In-brief: Google’s insistence on stricter security policies in the latest release of its Android mobile operating system is being watered down by the company’s partners, who undermine the stricter OS security with weak or insecure policies and device configurations, a new report from Aalto University in Finland finds.
The folks over at The Register picked up on an interesting paper from researchers at Aalto University in Finland (PDF here) which found that recent security improvements in Google’s “Lollipop” release of its Android mobile operating system are failing to reach Android users, with Android original equipment manufacturers (OEMs) the culprit.
Specifically, the researchers studied adherence to Google’s requirement, introduced with the 5.0 Lollipop release of Android, that all processes run inside confined SEAndroid access control domains. An analysis of SEAndroid policies from a number of 5.0 Lollipop devices on the market, however, revealed that OEM modifications to Android often relax Google’s strict policies, creating opportunities for would-be attackers.
From the article:
The errors arise because OEMs aren’t coping with turning product around quickly enough to compete, while trying to make sure their implementations comply with the SEAndroid security policy.
An over-reliance on default profiles can result in pointers to sensitive resources from untrusted domains being accepted. The researchers also found that OEMs rely too heavily on predefined domains on Android like system_app or platform_app, instead of creating separate domains for each of their apps. That leads to multiple mobile applications on an Android device sharing the same “allow” rules for a given domain, increasing the opportunity for abuse. Finally, the researchers found that many Android devices are larded up with forgotten rules, many auto-generated or linked to obsolete drivers. With knowledge of those “allow” rules, attackers can exploit them.
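The three policy weaknesses described above (OEM apps piled into shared predefined domains such as system_app and platform_app, untrusted domains reaching sensitive resources, and forgotten rules left over from obsolete drivers) can each be spotted by auditing the text-form SEAndroid policy. The following Python script is an added example, not code from the Aalto paper, The Register, or Security Ledger. It parses a constructed baseline policy and a constructed device policy, reports the allow rules the device adds, and flags the three smells. The baseline comparison, the list of domains treated as untrusted, the `dev_type` attribute as the marker for sensitive targets, and the sample policy and file_contexts text are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a tiny AOSP-style reference policy used as the assumed baseline.
BASELINE_POLICY = """
type system_app, domain;
type platform_app, domain;
type untrusted_app, domain;
type system_data_file, file_type;
type app_data_file, file_type;
type sensors_device, dev_type;
allow system_app system_data_file:dir { read search };
allow untrusted_app app_data_file:file { read write };
"""

# Constructed sample: the same policy after hypothetical OEM additions.
DEVICE_POLICY = BASELINE_POLICY + """
type oem_cal_device, dev_type;
type oldsensor_device, dev_type;
allow platform_app sensors_device:chr_file { read write ioctl };
allow system_app oem_cal_device:chr_file { read write };
allow untrusted_app sensors_device:chr_file { read write };
allow system_app oldsensor_device:chr_file { read write ioctl };
"""

# Constructed file_contexts for the device: the types that actually label a path.
DEVICE_FILE_CONTEXTS = """
/dev/sensors   u:object_r:sensors_device:s0
/dev/oem_cal   u:object_r:oem_cal_device:s0
/data(/.*)?    u:object_r:system_data_file:s0
"""

SHARED_DOMAINS = {"system_app", "platform_app"}  # predefined domains named in the article
UNTRUSTED_DOMAINS = {"untrusted_app"}            # assumption: domains treated as untrusted
SENSITIVE_ATTRS = {"dev_type"}                   # assumption: device nodes count as sensitive

TYPE_RE = re.compile(r"^type\s+(\w+)((?:\s*,\s*\w+)*)\s*;", re.M)
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)


def parse_policy(text):
    """Return (type -> attributes, (src, tgt, class) -> permissions) for TE policy text."""
    attrs = {}
    for name, attr_list in TYPE_RE.findall(text):
        attrs[name] = {a.strip() for a in attr_list.split(",") if a.strip()}
    rules = defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules[(src, tgt, cls)].update(perms.strip("{}").split())
    return attrs, rules


def labelled_types(file_contexts):
    """Types that label at least one path in a file_contexts file."""
    return set(re.findall(r"u:object_r:(\w+):s\d+", file_contexts))


def added_permissions(base_rules, dev_rules):
    """Permissions present in the device policy but absent from the baseline."""
    added = {}
    for key, perms in dev_rules.items():
        extra = perms - base_rules.get(key, set())
        if extra:
            added[key] = extra
    return added


def audit(baseline, device, file_contexts):
    """Flag three OEM policy smells: widened shared domains, untrusted access to
    sensitive types, and rules whose target type labels nothing (likely stale)."""
    _, base_rules = parse_policy(baseline)
    dev_attrs, dev_rules = parse_policy(device)
    labelled = labelled_types(file_contexts)
    findings = {"shared_domain_widened": {}, "untrusted_to_sensitive": {}, "stale_targets": set()}
    for (src, tgt, cls), perms in added_permissions(base_rules, dev_rules).items():
        tgt_attrs = dev_attrs.get(tgt, set())
        if src in SHARED_DOMAINS:
            findings["shared_domain_widened"][(src, tgt, cls)] = sorted(perms)
        if src in UNTRUSTED_DOMAINS and tgt_attrs & SENSITIVE_ATTRS:
            findings["untrusted_to_sensitive"][(src, tgt, cls)] = sorted(perms)
        if "domain" not in tgt_attrs and tgt not in labelled:
            findings["stale_targets"].add(tgt)
    findings["stale_targets"] = sorted(findings["stale_targets"])
    return findings


if __name__ == "__main__":
    report = audit(BASELINE_POLICY, DEVICE_POLICY, DEVICE_FILE_CONTEXTS)
    for category, items in report.items():
        print(f"== {category} ==")
        for item in (items.items() if isinstance(items, dict) else items):
            print("  ", item)
```

On a real handset the policy ships compiled, so the allow rules would first be dumped to text (for example with the setools `sesearch` utility) before being fed to a script like this; the three checks mark candidates for review rather than confirmed weaknesses, and the "stale target" heuristic in particular only says that a type has rules but labels no path in file_contexts, which is exactly the footprint a rule left behind by a removed driver would have.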
Google’s fateful decision to release Android as an open source operating system has helped promote its adoption. But it has also created an Android install base that is fractured and impossible to manage. A recent study, “Security Metrics for the Android Ecosystem,” (PDF) by Alastair Beresford at the University of Cambridge found “significant variability in the timely delivery of security updates across different device manufacturers and network operators.” The result: an average of 88% of Android devices are “exposed to at least one of 11 known critical vulnerabilities,” Beresford found.