
Surprise!
You know the drill....blah blah blah... security vuln.... blah blah blah ... always MS .... blah blah blah ... shake yourselves!
Israeli researchers who specialise in ferreting out Android vulns have discovered a new flaw in KitKat 4.4 that allows an attacker to redirect secure VPN traffic to a third-party server. Late in 2013, the Ben Gurion University security researchers first discovered ways to persuade Android to leak data sent using VPN software …
Is it impossible to write software that isn't full of security holes? I am getting that impression. In the ten years that I had XP installed on my laptop, it was a regular series of 'important security updates', until it ran like a three-legged dog in treacle. Can anybody ever get it right?
Well, yes and no. Writing software that is provably correct is very difficult (if not actually impossible). Safety critical software has a huge literature and decades of experience on the subject and they're still far from achieving it in practical environments - such as flight control software that, worryingly for anyone who's been involved in software development, contains millions of lines of code.
That's the theoretical problem. The practical problem is that, in the real world, security is that which prevents me from getting on with my job. There have been attempts at writing a secure-by-design OS, but they either have limited functionality (compared with standard 'insecure' systems) or present the user with so many security hurdles that have to be jumped that they aren't often used in practice (except in some safety critical systems, and frequently not even then).
As others have said, yes and no.
There are a lot of formal dev techniques to demonstrate that a software design has been correctly implemented in source and compiled code, and there is some software that is done that way (flight control software, things like Green Hills' INTEGRITY operating system, etc).
However, that's just part of the battle. First you have to be confident that the design itself is correct, never mind the source code that implements it. That's really hard to achieve; there's plenty of room for error there. For example, there was once a feature in Adobe Reader which left it wide open, and it affected Foxit too. The problem was that the PDF spec itself was flawed, and both Adobe Reader and Foxit had faithfully implemented it.
http://cyber.bgu.ac.il/blog/our-professional-and-humble-response-samsung
"9 Jan 2014 - Samsung released a public response, together with Google, in which they denied that it is a bug or flaw in Samsung KNOX or Android."
Seems you, sir, are the Muppet. I trust Google and Samsung far more than some pay-for-FUD security output.
But, but, but Google "Do No Evil", they love fluffy kittens, and they give Android away free and they are not an evil corporation like Apple/Windows. As always fanboys be dumb whether they are Apple, Google, Windows or Samsung flavoured. Those rose-tinted glasses sure make it hard to read articles.
"Is it impossible to write software that isn't full of security holes?"
Yes, it is very much impossible.
Anyone who says they have made some software that is 100% bug free is either lying or doesn't know what they're talking about, even for relatively simple software. For an entire operating system there's going to be bugs, and lots of them, no matter what system it is or how the development process works.
Indeed, and it's why many programmers like me were shitting themselves in the 1980s when Ronald Reagan's "Star Wars" system was proposed. That's the one that was going to require millions of lines of computer code that had to work properly the first time an invading missile was detected coming over the horizon (and not go bananas when a pigeon shat on a detector).
> Thank goodness we have such sensible and meaningful names as jelly bean, ice cream sandwich and kitkat to help us intuitively understand our releases,
Perhaps you haven't worked it out yet. Here's a clue: it's alphabetic:
Apple Pie, Banana Bread, Cupcake, ... Ice Cream Sandwich, Jelly Bean, Kitkat. Can you guess what the next release name will start with?
> rather than those old confusing and misleading release numbers eh?
3.1, 95, NT, 98, ME, 2000, XP, Vista, 7, 8.
That is not a set of 'confusing and misleading release numbers' at all.
It might be a vulnerability in Android 4.4 but no-one will notice since VPN is pretty broken in 4.4 anyway. VPN connects but either stops passing data after a minute, or just doesn't pass data at all.
Plenty of complaints about it -
https://code.google.com/p/android/issues/detail?id=61948
https://code.google.com/p/android/issues/detail?id=62714
for instance.
Holy crap, so many articles about people misusing Android's VPN service... VPN is NOT meant to "secure your data" or anything like that! VPN is meant as an encrypted connection to your work network (for example). If a "bad guy" "redirects" the VPN, the app should detect that and stop sending data. And that's no problem since, ya know, you already lost the connection to your work network... There's no vulnerability here - the vulnerability is that people are using VPNService for things it's not meant to be used for.