Slashdot Mirror


One Billion Android Devices Open To Privilege Escalation

msm1267 (2804139) writes "The first deep look into the security of the Android patch installation process, specifically its Package Management Service (PMS), has revealed a weakness that puts potentially every Android device at risk for privilege escalation attacks. Researchers from Indiana University and Microsoft published a paper that describes a new set of Android vulnerabilities they call Pileup flaws, and also introduces a new scanner called SecUP that detects malicious apps already on a device lying in wait for elevated privileges. The vulnerability occurs in the way PMS handles updates to the myriad flavors of Android in circulation today. The researchers say PMS improperly vets apps on lower versions of Android that request OS or app privileges that may not exist on the older Android version, but are granted automatically once the system is updated.

The researchers said they found a half-dozen different Pileup flaws within Android's Package Management Service, and confirmed those vulnerabilities are present in all Android Open Source Project versions and more than 3,500 customized versions of Android developed by handset makers and carriers; more than one billion Android devices are likely impacted, they said."
Handily enough, the original paper is not paywalled.
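The check below is an added example, not code from the paper and not SecUP: it compares the permissions that installed apps request against the permission lists of the running and the target Android version, and reports requests that are dormant today but would be honoured after the upgrade. The manifests, package names and per-release permission subsets are constructed for illustration; `android.permission.INTERACT_ACROSS_USERS` (added in Android 4.2) serves as the sample permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def names(manifest_xml, tag):
    """android:name values of every <tag> element in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter(tag)} - {None}

def dormant_requests(platform_perms, manifests):
    """Map package -> requested permissions that nothing on the device defines."""
    # App-declared permissions count as defined, except names in the platform's
    # own namespace, which only the OS should be defining.
    app_defined = {p for doc in manifests.values()
                   for p in names(doc, "permission") if not p.startswith("android.")}
    known = set(platform_perms) | app_defined
    found = {}
    for pkg, doc in manifests.items():
        missing = sorted(names(doc, "uses-permission") - known)
        if missing:
            found[pkg] = missing
    return found

def activated_by_upgrade(old_perms, new_perms, manifests):
    """Dormant requests that the new OS version would start honouring."""
    added = set(new_perms) - set(old_perms)
    dormant = dormant_requests(old_perms, manifests)
    hits = {pkg: [p for p in perms if p in added] for pkg, perms in dormant.items()}
    return {pkg: live for pkg, live in hits.items() if live}

# Constructed sample data: manifests and small per-release permission subsets.
def manifest(pkg, *requested, defines=""):
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in requested)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}">{defines}{uses}</manifest>')

MANIFESTS = {
    "com.example.sync": manifest("com.example.sync", "android.permission.INTERNET",
        defines='<permission android:name="com.example.sync.PUSH"/>'),
    "com.example.notes": manifest("com.example.notes", "android.permission.INTERNET",
        "com.example.sync.PUSH", "com.example.missing.READ"),
    "com.example.flashlight": manifest("com.example.flashlight",
        "android.permission.INTERNET", "android.permission.INTERACT_ACROSS_USERS"),
}
ANDROID_4_0 = {"android.permission.INTERNET", "android.permission.READ_CONTACTS"}
ANDROID_4_2 = ANDROID_4_0 | {"android.permission.INTERACT_ACROSS_USERS"}

if __name__ == "__main__":
    print(activated_by_upgrade(ANDROID_4_0, ANDROID_4_2, MANIFESTS))
```

The scan has to run against the pre-upgrade permission list: once the device is on the newer release the request no longer looks undefined, which is why the same manifests produce no finding for the flashlight package when checked against the 4.2 set alone.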

2 of 117 comments

  1. Re:Nope by Todd Knarr · Score: 5, Insightful

    The problem here is that the permissions system goes beyond just ordinary user permissions. The system itself uses permissions to control which parts of the system can do what, and those permissions are normally only available to system components (trying to install an app that asks for those permissions results in the app being rejected because it doesn't qualify to get those permissions). For instance, the "Across_users" permission was added to Android 4.2, and allows system components to break through the normal restrictions that separate different users in the system. An app with this permission can reach out and directly affect everything on the phone, not just the things that belong to it. It's restricted to Android system components only. But if I install an app that asks for it on an Android 4.0 device, the app will install without any warnings. If the device is then upgraded to 4.2, the app will silently get the "Across_users" permission activated. So now we have a user-installed app which has a permission that it could never legitimately have that lets it bypass security and the sandbox, and the user will be unaware of the problem. It's very definitely NOT just a UI issue.

    In the Unix world it'd be equivalent to finding an other-writable directory sitting in the root user's PATH, and in that directory are executables named "ls", "cat" and so on. It's the kind of thing that'd make a security admin excrete cinder blocks at velocities sufficient to have them achieving high orbit, ceilings notwithstanding.

  2. Android has an even bigger problem with privileges by Srin Tuar · Score: 5, Insightful

    In that it still doesn't allow line-item veto of app privileges.

    This should be the most basic feature.