As European officials continue to voice concerns about privacy, surveillance, and Google’s products, researchers released a report this week on the security of the search engine company’s operating system:
Security researchers believe they have found a major security flaw in Google’s Android mobile operating system, which could affect up to 99 percent of Android phones now in consumers’ hands . . .
The problem lies in the security verification process that has been used on the Google Play applications store since the release of Android 1.6. It could leave up to 900 million devices open to hackers. The flaw, the research firm said, is a weakness in the way that Android applications verify changes to their code. The weakness would allow hackers to “turn any legitimate application into a malicious Trojan” without flagging the attention of Google’s app store, a mobile phone or the person using an application.
The result, researchers said, would be that anyone who breaks into an app this way would have access to the data that app collects and — if an app made by the device manufacturer gets exploited — could even “take over normal functioning of a phone.”. . .
Security is a common concern on Android phones, in part because the open nature of the system also means that it’s easy for anyone to find out how it works. Android is the OS of choice for 75 percent of the world’s smartphones, IDC reported in May. But a report released in March from the F-Secure security firm found that 79 percent of all mobile malware found in 2012 was running on Android phones.
This problem is exacerbated by the fact that so many smartphone manufacturers use their own versions of the Android operating system, making it more difficult to get system updates that may include security fixes out to customers.
On the same day that the report was released, a German official advised users to avoid certain companies, including Google, that share information with the U.S. government if they are concerned about eavesdropping:
NSA leaker Edward Snowden claimed Google, Facebook and Microsoft were among several Internet companies to give the U.S. National Security Agency access to their users’ data under a program known as PRISM. The companies have contested this, but the claims prompted outrage in Europe and calls for tighter international rules on data protection.
“Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” German Interior Minister Hans-Peter Friedrich said.
He also said German officials are in touch with their U.S. counterparts “on all levels” and a delegation is scheduled to fly to Washington next week to discuss the claims that ordinary citizens — and even European diplomats — were being spied upon by the NSA.
The agency said that it was particularly concerned that Google’s policy, which went into effect in March and covers over 60 Google services, does not give users enough information about the data the firm collects and how it is used. It also has concerns that the policy does not share enough information about how long Google keeps user data.
If Google does not amend its policy, the British agency said, it will “leave the company open to the possibility of formal enforcement action.” The Guardian reported that the company could also face fines of up to $750,000, but only if there is proof that individuals may have been harmed by the policy.
Also on Thursday, the data protection office in Hamburg, Germany — where Google’s German office is based — said in a statement that it will be calling Google in for a hearing over concerns that the policy’s provisions on data collection are unclear.
While European regulators have been more skeptical of Google’s policies than their counterparts in the United States, lawmakers in Congress have questioned Google about its new Glass headware:
On Monday, Google attempted to assure U.S. lawmakers that the headset, which mimics many of the functions of a smartphone, does not push the barriers of its privacy standards. But that was not enough to satisfy some lawmakers’ lingering concerns. . .
Rep. Joe Barton (R-Tex.), co-chairman of the caucus, said that Google has failed to answer the key question: How can it ensure the privacy of passersby who have not agreed to be photographed or videotaped?
He said that there ought to be a way to alert individuals that they may be on camera and that there should be limits on the types of data that Google and other companies can collect from it, as well as limits on how long that data can be stored.
“There do not appear to me to be strong privacy protections for the population at large, or even ownership protection for the user of the Google Glass product,” Barton said.
Google has argued that it will be clear to people in the vicinity when the device is active or recording.