Android Security Flaws Deepen

Michael In the News

When Android first launched, it was a complete newcomer to the game. It started from scratch and today owns 80% of the market share. However, this has not come without its sacrifices. In order to get everyone to join in, Android made its OS completely open to OEMs as well as the mobile networks. Because of this, updates require an enormous effort and some time to be released.

This is where Android security problems arise. With Google and Samsung trying to make an entrance into the enterprise market, they have to find a way to alleviate the constant security concerns, a problem that iOS and Windows have been able to keep a handle on for the most part.

Android Security Woes

The most current Android security flaw has been dubbed Stagefright, after the media playback tool that Android uses. Using this flaw in Android security, hackers are able to gain complete control of a user’s phone.

The vulnerability was first discovered by Joshua Drake, an employee at the mobile security company Zimperium. The details were published in a blog post on July 27 entitled Unicorn at The Heart of Android. In the post, Zimperium notes that anyone with an Android phone is susceptible to this attack: “…prime ministers, government officials, company executives, security officers to IT managers.” The flaw has been recognized as the largest Android security threat to date. In total, about 95% of Android-enabled devices are affected.

However, there isn’t much worry that your phone is already under the control of a hacker. Experts agree that there is no indication that this vulnerability has been exploited at all.

Is there a fix?

Yes and no.

The very thing that gives Android its market strength is also the thing that creates the biggest Android security faults. Fragmentation, as it is known, makes updating, and thus fixing, the vulnerabilities all but impossible.

Fragmentation refers to the different operating systems that use Android as their base. As ArsTechnica.com puts it, there are just too many cooks in the kitchen. Android is first released to OEMs (Samsung, LG, etc.), who can change the OS by adding their marketing or branding specifics; then it is released to the carriers (T-Mobile, Sprint, etc.), who can again add their own marketing or branding to it. By the time it is all said and done, there are over 24,000 different Android-enabled devices on the market.

In reaction to this vulnerability, Google, LG, and Samsung have all agreed to work vigorously on a fix. Initial estimates say that the fix will be available for about 2.6% of all Android phones. Such a low percentage is due to the fact that these guys are only working on patching Android 5.1, released less than 6 months ago.

This is a product of the two-year cycle mentality that phone companies have adopted. After this, updates stop being created and support in general is greatly reduced. This frees up the company to focus on models that are currently being sold.

However, according to this report by Open Signal, that’s not necessarily how the general public behaves. Of the top ten in-use Samsung devices, six are more than two years old. Two others are less expensive phones that were released with an older OS that likely won’t even need the fix. Chances are that Samsung will only release a fix for the S6, number 13 on the list.

The Hits Keep on Coming for Android Security

Only a week after Stagefright was revealed, another vulnerability known as Certifi-Gate has been made public. This gaping hole in Android security is exploited between the Remote Support Tool (mRST, which allows a tech support agent to gain remote access to your phone) and system-level plugins.

This problem was revealed by security company Check Point at Black Hat Las Vegas. Not only would Certifi-Gate exploitation give hackers complete control of the user’s Android phone like Stagefright, but it also gives the hacker root access to the Android OS. And to top it off, this is easily exploited, as explained by Check Point researchers:

Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited.[…] you will continue your day as usual – with a trojaned phone.

The fault of this security lapse does not lie with Google, however. They claim it is third-party apps rather than Android itself that have the flaws. That is to say, it is the apps given the seal of approval and installed by OEMs and mobile phone networks that allow would-be hackers to gain root access to the user’s Android device.

Because access cannot be outright revoked, fixes for this may just be band-aids over a gaping flesh wound.

Why Can’t You be More Like Your Cousin?

I’ll preface this by saying I am a bit biased towards Windows; I’ve only ever owned one Android phone and I didn’t particularly enjoy it.

When you think about varying hardware makeup, wide OEM support and massive distribution, Windows is the closest OS to Android. However, Microsoft incorporates a centralized update system and an OS that is off-limits to mobile network companies and OEMs. This allows speedier and, with less fragmentation, less convoluted updates.

When an update is released by Microsoft, users are allowed to get it long before the update is released by OEMs and mobile networks. This allows the user to start using the meat and potatoes of the update without having to wait for the OEMs and networks to put their own touches on it.

Maybe Android security can be increased by learning something from Microsoft, but without rebuilding from the ground up, that, like fixing the fragmentation issue, seems unlikely.

You can follow the author @FreelanceTony

feature image courtesy of Unclano Tekno via Flickr