Android bloatware results in serious security flaws

Summary: Bloatware installed by the handset manufacturers is making Android insecure.

It's not just Carrier IQ that Android users need to be worried about. Researchers have discovered that some pre-loaded apps on Android handsets contain serious security vulnerabilities that could be used to wipe the handset, steal data, or even eavesdrop on calls.

A team of researchers from North Carolina State University discovered the security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the paper published by the team, the flaw relates to how the Android permission-based security model is enforced and allows permissions granted to a pre-installed app to be 'leaked' to another without user consent.

"Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission."

The eight smartphones tested by the team were:

  • HTC Legend
  • HTC EVO 4G
  • HTC Wildfire S
  • Motorola Droid
  • Motorola Droid X
  • Samsung Epic 4G
  • Google Nexus One
  • Google Nexus S

The team used a custom-built scanner called 'Woodpecker' to scan the pre-loaded apps for permission leaks relating to the following permissions:

The leaks were categorized as follows:

  • Explicit capability leaks - Allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services without actually requesting these permissions by itself.
  • Implicit capability leaks - Allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or "inherit" permissions from another app with the same signing key.
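
The two leak categories can be approximated at the manifest level. The sketch below is an added example, not Woodpecker or any code from the paper: it lists the permissions an app holds, flags public components that no permission guards (candidates for an explicit leak), and reports android:sharedUserId, the manifest attribute through which apps signed with the same key share a user ID and its permissions (the implicit case). The sample manifest, package name and component names are constructed, and the check is a coarse review aid that does not trace whether a flagged component actually reaches a privileged call.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical pre-loaded app (not from the paper).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preloaded" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".SmsRelayService" android:exported="true"/>
    <receiver android:name=".WipeReceiver">
      <intent-filter><action android:name="com.example.WIPE"/></intent-filter>
    </receiver>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.SEND_SMS"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return held permissions, unguarded public components and the shared user ID."""
    root = ET.fromstring(xml_text)
    held = sorted(n for p in root.iter("uses-permission") if (n := p.get(ANDROID + "name")))
    app = root.find("application")
    comps = [] if app is None else [c for c in app if c.tag in COMPONENTS]
    app_guard = None if app is None else app.get(ANDROID + "permission")
    unguarded = []
    for comp in comps:
        exported = comp.get(ANDROID + "exported")
        # With no explicit value, an intent-filter makes the component public
        # (the default on older Android releases).
        public = exported == "true" or (exported is None and comp.find("intent-filter") is not None)
        if public and not (comp.get(ANDROID + "permission") or app_guard):
            unguarded.append((comp.tag, comp.get(ANDROID + "name")))
    return {
        "held_permissions": held,
        # An open interface only matters for this check if the app holds permissions.
        "unguarded_public_components": unguarded if held else [],
        "shared_user_id": root.get(ANDROID + "sharedUserId"),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

Each flagged component is a place to review by hand: either it should not be public, or it should require a permission from its callers.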

Here are the results from the tests:

The researchers called these findings 'worrisome.'

Here's a video demonstration of the permissions leakage in action:

Bottom line, bloatware installed by the handset manufacturers is making Android insecure.


About

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera. Adrian has authored/co-authored technic...
