or Connect
AppleInsider › Forums › Mobile › iPhone › Serious security flaws discovered in Android phones, Samsung and HTC ignore issue
New Posts  All Forums:Forum Nav:

Serious security flaws discovered in Android phones, Samsung and HTC ignore issue

post #1 of 62
Thread Starter 
The ease and ability of Android licensees to modify the software they install on their smartphones has opened vast security holes that enable rogue apps to record calls, monitor users' locations and access sensitive data without permission, researchers say, noting that while Google and Motorola acknowledge the issues, HTC and Samsung have ignored their findings.

Researchers from North Carolina State University have demonstrated that Android's permission-based security system can be easily circumvented due to flaws in the software that licensees add to their devices, according to security testing performed on popular HTC, Samsung, Motorola and Google-branded smartphones.

"Android provides a permission-based security model that requires each application to explicitly request permissions before it can be installed to run," the researchers note in the paper (PDF) "Systematic Detection of Capability Leaks in Stock Android Smartphones," which will be presented at this year's Network and Distributed System Security Symposium.

"In this paper, we analyze eight popular Android smartphones and discover that the stock phone images do not properly enforce the permission model. Several privileged permissions are unsafely exposed to other applications which do not need to request them for the actual use."

Google's Android security model erased by its own openness

The researcher's tests on 8 popular Android smartphones (HTC Legend/EVO 4G/Wildfire S, Motorola Droid/Droid X, Samsung Epic 4G, and Google Nexus One/Nexus S) resulted in security breaches in 11 out of 13 privileged permissions, with up to 8 security failures found on a specific model (the HTC EVO 4G).

"By exploiting these leaked capabilities," the paper notes, "an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geolocations all without asking for any permission."

This summer, Symantec issued a report highlighting the problem that Google's Android permission system "relies upon the user to make the important security decisions," but the security firm did not publish any findings indicating that Google's permission system simply did not work as advertised on popular Android smartphones.

Apple's App Store curation vs Google's permission model

The new research paper contrasts app security models by Apple and Google, noting that "Apple uses a vetting process through which each third-party app must be scrutinized before it will be made available in the app store. After installing an app, Apples iOS platform will prompt the user to approve the use of some functions at run-time, upon their first access.

"From another perspective, Google defines a permission-based security model in Android by requiring each app to explicitly request permissions up-front to access personal information and phone features. The requested permissions essentially define the capability the user may grant to an Android app.

"In other words, they allow a user to gauge the apps capability and determine whether or not to install the app in the first place. Due to the central role of the permission-based model in running Android apps, it is critical that this model is properly enforced in existing Android smartphones."

Android's permission model has already resulted in a plague of malware, as there is no active curation in Google's Android Market that prevents rogue or malicious developers from posting apps that request inappropriate levels of permissions, in hopes that naive users will install their software without paying attention to complex permission details.

But proponents of Android claim that astute users can safeguard themselves simply by being vigilant about what apps they install, confident that the Android platform won't allow apps to go beyond the permissions they request. That turns out to not be the case, as the researchers have demonstrated that licensee-bundled software can bypass Android and enable rogue apps to wipe the phone, place unauthorized calls or messages, and spy on their location or access supposedly secure data.

The bigger the problem, the greater the denial

After finding serious security lapses in shipping Android phones, the researchers noted that "since April, 2011, we have been reporting the discovered capability leaks to the corresponding vendors," noting that "we experienced major difficulties with HTC and Samsung."

"After identifying these capability leaks, we spent a considerable amount of time on reporting them to the corresponding vendors. As of this writing, Motorola and Google have confirmed the reported vulnerabilities in the affected phones. HTC and Samsung have been really slow in responding to, if not ignoring, our reports/inquiries."

The report notes that "smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks. The reference implementations from Google (i.e., the Nexus One and Nexus S) are rather clean and free from capability leaks, with only a single minor explicit leak."

It also added that "those smartphones with system images (i.e., the Motorola Droid) close to the reference Android design (i.e., the Nexus One and Nexus S) seem to be largely free of capability leaks, while some of the other flagship devices have several."

With only Google and Motorola having acknowledged any of the problems, that leaves the most successful Android licensees, HTC and Samsung, not only ignoring the reported issues but also continuing to deliver products that are the least safe for users, in many cases without any provisions for updating phones that have already been sold.
post #2 of 62
Quote:
Originally Posted by AppleInsider View Post

The bigger the problem, the greater the denial



If I ever want an infected, inferior and piece of crap OS, I'll be sure to get an Android device.

