Great topic Andrew. We see a lot of frustration from our Security Advisor users who cannot find updates to the OS. But I would be very surprised if the guys in DC (FTC, Congress) will do anything about this. Maybe in the EU. And since the carriers and manufacturers want to keep us buying the latest new thing, I'm not sure they see this as a big deal either. A successful widespread attack may do the trick however.
PS, I wish I could delete those Samsung built-in apps :((! Sumin On Thursday, June 13, 2013 11:43:16 AM UTC-4, seattleandrew wrote: > > Hey guys, just wanted to open up discussion on something I think a few of > us recognized but didn't know the scope of how large it was. > Quarks Lab just released a vulnerability breakdown for Samsung phones in > which they created applications with little to no permissions and were able > to basically exploit the entire system. How did they accomplish this? Read > here for more: > http://www.quarkslab.com/dl/Android-OEM-applications-insecurity-and-backdoors-without-permission.pdf > > "I'm a busy person, I have no time to read this!" > > Fine... *tl;dr* Samsung's built-in apps (i.e. the non-stock apps Samsung > bundles in) allow any application installed on the device to leverage their > permissions, content providers, etc. Thus leaving a huge gap in the Android > security model. In other words, I can create an app that appears to have no > permissions, but rather uses the permissions from apps already installed on > the device. > > *Juicy stuff*: From one application, they found a vulnerability that > allowed them to write and execute code... essentially getting access to > whatever they wanted. > > Okay, so what's up with my sensationalist title-- As security researchers, > professionals, enthusiasts, what can we do about this? For users I imagine > flashing a custom ROM or sticking with a Nexus device would suffice, but > what about government and corporate implications? > > One of the biggest issues for me have been the speed at which Android > updates to other devices, often referred to as fragmentation. In this case > I think the groups largely responsible for delaying security patches are > the carriers. This is because some of them take months/years to deploy > patches and updates and by then, exploits will have been in the while for a > long time. Can carriers be held responsible for willingly delaying security > patches to their customers devices? Even if the intentions are good, e.g. > "we want to retain a high QA standard that's associated with our brand." I > can't help but feel we need a different update model for these mobile > connected devices. > > Why aren't Security updates completely separate from Usability updates? > Thoughts? > > /end rant > -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
