Android App IDs Smartphone, Tablet Vulnerabilities - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Android App IDs Smartphone, Tablet Vulnerabilities

Can Samsung, HTC, Motorola, and carriers be pressured to stop waiting months before patching known, exploitable vulnerabilities on their Android smartphones and tablets?

What Kindle Fire Needs To Beat Nexus Tablet
What Kindle Fire Needs To Beat Nexus Tablet
(click image for larger view and for slideshow)
Is your Android smartphone or tablet secure?

A new, free app dubbed X-Ray For Android, released this week by Duo Security, aims to help Android users answer that question.

"X-Ray is a mobile application [we] developed ... that allows users to scan their Android device for unpatched vulnerabilities that may be exploitable by malicious apps," said Android security researcher Jon Oberheide, CTO of Duo Security, via email.

Unlike antivirus software, X-Ray isn't designed to compare the signatures of apps installed on a device with a list of suspicious applications. Instead, the app looks for the presence of "all of the major privilege escalation vulnerabilities that have affected the Android platform since its inception," said Oberheide. "Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices."

[ Android is getting more secure--but only if it's patched. See Android Hacker: Jelly Bean Tougher To Crack. ]

The X-Ray app won't protect users from any escalation vulnerabilities it detects, but with luck, it will pressure carriers into getting serious about patching their Android devices. "We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users' devices," said Oberheide. To that end, the X-Ray software also collects statistics about the vulnerabilities found on a given device to help Duo Security track how many vulnerable Android devices are at large, both by manufacturer and device.

What's the risk from escalation vulnerabilities? "Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system," according to an X-Ray overview published by Duo. Such vulnerabilities haven't just been found in the core Google operating system, but also in many of the Android "skins" or customizations developed by handset makers and added to their Android distributions before smartphones get shipped to subscribers. "Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old," according to Duo Security.

Indeed, according to a research conducted last year by Bit9, 56% of the top 20 Android smartphones were running outdated software, thus leaving them open to attack by malware exploiting known vulnerabilities. The worst offender was Samsung, which took 316 days to patch its Galaxy Mini smartphone after Google released an Android update. Meanwhile, the fastest update--a Droid X patch from Motorola --still required 141 days to be released.

Many security experts blame the patching delay on economics: once carriers sell a phone to a consumer, they're under no obligation to keep it updated. Furthermore, carriers stand to make more money by having customers refresh their handsets to get the latest version of Android, rather than getting it for free by having the vendor patch older devices.

Still, another part of the patch-delay problem can be traced to the Android codebase itself, which remains a patchwork of not just Google code, but functionality from third parties as well. "Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third parties, not to mention all the open source components--Linux kernel, WebKit, libraries--owned by various project maintainers," according to Duo Security.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/28/2012 | 10:29:41 AM
re: Android App IDs Smartphone, Tablet Vulnerabilities
No weaknesses found on Galaxy Nexus with Jelly Bean ... YAY Google!!
User Rank: Apprentice
7/25/2012 | 9:42:32 PM
re: Android App IDs Smartphone, Tablet Vulnerabilities
Cool - done / checked / good to go.

Simple enough check. Nice.
Now how good is it?
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll