Hardware makers be like ‘everything is fine with our preinstalled software’ THAT SWANKY NEW ANDROID PHONE you’ve bought…good innit? Well according to security boffins at Kryptowire it could be harbouring a selection of some 146 vulnerabilities. For a wee bit of background, an Android phone starts life with pure virginal stock Android on in, then
Hardware makers be like ‘everything is fine with our preinstalled software’
For a wee bit of background, an Android phone starts life with pure virginal stock Android on in, then firms like Samsung, Sony, OnePlus and others part vanilla Android’s digital legs and fire custom apps and interfaces all up inside.
Sometimes this is done with a light-touch, that’s pretty much vanilla Android with a few extras, and other times it results in a heavily customised interface as is the case with Samsung’s TouchWiz and OneUI software.
Depending on how you feel about such UIs, you’re either happy with that situation or really just want a stock Android phone.
Taking a deep dive into Android phones from 29 brands, the researchers found that pre-installed apps and services loaded on top of basic Android introduced vulnerabilities into such phones. Nearly 150 of these vulnerabilities were found, manifesting themselves as executables by local apps or by being executable by ‘signature’ apps.
These vulnerabilities could be exploited to allow apps to do and change things on a phone without a user’s knowledge. For example, some vulnerabilities could enable command execution or dynamic code loading, or even the modification of wireless settings.
While brands working on cheaper phones had such vulnerabilities, so did phones from the Android heavy hitters likes Samsung and Sony.
The problem here is multifaceted. It stems in part from potential shoddiness from hardware makers when it comes to making apps and features to go on top of Android. But it’s also down to third parties providing apps and code that the hardware makers use to enable certain background features in their phones. Pre-installed apps could also come from telecoms carriers who want their apps to be installed on smartphones from hardware makers they have a partnership with.
Vulnerabilities and security holes that affect Android phones are far from new. But a lot of them come from user’s activity downloading dodgy apps or side-loading software from outside of Google’s Play Store. Yet responsibility for that ultimately falls on the user’s shoulders; having devices with what are effectively pre-installed vulnerabilities shouldn’t be.
Kryptowire has a solution to this problem in that it has an automated firmware scanning tool to cook up proof-of-concept attacks and fire them at pre-installed software on phones. That’s all well and good, but it doesn’t exactly help build up trust in hardware makers.
Then again there’s a boatload of Android devices out in the wild from vendors of all sizes, so expecting a cash-strapped startup to have the resources to commit to deep firmware scanning is perhaps a tad unrealistic.
Kryptowire CEO Angelos Stavrou noted that such Android hardware makers are in a bit of a tricky position when it comes to ensuring all the software on their devices is clean from cyber nasties.
“The ecosystem involves hundreds of vendors that are not necessarily cooperating with each other or have any process for quality assurance. Or they might, but some of them have more than others,” Stavrou told Wired. “And in the race to create cheap devices, I believe that the quality of software is being eroded in a way that exposes the end user.”
Stavrou suggested that hardware vendors shouldn’t trust anybody else to have the same level of permissions within their phone systems as they do.
If you’re looking for a solution to this problem, then you’ve come to the wrong place pal, as there isn’t really one for end-users to harness. Being aware of what you download and who you give your phone to would certainly help mitigate the exploitation of these security holes. But aside from that, you’re really at the mercy of the hardware maker’s diligence.
Google does have its Build Test Suite to check that preloaded software isn’t potentially harmful. But Kryptowire’s research indicated that more needs to be done to spot the digital dangers that some phones could come with straight out of the box. µ