Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Big Leaks In Pre-installed Android Apps

Posted by Soulskill on from the secure-your-leaking-data-with-large-bucket dept.

An anonymous reader sends this quote from an article at Ars Technica: "Researchers at North Carolina State University have uncovered a variety of vulnerabilities in the standard configurations of popular Android smartphones from Motorola, HTC, and Samsung, finding that they don't properly protect privileged permissions from untrusted applications (PDF). In a paper just published by researchers Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang, the four outlined how the vulnerabilities could be used by an untrusted application to send SMS messages, record conversations, or even wipe all user data from the handset without needing the user's permission. The researchers evaluated the security of eight phones: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. While the reference implementations of Android used on Google's handsets had relatively minor security issues, the researchers were 'surprised to find out these stock phone images [on the devices tested] do not properly enforce [Android's] permission-based security model.' The team shared the results with Google and handset vendors, and have received confirmation of the vulnerabilities from Google and Motorola. However, the researchers have 'experienced major difficulties' in trying to report issues to HTC and Samsung."

38 of 136 comments (clear)

  1. Cyanogenmod by Skarecrow77 · · Score: 5, Insightful

    What does it say when I trust a bunch of random coders on the internet to give me a better performing, more secure, and overall more pleasing experience with my smartphone than the company that created it.

    1. Re:Cyanogenmod by NatasRevol · · Score: 5, Funny

      That they stood on the shoulders of giants, and combed their hair?

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Cyanogenmod by iluvcapra · · Score: 4, Interesting

      People who own and use phones have a greater incentive to make a good phone OS than people who sell and provide service to phones.

      --
      Don't blame me, I voted for Baltar.
    3. Re:Cyanogenmod by clarkn0va · · Score: 4, Insightful

      You're right, and what a sad statement that is on the current state of affairs when a group of companies can treat their consumer base with something between indifference and contempt and yet continue to profit from them.

      --
      I am literally 3000 tokens away from the chaotic crossbow --Stephen
    4. Re:Cyanogenmod by jasno · · Score: 3, Insightful

      Look, the people who develop the phones use them too. The reality is that there just aren't that many smart, motivated, capable engineers out there. Even when you have a few alpha-engineers on a team, their time is usually spent trying to squash those hard-to-fix bugs instead of doing a thorough security analysis. They're rushing to get the damn thing to production so they can move on to the next big thing.

      I've spent my career developing embedded applications and not once has anyone paid me to address security. Bugs - user experience issues, stability problems, content security, standards compliance - those get the money. No one in management values security or privacy and they won't unless security researchers and hackers make the consumer aware of it.

      --

      http://www.masturbateforpeace.com/
    5. Re:Cyanogenmod by jasno · · Score: 3, Interesting

      Actually - I wonder if there is a certification agency for security/privacy? I've never heard of it, but if someone like the EFF got together with a testing lab and established a logo-certification program for various classes of devices(phones, operating systems, set-top boxes, networking equipment, etc.) you'd have a way for the consumer to evaluate security and make decisions accordingly.

      --

      http://www.masturbateforpeace.com/
  2. Re:Android sucks by masternerdguy · · Score: 2, Funny

    Or First Post (Sent from iPhone)

    --
    To offset political mods, replace Flamebait with Insightful.
  3. Carriers by bonch · · Score: 3, Insightful

    The lack of control the carriers have over iOS is just one of the reasons I prefer it over Android. They wanted to pre-install a bunch of junk on the iPhone, and Apple wouldn't have it. The difficulty reporting these vulnerabilities to HTC and Samsung is not surprising.

