Android's Big Security Flaw, and Why Only Google Can Fix it
Device makers and carriers let patches languish, so users may not ever get them -- a new approach is sorely needed
Thu, October 06, 2011
InfoWorld — In August 2010, hackers bent on jailbreaking Android smartphones found a vulnerability in the way the Android debugger handled an overwhelming number of processes. The code designed to exploit the flaw, dubbed RageAgainstTheCage, allowed users to reflash their smartphone and install custom firmware.
Google quickly patched the vulnerability in the Android Open Source Project, but there the fix languished. Smartphone manufacturers did not make pushing the patch out to users a priority. So, in March 2011, malicious programmers found an opportunity with the unpatched vulnerability: A Trojan horse dubbed DroidDream exploited the security issue to compromise more than 250,000 unpatched Android smartphones.
[ See why Apple's iOS is the most secure mainstream OS today. | Learn how to manage iPads, iPhones, Androids, BlackBerrys, and other mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]
Nearly a year later, despite the threat of similar attacks, more than half of Android smartphones remain vulnerable to the flaw, according to mobile security firm Lookout.
The Android operating system's patch process poses a quandary for Google and a danger to users. Android's openness allows bugs to be found faster, but that benefit is offset by a longer supply chain in which manufacturers and vendors test patches at a glacial pace. Smartphone manufacturers must first create custom builds of the operating system that include their add-on software, then they test the software. Next, carriers take the firmware update and test it to make sure it does not harm their networks. The end result: Pushing patches out to users' smartphones is slowed. (Google declined to discuss the issue with InfoWorld.)
"The fundamental problem is that there are too many cooks in the kitchen," says Timothy Vidas, a doctoral researcher at Carnegie Mellon University focusing on Android security.
Android: A reverse-engineer's dream
In a presentation on Android security at the Usenix Workshop on Offensive Technologies, Vidas and his colleagues pointed to patching delays as a major security issue for Android-based smartphones. The Android 2.2 "Froyo" operating system, for example, was released in May 2010, fixing major vulnerabilities. Yet Motorola Mobility and HTC took seven months to issue an update for their smartphones. Samsung took even longer, releasing its software update nearly a year later (in spring 2011), according to the CMU researchers.
For attackers, the delays are a boon, because they can study the fixes and create exploits for the masses of unpatched devices. "Attacks stay viable for much longer, and a crafty user can actually reverse-engineer some of the earlier patches to find the vulnerability and use that to exploit slower updating devices," says Daniel Votipka, a CMU researcher and co-author of the Android security report (video).
