Asking for responsible vulnerability disclosure

Aug 20, 2008 14:41 GMT

In an e-mail sent on Monday to the popular Full Disclosure mailing list, the Android Security Team introduces itself to the security community and provides contact information for people interested in tracking bugs and discovering vulnerabilities in the new Android Platform.

Android is a software platform for mobile devices developed by Google and the Open Handset Alliance, "a group of more than 30 technology and mobile companies who have come together to accelerate innovation in mobile", as stated on their website. The platform consists of an operating system based on the 2.6 Linux kernel, middleware and several applications for mobile devices.

An initial version is planned for release later this year and it will be open source. "All of the source code of the Android Platform will be released later this year under the GPL and Apache 2.0 Licenses, and many diverse groups are already working on their own Android devices and applications," announces the e-mail.

The Android Security Team motivated their e-mail by pointing out that security issues would be inevitable, regardless of how much effort they put into fixing and finding bugs themselves. "That is why we would like to introduce ourselves today and let the security research community know how they can reach out and work with us," they note.

They also present their security FAQ for interested readers and point out that vulnerability disclosure should be done responsibly: by contacting them first and giving them the chance to fix vulnerabilities before the information is released to the general public. In return, they gave assurances that people providing usable reports will be properly credited in their advisories: "Help from security researchers in the form of usable bug reports and responsible time lines will greatly assist us in securing the ecosystem of Android devices as quickly as possible. Our vulnerability bulletins will credit responsible reporters of any flaws".

A new beta of the Android SDK was released recently, and several vulnerabilities had already been discovered in the previous versions. The Security Team's announcement closes with the promise of releasing more security documentation for developers in the near future: "We will be releasing more details of the security features of the Android platform over the next several months, as well as developer documentation and guidance on how to use these features in your Android applications".