    1. Re:Carriers by robmv · · Score: 2

      Not again the iOS vs Android mantra about carrier installed crap, do you want a new clean phone? buy it unlocked without carrier intervention. Expensive? need financing? Use your credit card financing services, problem solved. And this worked since the old smatphones generations, I used Nokia and Sony Ericsson phones before the Nexus One

    2. Re:Carriers by UnknowingFool · · Score: 2

      iOS is not any less vulnerable than Android when it comes to security. This specific issue highlights that the vulnerabilities can occur because the manufacturer screwed up Android implementation. Apple is less likely to do so as they control the hardware and software. Also with as much profit as Apple makes, they don't have any excuses. With Android manufacturers, they might have a lack of QC due to lack of money or that they really need the revenue generated by crapware.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Carriers by PNutts · · Score: 2

      The IPhone comes with a pile of junk on it too, which you can't remove. Furthermore, Apple have admitted they've been using Carrier IQ, which was obfuscated from detection.

      Finally, the iPhones are the only phones you can root by merely going to a website. Now that is utterly pathetic!

      I'm not sure why I'm bothering, but what junk are you referring to? You may not want a magnetic compass or a calculator but I wouldn't classify it as junk. Put it in a folder off your home screen and I doubt it uses more disk any song that's not innagadadavida.

      The iPhone's diagnostic data is not obfuscated. It's plain text and available/viewable from the menu. It never recorded keystrokes.

      True about the website and many people see that as a benefit. Downloading and running an app to root is so 1990.

  4. Re:facepalm by TheRealMindChild · · Score: 5, Insightful

    You say this, like something complex is doomed to be incomprehensible to do correctly. Simple fact of the matter is, these silly folks are still using strlen(...) and ridiculously bad coding practices, known for decades, all to come in under deadlines. I see WAY too often a multi-tier database application, where security is implemented by constantly querying what rights the user has from a "Users" table. They implement security with a bunch of 'if/switch' statements and claim "it's the nature of complex software!" when a security vulnerability is found, rather than putting security on the database.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  5. Re:Just try to remove them... by Samalie · · Score: 3, Insightful

    But you CAN root your phone, which means that these massive security flaws are actually a FEATURE of Android phones, because it will inspire everyone to root their android phone too!

    Duh!

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  6. But Let's Vote Using Smartphones by mtrachtenberg · · Score: 4, Insightful

    I hope all of the people thinking it would be very cool and convenient to vote via smart phones (or the internet, or the telephone, or the mail system) will notice that smart phones might not yet be perfect.

    Voting is a classic example of a situation where the requirements cry out for appropriate technology.

    The requirements are unique: you must not be able to prove how you voted, you must not be able to sell your vote or be coerced by anyone, you should be able to have complete confidence that your vote was counted properly along with everyone else's.

    The technology that is required is completely straightforward -- people have to go to protected locations, create physically countable and non-traceable artifacts that represent their uncoerced opinions, deposit these artifacts into a locked box at the location, and know that the contents of the locked box are properly reflected in the results.

    The best way to accomplish the last step is to count the contents in public before the contents are moved, and to generate and digitally sign images of the artifacts so that anyone who wants to confirm your count is an accurate representation of the contents is able to do that.

    All attempts to modernize voting for convenience's sake are misguided. All opinions that making a simple approach more complex to speed up the distribution of results are misguided. Something that is convenient but cannot be checked is not appropriate for voting. And any time a computer scientist tells you how secure something is, introduce them to real people and the way they protect their passwords.

    1. Re:But Let's Vote Using Smartphones by Dr_Barnowl · · Score: 3, Insightful

      The appropriate technology for voting is a pencil.

      Anything mechanized or computerized might be splendid, efficient, and offer a whole host of other benefits. But they all lack the absolutely vital feature; the average man on the street must be able to audit it. And verily, should be required to do so.

      Making a voting system where only a limited set of technocrats can audit it's veracity is madness.

    2. Re:But Let's Vote Using Smartphones by The+Good+Reverend · · Score: 2

      Even if the voting machine is a pencil, as long as the counting machine is a computer, we run into the same issue. Sure, it can be audited, but that's not going to happen the majority of the time.

    3. Re:But Let's Vote Using Smartphones by mtrachtenberg · · Score: 2

      And that's why, in addition to hand counting of the ballots at the precinct, there ought to be (at least) a digital image backup enabling complete redundant counting off the images.

