Security flaw detected in Android versions
In an advisory, Indian cyber security researchers have said that smartphones running Android 4.3 and Android 4.4 are vulnerable to hackers who could use a known flaw in the phones to steal sensitive information. The flaw is in the way the latest versions of Android implement virtual private network (VPN) connections, a technology mostly used by enterprises.
This flaw can be used by hackers and others to read and capture the information exchanged between a phone running Android 4.3 or Android 4.4 and a VPN server. According to data published on February 4 by Google, the company behind Android, 8.9% of all Android phones were running version 4.3 while 1.8% were on version 4.4.
The VPN flaw is a low-risk vulnerability for most users. But for companies that implement VPN and that allow employees to use Android phones, it can pose a significant risk. The vulnerability was first found by researchers at an Israeli university in the middle of January. Google is aware of the flaw and is likely to fix it in the next version of Android.
In India, researchers at CERT-In, the government agency that monitors cyber threats, issued an advisory about the VPN flaw a few days ago.
"A critical flaw has been reported in Android's VPN implementation, affecting Android version 4.3 and 4.4 which could allow an attacker to bypass active VPN configuration to redirect secure VPN communications to a third party server or disclose or hijack unencrypted communications," noted CERT-In.
A VPN is used by companies to establish a secure connection between their own servers and the devices, such as smartphones and laptops, that their employees use during work. Under ideal conditions, a VPN offers end-to-end encryption between the device and the VPN server and makes it almost impossible for anyone on the path to snoop on the communication taking place between a phone or laptop and a web server. This is also the reason why VPNs are used by many people in countries like China to access web services that are banned in the country, and by many dissident groups in countries with repressive regimes.
CERT-In added that if an Android phone has been compromised through the VPN flaw, hackers may also collect information on text messages, emails and contacts stored on the device.
Israeli researchers found the vulnerability while testing Knox, a security feature for enterprise users created by Samsung. They later found that the flaw affected all Android phones and not just Samsung phones.
Samsung issued a statement on the VPN flaw and said that it was not as serious as it seemed. "Android development practices encourage (apps to use) SSL/TLS. Where that's not possible Android provides built-in VPN. Use of SSL/TLS would have prevented an attack based on a user-installed local application, (which exploited VPN flaw)," noted the company.
In its advisory, CERT-In suggested that Android users should apply OS updates when they are available, should not install applications from untrusted sources and should not click on unidentified web links received in messages or emails.