Rehan HoodaJul 05, 2016 17:27:30 IST
Android, the most popular mobile operating system in the world, based on the Linux kernel is one of the most discussed when it comes to security. The massive user base of the OS puts it in a position that Windows commands for the desktop. Given its sheer number of users, security vulnerabilities are exploited and researched for rewards in the form of bug bounty programs. Another issue with the operating system which works as a double-edged sword is the open source nature of the OS itself. This is where users can install the OS and look around, inspect and help make the system more secure.
Security vulnerabilities and Android go hand-in-hand because of the issues plaguing the operating system. Sometimes the problem lies in the AOSP (Android Open Source Project), while at times it is OEM specific in the code integrated by the smartphone makers to implement the custom device-specific features. Maintaining security is paramount with the growing threat of attacks ranging from large-scale attacks such as the Sony hack, to attacks on databases for passwords, down to those on individual users by a host of malware, spyware, and ransomware. Hackers have moved on from simple virus programs to complex and economically greener pastures with rogue programs that are either aim at gathering your personal data just extort money to allow you to use your data.
The full-disk encryption flaw which can only be solved by implementing new hardware has brought the security landscape of Android to the limelight once again. Some of the vulnerabilities over the years have captured the public interest because of the widespread coverage and here is a round-up of major ones that have targeted Android over last few years.
1. Stagefright and Stagefright 2
This is the most significant exploit that was discovered by security research firm, Zimperium. It was so big that pushed the debate of providing regular security updates for Android from dedicated developer forums like XDA and technology sites into the limelight. The vulnerability also highlighted the careless attitude adopted by smartphone makers who did not consider it their responsibility to provide updates to the devices supplied by them. It was a norm observed by smartphone users that their devices were not provided Android updates beyond the first one and a half year and sometimes even early.
This issue was discovered in April 2015, publicised it in July 2015 and disclosed in August 2015 at the BlackHat conference. The vulnerability impacted more than a billion devices. The degree of risk was such that devices could be taken over without the user getting to know about the hack or the vulnerability that resulted in the hack. All the hacker needed to do was to send a video through an MMS and the android mechanism to process video libStage Fright would open the door for the attack. According to Google, they managed to fix the issue though ASLR (Address Space Layout Randomization). This would require the hacker to search every device for the flaw but even this approach was not to fix the issue, but only to make it harder to exploit.
Stagefright 2 was discovered immediately after and this found almost same kind of issues in the libraries (libutils and libstagefright) processing MP3 audio or MP4 video files. Both these vulnerabilities affected Android phones right from Android version 1.0 to Android Lollipop 5.0 as reported by Androidvulnerabilities.org.
The researcher Joshua Drake was rewarded approximately $1,337 which is way less than he should have been awarded under the Official bug bounty program that was launched months after the StageFright exploit as reported by The Guardian.
2. Audio Effect
Researchers managed to find a problem known as Audio Effect where Android failed to check the buffer sized in some media player apps. The hacker could make a malicious app that will take the advantage of this flaw to cause a heap overflow. This allowed the program to record audio, video, read files, from taking photos, turning into a privacy nightmare. The bug affected all the devices running Android 2.3 all the way up to Android 5.1.1. Google, after being informed of the flaw in June 2015 fixed it in AOSP on August 1, 2015.
3. Fake ID
This flaw is part of Android operating system where the software does not properly validate the application certificate chain. Any rogue app can supply a crafted fake application identity certificate which would let the rogue app gain escalated privileged status, causing all kinds of havoc on the phone. This blunder was reported in July 2014 on Ars Technica, and there was no exact fixed version of Android to this issue by Google. Instead, different smartphone-markers maintained the patched functionality ranging from Android 4.1 to Android 4.4.
4. One class to rule them all
This flaw allowed the attackers to run malicious code which worked in the context of many apps and services instead of one particular app or service. This resulted in an elevation of privileges and was reported by IBM's X-Fore Research Team on May 2015. At the time of reporting the flaw, it was said to have affected about 55 percent of Android devices. Google, however, fixed the issue patching all the devices that were affected by the vulnerability.
This was the first app that worked as a backdoor spyware. It was specifically designed to slip through the Google Play Store detection and be published as an app. The app used the name of a formerly named news site BeNews as a way to establish trust and lure users. In exchange it downloaded malware targeting Android versions from 2.2 through Android 4.4.4, while gaining privilege escalation. The same exploit was used in the for TowelRoot.
Apart from these major security flaws that have affected Android in last couple of years, there have been plenty more that either remained limited to smartphone makers or chipset makers. Some of the vulnerabilities include- Qualcomm chown init scripts, Qualcomm Integer oveflow diagnostics, Qualcomm Integer overflow camera, Qualcomm Gandalf camera driver, Motochopper, TwerkMyMoto, LG Sprite backup, LG Lit, Gingerbreak, Samsung WifiHs20UtilityService, and Samsung GPU DMA. The details of all these have been maintained by AndroidVulnerabilities.org in association with the University of Cambridge.
Some other vulnerabilities that have plagued Android but not particularly by any errors from Google or even AOSP. This would include the Samsung Galaxy Keyboard vulnerability where over 600 million smartphones were impacted, including Samsung Galaxy S6. The reason of this is the pre-installed keyboard which allowed the attacker to access sensors, camera, microphone, ability to install malicious apps and eavesdrop on calls and messages according to nowsecure.com.
The main reason for all these security issues is the fragmentation and nonconformity to uniform security updates. These would come to smartphones by the companies that manufacture them. The fragmentation of Android coupled with the greed of companies to churn newer and newer generations of smartphones every year without supporting older phones has amplified the problem.
Another reason is the use of third-party app stores by users who don't limit themselves to the official Google Play Store to install their apps. This significantly increases the risk of installing malicious apps in the smartphone and opening their smartphones to attacks or remote take over.
However there is a bright side to all of this. The number of close calls in terms of threats and vulnerabilities has lead to significant changes in the industry, where monthly security updates are now a norm. After Stagefright, Google has opened Android for it's Bug Bounty Program which was earlier limited to Google Chrome.
Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.