Google researchers suggest Android OEMs add vulnerable code

Scorpus


Security researchers at Google have discovered that Android manufacturers don't do much to improve the security of the ecosystem, especially if they're adding custom skins and software to the operating system.

The team at Google analyzed Samsung's Galaxy S6 Edge, running Android 5.1 with TouchWiz, and found 11 "high-impact security issues" that were relatively easy to find during a week's work. The idea was to see how an OEM device differs from a Nexus device running stock Android in its security, and the results shouldn't come as a huge surprise.

One of the vulnerabilities the researchers discovered in the S6 Edge related to a process that scanned for and automatically unzipped a file in a certain location. Samsung wasn't verifying the file path, however, which allowed an attacker to write files to an unexpected system location.

An issue in Samsung's email client was uncovered that made it easy to forward a user's emails to another account. Another issue in the email client allowed JavaScript embedded in the message to be executed.

A further three issues were discovered in Samsung's device drivers, and another five in Samsung's image processing software, which allowed an attacker to escalate their privileges in a variety of areas. Some attacks could have originated from a single image file, and in other cases from an unprivileged application.

When Google notified Samsung of the issues with their handset, the company responded promptly, and has already patched most of the issues in the latest October Maintenance Release. Three lower-severity issues remain unpatched, although a November patch is expected to address these vulnerabilities.

While Google was impressed at how quickly these issues were addressed, it's obviously not ideal to have OEMs introducing vulnerabilities into the operating system with their dodgy code. Devices with stock Android remain the most secure on the market today, so if you want to keep your device safe, it's probably best to buy a Nexus.

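The check the story says was missing from the unzip process, validating each archive entry's path before writing it, can be sketched as follows. This is an added example, not Samsung's or Google's code and not part of the original story; the class name `SafeUnzip`, the helper `zipWith` and the sample entry names are assumptions constructed for illustration.

```java
import java.io.*;
import java.nio.file.Files;
import java.util.zip.*;

public class SafeUnzip {
    // Extract zipData under destDir; refuse any entry that resolves outside it.
    static void extract(InputStream zipData, File destDir) throws IOException {
        String root = destDir.getCanonicalPath() + File.separator;
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                File target = new File(destDir, e.getName());
                // Canonicalising resolves "../" segments before the prefix check.
                if (!target.getCanonicalPath().startsWith(root)) {
                    throw new IOException("entry escapes destination: " + e.getName());
                }
                File dir = e.isDirectory() ? target : target.getParentFile();
                if (!dir.isDirectory() && !dir.mkdirs()) {
                    throw new IOException("cannot create " + dir);
                }
                if (e.isDirectory()) continue;
                try (OutputStream out = new FileOutputStream(target)) {
                    byte[] buf = new byte[8192];
                    for (int n; (n = zin.read(buf)) != -1; ) out.write(buf, 0, n);
                }
            }
        }
    }

    // Constructed sample archive holding one entry with the given name.
    static byte[] zipWith(String name) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bytes)) {
            zout.putNextEntry(new ZipEntry(name));
            zout.write("sample".getBytes("UTF-8"));
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = new File(Files.createTempDirectory("unzip").toFile(), "dest");
        extract(new ByteArrayInputStream(zipWith("docs/readme.txt")), dest);
        System.out.println("wrote: " + new File(dest, "docs/readme.txt").isFile());
        try {
            extract(new ByteArrayInputStream(zipWith("../outside.txt")), dest);
        } catch (IOException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }
    }
}
```

Extraction stops at the first rejected entry, so entries written before it remain on disk; a caller that needs all-or-nothing behaviour should extract into a scratch directory and move the result into place afterwards.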

 
"it's probably best to buy a Nexus".
Nah, not the best value for money, not here anyway and I'm not particularly fond of Nexus devices, not since that humongous contraption of last year and the 5X & 6P haven't changed my perception. Anyway Samsung seems to be delivering on their promise to patch the OS regularly. Since that promise my device has been updated four times although I have no idea what they're busy fixing, but one was an OS update from 5.0.2 to 5.1.1. I'm not holding my breath for 6.0 but it would be nice.
 
Devices with stock Android remain the most secure on the market today, so if you want to keep your device safe, it's probably best to buy a Nexus or Root it yourself

Most of the time the OEM-modded stock firmware is horrible compared to forks like CyanogenMod, SlimLP, etc.
 