Android is a free OS, that is attractive to bums and people who do not have high standards. I can understand the people who get the devices for free, as some people are poor, but I don't see how anybody can willingly pay any money for any Android device.
post #3 of 62
It's windows all over again.
post #4 of 62
Quote:
Originally Posted by Apple ][ View Post



If I ever want an infected, inferior and piece of crap OS, I'll be sure to get an Android device.

Android is a free OS, that is attractive to bums and people who do not have high standards. I can understand the people who get the devices for free, as some people are poor, but I don't see how anybody can willingly pay any money for any Android device.

explain.
post #5 of 62
Watch out Android users, the boogyman is hiding in your closet. You'd better watch your backs!! \
post #6 of 62
Quote:
Originally Posted by pedromartins View Post

explain.

There's something called "Google" that will answer it all. It's been discussed countless times already.
post #7 of 62
Quote:
Originally Posted by pedromartins View Post

explain.

Doesn't Google give Android away for free? Somebody can correct me if I'm mistaken, but I don't think that Google licenses out their OS for money. It's open source and that's why so many manufacturers make Android phones.

Google is an advertising company and that's how they make their money. Google wants a ton of Android devices out there, as the more people using their OS, means more ad money for them.
post #8 of 62
With windows PCs most people ignore the malware threat. They usually don't have that much critical data on it: mostly photos, emails, some contact data and their browser history plus cookies. Rarely financial data, rarely password safes, no location data. And if so chances are high, that data is stored in nonunique ways, spreaded all over disk, formatted by thousands of different software solutions make it harder to steal the data.

I can really say that when watching my parents and their generation using their PCs. They just don't care or rely on some standard antivirus and firewall software shipped with the OS.. without knowing it's quality, without updating virus almanach data, without caring for other threats. Most people just never experienced anything dangerous over the last 10y on their PCs.

I think that most Android users an unaware of the fact that their mobile is a much greater threat! Critical data is much easier to find, stored much more uniform way. And there is much more critical data on these devices than on a regular PC. Plus the regular contact with wild wifi networks is also a fact not known to PCs. The threat is much higher and the defense is much weaker than on a PC.

I would never go with such a device, it's just incredible.
post #9 of 62
Quote:
Originally Posted by AppleInsider View Post

[...] But proponents of Android claim that astute users can safeguard themselves simply by being vigilant about what apps they install [...]

I wonder what percentage of the Android-using public are actually astute users.
If you really care about quality and you are completely aware of all the smartphone options available to you
as a consumer, you get an iPhone. Especially now that price is no longer an issue.

Sent from my iPhone Simulator

Reply

Sent from my iPhone Simulator

Reply
post #10 of 62
Quote:
Originally Posted by Apple ][ View Post

Doesn't Google give Android away for free? Somebody can correct me if I'm mistaken, but I don't think that Google licenses out their OS for money. It's open source and that's why so many manufacturers make Android phones.

Google is an advertising company and that's how they make their money. Google wants a ton of Android devices out there, as the more people using their OS, means more ad money for them.

Android as an OS is free, but OEMs have to pay a licensing fee in order to have access to Google services (Gmail, Maps, and most importantly, Android Market). Companies like Amazon and Barnes and Noble don't pay the fee because they use their own version of Android and use their own services instead of Google. Everything that has Google stuff on it, though, there is a license being paid.
post #11 of 62
Quick! Somebody blame this on Apple so Al Franken will look into it.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
post #12 of 62
Quote:
Originally Posted by AppleInsider View Post

The report notes that "smartphones with more pre-loaded apps tend to be more likely to have explicit capability leaks. The reference implementations from Google (i.e., the Nexus One and Nexus S) are rather clean and free from capability leaks, with only a single minor explicit leak."

It also added that "those smartphones with system images (i.e., the Motorola Droid) close to the reference Android design (i.e., the Nexus One and Nexus S) seem to be largely free of capability leaks, while some of the other flagship devices have several."

With only Google and Motorola having acknowledged any of the problems, that leaves the most successful Android licensees, HTC and Samsung, not only ignoring the reported issues but also continuing to deliver products that are the least safe for users, in many cases without any provisions for updating phones that have already been sold.

