Researchers at North Carolina State University revealed some major findings regarding Android devices. Using a tool called “Woodpecker” that the researchers developed, they found noteworthy vulnerabilities on HTC, Samsung and Motorola smartphones. The specific phones studied were the HTC Legend, EVO 4G, and Wildfire S; the Motorola Droid and Droid X; the Samsung Epic 4G; and the Google Nexus One and Nexus S. Woodpecker analyzed the pre-loaded software on each phone, probing for capability leaks: sensitive application and operating system privileges left exposed to other applications in ways that would allow a malicious app to access them without requesting permission from the device user. The researchers were “surprised to find out these stock phone images [on the devices tested] do not properly enforce [Android’s] permission-based security model”.
Basically, the capability leaks fell into two categories: explicit and implicit. Explicit leaks allow applications to exploit a public interface or service of another app without making a permission request. Implicit leaks allow applications to inherit permissions from another application signed with the same digital certificate (this allows applications from the same developer to automatically interact with each other). They found that while implicit leaks were not as serious a problem, explicit leaks were. Sensitive information such as geo-location, the address book, SMS messages, etc. was leaked by the pre-installed apps. Moreover, the researchers found “an untrusted app on these affected phones can manage to wipe out the user data on the phones, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain user geo-locations—all without asking for any permission”. This study is definitely eye-opening, but not surprising, as there are examples of some HTC phones and Motorola DROIDs being vulnerable.
So what do you, as an Android owner, take from this study? First, pay close attention to the permissions that each and every one of the applications on your smartphone or tablet may have. Remember gang, we have a nice little tip sheet for how to spot questionable applications and verify permissions in order to keep your Android protected. Second, Android manufacturers (and even Google) will need to take software security much more seriously. Hopefully the new generation of Android devices will alleviate our fears and concerns about these software holes found in the Android OS.