First Google Android flaws surface

Android relies on 80 open-source components

A trio of researchers has disclosed the first security flaw for the Google Android platform and pointed out a fundamental security problem in the open source process.

The vulnerability was discovered by researchers Charlie Miller, Mark Daniel and Jake Honoroff from security testing and analysis firm Independent Security Evaluators.

While the three have elected not to disclose details about the flaw until a fix can be issued, they said that a successful exploit could allow an attacker to retrieve all stored information in the victim's browser.

The researchers praised Android for its secure "sandbox" mode, which limits the scope of attacks by cutting off access to outside components, but they also noted what could become a major security hurdle for Android.

The flaw lies within one of the open-source components used by the Android platform, say the researchers.

"The vulnerability is due to the fact Google did not use the most up-to-date versions of all these packages," the trio said.

"In other words, this particular security vulnerability that affects the G1 phone was known and fixed in the relevant software package, but Google used an older, still vulnerable version."

Because Android relies on some 80 different open-source components, keeping track of security disclosures and bug fixes could prove difficult, potentially leaving the platform open to future attacks.

News of the disclosure comes less than one week after the first Android-powered handset hit the US market in the form of the T-Mobile G1. Other vendors, including Motorola and Kyocera are also said to be poised to unveil Android devices.