
Patching a fragmented, Stagefrightened Android isn't easy

REM had the answer in 1992, Google

A Heartbleed for mobile

Stagefright lets attackers send malware directly to any device where they know the phone number. Worse yet, the flaw is easy to exploit, making it the worst mobile security vulnerability witnessed to date.

Chris Wysopal, CTO at app security firm Veracode, commented: “This is Heartbleed for mobile – a remotely exploitable vulnerability that affects millions of Android-based phones and tablets. These are exceedingly rare and pose a serious security issue for users since they can be impacted without having clicked on a link, opened a file or opened an SMS. All an attacker needs to do is send an MMS to a user’s device phone number and sit back and wait for the malware to take over.”

It may not be quite so severe, but Check Point reckons the Certifi-gate vulnerability is going to be trickier to get over than Stagefright.

"Patching is going to be slow and piecemeal because it’s the device vendors and OEMs that have to push the patches, not Google," a Check Point spokesman told El Reg.

"The Android ecosystem works by the OEMs & vendors being responsible for compiling the Android version they are using by themselves – and with this particular flaw, it can only be patched by the vendor/OEM pushing the patch for their own compiled version," they added. "Some are rolling out patches now, some are still doing so."

Bring Your Own Defence

Unpatched flaws like Certifi-gate and Stagefright conceivably create a rationale for a temporary moratorium on bringing Androids into the workplace.

Security experts argue such a ban wouldn't help in the current cases any more than it is likely to work in future. What's needed is a strategy that manages risk rather than attempts the impossible task of eliminating threats.

Enterprise, at least, can make use of the Trusted Execution Environment, a secure area for apps built into over 350 million leading Android devices at the point of manufacture.

The technology can be used to mitigate the risks posed by unresolved security vulnerabilities for devices brought into corporates as part of the industry-wide drive to bring your own device.

"The Trusted Execution Environment offers a secure operating environment for trusted apps dealing with sensitive data and critical user interactions," said Chris Edwards, CTO at secure mobility tools firm Intercede. "Through hardware protected isolation, the TEE acts as a ‘bank vault’ for trusted applications."

Eric Aarrestad, boss of the endpoint management business unit at HEAT Software, argued that Google should do more. The openness of its app platform has made creating apps easier for both legitimate developers and crooks, who are attracted by the growing number of potential targets.

Nonetheless, Google can take steps to blunt this assault.

"Google has the responsibility and the opportunity to take the lead on platform security while also paving the way for ecosystem help/self-help," Aarrestad said. "Google has built and encouraged this in the wild model (vs. iOS walled garden approach) and with that comes responsibility to take the lead on device OS platform security."

"This includes higher requirements for third-party apps, more frequent updates/patches, partner education and enablement, and is evidenced by recent improved practices in terms of responsiveness, update frequencies and bug bounties," he added. ®
