DefCon Dings Reveal Google Product Security Risks

Patents aren't the only malady affecting Android this weekend—a newly discovered "design flaw" could potentially allow malicious hackers to create pop-ups or other phishing schemes right on your device.

As reported by CNET from the DefCon conference, the Android flaw was revealed by researchers Sean Schulte, SSL developer at Trustwave, and Nicholas Percoco, senior vice president of SpiderLabs at Trustwave.

According to those two, malicious developers could, in theory, create an innocent-looking application that pushes a fake login screen to the user whenever they attempt to access, say, their mobile banking app. The only indication that this is occurring is an almost imperceptible screen blip or flicker, after which the fake log in screen replaces the legitimate one. Pretty scary!

Another far less scary but incredibly annoying application of this application is the idea of "competing ads." Basically, if you were playing an EA game, for example, an Activision game with the malicious code could push Activision pop-ups onto your screen while you're attempting to play (Note: This is purely hypothetical. Neither EA nor Activision have exploited this alleged Android design flaw).

On the Chrome OS front, we learned today that while Google's malware security claims still hold water, security experts at DefCon argue mobile exploits are a much more viable target for hackers because the OS is more similar to mobile devices and apps.

One well-known bug, the first of many one would have to assume, was the ScratchPad exploit that Google addressed back in December 2010.

When you take notes with ScratchPad, it syncs the note to your Google Docs account. What most people didn't realize about Google Docs is that the person you share a document or folder with doesn't have to approve receiving it. It just automatically appears in your Docs. This lack of structured permissions massively increased the risk of running an exploit, said Johansen, because it affects everybody, it has access to your Google log-in and there's no permissions wall to break through. - CNET

When it comes to Chrome OS, security experts have widened their scope to include oft-ignored email notification services and even RSS readers—basically, anything that can be considered an extension with access to a database or takes information from one place and displays it to a user.

I suppose it's ultimately a good thing we're reading about this at DefCon and not as a breaking news investigative report in the WSJ. [CNET, ]