7/25/2012 08:53 AM

Android App IDs Smartphone, Tablet Vulnerabilities

Can Samsung, HTC, Motorola, and carriers be pressured to stop waiting months before patching known, exploitable vulnerabilities on their Android smartphones and tablets?

Is your Android smartphone or tablet secure?

A new, free app dubbed X-Ray For Android, released this week by Duo Security, aims to help Android users answer that question.

"X-Ray is a mobile application [we] developed ... that allows users to scan their Android device for unpatched vulnerabilities that may be exploitable by malicious apps," said Android security researcher Jon Oberheide, CTO of Duo Security, via email.

Unlike antivirus software, X-Ray isn't designed to compare the signatures of apps installed on a device with a list of suspicious applications. Instead, the app looks for the presence of "all of the major privilege escalation vulnerabilities that have affected the Android platform since its inception," said Oberheide. "Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices."
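The distinction Oberheide draws is between matching installed apps against a blocklist and asking whether the platform itself still carries a known, exploitable bug. The following is an added example, not Duo Security's X-Ray code and not a description of how X-Ray decides exposure: it shows the simplest form of the second approach, a check of a device's build and kernel version strings against a table of fixed-in versions, including the case where a vendor backports a fix without bumping the release. The `getprop`/`uname -r` dump and the entire vulnerability table (IDs `PLACEHOLDER-A`/`B`/`C`, components, version thresholds, build IDs) are constructed placeholders chosen to exercise the logic; they are not real advisories or real device data.

```python
"""Exposure check by version fingerprint.

Added example, not X-Ray's implementation.  Every entry in
HYPOTHETICAL_VULNS is a placeholder; nothing here is a real advisory.
"""
import re

# Constructed sample of `adb shell getprop` (a few keys only) and
# `adb shell uname -r`; not captured from a real handset.
SAMPLE_GETPROP = """\
[ro.build.id]: [GRJ22]
[ro.build.version.release]: [2.3.4]
[ro.build.version.sdk]: [10]
[ro.product.manufacturer]: [Acme]
[ro.product.model]: [Acme One]
"""
SAMPLE_UNAME = "2.6.35.7-acme-g1a2b3c4"

# Hypothetical table.  "fixed_in" is the first release carrying the fix;
# "fixed_build_ids" models a vendor backport: a build that still reports
# an old release number but is known to include the patch.
HYPOTHETICAL_VULNS = [
    {"id": "PLACEHOLDER-A", "component": "platform",
     "fixed_in": "2.3.6", "fixed_build_ids": set()},
    {"id": "PLACEHOLDER-B", "component": "platform",
     "fixed_in": "2.3.4", "fixed_build_ids": set()},
    {"id": "PLACEHOLDER-C", "component": "kernel",
     "fixed_in": "2.6.36", "fixed_build_ids": {"GRJ22"}},
]

GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Turn a `getprop` dump into a dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_version(s):
    """'2.6.35.7-acme-g1a2b3c4' -> (2, 6, 35, 7).

    Numeric prefix of each dotted piece is kept; parsing stops at the
    first piece that carries a vendor suffix, since what follows it is
    not comparable across devices.
    """
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
        if m.end() != len(piece):
            break
    return tuple(parts)


def version_lt(a, b):
    """Compare version tuples with zero-padding so (2, 3) == (2, 3, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def check_device(props, kernel_release, vulns=HYPOTHETICAL_VULNS):
    """Return the IDs of table entries the device still appears exposed to.

    A missing platform version raises KeyError on purpose: reporting
    'clean' when the input is incomplete is the wrong failure mode for
    a scanner.
    """
    platform = parse_version(props["ro.build.version.release"])
    kernel = parse_version(kernel_release)
    build_id = props.get("ro.build.id", "")
    exposed = []
    for v in vulns:
        current = platform if v["component"] == "platform" else kernel
        if not version_lt(current, parse_version(v["fixed_in"])):
            continue                      # release is at or past the fix
        if build_id in v["fixed_build_ids"]:
            continue                      # known backport on this build
        exposed.append(v["id"])
    return exposed


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print(props["ro.product.manufacturer"], props["ro.product.model"],
          "Android", props["ro.build.version.release"],
          "kernel", SAMPLE_UNAME)
    for vid in check_device(props, SAMPLE_UNAME):
        print("exposed:", vid)
```

On the constructed sample the check reports only `PLACEHOLDER-A`: `PLACEHOLDER-B` is already fixed at 2.3.4, and `PLACEHOLDER-C` is suppressed by the backport entry for build `GRJ22`. That last case is the caveat to keep in mind with any version-string approach: manufacturers and carriers can ship a fix without changing the release number, and the kernel version string is under the vendor's control, so a reported version is evidence of exposure, not proof of it either way.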

[ Android is getting more secure--but only if it's patched. See Android Hacker: Jelly Bean Tougher To Crack. ]

The X-Ray app won't protect users from any escalation vulnerabilities it detects, but with luck, it will pressure carriers into getting serious about patching their Android devices. "We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users' devices," said Oberheide. To that end, the X-Ray software also collects statistics about the vulnerabilities found on a given device to help Duo Security track how many vulnerable Android devices are at large, both by manufacturer and device.

What's the risk from escalation vulnerabilities? "Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system," according to an X-Ray overview published by Duo. Such vulnerabilities haven't just been found in the core Google operating system, but also in many of the Android "skins" or customizations developed by handset makers and added to their Android distributions before smartphones get shipped to subscribers. "Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old," according to Duo Security.

Indeed, according to research conducted last year by Bit9, 56% of the top 20 Android smartphones were running outdated software, leaving them open to attack by malware exploiting known vulnerabilities. The worst offender was Samsung, which took 316 days to patch its Galaxy Mini smartphone after Google released an Android update. Meanwhile, the fastest update, a Droid X patch from Motorola, still required 141 days to be released.

Many security experts blame the patching delay on economics: once carriers sell a phone to a consumer, they're under no obligation to keep it updated. Furthermore, carriers stand to make more money by having customers refresh their handsets to get the latest version of Android, rather than getting it for free by having the vendor patch older devices.

Still, another part of the patch-delay problem can be traced to the Android codebase itself, which remains a patchwork of not just Google code, but functionality from third parties as well. "Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third parties, not to mention all the open source components--Linux kernel, WebKit, libraries--owned by various project maintainers," according to Duo Security.

Comments
brucko, User Rank: Apprentice, 7/28/2012 | 10:29:41 AM
re: Android App IDs Smartphone, Tablet Vulnerabilities
No weaknesses found on Galaxy Nexus with Jelly Bean ... YAY Google!!
Rhonindk, User Rank: Apprentice, 7/25/2012 | 9:42:32 PM
re: Android App IDs Smartphone, Tablet Vulnerabilities
Cool - done / checked / good to go.

Simple enough check. Nice.
Now how good is it?