Tuesday, December 6, 2011

Android Bloatware, Another Serious Android Privacy Issue

          Researchers have found that some Android smartphones are more exposed to attack than others because of the add-on software and custom skins that handset makers pre-install before shipping the phones to subscribers. Carrier IQ is not the only thing Android users need to worry about.

          A team of researchers from North Carolina State University found the problem on eight different smartphones from Google, HTC, Motorola and Samsung. A malicious app that exploits these leaks can record phone calls (see the proof-of-concept video below), wipe the phone, call or text premium-rate numbers, and read private messages and e-mails, all without asking the user for any permission. According to the paper published by the team:

          "Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission." According to the researchers, the cause is not a backdoor in Android itself but the pre-installed applications and services that manufacturers add on top of the stock OS: these apps already hold privileged permissions and expose the corresponding functionality through interfaces that any other app on the phone can reach, so an untrusted app obtains the privilege without ever requesting it. The paper calls this a capability leak.

          Android permissions are the cornerstone of Android security and user privacy. For example, if an application requests permission to use the user's location, perhaps as part of an advertiser-backed effort to track their behavior, the smartphone owner sees that request at install time and can decline to install the app. Likewise, permissions serve as a last line of defense against malicious applications that do end up on the phone: if an application asks for both Internet access and the user's address book but has no legitimate need for them, that combination is a sign it may be harvesting data and phoning home. A leaked capability undermines both uses, because the privileged action is carried out under another app's permissions and never appears in the malicious app's own request list.

          To test permission enforcement on shipped phones, the researchers built a tool, dubbed Woodpecker, that takes a phone's firmware image, pulls out the pre-installed apps, and checks whether the privileged permissions those apps hold can be reached from an interface that any unprivileged app is allowed to call. As a baseline they first analyzed the Google Nexus One and Nexus S, which ship with a vanilla version of Android, as well as the Motorola Droid, which they describe as "close to the reference Android design"; the vendor-customized phones were then measured against that baseline.

The researchers explained that the leaks live in the interfaces and services that phone manufacturers add on top of Google's firmware to supplement it. Because these pre-installed apps already hold the privileged permissions and expose the corresponding functionality to any app on the device, a third-party app can simply invoke them and sidestep Android's permission system entirely.
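As an added example (my own code, not the researchers' tool: Woodpecker works on the compiled pre-installed apps in a firmware image and traces call paths from each entry point to the privileged API), here is the manifest-level part of that check in Python. A component that is exported and carries no android:permission guard can be invoked by any app on the device, so whatever privileged permissions its package holds become reachable from an unprivileged caller. The vendor package, component names and both manifests are constructed for illustration; the export-default rules are Android's own (a component with an intent-filter is exported unless android:exported="false"; a content provider is exported by default below targetSdkVersion 17), and the set of "privileged" permissions is a constructed subset matching the attacks the paper lists.

```python
"""Toy static check for explicit capability leaks in an AndroidManifest.xml.
Added example in the spirit of the Woodpecker analysis; not the researchers'
code. It flags exported, unguarded components of a package that holds
privileged permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed subset of privileged permissions (wipe, SMS, record, call).
PRIVILEGED = {
    "android.permission.MASTER_CLEAR",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
}
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component, target_sdk):
    """Apply Android's default export rules to a manifest component."""
    explicit = android_attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        # Content providers default to exported when targetSdkVersion < 17.
        return target_sdk < 17
    # Activities, services and receivers default to exported only if they
    # declare at least one intent-filter.
    return component.find("intent-filter") is not None


def find_capability_leaks(manifest_xml):
    """Return [(tag, component name, sorted privileged permissions)] for every
    exported component with no android:permission guard, in a package that
    holds at least one privileged permission."""
    root = ET.fromstring(manifest_xml)
    held = {android_attr(p, "name") for p in root.iter("uses-permission")}
    reachable = sorted(held & PRIVILEGED)
    if not reachable:
        return []  # nothing privileged to leak
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(android_attr(sdk, "targetSdkVersion")
                         or android_attr(sdk, "minSdkVersion") or 1)
    app = root.find("application")
    leaks = []
    for component in (list(app) if app is not None else []):
        if component.tag not in COMPONENT_TAGS:
            continue
        if not is_exported(component, target_sdk):
            continue  # reachable only from inside the package itself
        if android_attr(component, "permission"):
            continue  # callers must hold this permission: guarded
        leaks.append((component.tag, android_attr(component, "name"), reachable))
    return leaks


# Constructed manifest of a fictional pre-installed vendor app (names made up).
LEAKY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.tools">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="10"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Vendor Tools">
    <!-- intent-filter, no exported/permission attribute: exported, unguarded -->
    <receiver android:name=".SmsCommandReceiver">
      <intent-filter>
        <action android:name="com.example.vendor.SEND_SMS"/>
      </intent-filter>
    </receiver>
    <!-- exported, but callers must hold a vendor permission: guarded -->
    <service android:name=".RecorderService" android:exported="true"
             android:permission="com.example.vendor.permission.INTERNAL"/>
    <!-- no intent-filter and no exported attribute: not exported -->
    <activity android:name=".SettingsActivity"/>
    <!-- targetSdkVersion 10: providers are exported by default -->
    <provider android:name=".LogProvider"
              android:authorities="com.example.vendor.logs"/>
  </application>
</manifest>
"""

# Same app with both leaking components closed to other packages.
HARDENED_MANIFEST = LEAKY_MANIFEST.replace(
    '<receiver android:name=".SmsCommandReceiver">',
    '<receiver android:name=".SmsCommandReceiver" android:exported="false">',
).replace(
    'android:authorities="com.example.vendor.logs"/>',
    'android:authorities="com.example.vendor.logs" android:exported="false"/>',
)

if __name__ == "__main__":
    for label, xml in (("leaky", LEAKY_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, find_capability_leaks(xml))
```

On the constructed manifest the receiver and the content provider are reported as leaking SEND_SMS and RECORD_AUDIO, the guarded service and the unexported activity are not, and the hardened manifest reports nothing. The real tool has to go further than this, since an exported component is only a leak if its code actually reaches the privileged API, but the manifest rule is the first filter any such analysis applies.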
