It hasn’t been a good week for the security of the Android operating system, with continuing reports on the state of several persistent vulnerabilities that affect millions of users. And it looks like even Android Marshmallow, the next major release of the software that Google will launch this fall, isn’t going to do much to mitigate the major security problems underlying the world’s most popular mobile operating system.
Dan Goodin reports for Ars Technica that two separate code defects continue to put millions of users at risk. The first involves a recent update from Google, which aimed to fix a flaw that enabled attackers to execute malicious code on about 950 million Android phones — using nothing more than a text message sent to the user’s phone number. Seven days after Google deployed a fix, security researchers reported that the patch, which Google has had since April, is itself so flawed that attackers can still exploit the vulnerability. “The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Jordan Gruskovnjak and Aaron Portnoy of security firm Exodus Intelligence told Ars Technica. “The public at large believes the current patch protects them when it in fact does not.”
The vulnerability is a result of a buffer overflow bug in Stagefright, the code library that processes video in the Android operating system. The patch, which was submitted by the researchers who discovered the flaw and privately reported it to Google in April, prevents some but not all exploits.
Buffers act as containers for specific amounts of data, and when more data is written than the designated size allows, the excess spills into adjacent memory, which can let an attacker get the supplied contents executed. New versions of Android make overflow exploits more difficult to complete with a security measure called address space layout randomization, which randomizes the locations into which the malicious code is loaded. However, more advanced hackers can often bypass the mitigation.
As Apple Insider reported, Google issued another update to its partners, and the Nexus 4, 5, 6, 7, 9, 10 and Nexus Player may be the first to get the update when it’s issued in September. It’s unclear when non-Nexus phones will get the new patch. In Goodin’s estimation, “The incident underscores just how hard it is to get security right.”
In a separate incident, researchers from security firm MWR Labs reported a flaw that enables malicious apps to break out of the Android security sandbox, a key defense that prevents the passwords and sensitive data associated with one app from being accessed by another. The bug, which resides in the Android Admin application, enables apps to bypass the restrictions and read arbitrary files with the use of symbolic links.
Ars Technica notes that the rash of vulnerabilities, and the difficulty in getting fixes installed on users’ devices, is taking a toll on the Android operating system. While there are currently no indications that the vulnerabilities are actually being exploited, users are worried. And for good reason: Even the next version of Android, recently announced as Marshmallow, won’t address Android’s flawed security model.
Ina Fried and Mark Bergen report for Re/Code that both of the recent Android vulnerabilities “underscore the nagging headache Google has built with an OS so reliant on hardware partners, many of whom are struggling to maintain profits. And it shows that Google will continue to wrestle with the issues as Android moves onto other devices, like cars, wearables and home automation.” Google isn’t in control of the updating process for Android, which depends on device makers and wireless carriers.
Re/Code notes that Android’s current security issues are reminiscent of those that Microsoft experienced with Windows “back in the day.” The dominant operating system found itself the target of constant attacks, and many businesses were reluctant to update their servers and PCs without independent testing. But while those businesses had the opportunity to install updates as soon as Microsoft made them available, Google releases patches that typically go to the phone maker, not to the end user. Phone makers, already stressed under thin margins and stiff competition, often don’t update phones that have already been sold. That’s a problem for big, multinational smartphone makers, and potentially a bigger one for small, local manufacturers selling budget phones.
Because major software updates also often go through the carriers, who do their own testing, major releases often take months to be approved, if they’re made available at all. Many in the industry recognize that Android security updates need a new approach, and Google has already committed to monthly updates, a schedule that Samsung and LG have agreed to support. Google recently said that it would push monthly updates specifically for security to Nexus devices, which are the only ones that Google can fully control.