Android App IDs Smartphone, Tablet Vulnerabilities - InformationWeek

Can Samsung, HTC, Motorola, and carriers be pressured to stop waiting months before patching known, exploitable vulnerabilities on their Android smartphones and tablets?

Is your Android smartphone or tablet secure?

A new, free app dubbed X-Ray For Android, released this week by Duo Security, aims to help Android users answer that question.

"X-Ray is a mobile application [we] developed ... that allows users to scan their Android device for unpatched vulnerabilities that may be exploitable by malicious apps," said Android security researcher Jon Oberheide, CTO of Duo Security, via email.

Unlike antivirus software, X-Ray isn't designed to compare the signatures of apps installed on a device with a list of suspicious applications. Instead, the app looks for the presence of "all of the major privilege escalation vulnerabilities that have affected the Android platform since its inception," said Oberheide. "Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices."

[ Android is getting more secure--but only if it's patched. See Android Hacker: Jelly Bean Tougher To Crack. ]

The X-Ray app won't protect users from any escalation vulnerabilities it detects, but with luck, it will pressure carriers into getting serious about patching their Android devices. "We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users' devices," said Oberheide. To that end, the X-Ray software also collects statistics about the vulnerabilities found on a given device to help Duo Security track how many vulnerable Android devices are at large, both by manufacturer and device.

What's the risk from escalation vulnerabilities? "Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system," according to an X-Ray overview published by Duo. Such vulnerabilities haven't just been found in the core Google operating system, but also in many of the Android "skins" or customizations developed by handset makers and added to their Android distributions before smartphones get shipped to subscribers. "Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old," according to Duo Security.
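The two paragraphs above describe a scanner that, unlike signature-based antivirus, asks whether the platform release on the device predates the fix for each known privilege-escalation bug, and then aggregates what it finds per manufacturer. The following is an added illustration of that approach in Python; it is not Duo Security's X-Ray code. It assumes a device is described by a plain dict with `manufacturer`, `model` and `release` keys, and it uses a catalogue of placeholder entries (the names and "fixed in" releases are invented, not taken from the article or from any advisory). The check is deliberately conservative: a release older than the fix is reported as "not known to be patched", since a vendor backport would not be visible to a version comparison.

```python
"""Version-based presence check for unpatched privilege-escalation issues,
plus per-manufacturer aggregation. Added illustration, not X-Ray's code.

Assumptions (hypothetical, not from the article):
- A device is a dict with 'manufacturer', 'model' and 'release' strings.
- Each catalogue entry names the first Android release that shipped the
  fix; any older release is reported as unpatched for that entry.
The catalogue entries below are labelled placeholders, not real advisories.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnEntry:
    name: str       # placeholder identifier, not a real vulnerability name
    fixed_in: str   # first release carrying the fix (invented value)


# Constructed placeholder catalogue; a real one would be built from advisories.
CATALOGUE = [
    VulnEntry("PLACEHOLDER-PRIVESC-A", "2.2.2"),
    VulnEntry("PLACEHOLDER-PRIVESC-B", "2.3.4"),
    VulnEntry("PLACEHOLDER-PRIVESC-C", "4.0.4"),
]


def parse_version(text):
    """Turn '4.0.4' into (4, 0, 4), padding so '4.0' equals '4.0.0'.
    Raises ValueError for anything that is not dotted integers."""
    nums = []
    for part in text.strip().split("."):
        if not part.isdigit():
            raise ValueError(f"unparseable Android release: {text!r}")
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def scan_device(device):
    """Return the catalogue entries whose fix the device's release predates.

    Version check only: a vendor backport of a fix into an older release
    would still be listed here, so a hit means 'not known to be patched',
    not proof that the bug is exploitable on this unit. Returns None when
    the release string cannot be parsed, so callers can tell 'unknown'
    apart from 'clean'."""
    try:
        release = parse_version(device["release"])
    except ValueError:
        return None
    return [v.name for v in CATALOGUE if release < parse_version(v.fixed_in)]


def summarize(devices):
    """Per manufacturer: (devices with at least one hit, devices seen).
    Unknown releases count toward the total but not toward the hits."""
    vulnerable = Counter()
    total = Counter()
    for device in devices:
        total[device["manufacturer"]] += 1
        if scan_device(device):
            vulnerable[device["manufacturer"]] += 1
    return {m: (vulnerable[m], total[m]) for m in total}


# Constructed sample inventory: manufacturer names appear in the article,
# but the models and releases are invented for illustration.
SAMPLE_DEVICES = [
    {"manufacturer": "Samsung", "model": "sample-1", "release": "2.3.3"},
    {"manufacturer": "Samsung", "model": "sample-2", "release": "4.1"},
    {"manufacturer": "Motorola", "model": "sample-3", "release": "2.2.1"},
    {"manufacturer": "HTC", "model": "sample-4", "release": "4.0.4"},
    {"manufacturer": "HTC", "model": "sample-5", "release": "unknown"},
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(device["manufacturer"], device["model"], scan_device(device))
    print(summarize(SAMPLE_DEVICES))
```

The three-way result of `scan_device` (hits, empty list, or `None`) matters for the statistics: a device whose release string the scanner cannot read should not silently inflate either the "patched" or the "vulnerable" count.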

Indeed, according to research conducted last year by Bit9, 56% of the top 20 Android smartphones were running outdated software, thus leaving them open to attack by malware exploiting known vulnerabilities. The worst offender was Samsung, which took 316 days to patch its Galaxy Mini smartphone after Google released an Android update. Meanwhile, the fastest update--a Droid X patch from Motorola--still required 141 days to be released.

Many security experts blame the patching delay on economics: once carriers sell a phone to a consumer, they're under no obligation to keep it updated. Furthermore, carriers stand to make more money by having customers refresh their handsets to get the latest version of Android, rather than getting it for free by having the vendor patch older devices.

Still, another part of the patch-delay problem can be traced to the Android codebase itself, which remains a patchwork of not just Google code, but functionality from third parties as well. "Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third parties, not to mention all the open source components--Linux kernel, WebKit, libraries--owned by various project maintainers," according to Duo Security.

Comments
brucko,
User Rank: Apprentice
7/28/2012 | 10:29:41 AM
re: Android App IDs Smartphone, Tablet Vulnerabilities
No weaknesses found on Galaxy Nexus with Jelly Bean ... YAY Google!!
Rhonindk,
User Rank: Apprentice
7/25/2012 | 9:42:32 PM
re: Android App IDs Smartphone, Tablet Vulnerabilities
Cool - done / checked / good to go.

Simple enough check. Nice.
Now how good is it?