
Android Security Overview

Posted: February 3, 2017
6 min read

Statistically, Android holds around 75-80 percent of the worldwide smartphone market, which makes it the most popular mobile operating system in use. Bear in mind that Google stops sending updates to its own devices 2 years after they are launched. What is bothersome is that, since most of us use Android, an OS developed by Google, we are letting Google gain access to all our personal information. One could argue that they don’t care whether Google has access to it. However, I’m not only talking about Google having access to our information.

Android still follows the same software-update pattern it used back when the Android ecosystem had zero devices to update. It doesn’t work, because there is more to the picture than what is shown to us. Google releases Android to OEMs (Original Equipment Manufacturers: the manufacturers who resell another company’s product under their own name or brand). OEMs then have the liberty to make changes to the system and release the code to carriers. Carriers again have the liberty to make further changes, and they eventually release the code to the consumers, aka the world, to YOU and me.

The aftermath of the “Stagefright” vulnerability (Stagefright is a group of software bugs affecting versions 2.2 and newer of the Android OS that allows an attacker to perform malicious activities on the victim’s device via RCE and privilege escalation) got Android all worked up about focusing more on security. According to the numbers, an estimated 95% of Android devices are vulnerable to RCE via something as simple as receiving a malicious video MMS on the device. Android does have other protections in place to hinder RCE on your device; however, it remains a major concern. Google, Samsung and LG have claimed to take the security issues seriously and to fix them ASAP. The ‘proposed fix’ only patches 2.6% of all active Android devices. That percentage includes the devices running Android 5.1 today (roughly 5 months after it was released in the market).

It is concerning though, that billions of Android devices are not receiving the latest security updates in order to shield themselves from serious vulnerabilities that are out there in the wild.

OEMs want to maintain their branding and customizations to Android in order to promote their own products and applications to their target customers. However, they aren’t concerned about post-sale customer support, i.e. they generally don’t have a good system in place to help their customers after their products are sold. They deem it unprofitable and hence focus their time and energy on methods that benefit their business and in turn bring in more profits.

Since there doesn’t seem to be a clear-cut solution to the problem yet, companies are simply masking it and making failed attempts at fixing the actual root of the problem.

Android’s application sandbox helps reduce the damage that exploits can do, the Play Store helps limit most users’ exposure to malicious Android applications, and there are carriers working to detect and block malicious Stagefright MMS messages. These different stakeholders are only putting a mask over the problem, aka a bandage over it. The root problem is that there isn’t a way to deliver the latest updates to the core OS for every user.

A user’s phone typically contains their banking and personal information, which can be stolen remotely by exploiting innumerable known and unknown bugs in the Android system. After selling their devices to their target audience, vendors (Xiaomi, LG and Samsung, for example) aren’t really keen on keeping their customers’ devices updated with the latest fixes implemented by Google. Most Android devices are hence out of date, which leaves them vulnerable to the many attacks that an attacker, creative or not, can use for their own malicious purposes.

You’d think that Amazon wouldn’t co-launch an exclusive flagship product that has a hidden backdoor that secretly sends all your personal information to an unknown server in China. After all, they too have a reputation to uphold.

Of course they’d have security checks in place – a team of information security consultants with skills similar to Quantico-like agents to catch activities of this nature on the spot (or at least during their routine/scheduled security audits), right?

The truth is that most don’t care about the security of the unlocked Android phones sold worldwide. The OEMs, Google and Amazon don’t care. What’s cringe-worthy is that the customers themselves don’t care until they’re victims of an attack.

Google started to take Android security seriously only after the bad reputation that followed the Stagefright bug. According to security researchers, Google devices like the Nexus and Pixel are on par with iOS’s security implementations. However, the issue isn’t resolved, since the majority of consumers continue to purchase devices that have third-party software installed on them, which brings us back to square one. Almost near it, anyway.

You might have heard about how sneaky MediaTek/BLU phones had behaved lately.

BLU phones had become very popular on Amazon.com and were selling like hotcakes!

Unbeknownst to most of us, these phones were quietly and regularly sending the user’s personal information to servers located in China. The ‘personal information’ I speak of here includes a juicy mix of the user’s text messages, device location, call logs, installed apps, contact lists, etc. After further investigation, it was brought to light that this mischief was happening through a low-level piece of software called ADUPS. Interestingly, a security researcher had discovered the secret backdoor in the device by a “combination of happenstance and curiosity”. The devices, and several other models from BLU, were collecting and transmitting Personally Identifiable Information (PII, also referred to as Sensitive Personal Information: information that can be used to uniquely identify, contact, or locate an individual) to a server in China every 24 to 72 hours. These activities were happily carried out in disregard of the user’s privacy and, of course, it all took place right under their noses (literally here; our smartphones are, after all, usually facing us. Lame joke. Moving on), i.e. without the user’s consent.

After this information came to light, Google tried to counter it by implementing checks for ADUPS in its systems. MediaTek, however, being the mischief-makers that they are, tried to outwit Google by modifying their system software in order to dodge the security checks Google had strategically put in place.

Amazon was hence forced to pull the BLU R1 HD, its bestselling unlocked phone, from the market for the reasons mentioned above.

BLU’s CEO officially told the NYTimes: “It was obviously something that we were not aware of”. It is concerning, however, that neither BLU nor Amazon detected the backdoor since the phone’s launch in July 2016.

Google maintains a blacklist of bad software that isn’t allowed to be used on Android phones.

A security research team, Red Naga, discovered the flaw on 1st March 2015 and tried to get BLU to patch it. However, this is what they heard back from BLU whenever they tried to bring the flaw to their attention: “BLU claims they have no security department and cannot assist.”

Since neither MediaTek nor BLU was big on helping with the issue, Google eventually gave in and accepted a CTS patch to check for the ADUPS system socket. You’d think that should have helped. MediaTek, on the other hand, changed the name of the socket to intentionally dodge Google’s CTS check. Whooop!

In spite of having a bad rep for security, MediaTek still gets plenty of attention and demand because they win on design and because they are popular amongst their ODM (Original Design Manufacturer) partners.

From the above example, you can see how the software on our phones, in spite of being based on Google’s software, is customized by the various creative vendors from whom we eventually purchase the phone.

Now that I’ve got your attention, ‘what can we do to secure our data?’ you ask?

The iPhone has been known to take security very seriously. If it’s data protection that you’re looking for, and if you have the budget, get an iPhone.

Apple is still sending out security updates to its minions, albeit on iOS 9, for the iPhone 4s which was released in 2011. The iPhone 5 is still being updated with iOS 10.

This is for those of you (like moi) who prefer sticking with Android:

It is recommended to get an official Google device, meaning either a Nexus or a new Pixel. Google’s security policy for Pixel and Nexus states that they will ship security updates either for three years after the device’s introduction in the market, or for 1.5 years after the device was last officially sold from the Google Store, whichever is longer. Doesn’t that sound just peachy?

iPhones are really expensive, and the devices Google is releasing now also target an audience willing to shell out a huge sum for a device. The point is that the audience that actually uses Android on a daily basis (most of us, who are on a budget) is deprived of the latest security updates/fixes and the best that Google has to offer, simply because they don’t fall within the audience Google targets with its high-end devices.

Let me introduce you to the COPPERHEAD OS!

“Copperhead OS is a two-man team based in Toronto, ships a hardened version of Android that aims to integrate Grsecurity and PaX (state of the art secure technology – Grsecurity and PaX.) into their distribution. Their OS also includes numerous security enhancements, including a port of OpenBSD’s


Ambreen Ansari
