Samsung security: How long is 'too long' to patch?

UPDATE: Updated with comment from Samsung.

How long should companies have to patch security problems before public disclosure? A case study documenting a recent Samsung mobile vulnerability begs the question.

The Dr. Manuel Sadosky Foundation, based in Argentina, disclosed on security list Full Disclosure a vulnerability which impacts Samsung device users. Discovered by Joaquín Manuel Rinaudo, security vulnerabilities in the Samsung SNS Provider application for Android place social media accounts at risk, potentially allowing malicious third-party apps to access photos, status updates, feeds, location and other information -- as well as post content on the user's behalf without consent.

The Samsung Social Networking Service Provider application (SNS Provider) is used by Samsung devices to manage social media accounts including those on Facebook, Twitter, Google+, LinkedIn and Foursquare. The service also acts internally as a bridge to allow other applications, such as Gallery, to access data and content stored on these websites.

When a user logs into their social media account on a Samsung device which has SNS Provider installed, the app immediately requests full access to the account. If permitted, an access token to the account is obtained and stored in a local shared preference file.

SNS Provider is used monthly by 41 million users as of February 17, 2015, according to the bulletin.

The foundation says SNS Provider implements services used for management and syncing of these accounts, but "these services aren't protected by any permissions." The security notice states:

"As a result, malicious third party applications installed on the device could use these unprotected services to directly obtain photos, statuses, feeds, location and other type of information from the user's social Facebook or Twitter accounts as well as post new content to it."

In addition, Samsung's software also allows other apps to request the access token to Facebook and Twitter accounts -- which are protected by custom permissions but no "proper" protection level tags. As a result, users are not notified by default when requests are sent.

"A malicious application that is granted these permissions could then connect to these services and obtain the credentials required to access a users's social network account content permanently," the security bulletin states. "For example, such an application could access the user's private messages on Facebook using the access token provided by the corresponding SNS Provider service."

In devices running Android 4.3 and below, the app also includes content providers with custom permissions as "normal," so any app running on these devices can request the tokens -- and therefore access information stored within.

The vulnerable packages are detailed below:

• SNS Provider version older than 1.1.1 on Samsung devices on Android 4.1
• SNS Provider version older than 1.1.6 on Samsung devices on Android 4.2
• SNS Provider version older than 1.2.1 on Samsung devices on Android 4.3
• SNS Provider version older than 1.3.5 on Samsung devices on Android 4.4
• SNS Provider version older than 1.3.5 on Samsung devices on Android 5.0

After Samsung was notified of the vulnerability, the South Korean firm disabled the App ID assigned to SNS Provider on Facebook and Twitter in February, and issued fixed versions of the app with a new ID. Users are now protected from malware which uses the access tokens obtained via prior versions. If users are still using vulnerable versions, they are likely to see expiry or 'try again' notices when signing in.

Read this

How Samsung broke the Galaxy S6 in order to compete with the iPhone

Read now

However, the most important part of these disclosure story is the timeline supplied by the security researchers. The vulnerability was originally reported to Samsung's mobile security team on November 20, 2014. After close to a week of discussion over encrypted email, Programa de Seguridad en TIC -- which coordinated the disclosure with Rinaudo -- supplied a preliminary report and notified the company the original disclosure date was set for December 2, 2014.

On November 26, 2014, Samsung requested for the disclosure to be delayed and requested a proof-of-concept of the exploit. On the same date, Programa de Seguridad en TIC agreed to the request and provided a POC.

Four days later, Samsung confirmed the vulnerability.

See also: Bug bounties: 'Buy what you want'

Moving into December, Samsung asked for additional details on the flaw, and the institution agreed to push back disclosure until December 16, 2014. On December 12, Samsung realized an update would require coordination between Samsung SNS vendors and service carriers.

The company then asked for six months to fix the problem, as it would "require coordination of the release schedule with the service carriers," despite testing already being underway. In addition, the problem was made even more complex as lists of vulnerable device models would need to be compiled and tested.

On December 15, Programa de Seguridad en TIC informed the vendor six months was too long. In response, Samsung admitted it would likely take longer than half a year to fix the problem, "because of complexities in Android software ecosystem, inability to auto-update the application and problems updating the software to some models due to carrier policies."

Alternative, stop-gap measures were then discussed at the beginning of January. Informing users and requesting them to disable the app, invalidating the SNS Provider's App ID on Facebook or for Samsung to use one of its own auto-updaters to deliver the patch were all debated. While the security researchers agreed to once-again postpone disclosure, Samsung faced delays in invalidating the App ID due to necessary internal Q&A processes.

In February, Samsung said it would disable the old ID from the social network server side -- Facebook and Twitter, since the others have other protections rendering such a move unnecessary -- a move which was meant to take place on February 13, but took a further week due to testing, clearance delays and reviews. Samsung also asked for another push-back on disclosure to March 10.

Finally, months after discovery, the security flaw was fixed and a public disclosure notice was issued. However, the case does beg the question -- how long is too long between public disclosure and security fixes? On one hand, public disclosure may push tech giants into fixing vulnerabilities sooner, protecting users in a timely basis -- but it could also be argued public disclosure is asking for hackers to exploit bugs in the first place. Some companies, such as Microsoft, believe disclosures can feel less principled and more like a "gotcha," wheres firms such as Google argue their Project Zero 90-day disclosure policy gives other companies ample time to sort out security problems.

A Samsung spokeswoman told ZDNet:

"We thank the Manuel Sadosky Foundation for notifying us of the possible vulnerability issue within the Samsung 'SNS Provider' application. We have already addressed the issue through the application update as of February 17. Mostly all users have already received the automatic application updates.
However, for users who have specifically selected to manually update their application through the Samsung's app store, 'Galaxy Apps' or 'Samsung Apps', we recommend updating the 'SNS Provider' application through either 'Galaxy Apps' or 'Samsung Apps'."

Read on: In the world of security

• Anonymous targets ISIS social media, recruitment drives in #OpISIS campaign
• Poor security left Anthem customer records exposed
• Verizon rushes fix for email account open season security flaw
• Sony executive Amy Pascal steps down following cyberattack, email exposure
• Facebook funds GNU Privacy Guard development