Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find Big Leaks In Pre-installed Android Apps

Posted by Soulskill on from the secure-your-leaking-data-with-large-bucket dept.

An anonymous reader sends this quote from an article at Ars Technica: "Researchers at North Carolina State University have uncovered a variety of vulnerabilities in the standard configurations of popular Android smartphones from Motorola, HTC, and Samsung, finding that they don't properly protect privileged permissions from untrusted applications (PDF). In a paper just published by researchers Michael Grace, Yajin Zhou, Zhi Wang, and Xuxian Jiang, the four outlined how the vulnerabilities could be used by an untrusted application to send SMS messages, record conversations, or even wipe all user data from the handset without needing the user's permission. The researchers evaluated the security of eight phones: the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. While the reference implementations of Android used on Google's handsets had relatively minor security issues, the researchers were 'surprised to find out these stock phone images [on the devices tested] do not properly enforce [Android's] permission-based security model.' The team shared the results with Google and handset vendors, and have received confirmation of the vulnerabilities from Google and Motorola. However, the researchers have 'experienced major difficulties' in trying to report issues to HTC and Samsung."

6 of 136 comments (clear)

  1. Cyanogenmod by Skarecrow77 · · Score: 5, Insightful

    What does it say when I trust a bunch of random coders on the internet to give me a better performing, more secure, and overall more pleasing experience with my smartphone than the company that created it.

    1. Re:Cyanogenmod by NatasRevol · · Score: 5, Funny

      That they stood on the shoulders of giants, and combed their hair?

      --
      There are two types of people in the world: Those who crave closure
  2. Re:facepalm by TheRealMindChild · · Score: 5, Insightful

    You say this, like something complex is doomed to be incomprehensible to do correctly. Simple fact of the matter is, these silly folks are still using strlen(...) and ridiculously bad coding practices, known for decades, all to come in under deadlines. I see WAY too often a multi-tier database application, where security is implemented by constantly querying what rights the user has from a "Users" table. They implement security with a bunch of 'if/switch' statements and claim "it's the nature of complex software!" when a security vulnerability is found, rather than putting security on the database.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  3. Re:facepalm by MozeeToby · · Score: 5, Insightful

    Nope. This complex software (Android) has a surprisingly good security model. Carriers are installing software which ignores permissions, is not removable by the user, and creates new, serious security issues. The carriers are being evil and/or incompetent.

  4. HTC and Samsung by ThatsNotPudding · · Score: 5, Funny

    However, the researchers have 'experienced major difficulties' in trying to report issues to HTC and Samsung.

    No problem. Just repeat your findings into one of their phones: they'll literally get the message via CarrierIQ.

  5. Re:Android sucks by JustOK · · Score: 5, Funny

    he tried using "Frosty piss" with Siri, but it gave him directions to closest outdoor bathroom

    --
    rewriting history since 2109