Researchers from North Carolina State University have demonstrated that Android's permission-based security system can be easily circumvented due to flaws in the software that licensees add to their devices, according to security testing performed on popular HTC, Samsung, Motorola and Google-branded smartphones.
"Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run," the researchers note in the paper (PDF) "Systematic Detection of Capability Leaks in Stock Android Smartphones," which will be presented at this year's Network and Distributed System Security Symposium.
"In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use."
Google's Android security model erased by its own openness
The researchers' tests on eight popular Android smartphones (HTC Legend, EVO 4G and Wildfire S; Motorola Droid and Droid X; Samsung Epic 4G; and Google Nexus One and Nexus S) found leaks in 11 of the 13 privileged permissions studied, with as many as eight leaked on a single model (the HTC EVO 4G).
"By exploiting these leaked capabilities," the paper notes, "an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geolocations all without asking for any permission."
This summer, Symantec issued a report highlighting the problem that Google's Android permission system "relies upon the user to make the important security decisions," but the security firm did not publish any findings indicating that Google's permission system simply did not work as advertised on popular Android smartphones.
Apple's App Store curation vs Google's permission model
The new research paper contrasts the app security models of Apple and Google, noting that "Apple uses a vetting process through which each third-party app must be scrutinized before it will be made available in the app store. After installing an app, Apple's iOS platform will prompt the user to approve the use of some functions at run-time, upon their first access.
"From another perspective, Google defines a permission-based security model in Android by requiring each app to explicitly request permissions up-front to access personal information and phone features. The requested permissions essentially define the capability the user may grant to an Android app.
"In other words, they allow a user to gauge the app's capability and determine whether or not to install the app in the first place. Due to the central role of the permission-based model in running Android apps, it is critical that this model is properly enforced in existing Android smartphones."
Android's permission model has already been abused by a plague of malware: Google's Android Market applies no active curation, so rogue or malicious developers can post apps that request far more permissions than they need, hoping that inattentive users will install them without reading the permission list.
Proponents of Android counter that astute users can protect themselves simply by being careful about which apps they install, trusting the platform to hold each app to the permissions it declared. The researchers show that this trust is misplaced: software bundled by licensees holds privileged permissions and exposes them to other apps, so a rogue app that requests no permissions at all can still get the phone wiped, SMS messages sent or calls placed, conversations recorded, the user's location read, and other data the permission system was supposed to guard handed over.
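To make concrete the kind of leak the paper describes, here is an illustrative Java example written for this article; it is not code from the paper or from any vendor's firmware, and the package name, action string, extras and phone number are invented. A hypothetical pre-loaded app that holds SEND_SMS exposes a broadcast receiver without restricting who may trigger it, so an app that declares no permissions can send texts through it. The hardened registration beside it makes the framework enforce the permission on the sender instead.

```java
// Illustrative example written for this article, not code from the paper or from
// any vendor's firmware. Package name, action string, extras and number are invented.
package com.example.preloaded;

import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.telephony.SmsManager;

// VULNERABLE: a pre-loaded app that holds android.permission.SEND_SMS and accepts a
// broadcast telling it what to send. onReceive runs with the pre-loaded app's own
// identity and permissions, and nothing restricts who may send the broadcast, so any
// app on the phone can send SMS through it without requesting SEND_SMS itself.
public class LeakySmsReceiver extends BroadcastReceiver {
    public static final String ACTION_SEND = "com.example.preloaded.SEND_TEXT";

    @Override
    public void onReceive(Context ctx, Intent intent) {
        if (!ACTION_SEND.equals(intent.getAction())) return;
        String to = intent.getStringExtra("to");
        String body = intent.getStringExtra("body");
        if (to == null || body == null) return;
        // Binder.getCallingUid() is no help here: a receiver's onReceive is dispatched
        // by the system, so it reports this app's own UID, not the sender's.
        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
    }

    // HARDENED: when registering the receiver, require the sender to hold SEND_SMS.
    // The framework then drops broadcasts from apps that lack it. The manifest
    // equivalent is android:permission="android.permission.SEND_SMS" on the <receiver>
    // element (or android:exported="false" if no other app needs to reach it at all).
    public static void registerHardened(Context ctx) {
        ctx.registerReceiver(new LeakySmsReceiver(),
                new IntentFilter(ACTION_SEND),
                Manifest.permission.SEND_SMS,   // broadcastPermission: sender must hold it
                null);                          // deliver on the main thread
    }
}

// ATTACKER: an app whose manifest declares no <uses-permission> at all. Against the
// vulnerable receiver this sends a text; against the hardened one the broadcast is
// never delivered.
class UnprivilegedCaller {
    static void sendThroughLeak(Context ctx) {
        Intent i = new Intent(LeakySmsReceiver.ACTION_SEND);
        i.putExtra("to", "+15555550100");       // invented number
        i.putExtra("body", "text sent via leaked SEND_SMS");
        ctx.sendBroadcast(i);
    }
}
```

The design point is that permission checks must be enforced on the component that exposes the capability, not assumed from the caller's manifest: the pre-loaded app is the one holding SEND_SMS, so it is the one that has to require it of anyone who asks it to act. Newer Android releases also restrict implicit broadcasts to manifest-declared receivers, but that does not remove the need for the permission attribute on exported components.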
The bigger the problem, the greater the denial
After finding serious security lapses in shipping Android phones, the researchers report that "since April, 2011, we have been reporting the discovered capability leaks to the corresponding vendors," and that "we experienced major difficulties with HTC and Samsung."
"After identifying these capability leaks, we spent a considerable amount of time on reporting them to the corresponding vendors. As of this writing, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung have been really slow in responding to, if not ignoring, our reports/inquiries."
The report notes that "smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks. The reference implementations from Google (i.e., the Nexus One and Nexus S) are rather clean and free from capability leaks, with only a single minor explicit leak."
It adds that "those smartphones with system images (i.e., the Motorola Droid) close to the reference Android design (i.e., the Nexus One and Nexus S) seem to be largely free of capability leaks, while some of the other flagship devices have several."
With only Google and Motorola having acknowledged any of the problems, the two most successful Android licensees, HTC and Samsung, have been slow to respond to the reports, if not ignoring them outright, while continuing to ship the devices that fared worst in the study, in many cases with no provision for updating phones that have already been sold.