      The best approach would be to generate the image collection, on unchangeable media, at the precinct at the close of polls. This should probably be generated from an independent scanning station, so that the ballots can be shuffled prior to scanning. This copy should be created at the precinct, because that is where workers can check the permanent copy against the ballots themselves. Read about the Humboldt County Election Transparency Project, which has taken baby steps towards this destination.

      This is a naturally distributed problem -- it would be easy for poll workers to do a 100% hand check of a permanent record of 500 images, though it might be hard to do this for a stack of 50,000 images once the ballots have been collected to a single point.

      The remaining question becomes "how do I know that the digitally signed collection I receive matches that which was generated at the precinct on election night?" That, unfortunately, continues to depend on key management, as far as I can tell.

    4. Re:But Let's Vote Using Smartphones by elsurexiste · · Score: 4, Interesting

      Let's be honest: the average man can't audit anything. In the end, it's more about trust than technology.

      Can I trust that no one will fold the ballot in a certain, unique way that would allow someone to tell it apart? Can I trust that no one will add a doodle that will equally provide a "signature"? If I can't, then I must admit there are ways to prove how someone voted.

      Can I trust that no one will use the signatures describe above to identify a voter and pay/coerce? Can I trust that everyone will uphold the secrecy? If I can't, then I must admit that votes may be up for sale or manipulation.

      Can I trust that no one will miscount? Can I trust that the people counting are impartial and not subject to coercion? Can I trust that, even if I'll never be present at the counting and audit the system myself, it will be carried out perfectly? If I can't, then I must admit that the whole counting thing will eventually be rigged.

      There's only one reason an average man on the street trusts the system (if he does): it's familiar. Just like his trust on https, credit cards, or the expiration date of his food. Regulations for voting give trust to Average Joes and Janes because they are familiar with those measures and can somewhat understand how are they supposed to prevent rigging, not because they are effective (this is true for a lot of situations, TSA comes to mind). If people trust electronic voting systems, then they'll become the appropriate technology.

      I'm sick and tired of hearing "You can't be 100% sure of X with electronic voting systems! The whole system is crap!" or "Aha! The 7th step in your chain of validations can be manipulated! The whole system is crap!". Well, it isn't. Look at elections worldwide: they are done in P&P, yet everyone says they are rigged, regardless of international (and supposedly impartial) auditing. Regardless of analysis. Just because people don't have trust in it.

      We can't, therefore, judge a voting system just on how inexpugnable they are: the only thing we can do is put enough checks and barriers to make it really hard to break the main requirements, we do enough information campaigns to explain in layman terms what's going on, and we friggin' trust on the outcome. We are losing some great stuff (i.e. precision and accuracy) just because we demand things we never had and never will.

      Now, let the /. crowd proceed to mod me down. But before that, my ad hominem. Your comment is group-think at its finest. Only a few people bring nice arguments to the /. table nowadays; the rest just repeats whatever the consensus is and are happy to maintain the status quo. Use your friggin' brain and don't follow the herd.

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    5. Re:But Let's Vote Using Smartphones by swillden · · Score: 2

      You should look into Scantegrity, developed by security researchers David Chaum and Ron Rivest (the latter is the 'R' in RSA).

      It is an automated, scanner-based voting system which is more secure than pencil and paper systems, precisely because it's more auditable. It actually enables each voter to verify that his or her ballot was counted correctly in the final tally -- but without giving the voter the ability to prove who they voted for to anyone else, to eliminate issues of vote coercion. The system also allows auditors (which can be anyone who is interested) to verify that no additional ballots were added to the system, and that the ballots were tallied correctly. Manual recounts can also be performed if someone doesn't trust the mathematical proofs of correctness (though the manual recounts are more likely to introduce errors than to correct them).

      Technology actually can improve over the traditional ballot.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Re:facepalm by The+Moof · · Score: 4, Insightful

    Yea, sure bugs exist. But when you force this software on your customers, and restrict their ability to remove the software, you better make damn sure that software's secure.

  8. Re:facepalm by TheCouchPotatoFamine · · Score: 2

    so true! at least put security at the method call level, not in the code-body! A user of an API should NOT be capable of even running if the user does not have permission!

