Fragmented Android development creating greater security risks

Some flaws exist on over a ‘hundred phone models and affect millions of users’

The fragmentation of Android is creating additional security risks, as the rush to release new devices without sufficient testing is inadvertently introducing security flaws, security researchers have warned.

The researchers – Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, Muhammad Naveed and XiaoFeng Wang – uncovered flaws in customised drivers using a custom tool, dubbed Addicted, that they developed as part of the study into what they argue is an overlooked problem.

"Running ADDICTED on popular phone models, we discovered critical flaws that allow an unauthorized app to take pictures and screenshots, and even record the user’s input keys from touchscreen," the researchers (computer scientists from Indiana University, Bloomington and University of Illinois at Urbana-Champaign) warn. "Those vulnerabilities were found to exist on hundreds of other phone models."

An abstract of their paper, entitled The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations (pdf), explains:

Android phone manufacturers are under the perpetual pressure to move quickly on their new models, continuously customising Android to fit their hardware.

However, the security implications of this practice are less known, particularly when it comes to the changes made to Android’s Linux device drivers, such as those for camera, GPS, NFC etc.

In this paper, we report the first study aimed at a better understanding of the security risks in this customisation process. Our study is based on ADDICTED, a new tool we built for automatically detecting some types of flaws in customised driver protection.

Specifically, on a customised phone, ADDICTED performs dynamic analysis to correlate the operations on a security-sensitive device to its related Linux files, and then determines whether those files are under-protected on the Linux layer by comparing them with their counterparts on an official Android OS.

In this way, we can detect a set of likely security flaws on the phone. Using the tool, we analyzed three popular phones from Samsung, identified their likely flaws and built end-to-end attacks that allow an unprivileged app to take pictures and screenshots, and even log the keys the user enters through touchscreen.

Some of those flaws are found to exist on over a hundred phone models and affect millions of users.

We reported the flaws and helped the manufacturers fix those problems. We further studied the security settings of device files on 2423 factory images from major phone manufacturers, discovered over 1,000 vulnerable images, and also gained insights about how they are distributed across different Android versions, carriers and countries.

Vendors and carriers are aggressively customising official OS versions to accommodate new hardware pieces and services, potentially undermining Android security protection in the process, the security researchers conclude.

More than 1,000 phone models distributed across different Android versions, carriers and countries are vulnerable for one reason or the other, the researchers argue.

Independent mobile security experts, such as Jon Sawyer from Applied Cyber Security, agree that Android customisation has the side effect of creating a greater security risk.

"AOSP [Android Open Source Project] code has had the most eyes on it, from Google, the SOC partners, the OEMs, the community. It is quite reviewed," Sawyer told El Reg. "Customised code only really has had eyes from it's OEM on it. Some are more reviewed, and better than others. Some appear as if the OEM doesn't even have anyone look at it."

"So yes, many bugs come from OEM customisations," Sawyer concluded.

The US computer scientist conclude that their research only "scratches the surface of the grand security challenges" that come with Android customisations. Their conclusions point towards further work that ought to be undertaken.

"Even on the Linux layer, still there are many device files we cannot interpret, not to mention detection of their security flaws," the researchers conclude.

"More importantly, further effort is expected to understand how to protect security-critical resources on different Android layers, and develop effective means to ensure that customized resources are still well guarded," they added.

The research (first presented in Oakland last year) has been picked up by other researchers and taken forward. For example, a talk by Ohad Bobrov and  Avi Bashan at the Black Hat conference in Vegas next month draws heavily on the research of Xiaoyong Zhou et al. The Black Hat talk, entitled CERTIFI-GATE Front-door access to pwning millions of Android is due to show how even devices running the latest version of Android OS (Lollipop) can be hijacked.

Demonstration of an exploit against a live device is promised. Both Bobrov and  Bashan worked for Lacoon Mobile Security before moving to Check Point.

El Reg approached Xiaoyong Zhou, who took time out to bring us up to speed on his work.

"We have reported all vulnerabilities to Samsung and Google, the report includes 69 phone models that contain vulnerabilities allow unauthorised apps to take screenshots, key logger and use the camera without user consent," Zhou explained.

"Samsung awarded us with a Samsung Note phone to show its acknowledgement. Samsung also fixed its flagship phone models since the report. In its new flagship phones such as S6, Note 4, we did not find similar vulnerabilities," he added.

Further comparative work into the security of different Android customisations by a mix of researchers from IC-UNICAMP and Samsung can be found here.

