{"id":16899,"date":"2019-11-15T10:45:02","date_gmt":"2019-11-15T18:45:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/11\/15\/news-10637\/"},"modified":"2019-11-15T10:45:02","modified_gmt":"2019-11-15T18:45:02","slug":"news-10637","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/15\/news-10637\/","title":{"rendered":"146 New Vulnerabilities All Come Preinstalled on Android Phones"},"content":{"rendered":"

<\/p>\n

Credit to Author: Brian Barrett| Date: Fri, 15 Nov 2019 12:00:00 +0000<\/strong><\/p>\n

The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.<\/p>\n

When you buy an Android smartphone, it\u2019s rarely pure Android. Manufacturers squeeze in their own apps or give it a fresh coat of interface. Carriers do it too. The resulting stew of preinstalled software and vanilla Android sometimes turns out to be rancid, putting flaws and vulnerabilities on the phone before you even take it out of the box<\/a>. For proof of how bad it is, look no further than the 146 vulnerabilities\u2014across 29 Android smartphone makers\u2014that have just been simultaneously revealed.<\/p>\n

Yes, that\u2019s 146, all discovered by security firm Kryptowire and detailed one by one in a new gargantuan disclosure<\/a>. Most of the implicated companies operate primarily in Asia, but the list includes global heavyweights like Samsung and Asus as well. While the bugs vary in severity and scope\u2014and in some cases, the manufacturers dispute that they\u2019re a threat at all\u2014they illustrate an endemic problem for Android, one that Google has acknowledged<\/a>.<\/p>\n

The vulnerabilities Kryptowire turned up, in research funded by the Department of Homeland Security, encompass everything from unauthorized audio recording to command execution to the ability to modify system properties and wireless settings. What makes them so pernicious, though, is how they get on phones, and how hard they are to remove.<\/p>\n

\u201cWe wanted to understand how easy it is for someone to be able to penetrate the device without the user downloading an application,\u201d says Kryptowire CEO Angelos Stavrou. \u201cIf the problem lies within the device, that means the user has no options. Because the code is deeply buried in the system, in most cases the user cannot do anything to remove the offending functionality.\u201d<\/p>\n

It\u2019s one thing if you fall for a shady Fortnite<\/em> download<\/a>. At least that was a choice you made, and you can also uninstall it. The vulnerabilities Kryptowire found are often preinstalled at a system level, with no way to purge them from your device.<\/p>\n

"In the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user."<\/p>\n

Angelos Stavrou, Kryptowire<\/p>\n

If all of this sounds vaguely familiar, it\u2019s because Kryptowire has been down this road before. A little over a year ago it disclosed the results<\/a> of a similar round of research that found this same class of defects built into 10 popular Android devices. The difference now\u2014and the reason the work is so much more comprehensive\u2014is that the team has built a tool that scans firmware for issues even if they don\u2019t have the device physically in hand. Kryptowire\u2019s system then automatically creates a proof of concept, in a matter of minutes, that validates the vulnerability\u2019s existence and cuts down on false positives. The tool looks for \u201cunsafe states,\u201d as Stavrou puts it, that would allow an application to take a screenshot or record audio or create a network connection when it shouldn\u2019t.<\/p>\n

The issue often comes down to trust. Many of the vulnerabilities Kryptowire found enable apps to do things like change settings without your knowledge or consent.<\/p>\n

\u201cWe believe that if you are a vendor you should not trust anybody else to have the same level of permissions as you within the system,\u201d says Stavrou. \u201cThis should not be an automatic thing.\u201d<\/p>\n

\u201cWe appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these,\u201d Google said in a statement. Google has its own vetting process, called the Build Test Suite, that checks software for potentially harmful preinstalled apps. BTS launched in 2018, and in its first year prevented 242 of those problematic installs from reaching consumers.<\/p>\n

The Kryptowire research suggests that BTS has room for improvement. In fairness, it\u2019s a problem of enormous scope. According to a presentation on this very topic given this summer by Google security researcher Maddie Stone, every Android device ships with 100 to 400 preinstalled apps. Many of those apps originate not from the company that\u2019s making the physical device, but from third parties that provide the code for various under-the-hood tasks, or from carriers who have a vested interest in everything from messaging to payments. Most manufacturers are ill-equipped to parse all of those apps for potential risks, and even the largest still allow some sort of carrier influence.<\/p>\n

\u201cThe ecosystem involves hundreds of vendors that are not necessarily cooperating with each other or have any process for quality assurance. Or they might, but some of them have more than others,\u201d says Stavrou. \u201cAnd in the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user.\u201d<\/p>\n

Kryptowire began the lengthy process of notifying Google and the 29 manufacturers of its findings over the summer. Not all of those affected agree that the findings are all that concerning. Kryptowire disclosed 33 vulnerabilities in Samsung devices, stemming from six preinstalled apps. (It also found bugs in two additional apps, but those were present only in firmware images that bad actors had injected malware into, and weren\u2019t included in the final report.)<\/p>\n

Two of those six were developed by outside partners; though they still affect Samsung devices, the consumer electronics giant directed the researchers to those other companies. As for the remaining four, Samsung argues that the broader Android Security framework renders them harmless. \u201cSince being notified by Kryptowire, we have promptly investigated the apps in question and have determined that appropriate protections are already in place,\u201d Samsung said in a statement.<\/p>\n

Kryptowire disagrees. \u201cThe Samsung apps can be used by third-party supply chain actors to gain access to information without disclosing it or requiring permissions,\u201d says Tom Karygiannis, the company\u2019s vice president of product. \u201cThe current design of the Android Security framework does not prevent that from happening today.\u201d<\/p>\n

At least Samsung has the resources to investigate the reported vulnerabilities. Many Android manufacturers offer no clear path for reporting bugs or for patching them when found. Outside of Google\u2019s own Pixel line and a handful of well-resourced manufacturers, security updates are slow to hit Android devices under even the best of circumstances. When those flaws come from someone else\u2019s code, well, good luck.<\/p>\n

If there\u2019s a silver lining here, it\u2019s that Google has taken proactive steps to tamp down on the problem of preinstalled bugs. But as Kryptowire\u2019s sweep shows, the overall ecosystem has a long way to go.<\/p>\n

https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Brian Barrett| Date: Fri, 15 Nov 2019 12:00:00 +0000<\/strong><\/p>\n

The dozens of flaws across 29 Android smartphone makers show just how insecure the devices can be, even brand-new.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-16899","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16899","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16899"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16899\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16899"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16899"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16899"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}