Android's unpatched dead device jungle is good for security

'Attackers can't just use one exploit to pwn a billion devices' says Square's security lead


Black Hat Asia Android's diverse and oft un-patched ecosystem is a strength, not a weakness. So says says Dino Dai Zovi, security lead at mobile payments outfit Square, because he feels diversity makes criminal hackers work harder.

Android variants are a dime a dozen, thanks to customisations used to get the OS running on myriad phones and tablets.

About a third of all measured devices run version 4.4 (KitKat) of the operating system, released in 2013, and a further third operate version 5 (Lollipop) released in 2014.

This is problematic because those old operating systems are un-patched against scores of dangerous vulnerabilities, and most manufacturers are slow or outright refuse to roll in the latest ASOP updates to their own Android operating systems.

But Dai Zovi, who today spoke at the Black Hat Asia conference in Singapore, says this fragmented heterogenous ecosystem brings safety to the un-patched masses because exploiting dangerous vulnerabilities like Stagefright requires tailoring for each device make

Dino Dai Zovi. Image: Darren Pauli / The Register.

“The ecosystem is such that it makes exploitation more difficult because it needs to be designed for [each device],” Dai Zovi said during a session at the event.

“[Android] security features like verify apps, and Google Play store application checks makes it a much safer system.”

Android vulnerabilities are regularly discovered that affect huge numbers of devices. The re-occurring StageFright menace was first noted as affecting up to a billion devices with relatively simple but highly dangerous attacks which prompted Google to issue a fast run of patches.

Dai Zovi did not go as far as to recommend those who warn the likes of Stagefright are world-ending should back down, but did strongly suggest that the descriptions be weighed against the high cost of developing exploits for the many diverse Android platforms.

Android fragmentation

Android fragmentation as of August 2015. Image: Open Signal.

The best Android security features are present in the latest versions Lollipop and Marshmallow and include security checks for side-loaded applications by producing warning flags that make it difficult for users to inadvertently compromise their devices. Such warnings help those who accidentally use pirated apps or code downloaded from sources other than Google Play.

Dai Zovi referenced the Georgia Tech University study The Core of the Matter: Analysing Malicious Traffic in Cellular Carriers [PDF] published in 2013 which found malware resided in 0.0009 percent of Android devices, noting that the low statistic would be similar across the current landscape.

“The number of actually infected devices is exceeding low,” Dai Zovi says. ®

Similar topics


Other stories you might like

  • Euro-telcos call on big tech to help pay for their network builds

    Aka 'rebalancing global technology giants and the European digital ecosystem'

    The European Telecommunications Network Operators' Association (ETNO) has published a letter signed by ten telco CEOs that calls for, among other things, Big Tech to pay for their network builds.

    The letter, signed by the CEOs of the Vodafone Group, BT Group, Deutsche Telekom, Telefónica, Orange Group and five more telco leaders, calls for a "renewed effort to rebalance the relationship between global technology giants and the European digital ecosystem".

    "A large and increasing part of network traffic is generated and monetized by Big Tech platforms, but it requires continuous, intensive network investment and planning by the telecommunications sector," the letter states, adding "This model – which enables EU citizens to enjoy the fruits of the digital transformation – can only be sustainable if such platforms also contribute fairly to network costs."

    Continue reading
  • AI-enhanced frog stem cells start to replicate in entirely new ways

    Xenobots scoop up loose cells to make more of themselves. We welcome our new overlords

    In January of 2020, scientists from the University of Vermont announced they had built the first living robots; this week they have published reports that those robots, made from frog cells and called Xenobots, can reproduce and have found a new way to do so.

    The millimetre-sized xenobots are essentially a computer-designed collection of around 3,000 cells. They were created by taking stem cells from frog embryos, scraping them, leaving them to incubate, then cutting them open and sculpting them into specific shapes. After all that action, the cells began to work on their own – auto-repairing when sliced and moving about inside petri dishes.

    With a little design tweak, the creatures could do even more. "With the right design, they will spontaneously self-replicate," said University of Vermont researcher Joshua Bongard, Ph.D. in a canned statement.

    Continue reading
  • Panasonic admits intruders were inside its servers for months

    Spotted the crack after it ended – still not sure what was lost

    Japanese industrial giant Panasonic has admitted it's been popped, and badly.

    A November 26 statement [PDF] from the company admits that its network "was illegally accessed by a third party on November 11, 2021". That date has since been revised – the company now says it became aware of the intrusion on the 11th, but that unknown entities had access to its systems from late June to early November.

    "After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network," the statement adds.

    Continue reading

Biting the hand that feeds IT © 1998–2021