    --
    CS majors know the time/space tradeoff, but they never get taught the 3rd, crucial, tradeoff of the set: comprehension!
  9. Re:Its actually worse that that by Wamoc · · Score: 2

    This same poster did the same link earlier in the comments and it was reported as Goatse. Please mod parent down.

  10. Re:facepalm by MozeeToby · · Score: 5, Insightful

    Nope. This complex software (Android) has a surprisingly good security model. Carriers are installing software which ignores permissions, is not removable by the user, and creates new, serious security issues. The carriers are being evil and/or incompetent.

  11. Re:Not Exactly Shocking... by Galestar · · Score: 3, Insightful

    No no and no. Open source is not by definition vulnerable. Also, if you bother to read the title, let alone RTFA, you'd notice it is the handset manufacturer that is making the security blunders. The reference implementation (the open source stuff) "had relatively minor security issues".

    Open source, assuming you have enough (competent) people working on it, is MORE secure than closed source.

    In short, it appears you have some rather backwards pre-conceived notions about open source, and apparently you also have a reading comprehension problem.

    --
    AccountKiller
  12. HTC and Samsung by ThatsNotPudding · · Score: 5, Funny

    However, the researchers have 'experienced major difficulties' in trying to report issues to HTC and Samsung.

    No problem. Just repeat your findings into one of their phones: they'll literally get the message via CarrierIQ.

  13. Re:facepalm by sexconker · · Score: 4, Interesting

    You say this, like something complex is doomed to be incomprehensible to do correctly. Simple fact of the matter is, these silly folks are still using strlen(...) and ridiculously bad coding practices, known for decades, all to come in under deadlines.

    I see WAY too often a multi-tier database application, where security is implemented by constantly querying what rights the user has from a "Users" table. They implement security with a bunch of 'if/switch' statements and claim "it's the nature of complex software!" when a security vulnerability is found, rather than putting security on the database.

    Uh, what other way is there to implement a rights check?
    Whether you get your data once or a hundred times, or whether you do a specific check or rely on the OS do it, it doesn't matter - it's still a table of users + rights, and a bunch of conditional statements the cpu plows through. You may argue that it's more error prone if you're writing a query and an if statement every time a check is needed, rather than using an API or relying on the OS to automatically call its own APIs. But you can't say it's less secure until you actually have an incident where there was an error that would have been prevented by calling the API instead of doing an ad-hoc query + if.

    More likely to be insecure != insecure != less secure.

  14. Re:I love drop-through logic... by thestudio_bob · · Score: 3, Funny

    if (x if (x == 0) { do_other_stuff(); exit;}
    if (x > 1) {
    ... establish restrictions ...

    perform_secure_operation();

    }
    ...So... what happens when x == 1

    } else {
    ... user equals root.
    }

    --
    The real Sig captains the Northwestern. This one captains /.
  15. Re:Android sucks by JustOK · · Score: 5, Funny

    he tried using "Frosty piss" with Siri, but it gave him directions to closest outdoor bathroom

    --
    rewriting history since 2109
  16. Re:facepalm by CmdrPony · · Score: 3, Insightful

    Wait, what now? So when it's about Android vulnerabilities it's "Faceplam. This just in: complex software has security vulnerabilities." and when it's about Windows vulnerabilities, Gates should get a death sentence and we should bomb half the planet to kill every human being has ever even touched Windows?

  17. Re:facepalm by AJH16 · · Score: 3, Insightful

    How then do you prevent the user from circumventing the application and using their db permissions to misbehave directly if the user should only be able to do certain things in certain situations? To say blanketly that the only correct approach to security is to implement it at the db level is naive as there are many situations where it is not desirable that the user have any permission to the DB other than through the application. It would be nice if it was possible to have a combined security that would only allow the user to have permission while going through the application, but that is also notoriously difficult (if not impossible) to implement in many situations or on certain platforms.

