Google researchers suggest Android OEMs add vulnerable code

By Scorpus
Nov 4, 2015
  1. Security researchers at Google have discovered that Android manufacturers don't do much to improve the security of the ecosystem, especially if they're adding custom skins and software to the operating system.

    The team at Google analyzed Samsung's Galaxy S6 Edge, running Android 5.1 with TouchWiz, and found 11 "high-impact security issues" that were relatively easy to find during a week's work. The idea was to see how an OEM device differs from a Nexus device running stock Android in its security, and the results shouldn't come as a huge surprise.

    One of the vulnerabilities the researchers discovered in the S6 Edge related to a process that scanned for and automatically unzipped a file in a certain location. Samsung wasn't verifying the file path, however, which allows an attacker to write files to an unexpected system location.

    An issue in Samsung's email client was uncovered that made it easy to forward a user's emails to another account. Another issue in the email client allowed JavaScript embedded in the message to be executed.

    A further three issues were discovered in Samsung's device drivers, and another five in Samsung's image processing software, which allowed an attacker to escalate their privileges in a variety of areas. Some attacks could have originated from a single image file, and in other cases from an unprivileged application.

    When Google notified Samsung of the issues with their handset, the company responded promptly, and has already patched most of the issues in the latest October Maintenance Release. Three lower-severity issues remain unpatched, although a November patch is expected to address these vulnerabilities.

    While Google was impressed at how quickly these issues were addressed, it's obviously not ideal to have OEMs introducing vulnerabilities into the operating system with their dodgy code. Devices with stock Android remain the most secure on the market today, so if you want to keep your device safe, it's probably best to buy a Nexus.

    Permalink to story.
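
The unzip issue described in the story is a missing path check on archive entry names. As an added example (not code from Samsung, Google, or the original article; the function names and sample entry names are hypothetical and constructed here), this is the kind of validation an extractor needs before writing anything, with the archive refused outright if any entry resolves outside the destination directory:

```python
import io
import os
import zipfile


def resolve_inside(dest_dir, entry_name):
    """Return the absolute target for an entry, or None if it would leave dest_dir."""
    root = os.path.realpath(dest_dir)
    # realpath collapses "..", honours absolute entry names and follows symlinks
    target = os.path.realpath(os.path.join(root, entry_name))
    try:
        inside = target != root and os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        inside = False
    return target if inside else None


def extract_checked(zip_bytes, dest_dir):
    """Validate every entry first; write nothing if any entry escapes dest_dir.

    Returns (written_paths, rejected_names)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan, rejected = [], []
        for info in zf.infolist():
            target = resolve_inside(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
            elif not info.is_dir():
                plan.append((info, target))
        if rejected:
            return [], rejected  # fail closed: refuse the whole archive
        written = []
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
        return written, rejected


def build_archive(names):
    """Constructed sample input: an in-memory zip with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()
```
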

  2. Skidmarksdeluxe

    "it's probably best to buy a Nexus".
    Nah, not the best value for money, not here anyway and I'm not particularly fond of Nexus devices, not since that humongous contraption of last year and the 5X & 6P haven't changed my perception. Anyway Samsung seems to be delivering on their promise to patch the OS regularly. Since that promise my device has been updated four times although I have no idea what they're busy fixing, but one was an OS update from 5.0.2 to 5.1.1. I'm not holding my breath for 6.0 but it would be nice.
  3. wiak

    Devices with stock Android remain the most secure on the market today, so if you want to keep your device safe, it's probably best to buy a Nexus or Root it yourself

    Most of the time the OEM-modded stock firmware is horrible compared to forks like CyanogenMod, SlimLP, etc.
