Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/5/2013
04:41 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Custom Features Incur Security Flaws In Popular Android Smartphones

Researchers find vulnerabilities in preloaded customized apps and features

It's not the Android app stores that you need to worry most about: The biggest security weaknesses in most Android smartphones today are the custom apps and features that come packaged with the devices, new research shows.

Those are some of the findings from researchers at NC State who recently studied how custom vendor features on Android smartphones affect the security of the devices. Some 60 percent of all vulnerabilities the researchers found in popular smartphone models were due to what the researchers call "vendor customizations," or features the smartphone manufacturers tweak or include with the phones.

Another shocker: Newer smartphone models aren't necessarily more secure, according to NC State researchers Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, and Xuxian Jiang, who will present their research tomorrow at the ACM Conference on Computer and Communications Security in Berlin.

"We all know that Android, though popular, has one major problem: fragmentation. Among other [things], vendor customizations play a key role in contributing to the fragmentation," Jiang said in an email interview. "We are interested in better understanding how vendor customizations will impact overall Android security."

[Google Android's single sign-on feature 'weblogin' convenient but risky to an organization's Google Apps, DEF CON researcher shows. See One Hacked Android User Can Lead To An Enterprise Breach .]

Jiang and his team studied Android Version 2.X and Version 4.X models from Samsung, HTC, LG, Sony, and Google -- specifically, the Samsung Galaxy S2 and S3; the HTC Wildfire S and One X; the LG Optimus P350 and Optimus P880; Sony Xperia Arc S and Xperia SL; and the Google Nexus S and Nexus 4. Some 80 percent of the apps on those phones were preloaded and customized by the smartphone manufacturers; all 10 devices were vulnerable due to those preloaded apps.

Jiang said the team's research uncovered other surprising trends: On average, 85 percent of all of these preloaded apps have too many user privileges on the devices, thanks to vendor customization. That means an app gets permissions it wouldn't actually use, such as the ability to send SMS messages, record audio, or make phone calls without the user's permission, for example.

The Android Version 2.x phones each contained an average of 22.4 vulnerabilities; the newer Version 4.x phones, an average of 18.4 vulnerabilities.

Upgrading to the newest smartphone model doesn't necessarily help securitywise, the researchers found. Every time the vendor customizes more features on the phone, it opens the door for more security flaws. "While a newer Android phone may run a newer version of OS , which might already fix vulnerabilities present in older versions, vendor customizations, however, being significant on these devices, could still introduce additional vulnerabilities into newer phones," Jiang said.

Of the Android 4.x phones, the Google Nexus 4 performed the best, with just three total vulnerabilities, and the Galaxy S3 fared worst, with 40 total bugs. That was only a slight improvement overall from the Android 3.x phones, however, where the Google Nexus S and the Sony Xperia Arc each had eight flaws (the lowest), the HTC Wildfire S had 40 flaws, and the Samsung Galaxy S2, 39.

Buyers can't do much about these preloaded apps, Jiang said, but smartphone manufacturers can step up by taking security and privacy more seriously in their designs. He said they should adopt the least-privilege principle when building apps and conduct white- and black-box vulnerability analysis to find and fix bugs.

"Through this study, we hope to highlight the need for heightened focus on security by the smartphone industry. And the work was supported in part by the U.S. National Science Foundation," Jiang says.

The full NC State research paper, titled "The Impact of Vendor Customizations on Android Security," is available here (PDF) for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7989
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userUsername XSS.
CVE-2020-7990
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/user/add userName XSS.
CVE-2020-7991
PUBLISHED: 2020-01-26
Adive Framework 2.0.8 has admin/config CSRF to change the Administrator password.
CVE-2020-7984
PUBLISHED: 2020-01-26
SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information. The attacker can use a customer ID to self register and read any aspects of the agent/a...
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...