Release date:
Updated on:
Affected Systems:
Open Handset Alliance Android 2.1
Open Handset Alliance Android 2.0.1
Open Handset Alliance Android 1.5
Open Handset Alliance Android 1.0
Unaffected Systems:
Open Handset Alliance Android 2.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 48940
Android is a project launched by Google through the Open Handset Alliance. It provides a complete software stack for mobile devices, including an operating system and middleware.
Open Handset Alliance Android has an SSL certificate spoofing vulnerability in its implementation. A local attacker can exploit it to display an incorrect SSL certificate, so that victims mistakenly believe they are viewing a valid website.
<* Source: Shuhei Ohtani
Link: http://www.privateerlabs.net/research/evadingscanningviatheandroideventmodel
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Open Handset Alliance
---------------------
The vendor has not currently provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://www.openhandsetalliance.com/android_overview.html