Not a happy camper that HTC and Sammy are neglecting issues like this, but since this is the only part of the article that pertains to me, Google being among those who acknowledge these flaws, AND have an referenced design phone, I can pretty much say that this is nothing new or special for me in terms of security.

If the problem stems largely from 3rd party pre-installed apps, then this should be less of a threat, but still a noticeable one in the coming months regardless, due to the fact that any phone or tablet getting an ICS update will allow for 3rd party pre-installed apps.

Still, It shouldn't take the removal of such to fix security flaws in these.
post #13 of 62
Quote:
Originally Posted by Apple ][ View Post



If I ever want an infected, inferior and piece of crap OS, I'll be sure to get an Android device.

Android is a free OS, that is attractive to bums and people who do not have high standards. I can understand the people who get the devices for free, as some people are poor, but I don't see how anybody can willingly pay any money for any Android device.

You're such a pathetic excuse for a human being.

Are you a creationist by any chance?
post #14 of 62
Quote:
Originally Posted by Jexus View Post

Not a happy camper that HTC and Sammy are neglecting issues like this, but since this is the only part of the article that pertains to me, Google being among those who acknowledge these flaws, AND have an referenced design phone, I can pretty much say that this is nothing new or special for me in terms of security.

If the problem stems largely from 3rd party pre-installed apps, then this should be less of a threat, but still a noticeable one in the coming months regardless, due to the fact that any phone or tablet getting an ICS update will allow for 3rd party pre-installed apps.

Still, It shouldn't take the removal of such to fix security flaws in these.

Yea the OEMs are often Android's worst enemy. Carriers too.
post #15 of 62
Quote:
Originally Posted by Apple ][ View Post



If I ever want an infected, inferior and piece of crap OS, I'll be sure to get an Android device.

The sad part is, despite these repeated warnings and caveats, Androiders don't seem to care all that much. In fact, I get the feeling that, increasingly, many are wearing this sort of abuse as a badge of honor.

Truly pathetic.
post #16 of 62
Quote:
Originally Posted by AbsoluteDesignz View Post

You're such a pathetic excuse for a human being.

Are you a creationist by any chance?

I normally agree with your viewpoints, but please explain what being a creationist has to do with anything?

Since the ones most vulnerable are Samsung and HTC I would say the culprit is not the OS itself but the skinning they apply over it, TouchWiz and Sense UI. My Moto Droid just got some security patches so at least Motorola is on the ball.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
Reply
post #17 of 62
Quote:
Originally Posted by AbsoluteDesignz View Post

Are you a creationist by any chance?

What does 'creationism' have to do with his being pro-Apple/anti-Android?
post #18 of 62
Quote:
Originally Posted by anantksundaram View Post

The sad part is, despite these repeated warnings and caveats, Androiders don't seem to care all that much. In fact, I get the feeling that, increasingly, many are wearing this sort of abuse as a badge of honor.

Truly pathetic.

What you call pathetic I call being a well-rounded human in today's society.

Being worried about virtual boogeyman coming to get your phone is half paranoid and half childish.

It has been proven that Apple's curated app store doesn't prevent malicious software, Carrier IQ was only just removed from the iPhone and Apple fixes previously unknown iOS vulnerabilities in every other software release.

I don't hide under my bed scared of the iOS monsters and I wouldn't expect Android users too either.
post #19 of 62
Quote:
Originally Posted by hittrj01 View Post

Android as an OS is free, but OEMs have to pay a licensing fee in order to have access to Google services (Gmail, Maps, and most importantly, Android Market). Companies like Amazon and Barnes and Noble don't pay the fee because they use their own version of Android and use their own services instead of Google. Everything that has Google stuff on it, though, there is a license being paid.

Most of them are also paying a license fee to Microsoft.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
Reply
post #20 of 62
And here's another unresolved flaw with Android. Carriers and vendors can do whatever they want to the device allowing for even less consistency across vendors and carriers.

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

Reply
post #21 of 62
Quote:
Originally Posted by anantksundaram View Post

What does 'creationism' have to do with his being pro-Apple/anti-Android?

Nothing with that. But his entire online persona is real similar to the young earth creationists I've run across.

Also he isn't merely pro-Apple anti Android he dehumanizes anyone who doesn't think like him or like what he likes.

