Android security issues

Researchers at N.C. State University have performed a study of eight Android phones (HTC's Legend, EVO 4G, and Wildfire S; Motorola's Droid and Droid X; Samsung's Epic 4G; and the Nexus One and Nexus S from Google) and found more potentially disturbing information. While the Nexus phones and OG Droid (phones that run stock Android) had one minor security issue, namely a code bug in the pico app that would allow another app to delete the pico installer app, the rest of the bunch didn't fare so well. All the phones with customized versions of Android had serious security issues.

In particular, by exploiting these leaked capabilities, an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations – all without asking for any permission.

Apparently because the system applications built by vendors such as HTC, Moto, and Samsung are all signed with the same digital signing key, they are able to inter-communicate and access each other's data.  While this is a serious security flaw, it's also possible that it was done by design so that applications like Friendstream or Social Hub can easily parse social networking app data and aggregate it, and these researchers just found a new method to exploit that system.
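An added example, not from the article or the N.C. State paper: a manifest check that flags the pattern described above, assuming a leak shows up as an exported component with no permission guard inside an app that itself holds a sensitive permission. The package, component names and shared user ID in the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the abuses the article lists (SMS, recording, location, wipe).
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.MASTER_CLEAR"}
# Content providers have different export defaults and are not covered here.
COMPONENTS = ("activity", "service", "receiver")

# Constructed manifest for a hypothetical vendor app (not taken from the study).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.helper"
    android:sharedUserId="com.example.vendor.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SmsRelay">
      <intent-filter><action android:name="com.example.SEND"/></intent-filter>
    </service>
    <receiver android:name=".Guarded" android:exported="true"
        android:permission="com.example.vendor.PRIVATE"/>
    <activity android:name=".Internal" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(comp):
    """Explicit android:exported wins; else an intent-filter exports by default (pre-Android 12)."""
    flag = comp.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None

def audit(manifest_xml):
    # Report sensitive permissions held and components any other app can reach unguarded.
    root = ET.fromstring(manifest_xml)
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")} & SENSITIVE
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    unguarded = sorted(
        c.get(ANDROID + "name")
        for tag in COMPONENTS for c in root.iter(tag)
        if is_exported(c) and not (c.get(ANDROID + "permission") or app_perm)
    )
    return {"shared_uid": root.get(ANDROID + "sharedUserId"),  # same-key apps share this UID
            "sensitive_permissions": sorted(held),
            "unguarded_exported": unguarded,
            "review": bool(held and unguarded)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A hit is a candidate for review, not a confirmed leak: a component can still check its caller's permission in code.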

While the implications for Android are new, the idea of exploit attacks on popular computing platforms is not. As Android grows in popularity, more people will be focused on finding (and reporting) exploits against the OS. Researchers have dutifully reported the issue to Google and all the OEMs, although they express difficulty dealing with HTC and Samsung, who (as of this writing) the researchers say have been "very slow in responding, if not ignoring our reports/inquires".

Should you be worried?  Not any more than you were yesterday.  Malware exists because a whole hell of a lot of people use Android, and users are not restricted to installing only approved applications.  If these types of reports bother you -- and that's a pretty valid response -- you still have the option of installing only trusted applications by well-known developers, or other options to not run the affected firmware on your phone.  And while nobody wants to hear me say it again (but I'm about to anyway), Nexus devices running Android as it was written are once again immune from these serious issues, so are always the better choice if you value your security. 

Source: NC State University CSC (.pdf)


Reader comments

Older phones running custom Android firmware from Moto, HTC, and Samsung have major security issues, say N.C. State researchers


It isn't. I was being critical of the dismissive attitude of AC's recent security-related articles. It seems that some will not see Android besmirched in any way, even if it's a legitimate criticism of the platform.

Thanks for the heads up Jerry but I have a feeling this is going to be sensationalized and spread across the blogosphere like a virus.

As long as they get it right, and attribute it to OEM forks of Android and not Android itself, good.  Everyone needs to know this information.

Does this mean I should worry about cyanogenmod having boatloads of issues because I'm sure the developer doesn't have time to check out the security of all the roms on all the devices it is available for. htc EVO 4G

Naww.  If these issues exist in CM (and they probably don't) they will audit and fix in very short order.  This deals mostly with stock Sense, Touchwiz, and Blur

Actually, you probably have to worry a good amount less with CyanogenMod than with stock Sense/Sense-based ROMs. This is because CyanogenMod is just AOSP Android (like the Nexus and Moto Droid have) with a few modifications. So this same chart made for the EVO 4G running CyanogenMod is probably more like the Nexus phones and Moto Droid than the same chart for the EVO 4G running stock Sense.

"Malware exists because a whole hell of a lot of people use Android, and users are not restricted to installing only approved applications."

Per usual, be smart about what you do.

So if I read the article correctly, then it is the system apps from HTC, Motorola, and Samsung that are causing the problems. That would lead me to believe that Cyanogenmod is clear of that because it doesn't run the manufacturer's apps. I know on my Inspire you cannot run the stock HTC apps on AOSP, because of a lack of the Sense framework. So I would think the custom ROMs at risk would have to be Sense/Motoblur/Touchwiz based.

Sounds like you're correct from what I'm reading on this. However, the ROM that is on there when you first build the phone counts, too, not just the ROM you put on after rooting the thing. So, when you buy an EVO 4G, it has the noted security issues until you root it and put a ROM on that doesn't have these issues.

It's time for Google to step up and be the adult in the room. They give away a clean, secure OS with no conditions, and the manufacturers and carriers do everything they can to introduce spyware and slow down security fixes. Why? Because it's in their best interest if we're sick of our phones when the contract expires. If Windows were managed like this, we'd all be pwned by now. This ecosystem is a hacker's dream.

Sometimes evil prevails because good people, or good companies, do nothing. I didn't make that up. Google should consider their corporate motto as they stand by and watch millions of phone owners, and the survival of Android, put in danger due to the greed of the companies they've enabled.

My biggest beef with Android/Google has always been permissions. Every time an app uses a permission they should have to ask first before gaining access. Thank god permission blocking is built into CyanogenMod. It sucks that your choices are I can either use Pandora and give it access to my contacts/calendar or I can not use it.

What, just because it's on a mobile OS I now have to give up control and my privacy, whereas on the desktop I have the control? I use Winamp on my desktop and it is blocked by my firewall.

And this is why I still blame Google, even if they only play a small part. It might not be their full responsibility to fix this, but they CAN fix it if they wanted to. And by not fixing it, they are to blame too.

Jerry, I'm still disturbed by your dismissive attitude.

And I'm disturbed by OEMs taking an open source project, changing it until it's no longer secure, not releasing that source, and allowing the project originators to take the brunt of the blame when independent research shows it is entirely the OEM's fault. I could release a very insecure distribution of Linux tomorrow. Would RedHat or Debian be blamed for that? Or the kernel repository? Or GNU? No, I would.

I'm also disturbed that people think Google should halt the AOSP project, and force vendors to do things their way.  Android offers choice.  Not all the choices are going to be good ones for you.

The beauty of it all is that we don't have to agree.  As long as you thought about the issues, and formed your own opinion, my work is done.

Jerry, I'll grant your position for Linux, which is generally used by people who have consciously chosen to forgo the mainstream options. I don't think it applies to Android, which has become the mainstream option. The average Android user looks much less like the people who trade opinions on this forum, much less like the typical Google employee, and much more like those folks' mothers.

Microsoft pushes Windows security fixes at least monthly. By default those fixes are installed automatically. Antivirus programs update in the background, constantly scan for threats, and take action without asking. In spite of these precautions, a significant number of Windows machines are virus-infected.

Android comes with no malware protection whatsoever. Responsibility for security is diluted through layer after layer of code contributors, some of whom actively delay software updates because it's in their best interest for the value of our phones to zero out on the day our two year contract expires.

The resulting device isn't a computer. It's a consumer product, sold to people who think they're buying a phone, and whose understanding of software starts and ends with Angry Birds. And if you think that doesn't matter, consider that many of the people carrying these hackable, location-aware devices are children.

I love my Nexus One. But I keep up with security issues and install new Cyanogenmod versions whenever Steve is good enough to release one. I believe the Nexus line and the developer community is a perfect example of open source done right. For most other Android phones, the open source model doesn't even apply. Has anybody seen the source of Touchwiz lately? Sense? How about Carrier IQ? I fail to see how the open source community can work to improve those permanent modifications to what was initially an open source project, but for most end users no longer is.

Open source works great as long as it's supported by an active community that constantly looks for flaws, corrects them, and distributes those fixes as quickly as possible to the installed base. In that environment, software grows, heals and responds to the needs of its user base faster than any commercial software possibly can.

Anybody out there who thinks that last paragraph describes the Android/Sense/Touchwiz/Blur/carrier bloatware mess being run by ninety-five percent of Android phone users, please raise your hand.

Your reply was brilliant and spot-on. Just go look at the comments on a phone on a carrier site. There you'll see the general knowledge and expertise of the average user. They simply aren't equipped to deal with these threats and privacy breaches that have been coming along at an alarming rate.

I, too, am disturbed by everything you mentioned. The difference is that I ALSO blame Google while you give them a free pass as if they shouldn't do anything about it.

You are also assuming that I want the AOSP project stopped. That would be beyond stupid. You can pretend that Google is not forcing companies behind-the-scenes to do things their way when they think it benefits/hurts Android, but you are just being delusional. Your own site covered how Google does this through the access/denial of Google apps. What I'm saying is that Google should do the exact same thing here and -not force but essentially- "convince" the manufacturers that their skins are hurting Android. And if they still don't listen, then that's fine. But then it is up to Google to change the way skins work in Android. There has to be a way to make the skins less intrusive and more of an actual skin, and not an insecure mini-OS within the OS.

I would guess that your point is that Google is 0% responsible for Samsung/HTC/etc's skins, right? Well, we would have to agree to disagree. I'm sure Google can change the way Android gets themed without taking away any of the freedom of company skins and without restricting OUR freedom to privacy.

Keep in mind too that Google does benefit financially through ad traffic from carrier adoption of Android, even though they give it away.

If Google puts too many conditions on its software, carriers will see more advantage in paying for WP7, and Google will lose ad money. So nobody should portray Google as a financial innocent in this situation.

Ok, everyone that's paranoid go out and get an iPhone or WP... It's privacy fright week. Be afraid, be very afraid.

This is why every device should run vanilla Android, and any differentiating software should be an optional download after purchase, and designed to only work on the manufacturer's devices or specific models. Or, all the crap should be removable by the user.

Personally, I'd like it if the manufacturers kept their customizations to just being integrated at the app level. HTC could keep sense as their launcher and lock screen, everything else can be integrated at the app level. Same with Moto and Samsung.

This would allow them less development time coupled with better user experience along with faster updates. It's a big win for everyone if they eventually decided to go down that road.