According to security company Rapid7, Google needs to rethink how it patches Android in the wake of initial botched attempts to resolve the Stagefright vulnerability.
The criticism comes as Google itself confirmed users of its Nexus devices – who are the first to get security fixes – won't be fully protected until September.
The Stagefright vulnerability for Android phones creates a means to infect devices simply by sending a booby-trapped MMS message. An estimated 950 million devices that run Android versions 2.2 through 5.1 are at risk. Version 4.1 and later have defences that mitigate, without eliminating, the possibility of a successful attack.
The Stagefright vuln, discovered by Zimperium, ultimately stems from flaws in code handling multimedia files.
Google released a six-pack update to resolve the Stagefright vulnerability last week, but it quickly emerged that one of the components was incomplete, so that even patched devices were still at risk.
These shortcomings have put back the whole security remediation process by weeks.
Tod Beardsley, security engineering manager at Rapid7 – the firm behind the Metasploit pen-testing tool – commented: "The problem Google is facing is not so much shipping security vulnerabilities in popular software products: everyone ships bugs, it happens. The real problem we're seeing today is a breakdown in the Android patch pipeline."
"In this case, two critical components of Google's vulnerability handling process are failing. First, it is extremely difficult for Google, or anyone else, to get updated software into the hands of users," Beardsley said.
"Even Nexus devices, which Google has the most direct control over, will have to wait until a September release for an update to the insufficient Stagefright patch. This lag time between having a fix in hand and distributing it to the user base is simply too slow to be reasonably safe," he added.
"If malicious actors choose to exploit this set of vulnerabilities in the meantime, there seems to be nothing everyday users can do to defend themselves," Beardsley warned.
Google's security researchers in its Project Zero team regularly turn up flaws in the codebase of other vendors before pushing them to develop a timely fix. Now that the boot is on the other foot, Google is failing to respond to resolve flaws in a key aspect of its technology in a timely manner, according to Beardsley.
"The other breakdown in the Stagefright feedback process was Google's handling of Exodus's alert about the flawed patch, by not responding in a timely way," Beardsley said. "Many companies struggle with first contact with researchers reporting vulnerabilities, but this is not Google’s first rodeo."
"After all, Google's Project Zero reports vulnerabilities to other major vendors routinely with certain expectations on communication. It needs to be able to practise what it preaches a little better in this area if Android users are to be confident in Google's stewardship of the codebase," he concluded.
Google declined to comment on Rapid7's criticism, but did provide an update on progress towards resolving the Stagefright security vulnerability, together with risk mitigation advice.
Currently, over 90 per cent of Android devices have a technology called ASLR* enabled, which protects users from this issue. We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update.
A blog post by Google explaining how it planned to go about resolving Stagefright can be found here. ®
* ASLR stands for Address Space Layout Randomisation, a secure coding technique that makes it harder to develop successful exploits based on a vulnerability.