He is, it seems, a despicable human being.

(Note: I know many creationists even YEC in real life and they are great people but those who post online tend to be...Apple ][-ish)
post #22 of 62
Quote:
Originally Posted by dasanman69 View Post

I normally agree with your viewpoints, but please explain what being a creationist has to do with anything?

Since the ones most vulnerable are Samsung and HTC I would say the culprit is not the OS itself but the skinning they apply over it, TouchWiz and Sense UI. My Moto Droid just got some security patches so at least Motorola is on the ball.

That was a tangent unrelated to the topic at hand.
post #23 of 62
Quote:
Originally Posted by SolipsismX View Post

Quick! Somebody blame this on Apple so Al Franken will look into it.

...and then file a class-action lawsuit against apple for...something
post #24 of 62
Quote:
Originally Posted by AbsoluteDesignz View Post

You're such a pathetic excuse for a human being.

Are you a creationist by any chance?

Well, I believe that most people are created equally, except for Fandroids of course.

God must've been smoking crack when he made those people.
post #25 of 62
Quote:
Originally Posted by AbsoluteDesignz View Post

That was a tangent unrelated to the topic at hand.

The topic at hand, as it usually is, is how much Android sucks. Your attempts at diverting the topic away from the subject and over to creationism and other nonsense is not the topic at hand by the way.
post #26 of 62
Quote:
Originally Posted by stniuk View Post

It's windows all over again.

But, worse. When Windows first came out, virus evolution was in the single simple cell stage. Android is entering into an environment with many species of the disease. Is the solution for Android going to be the running virus protection software in the background on their phones and tablets?

Android will be hit by a pandemic; it will be the path of least resistance for malware developers, leaving Apple's iOS alone? Will users be reinstalling the Android OS weekly? Will this be an opening for Windows 8?

In any case, Apple's mature and fortified environment will be left standing among the rubble of competitors.
post #27 of 62
Google have managed with something amazing.
Unix/Linux have been 100% secure. Free from viruses and malware. This have been a 50 year tradition and over 700 million *nix computers/devices.

If Google wants to have an open App store, they need to think about security. Since all program installs in a SU process, there is no security today.

6 month ago it was reported that 5% of Android devices is infected by malware. That figure is rising quickly.
post #28 of 62
Quote:
Originally Posted by jragosta View Post

Most of them are also paying a license fee to Microsoft.

Android is the worlds most expensive "free" system.

Google bought it. Developed it for many years. They used unlicensed Linux instead of licensed Unix as foundation. Linux foundation have lead to that Google have used code they have no right to use. They lost a patent case and had to pay 5 million.

Google also cloned iPhone and used Java without license.

This have lead to many patent litigations. Android vendors have in desperation signed licensing agreement with Microsoft to use their patent umbrella. The vendors are not stupid. They pay money to MSFT since they know that Google have broken patent. Next year alone MSFT will get almost 1 billion dollar in licensing fee's from Android vendors.

Since Google knows that they have broken patents, they have gone on a mad patent hunt. They bought Motorola mobile + a bunch of IBM patents. Cost almost 14 billion.

So far Android have costed 20 billion.

Android devices generates about 1 billion in revenue for Google in ad revenues. It would have been much cheaper for Google to continue pay mobile vendors to have Google as default search engine.

The biggest blow is still to come: If Apple wins its patent case against HTC it means that every single Android device is breaking patents.

Google could have avoided all if they had build their own system instead of buying/cloning.
But that is Googles culture. The young peoples culture that everything on the net is "free".
post #29 of 62
just like Windows NT, Android was not designed to be secure from the ground up. so now, just like Windows, security has to be bolted on after the fact. which is never completely successful and there are potential soft spots in many places throughout the OS.

because Android (and Windows) first and foremost were business strategies, not best of class engineering. corners were cut and disparate parts were jammed together for the sake of seizing market position.

whereas OS X' Unix foundation is as secure as they get. the top levels of the OS will always have some vulnerabilities thanks to interactions with third party software, but they are fewer in number and easier to close off.

the question is whether the cyber thieves will attack Android's vulnerabilities with the same intensity that they focused on Windows' vulnerabilities. we'll see. but Google will always be playing catch-up with them.
post #30 of 62
Quote:
Originally Posted by AbsoluteDesignz View Post

Nothing with that. But his entire online persona is real similar to the young earth creationists I've run across.