    --
    AJ Henderson
  18. Re:facepalm by TheRealMindChild · · Score: 2

    Your database is likely "remote" compared to the application. That is, the database is only accessible through a remote protocol, so that, unless the DB has security issues, the application AND the user can NOT do anything to the data store that they shouldn't. I see a few replies like yours... and that is the problem. If a user shouldn't be able to delete records from the "Whatever" table, accessing the database outside of the application should yield no more rights than through the application. Alike, if a user shouldn't be able to manipulate file X, then you need to implement security on the OS/Filesystem level, detached from the application. Logic in the application level can ALWAYS be circumvented, if even just with a hex editor.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  19. Re:Android = Windows 98 by wierd_w · · Score: 3, Informative

    The real problem with android, is that handset makers release closed source binary drivers.

    This creates a powerful barrier to entry against rom hackers like the cyanogen team.

    Personally, I would like to see google smack some bitches by demanding either open source drivers only, or supplying feature complete whitepapers for all devices released with closed drivers intended for the android platform.

    This would create a permanent hole in the current software lockdowns carriers and handset makers use.

    My own phone, a samsung sidekick 4g, is basically a galaxy series device inside, but is not supported by cyanogen because of binary drivers issues, and a not fully documented cpu variant. I would very much like to ditch the stock rom, and not have to rely on cooked roms based on it, and finally get something newer than froyo with a facelift.

    Requiring open drivers or feature complete white papers would fix that.

  20. Re:facepalm by UnknowingFool · · Score: 3, Insightful

    If you bothered to read the summary, the vulnerabilities lie in how the manufacturers implemented Android. To use an analogy if Dell made PCs that had a vulnerability because of the sound drivers they implemented, the fault lies with Dell. Where we give MS grief is Windows vulnerabilities affect versions of Windows regardless of the OEM that installed it.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  21. Re:Not Exactly Shocking... by HiThere · · Score: 2

    You are presuming that they are blunders rather than something more sinister. This may be a correct presumption, but should not be presumed so. The actual fact is, we don't know why they are doing this. If it's a mistake, someone else will take advantage of it, if it's intentional, they will, perhaps by selling the information, perhaps more directly.

    So the reason is less important than the fact. But it's not unimportant, so it shouldn't be presumed. While there's insufficient information it should remain undecided.

    That said, yes, there are reasons why FOSS is generally more secure. One of them is the expectation of errors being revealed. We all want to avoid embarrassment. Closed source software doesn't usually need to worry about that.

    Unfortunately, this sounds like basic flaws in simple designs. Either the products are incredibly shoddy (possible when everything is being done as fast as possible as cheaply as possible), or the companies intend to take advantage of the errors which were not expected to be made public. Perhaps one of the law suits that have been launched over Carrier IQ will provide information to decide which.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  22. Re:Where are the free source code scrubbers? by Miamicanes · · Score: 2

    They exist (though they're extremely immature at the Android end of the spectrum), but they're breathtakingly expensive. I'm not allowed to cite specific products or prices, but we're talking "annual licensing fees comparable to the salary of a full-time human employee for 3-6 months" expensive.

  23. Re:Where are the free source code scrubbers? by TheRaven64 · · Score: 2

    The static analyser in clang is free and would catch several of the things that people who R'd TFA say were mentioned.

    --
    I am TheRaven on Soylent News
  24. Re:facepalm by thoromyr · · Score: 2, Insightful

    If you read the paper you would find that *Google* phones also suffered from the problem, albeit to the least degree. Both the Nexus One and Nexus S did not effectively protect the DELETE_PACKAGES permission. That isn't exactly insignificant. Now, the likelihood of a google fixing it is rather higher than Samsung or HTC who ignored the researchers reports prior to release of the paper, but it isn't *just* a carrier issue.

  25. Re:facepalm by Anonymous Coward · · Score: 2, Informative

    Well maybe you need to read more closely too -- Those two phones allowed DELETE_PACKAGES to be called on a hard-coded string related to the pico TTS component. Basically if you used this method, you would uninstall part of a text to speech engine. This is not exactly critical. The carrier leaks potentially considerably worse though.