Hey guys, just wanted to open up discussion on something I think a few of us recognized but didn't know the scope of how large it was. Quarkslab just released a vulnerability breakdown for Samsung phones in which they created applications with little to no permissions and were able to basically exploit the entire system. How did they accomplish this? Read here for more: http://www.quarkslab.com/dl/Android-OEM-applications-insecurity-and-backdoors-without-permission.pdf

"I'm a busy person, I have no time to read this!" Fine...

*tl;dr* Samsung's built-in apps (i.e. the non-stock apps Samsung bundles in) allow any application installed on the device to leverage their permissions, content providers, etc. Thus leaving a huge gap in the Android security model. In other words, I can create an app that appears to have no permissions, but rather uses the permissions from apps already installed on the device.

*Juicy stuff*: From one application, they found a vulnerability that allowed them to write and execute code... essentially getting access to whatever they wanted.

Okay, so what's up with my sensationalist title-- As security researchers, professionals, enthusiasts, what can we do about this? For users I imagine flashing a custom ROM or sticking with a Nexus device would suffice, but what about government and corporate implications?

One of the biggest issues for me has been the speed at which Android updates to other devices, often referred to as fragmentation. In this case I think the groups largely responsible for delaying security patches are the carriers. This is because some of them take months/years to deploy patches and updates, and by then, exploits will have been in the wild for a long time.

Can carriers be held responsible for willingly delaying security patches to their customers' devices? Even if the intentions are good, e.g. "we want to retain a high QA standard that's associated with our brand."

I can't help but feel we need a different update model for these mobile connected devices. Why aren't Security updates completely separate from Usability updates?

Thoughts?

/end rant