Also he isn't merely pro-Apple anti Android he dehumanizes anyone who doesn't think like him or like what he likes.

He is, it seems, a despicable human being.

(Note: I know many creationists even YEC in real life and they are great people but those who post online tend to be...Apple ][-ish)

The good creationists don't post online and you're ok with them, the bad ones are despicable, dehumanize others, and are Apple-ish online? Looks like you've got it all figured out profiling the thousands of creationists you have 'run across'.....
post #31 of 62
Quote:
Originally Posted by Sipadan View Post

The good creationists don't post online and you're ok with them, the bad ones are despicable, dehumanize others, and are Apple-ish online? Looks like you've got it all figured out profiling the thousands of creationists you have 'run across'.....

He has no clue at all.

I'm not a creationist.
post #32 of 62
Quote:
Originally Posted by anantksundaram View Post

What does 'creationism' have to do with his being pro-Apple/anti-Android?

I'd think that if you were a creationist you'd be against Apple... or at least about women picking them and fooling you into consuming it.
post #33 of 62
Quote:
Originally Posted by waldobushman View Post

But, worse. When Windows first came out, virus evolution was in the single simple cell stage. Android is entering into an environment with many species of the disease. Is the solution for Android going to be the running virus protection software in the background on their phones and tablets?

Android will be hit by a pandemic; it will be the path of least resistance for malware developers, leaving Apple's iOS alone? Will users be reinstalling the Android OS weekly? Will this be an opening for Windows 8?

In any case, Apple's mature and fortified environment will be left standing among the rubble of competitors.

I have wonder if the potential bad guys in all this, the ones that will empty Android users' bank accounts, are currently overwhelmed by the scale of opportunity they face. How long before a Russian mob type, organized crime group get this together and an attack takes place on an epic scale?
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
Reply
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
Reply
post #34 of 62
Quote:
Originally Posted by Alfiejr View Post

just like Windows NT, Android was not designed to be secure from the ground up. so now, just like Windows, security has to be bolted on after the fact. which is never completely successful and there are potential soft spots in many places throughout the OS.

Incorrect. Android OS security is just as stout as iOS "from the ground up". Do a bit of study and don't just go by something you read at AI.

http://www.informationweek.com/articles/231000953

Apple and Android have taken two different views on how closed the application markets should be, and that's where you see comments such as this article coming from.
melior diabolus quem scies
Reply
melior diabolus quem scies
Reply
post #35 of 62
IIRC, Apple ][ is an atheist. It's honestly his only redeeming quality.
post #36 of 62
Quote:
Originally Posted by tonton View Post

IIRC, Apple ][ is an atheist. It's honestly his only redeeming quality.



Speaking as an atheist I'd just like to point out there is nothing in common between atheists. 'Not belonging doesn't a group make'.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
Reply
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
Reply
post #37 of 62
Quote:
Originally Posted by digitalclips View Post

Speaking as an atheist I'd just like to point out there is nothing in common between atheists. 'Not belonging doesn't a group make'.

Your wrong, they share the same belief.

J.
post #38 of 62
Quote:
Originally Posted by tonton View Post

IIRC, Apple ][ is an atheist. It's honestly his only redeeming quality.

I don't believe in any god, but I wouldn't mind becoming a deity in the future sometime. It seems like a fun thing to be. I am however hesitant to call myself an atheist, as I don't like quite a few atheists, and I'd rather not be lumped together with that group.

Some atheists are just as bad as religious fanatics. I could do without either one.
post #39 of 62
Quote:
Originally Posted by SolipsismX View Post

Quick! Somebody blame this on Apple so Al Franken will look into it.

post #40 of 62
Quote:
Originally Posted by Apple ][ View Post



If I ever want an infected, inferior and piece of crap OS, I'll be sure to get an Android device.

Android is a free OS, that is attractive to bums and people who do not have high standards. I can understand the people who get the devices for free, as some people are poor, but I don't see how anybody can willingly pay any money for any Android device.

My wife is far from being a bum, has a higher level of education than you and probably higher standards, She just got a Galaxy S II.

Which disproves your theory.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: iPhone
  • Serious security flaws discovered in Android phones, Samsung and HTC ignore issue
AppleInsider › Forums › Mobile › iPhone › Serious security flaws discovered in Android phones, Samsung and HTC ignore issue