North Carolina State University Uses “Woodpecker” To Peck Holes In Security Of Android Smartphones

Researchers at North Carolina State University revealed some major findings regarding Android devices. Using a tool called “Woodpecker” that was developed by the researchers, they found noteworthy vulnerabilities on HTC, Samsung and Motorola smartphones. The specific phones studied were the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. Woodpecker analyzed the pre-loaded pieces of software on each phone, probing for capacity leaks: sensitive application and operating system privileges left exposed to other applications in ways that would allow them to be accessed by a malicious app without requesting permission from the device user. The researchers were “surprised to find out these stock phone images [on the devices tested] do not properly enforce [Android’s] permission-based security model”.

Basically, the capacity leaks fell into two categories, explicit and implicit. Explicit leaks allow applications to exploit a public interface or service of another app without making a permission request. Implicit leaks allow other applications to inherit permissions from another application signed with the same digital certificate (this allows applications from the same developer to automatically interact with each other). They found that while implicit leaks were not as serious a problem, explicit leaks were. Sensitive information such as geo-location, address book, SMS messages, etc. was leaked on the pre-installed apps. Moreover, the researchers found “an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations—all without asking for any permission”. This study is definitely eye-opening, but not surprising, as there are examples of some HTC phones and Motorola DROIDs being vulnerable.

So what do you, as an Android owner, take from this study? First, pay close attention to the permissions that each and every one of the applications on your smartphone or tablet may have. Remember gang, we have a nice little tip sheet for how to spot questionable applications and verify permissions in order to keep your Android protected. Second, Android manufacturers (and even Google) will need to take software security much more seriously. Hopefully the new generation of Android devices will alleviate our fears and concerns about these software holes found in the Android OS.

[via ars technica by North Carolina State University]


About the Author: Roy Alugbue



  • Mathenk2

    There’s absolutely no excuse for not checking permissions before installing applications.

  • Guest

    Did you read the part where “Explicit leaks [allow] applications to exploit a public interface or service of another app without making a permission request”?

    Not to mention that the leaks come from pre-installed applications.