Android Zombies

Android Security Undermined by OEMs

OEMs who make Android devices may be watering down security features in the latest releases of Google’s mobile OS, according to a newly published paper.

In-brief: Google’s insistence on stricter security policies with its latest release of the Android mobile operating system is being watered down by the company’s partners, who are undermining stricter OS security with weak or insecure policies and device configuration, a new report from Aalto University in Finland finds.

The folks over at The Register picked up on an interesting paper from researchers at Aalto University in Finland (PDF here) that found that recent security improvements to Google’s “Lollipop” release of its Android mobile operating system are failing to be adopted by Android users, with Android original equipment manufacturers (OEMs) the culprit.

Specifically, the researchers studied adherence to Google’s requirement that all processes must be run inside confined SEAndroid access control domains. That requirement was introduced with the 5.0 Lollipop release of Android. However, an analysis of SEAndroid policies from a number of 5.0 Lollipop devices on the market revealed that modifications to Android by OEMs often relax Google’s strict policies, creating opportunities for would-be attackers.

From the article:

The errors arise because OEMs aren’t coping with turning product around quickly enough to compete, while trying to make sure their implementations comply with the SEAndroid security policy.

An overreliance on default profiles can result in pointers to sensitive resources from untrusted domains being accepted. The researchers also found that OEMs rely too heavily on predefined domains on Android like system_app or platform_app, instead of creating separate domains for each of their apps. That leads to multiple mobile applications on an Android device sharing the same “allow” rules for a given domain, increasing the opportunity for abuse. Finally, the researchers found that many Android devices are larded up with forgotten rules, many auto-generated or linked to obsolete drivers. With knowledge of those “allow” rules, attackers can exploit them.
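One way to audit for the shared-domain finding above, as an added example that is not from the article, the paper or any OEM: diff a device's allow rules against a baseline policy and list which running apps inherit the additions through a predefined domain. The policy text, process names and `vendor_*` types are constructed, and rules that use attributes or brace sets in the source or target field are not expanded.

```python
import re
from collections import defaultdict

# Predefined app domains named in the article, plus untrusted_app (an assumption of this example).
SHARED_DOMAINS = {"system_app", "platform_app", "untrusted_app"}
RULE = re.compile(r"allow\s+(\S+)\s+(\S+?):(\S+)\s+(?:\{([^}]*)\}|(\S+?))\s*;")

def parse_rules(text):
    """Expand 'allow src tgt:class { perms };' lines into (src, tgt, class, perm) tuples."""
    rules = set()
    for src, tgt, cls, braced, single in RULE.findall(text):
        for perm in (braced or single).split():
            rules.add((src, tgt, cls, perm))
    return rules

def oem_additions(baseline_text, device_text):
    """Rules present in the device policy but not in the baseline, grouped by source domain."""
    added = parse_rules(device_text) - parse_rules(baseline_text)
    by_domain = defaultdict(set)
    for src, tgt, cls, perm in added:
        by_domain[src].add((tgt, cls, perm))
    return by_domain

def shared_exposure(by_domain, process_labels):
    """For each predefined domain with added rules, list every process that inherits them."""
    report = {}
    for domain in SHARED_DOMAINS & by_domain.keys():
        procs = sorted(p for p, d in process_labels.items() if d == domain)
        report[domain] = {"processes": procs, "added_rules": sorted(by_domain[domain])}
    return report

# Constructed sample data (not from any real device or from the paper).
BASELINE = """
allow system_app system_app_data_file:file { read write open };
allow platform_app app_data_file:file { read open };
"""
DEVICE = BASELINE + """
allow system_app vendor_diag_device:chr_file { read write ioctl };
allow vendor_fm_app vendor_fm_device:chr_file { read write };
"""
PROCESSES = {  # process name -> domain (the type field of its SELinux label)
    "com.android.settings": "system_app",
    "com.vendor.diagtool": "system_app",
    "com.vendor.fmradio": "vendor_fm_app",
}

if __name__ == "__main__":
    for domain, info in shared_exposure(oem_additions(BASELINE, DEVICE), PROCESSES).items():
        print(domain, info)
```

In the sample, the rule added for the diagnostic tool is also granted to the settings app because both run as `system_app`, while the FM radio app's rules stay confined to its own domain.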


Google’s fateful decision to release Android as an open source operating system has helped promote Android adoption. But it has also created an Android install base that is fractured and impossible to manage. A recent study, “Security Metrics for the Android Ecosystem” (PDF), by Alastair Beresford at the University of Cambridge found that there was “significant variability in the timely delivery of security updates across different device manufacturers and network operators.” The result: an average of 88% of Android devices are “exposed to at least one of 11 known critical vulnerabilities,” Beresford found.

Source: OEMs still the Achilles heel of Android security, say boffins • The Register

2 Comments

  1. Pingback: October 30 | InfraGard Maryland Members Alliance

  2. Blaming OEMs instead of Google is kind of a cop-out (not just kind-of one, it is one). To base an operating system that is clearly one of the widest used (if not the widest used) operating system by now, certainly in the portable market it is — on an operating system with rolling patch cycles and updates and crippling that and its security mechanisms (including privsep, rootability and its ramifications, and so forth) and removing the user from the equation whatsoever IS the problem. I’ve been saying this ever since the first prototypes came out and this was not part of the plan. This can’t honestly be an oversight. This is a flat-out design flaw that makes every user of EVERY mobile phone vulnerable — and the user of every PHONE vulnerable if it’s been contacted by a mobile phone user. Nobody talks about these PII breaches. Nobody also talks about how, given how updates are rolled out and implemented, mobile phones, especially most android phones, are almost completely uncleanable once they have been thoroughly compromised. There’s no way for the user to clean their phone completely (or at least know it has been) — and with the on-board chips that come with most android devices it doesn’t take something like stagefright and its (irresponsibly disclosed) ilk to ‘own’ a phone’s ‘owner’.

    While yes, the OEMs have and do bear a huge responsibility, the flaw is with the design and architecture of the system in the first place.

    Though I get a massive guffaw out of them naming the latest iteration ‘marshmallow’. Because those are definitely affiliated with a sense of security, privacy, and hardening. Well, at least they’re advertising what they have to offer now: something smushy, soft, and utterly incapable of protecting the user.

    Please don’t take offense at this posting, anyone. What I’d love to see is someone (maybe a kickstarter?) tear this model apart and make it so that phones can have a proper grsec-like kernel, with rolling updates and patches, and a way to TRULY clean a phone out (that doesn’t require, in most cases, OTA updates and/or (so much worse) hookups to (often horribly malware-laden machines running Windows) — even if one is lucky enough to run something WITH an up-to-date image — there are SO many vulnerabilities CONSTANTLY rolling out.

    As a software architect for many years, I am appalled, and Google et al should be ashamed. Those OEMs should be demanding ANDROID fix their model. I try not to be pessimistic and hope I’m wrong so I don’t want to suggest it’s only because in not so pressuring, it guarantees greater sales for upgrades. Most OEMs stop updating rather quickly.

    Anyway, just my two cents. It’s a conversation that needs to be had, and badly, especially in an environment where people are dropping 0days for machines and operating systems which have a notoriously poor history of not updating things — not out of malice or laziness but because their update cycles don’t include for such things. As consumers we should be appalled — and we should have other options. It’s getting harder and harder to even find usable phones that aren’t ‘smart phones’ anymore.