Android study reveals what we already knew: the device is flawed

Over half of Android devices have unpatched vulnerabilities? We knew that.

Over half of Android devices are vulnerable to known, exploitable security flaws, a report from mobile security firm Duo Security claims. I have no trouble believing it, because it's old news.

IDG colleague Lucian Constantin writes this about the Duo Security findings:

Over half of Android devices are vulnerable to known security flaws that can be exploited by malicious applications to gain complete access to the operating system and the data stored on it, according to a report from mobile security firm Duo Security.

This conclusion is based on scans performed during the last couple of months with X-Ray, a free Android vulnerability assessment tool developed by Duo Security. X-Ray scans devices for known privilege escalation vulnerabilities that exist in various versions of the mobile operating system.

"Since we launched X-Ray, we've already collected results from over 20,000 Android devices worldwide," security researcher Jon Oberheide, who is co-founder and CTO of Duo Security, said Wednesday.

A friend of mine, security researcher Zach Lanier, touched on this problem two years ago. He wasn't necessarily talking about these specific flaws, but about the general tendency of Android devices to ship with the same kinds of flaws attackers were exploiting on PCs a decade ago. After taking apart Android and studying the OS pieces, he told me the problems that needed fixing were on the developer side. In the rush to satisfy smart phone users hungry for new apps, the same mistakes that were made around 1999-2000 in the PC world were being repeated. After looking at the more popular phones like Android and BlackBerry, he and another researcher discovered, among other things, that:

  • Intercepting one's credentials on an app like Foursquare is pretty easy.
  • Storage apps -- popular among those who like to store and easily retrieve music and video on their phones -- contain security holes an attacker could exploit to cause a denial of service or bypass digital rights management controls.
  • Carrier-based apps tend to trust you just because you happen to be on the carrier network.
  • Third-party apps are sometimes better than carrier-based apps in this regard, but there's still incomplete support for open standards.
  • Man-in-the-middle attacks are fairly trivial across the board.
  • It's trivial for a bad guy to replay a user's picture upload requests via a third-party upload app for BlackBerry and send their own, potentially malicious files to random accounts. Zusman said injection flaws in the picture upload feature abound and that it was fairly simple to inject their own XML attribute.

Also see: Touring (and surviving) the mobile app minefield

Since the mobile threat landscape is still largely uncharted territory, don't expect these flaws to go away any time soon. Things will eventually get better (heavy emphasis on "eventually"), but for now, the reader would be wise to look at a feature I wrote awhile back about the Dos and Don'ts of mobile security.

I also recommend you check out the following related material:

The mobile security survival guide

Smartphone attacks: Here and now

In 2012, a mobile security minefield

Copyright © 2012 IDG Communications, Inc.

21 best free security tools to make your job easier