The researchers analysed five different distributions: Google Nexus 4, Google Nexus 5, Sony Z1, Samsung Galaxy S4 and Samsung Galaxy S5, all running OS versions 4.4.X (except for Samsung S4 running version 4.3).

"Our conclusions indicate that serious security issues such as expanded attack surface and poorer permission control grow sharply with the level of customisation," the team concluded in a short six-page paper submitted for the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks.

El Reg approached representatives of Samsung directly for comment on the research by Xiaoyong Zhou et al into Android customisation, which is more detailed than the short paper put forward by Samsung boffins, but we're yet to hear back from the smartphone manufacturer. ®

Similar topics

Narrower topics

Other stories you might like

  • Apple wins Epic court ruling: Devs will pay up for now as legal case churns on

    Previous injunction that ordered company to allow non-Apple payments systems is suspended

    Apple will not be required to implement third-party in-app payments systems for its App Store by 9 December, after a federal appeals court temporarily suspended the initial ruling on Wednesday.

    As part of its ongoing legal spat with Epic, a judge from the Northern District Court of California said Apple wasn’t a monopoly, but agreed it’s ability to swipe up to a 30 per cent fee in sales processed in iOS apps was uncompetitive. Judge Yvonne Gonzalez Rogers ordered an injunction, giving the iGiant 90 days to let developers add links or buttons in their apps to direct users to third-party purchasing systems.

    Those 90 days were set to end on 9 December. If developers were allowed to process financial transactions using external systems they wouldn’t have to hand over their profits to Apple, they argued. When Apple tried to file for a motion to stay, which would pause the injunction until it filed an appeal, Rogers denied its request.

    Continue reading
  • Meg Whitman – former HP and eBay CEO – nominated as US ambassador to Kenya

    Donated $110K to Democrats in recent years

    United States president Joe Biden has announced his intention to nominate former HPE and eBay CEO Meg Whitman as Ambassador Extraordinary and Plenipotentiary to the Republic of Kenya.

    The Biden administration's announcement of the planned nomination reminds us that Whitman has served as CEO of eBay, Hewlett Packard Enterprise, and Quibi. Whitman also serves on the boards of Procter & Gamble, and General Motors.

    The announcement doesn't remind readers that Whitman has form as a Republican politician – she ran for governor of California in 2010, then backed the GOP's Mitt Romney in his 2008 and 2012 bids for the presidency. She later switched political allegiance and backed the presidential campaigns of both Hillary Clinton and Joe Biden.

    Continue reading
  • Ex-Qualcomm Snapdragon chief turns CEO at AI chip startup MemryX

    Meet the new boss

    A former executive leading Qualcomm's Snapdragon computing platforms has departed the company to become CEO at an AI chip startup.

    Keith Kressin will lead product commercialization for MemryX, which was founded in 2019 and makes memory-intensive AI chiplets.

    The company is now out of stealth mode and will soon commercially ship its AI chips to non-tech customers. The company was testing early generations of its chips with industries including auto and robotics.

    Continue reading
  • Aircraft can't land safely due to interference with upcoming 5G C-band broadband service

    Expect flight delays and diversions, US Federal Aviation Administation warns

    The new 5G C-band wireless broadband service expected to rollout on 5 January 2022 in the US will disrupt local radio signals and make it difficult for airplanes to land safely in harsh weather conditions, according to the Federal Aviation Administration.

    Pilots rely on radio altimeter readings to figure out when and where an aircraft should carry out a series of operations to prepare for touchdown. But the upcoming 5G C-band service beaming from cell towers threatens to interfere with these signals, the FAA warned in two reports.

    Flights may have to be delayed or restricted at certain airports as the new broadband service comes into effect next year. The change could affect some 6,834 airplanes and 1,828 helicopters. The cost to operators is expected to be $580,890.

    Continue reading
  • Canadian charged with running ransomware attack on US state of Alaska

    Cross-border op nabbed our man, boast cops and prosecutors

    A Canadian man is accused of masterminding ransomware attacks that caused "damage" to systems belonging to the US state of Alaska.

    A federal indictment against Matthew Philbert, 31, of Ottawa, was unsealed yesterday, and he was also concurrently charged by the Canadian authorities with a number of other criminal offences at the same time. US prosecutors [PDF] claimed he carried out "cyber related offences" – including a specific 2018 attack on a computer in Alaska.

    The Canadian Broadcasting Corporation reported that Philbert was charged after a 23 month investigation "that also involved the [Royal Canadian Mounted Police, federal enforcers], the FBI and Europol."

    Continue reading

Biting the hand that feeds IT © 1998–2021