VPN flaw reported in latest version of Android

Same vulnerability that was found in Jelly Bean 4.3 allows a malicious app to bypass the VPN configuration and redirect communications

A VPN bypass flaw discovered last week in Android Jelly Bean 4.3 also exists in the latest version of Google's mobile operating system, KitKat 4.4, Israeli researchers say.

Ben Gurion University researchers found the initial bug and then did further testing to determine its existence in KitKat. The researchers published their latest findings on the university's Cyber Security Labs blog.

Google did not respond to a request for comment, but security experts said Wednesday the bugs in both versions of Android should be fixed quickly.

"I believe this is a serious issue," Paul Henry, a senior security instructor at the SANS Institute, said.

Because of differences in the OS versions, the same exploit code cannot be used, the researchers said. However, what can be accomplished by malware is the same.

The flaws make it possible for a malicious app to bypass a VPN (virtual private network) configuration and redirect the secure data communications to a different network address. The data is rerouted before it is encrypted.

The KitKat flaw is somewhat similar to what the same researchers found last December in Samsung's Knox security platform. That vulnerability could let a malicious app intercept files on Samsung S4 devices before they are stored in a secure Knox container.

Google and Samsung dismissed the reported Knox flaw, saying in a statement that the researchers' exploit "uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device."

In essence, the researchers demonstrated a "classic man-in-the-middle attack," which could be launched at any point on the network to capture unencrypted data, Google and Samsung said. The researchers did not exploit an actual vulnerability.

If the latest vulnerabilities prove to be real, then they should be fixed quickly, John Pirc, chief technology officer for security software tester NSS Labs, said. However, if Google finds that the flaw is in the network stack, "that is not trivial to fix."

In addition, any patch on Android takes time to reach users because it has to be rolled out by wireless carriers and device manufacturers.

In the meantime, Henry advises businesses to set their mobile device management systems to alert IT staff of any changes in the security settings associated with the VPN of an Android smartphone or tablet.


Stories by Antone Gonsalves
