Patching a fragmented, Stagefrightened Android isn't easy
REM had the answer in 1992, Google
Android users face a triple patching headache with the recent discovery of a collection of serious vulnerabilities affecting smartphones and tablets running Google's mobile operating system.
Security experts warn that the fragmented nature of Android devices will make patching more difficult than it would be in updating PCs.
The Stagefright vulnerability, which could be used by an attacker to install a spyware app in a targets phone without their knowledge just by sending an MMS, was quickly followed up by the “Certifi-gate” vulnerability, which poses a similar risk.
The Certifi-gate flaw was found within pre-installed plug-ins for mobile remote support tools (MRSTs) bundled with Android devices.
Because of a security weakness hackers might be able to wrap seemingly innocuous apps with MRSTs, bypassing Android security restrictions in the process.
This week another blockbuster security flaw in Android – this time hitting 55 per cent of mobiles – emerged. The latest (unnamed) privilege escalation hole allows normal apps to gain superuser rights to snoop on a device's owner, smuggle in malware, and more.
Google has promised to patch Stagefright and Samsung and LG have committed to monthly fixes.
Some security firms estimate Google has to do even more if it wants to avoid Android being seen as less secure than devices based on Apple's iOS. In particular, it needs to push carriers to push over-the-air updates promptly after fixes become available.
Tod Beardsley, engineering manager at Rapid7, the firm behind Metasploit, commented: "The acknowledgment from Adrian Ludwig from Google’s security team that Google needs to be more responsive and more transparent about security fixes is great news, and shows that Google is taking the lead on revitalising the patching pipeline for the Android ecosystem."
"However, my optimism is still very cautious, because while Google and the handset manufacturers are taking steps to improve security, I haven’t seen any similar commitments from the various carriers," he added.
"It’s still unclear if carriers have prioritised pushing out these patches in an over-the-air update, which means that Android users are still expected to seek out these patches and apply them themselves," he said.
Automated patch systems, which proved themselves on the desktop and server room, need to be rolled out into mobile devices, according to Beardsley.
"We’ve seen that automatic patch systems are vastly more effective than merely making patches available in pretty much every other hardware and software ecosystem, and I’m hopeful that the Android space will get there sooner rather than later," Beardsley explained, adding that legacy smartphones pose a particular challenge.
"We are still dealing with the many millions of devices that have fallen into a limbo of un-supportability from both the hardware vendors and Google’s policy of end-of-life’ing pre-KitKat devices," Beardsley said.
"I’m worried that this is a huge install base of largely cheaper phones in less wealthy parts of the world, where that older device is many, many people’s only means of net connectivity. I can imagine a huge swathe of these devices getting compromised on a massive scale, causing serious and sustained outages in the regions where they’re most prevalent," he added.
For now it's up to users, who are advised to keep a close eye on the patch availability for their particular device and operating system, and apply these critical fixes at their earliest opportunity, according to Rapid7
David Baker, chief security officer at identity management firm Okta, argued that the thousands of versions of Android on the market make patching a far more difficult process.
Baker said: “Stagefright is the early warning alert to a much bigger challenge; how do you solve the Android fragmentation problem? For Stagefright, there are fixes available in the architecture and the Android team is good at patching quickly, so overall, the immediate problem is tempered."
"The bigger problem is that there are 26,000 unique Android instances and many of them rely on the phone developers — there is no comprehensive update solution for Android," he added.