Stagefright Bug Spurs Android Makers Into Action - InformationWeek

8/6/2015
11:05 AM
Eric Zeman

Stagefright Bug Spurs Android Makers Into Action

In the wake of the Stagefright bug, Google and Samsung plan to issue monthly Android security patches to ward off potential threats. Will other smartphone manufacturers and carriers follow?

The Stagefright vulnerability found in Android has coaxed a swift response from smartphone makers. Both Google and Samsung plan to step up and deliver security updates to their smartphones on a monthly basis to better protect users.

In July, Joshua Drake from Zimperium discovered a new Android weak spot -- a critical bug in its Stagefright multimedia playback engine. The Stagefright bug lets hackers barge their way into Android devices and execute code through multimedia messages. Exploiting it corrupts Android's system memory and can reset a program's control counter, which is used to figure out what line of code will be executed next.

If a hacker can get their own code into the queue, they can wreak all sorts of havoc.

Users can partially mitigate the problem by switching off the setting that automatically retrieves picture and video messages. The fix isn't perfect, but it's enough of a roadblock for now.

The bug is serious enough that it garnered the attention of Google, which makes the Android operating system. Google developed a patch for Stagefright and is actually going to do something about it. The company announced plans to issue monthly security patches for its Nexus-branded devices moving forward.

(Image: JasminSeidel/iStockphoto)

"Security has always been a major focus for Android and Google Play. Android was built from day one with security in mind," according to an Aug. 5 Google blog post. "For example, the 'Application Sandbox' model keeps applications running separately from other apps and the rest of the device to keep your data safe. With Verify Apps, over 1 billion devices are protected via Google Play, which conducts hundreds of millions of antivirus-like security scans of devices per day seamlessly in the background."

Google points out that Android is an open source platform, which means anyone can sort through the code to find and resolve security problems.

Google believes this makes the platform stronger.

Even though plenty of protections are already in place, the Stagefright vulnerability warrants a patch, and Google is already pushing it out. Google is delivering the security update to the Nexus 4, Nexus 5, and Nexus 6 smartphones, the Nexus 7, Nexus 9, and Nexus 10 tablets, and the Nexus Player media device.

Google says the update resolves Stagefright and a number of other vulnerabilities. Google is also offering a fix through the Android Open Source Project.

In this case, Google is in control of updates for the Nexus line of handsets, meaning it can deliver updates without carrier approval. Nexus devices are always the first to see new versions of Android. Google committed to providing Nexus devices with operating system updates for a period of two years, and security updates for a period of three years.

Moving forward, all Nexus devices will receive monthly security patches.

This is great news for Nexus owners, but what of the other billion or so Android devices in the market?

Samsung, LG, Alcatel, and others have all said they'll patch Stagefright in the near future, though they are somewhat hogtied by their carrier partners. The carriers often have to approve such updates before they are distributed and the process can take months.

Samsung plans to be more forceful.

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," Dong Jin Koh, executive vice president of Mobile Research and Development at Samsung Electronics, wrote in a statement. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."

Samsung promised to work with its carrier partners to make sure security problems can be resolved quickly. Like Google, Samsung will provide monthly security patches for its smartphones and tablets.

Eric is a freelance writer for InformationWeek specializing in mobile technologies.
Comments
kstaron,
User Rank: Ninja
8/19/2015 | 11:41:59 AM
will it spur users too?
Well, that explains the sudden rash of updates for my phone. I admit I'm not the best at updating my phone since I'm usually busy using it when it wants to update. Hopefully it will spur people to update when prompted more often. As for me, I'm making a mental note to let it update when it asks next time.
Li Tan,
User Rank: Ninja
8/8/2015 | 10:12:09 PM
Problem of Android
This is one problem for Android. With the open-sourceness of the platform and huge diversity in the market, it's hard to control and patch security threats. My company has prevented Android phones from accessing corporate email due to the security hole recently discovered.