an outdated libpng reference library for handling PNG images in a library used by Android. Google has since updated Android with a current version of libpng that should eliminate that particular problem.

Fixes for the GIF and BMP issues arrived with newer SDK releases. However, follow-up research by Core found the root account arriving without a password by default. "Unprivileged users with shell access can simply use the su program to gain privileges," said Core.

http://www.niche-articledirectory.com/Author/8136/Cristian-Stan.

"root account arriving without a password by default"

Come on... not even a newbie like me wouldn't have missed that.
