The researchers found that some of the apps and features pre-loaded by Android device manufacturers could be exploited by attackers.
These apps and features are meant to make the devices more useful and convenient right out of the box.
However, some of them are built on top of the existing Android architecture in such a way as to create potential 'backdoors' that give third parties direct access to personal information or other phone features, Jiang said.
Jiang's study characterizes the vulnerability as a classic confused deputy attack, in which one (malicious) app tricks another (legitimate) app or feature into leaking information or capabilities that the legitimate app has permission to access.
The study chose to focus on pre-loaded apps and features, which, as part of the Android phone's firmware, have access to some permissions that are too privileged to be granted to third-party apps.
It focused on 13 privileged permissions, including location data and the ability to send text messages.
Leaking some of these permissions could allow attackers to wipe out the user data on the phones, send out SMS messages (e.g., to premium-rate numbers), record user conversations, or obtain user geo-locations, the study stated.
The results showed that 11 of the 13 tested permissions were leaked on at least one device.
The Android devices the researchers tested consisted of the HTC Legend, HTC EVO 4G, HTC Wildfire S, Motorola Droid, Motorola Droid X, Samsung Epic 4G, Google Nexus One and Google Nexus S.
The best-performing devices, i.e. those with the fewest leaks (the Google and Motorola phones tested in this study), ran the reference Android design or system images close to it. Better-performing devices also tended to have fewer pre-loaded apps and features.
The device that fared the worst was the HTC EVO 4G, which had nine leaks.
The researchers said that, as of the writing of the study, Motorola and Google had confirmed the reported vulnerabilities, while HTC and Samsung had been really slow in responding to, if not ignoring, [their] reports/inquiries.
The leaks found by the study highlight a vulnerability in the Android OS's primary approach to app security.
Apple's iOS, for example, uses a vetting process that scrutinizes each third-party app before it is put on the App Store.
Google's Android OS, by contrast, relies on its permission-based security model, which requires each app to explicitly request permissions up front to access data and features. The apps themselves are not put through an Apple-like vetting process.
Jiang's study, however, showed that Android's permission system can be gamed.
To address this flaw, the researchers recommended that either the capability-leaking app must ensure that it does not accidentally expose its capability without checking the calling app's permission, or the underlying Android framework must diligently mediate app interactions so that they do not inappropriately violate the integrity of a capability.
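The confused deputy pattern described above, and the first of the two fixes the researchers recommend (the deputy checking the caller's permission), as an added example in Android Java. This is not code from the study, the article, or any vendor firmware; the package and class names (com.vendor.smshelper, SmsHelperService, LeakySmsService, HardenedSmsService, ConfusedDeputyClient), the transaction layout, and the phone number are all constructed for illustration. The deputy is a pre-loaded app that holds SEND_SMS and exposes a bound Service; the client is an app that requested no permissions at all.

```java
// Added example, not from the study or the article. All names below are hypothetical.
package com.vendor.smshelper;

import android.Manifest;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

/** Deputy side: shared Binder plumbing; subclasses decide whether the caller is checked. */
public abstract class SmsHelperService extends Service {
    /** Transaction code; the client only needs to know this number, not our classes. */
    public static final int TX_SEND_SMS = IBinder.FIRST_CALL_TRANSACTION;

    /** Hook: throw SecurityException if the calling app must not use this capability. */
    protected abstract void authorizeCaller();

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_SEND_SMS) {
                return super.onTransact(code, data, reply, flags);
            }
            String destination = data.readString();
            String body = data.readString();
            // Inside onTransact the Binder identity (Binder.getCallingUid()) is the client's,
            // so a permission check here is meaningful. In onStartCommand or a
            // BroadcastReceiver.onReceive it is not: those are delivered by the system.
            authorizeCaller();
            // This app holds SEND_SMS; the message goes out under its identity, not the caller's.
            SmsManager.getDefault().sendTextMessage(destination, null, body, null, null);
            reply.writeNoException();
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}

/** Vulnerable deputy: exported in the manifest without android:permission and never asks who is calling. */
class LeakySmsService extends SmsHelperService {
    @Override
    protected void authorizeCaller() { /* nothing: any app on the device can send SMS through us */ }
}

/**
 * Hardened deputy: acts only if the caller itself already holds SEND_SMS, so the caller
 * gains nothing it could not do alone. The manifest entry should additionally carry
 * android:permission="android.permission.SEND_SMS" (or android:exported="false" when no
 * other app needs it) so unprivileged apps cannot even bind.
 */
class HardenedSmsService extends SmsHelperService {
    @Override
    protected void authorizeCaller() {
        enforceCallingPermission(Manifest.permission.SEND_SMS,
                "caller must hold SEND_SMS to send messages through SmsHelperService");
    }
}

/** Attacker side (would live in its own package): no permissions requested, yet it sends an SMS. */
class ConfusedDeputyClient {
    static boolean sendThroughDeputy(Context ctx) {
        Intent bind = new Intent().setComponent(new ComponentName(
                "com.vendor.smshelper", "com.vendor.smshelper.LeakySmsService"));
        return ctx.bindService(bind, new ServiceConnection() {
            @Override
            public void onServiceConnected(ComponentName name, IBinder service) {
                Parcel data = Parcel.obtain();
                Parcel reply = Parcel.obtain();
                try {
                    data.writeString("+15551234567"); // constructed placeholder number
                    data.writeString("SUBSCRIBE");
                    service.transact(IBinder.FIRST_CALL_TRANSACTION, data, reply, 0);
                    // Against HardenedSmsService this rethrows the SecurityException the
                    // deputy raised; against LeakySmsService the message has already been sent.
                    reply.readException();
                } catch (RemoteException e) {
                    // deputy process died or the transaction was not delivered
                } finally {
                    data.recycle();
                    reply.recycle();
                }
            }

            @Override
            public void onServiceDisconnected(ComponentName name) { }
        }, Context.BIND_AUTO_CREATE);
    }
}
```

Two points a practitioner should take from this. First, the check must be done by the deputy for the caller's identity, not for its own: calling a permission check in the deputy's own code path with its own uid would always succeed. Second, the in-code check only works where Android carries the caller's identity, which is the Binder transaction of a bound service; for started services, broadcast receivers and activities the only effective control is the manifest (android:permission or android:exported="false"), which is the second of the two remedies in the text, framework-level mediation, rather than the first.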