by Robert Lemos

MIA talk was to focus on Android developer mistakes

Aug 15, 2011 | 3 mins

Topics: Android, Application Security, Data and Information Security

A lack of code checking and security education has led to dozens, if not hundreds, of application security flaws that affect the Android platform, researchers claim.

A pair of researchers, who caused a stir at the Black Hat Security Briefings when they failed to show at their presentation, claim to have found dozens of vulnerabilities in Android applications using an automated analysis tool.

The presentation, titled “Hacking Androids for Profit,” focused on the problems of third-party applications on Android, not on the core operating system or the key programs developed by Google, says Riley Hassell, founder of Privateer Labs. Hassell and co-worker Shane Macaulay, also of Privateer Labs, were scheduled to present their research Aug. 4 but failed to appear.


The presentation would have outlined results of the company’s analysis of third-party applications using a scanning tool known as SCURVY, Hassell said.

“We found vulnerabilities in dozens of the most popular apps,” he says. “Some are information disclosure — getting information on the mobile user — others are privilege escalation.”

A particularly pernicious problem is known as activity reuse, where one application exploits a weakness in another application to borrow that program’s elevated permissions. The weakness arises because many developers expose certain activities to other programs without checking whether the calling program holds the permissions needed to take that action on its own.

Using SCURVY, the researchers analyzed more than 600 applications offering interfaces to more than 3,500 activities and found that 61 percent of the allowable actions did not impose acceptable security precautions on the use of their activities. For example, a version of the voice-over-IP program, Skype, could be exploited by other programs to make calls without notifying the user.

“The way to stop this is to apply appropriate permissions,” Hassell says.
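The activity-reuse weakness described above, shown as an added illustration that is not from the article or the researchers’ material: a manifest fragment for a hypothetical dialer app (the package, activity and permission names are assumptions) with the unguarded declaration beside the corrected one.

```xml
<!-- Hypothetical app; the package and component names are assumed, not from the article. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dialer">

  <!-- The app itself is granted the right to place calls. -->
  <uses-permission android:name="android.permission.CALL_PHONE" />

  <!-- Permission that other apps must request (and the user must grant) before
       they may drive the call-placing activity. -->
  <permission android:name="com.example.dialer.permission.PLACE_CALL"
              android:protectionLevel="dangerous" />

  <application>

    <!-- WEAK: an activity with an intent filter is exported by default on older
         Android releases, so any installed app can start it. Because the dialer
         holds CALL_PHONE, a caller with no permissions at all effectively gains
         the ability to place calls through it. -->
    <activity android:name=".PlaceCallActivity">
      <intent-filter>
        <action android:name="com.example.dialer.action.PLACE_CALL" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>

    <!-- HARDENED: the export is explicit, and android:permission makes the system
         refuse to start the activity for any caller that does not hold the
         app-defined permission. Activities with no reason to be public should
         instead be declared android:exported="false". -->
    <activity android:name=".GuardedPlaceCallActivity"
              android:exported="true"
              android:permission="com.example.dialer.permission.PLACE_CALL">
      <intent-filter>
        <action android:name="com.example.dialer.action.GUARDED_PLACE_CALL" />
        <category android:name="android.intent.category.DEFAULT" />
      </intent-filter>
    </activity>

  </application>
</manifest>
```

A scanner of the kind the article describes would flag the first declaration by noting that an activity reachable via an intent filter carries no android:permission while its owning app holds a sensitive permission such as CALL_PHONE.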

While the problems are not in Google’s software, the company should seek ways to increase the security of third-party applications, he argues. Because third-party developers make up such a hefty portion of the software ecosystem, they need to be trained to write more secure code and their programs should be vetted, Hassell maintains.

“I think it is Google’s responsibility to help developers make better security choices during application development,” he says.

While avoiding details, Hassell said he found significant vulnerabilities in dozens of popular third-party applications on Android. With the automated scanning engine, the issues are easy to find, he says.

“I could go run this thing and, in a half an hour, I will have a new nasty bug in some application,” he says.

Why did Hassell and Macaulay miss their presentation? The pair remains mum on the reasons. “No comment,” Hassell says.