Android bloatware results in serious security flaws
Summary: Bloatware installed by the handset manufacturers is making Android insecure.
It's not just Carrier IQ that Android users need to be worried about. Researchers have discovered that some pre-loaded apps on Android handsets contain serious security vulnerabilities that could be used to wipe the handset, steal data, or even eavesdrop on calls.
A team of researchers from North Carolina State University discovered the security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the paper published by the team, the flaw relates to how the Android permission-based security model is enforced and allows permissions granted to a pre-installed app to be 'leaked' to another without user consent.
Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission.
The eight smartphones tested by the team were:
- HTC Legend
- HTC EVO 4G
- HTC Wildfire S
- Motorola Droid
- Motorola Droid X
- Samsung Epic 4G
- Google Nexus One
- Google Nexus S
The team used a custom-built scanner called 'Woodpecker' to scan the pre-loaded apps for permission leaks relating to the following permissions:
The leaks were categorized as follows:
- Explicit capability leaks - Allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services without actually requesting these permissions by itself.
- Implicit capability leaks - Allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or "inherit" permissions from another app with the same signing key.
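A manifest-level triage for the two leak categories above, as an added example that is not from the article, the researchers' paper or Woodpecker itself. It only flags candidates: exported components with no `android:permission` guard in an app that holds a privileged permission, and `android:sharedUserId` declarations (the mechanism by which apps signed with the same key share permissions). Confirming a leak still requires checking that the exposed component actually reaches the privileged API. The permission subset and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Illustrative subset of privileged permissions (an assumption, not the paper's list).
PRIVILEGED = {"android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
              "android.permission.MASTER_CLEAR"}
# Providers are omitted: their default export rule differs by API level.
COMPONENTS = ("activity", "service", "receiver")

# Constructed manifest for a hypothetical pre-loaded app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preload" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".SmsRelayService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.preload.RELAY"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <activity android:name=".Settings"/>
  </application>
</manifest>"""

def is_exported(comp):
    """Explicit android:exported wins; else an intent-filter implies export (pre-Android 12)."""
    flag = comp.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (kind, name, held_permissions) tuples for leak candidates."""
    root = ET.fromstring(xml_text)
    held = sorted({p.get(ANDROID + "name") for p in root.iter("uses-permission")} & PRIVILEGED)
    findings = []
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    for kind in COMPONENTS if app is not None else ():
        for comp in app.iter(kind):
            guarded = comp.get(ANDROID + "permission") or app_perm
            if held and is_exported(comp) and not guarded:
                findings.append(("explicit-candidate", comp.get(ANDROID + "name"), held))
    shared = root.get(ANDROID + "sharedUserId")
    if shared:  # same-key apps sharing this UID pool their permissions
        findings.append(("implicit-candidate", shared, held))
    return findings

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE), sep="\n")
```
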
Here are the results from the tests:
The researchers called these findings 'worrisome.'
Here's a video demonstration of the permissions leakage in action:
Bottom line, bloatware installed by the handset manufacturers is making Android insecure.


Talkback
RE: Android bloatware results in serious security flaws
Consumers clearly don't care about all this and continue to buy smartphones from a market flooded with devices running an operating system designed for geeks.
RE: Android bloatware results in serious security flaws
Is it manufacturer bloatware or carrier bloatware? Is my unbranded phone as at risk as a Sprint phone? Or is it on a par with the Nexus?
The video and this article totally fail to provide any useful information, just a sensational headline to get viewer numbers.
RE: Android bloatware results in serious security flaws
I think the real point is, it doesn't matter whether the carrier or the OEM puts it on, one of the strengths of Android (openness) is also a weakness. The carriers and OEMs load all this crap on then lock it down, requiring the phone to be rooted to remove it. I know for all the Android geeks this isn't a problem, but it is for the average consumer.
Say what you want about Apple, but they took a hard line with the carriers and as a result, this stuff never found its way onto their phones (CarrierIQ aside).
And I say that as an Android user. I shouldn't have to root just to get Sprint's freakin' NASCAR app off my phone.
RE: Android bloatware results in serious security flaws
http://www.zdnet.com/blog/security/apple-fixes-ios-vulnerability-exposed-by-charlie-miller/9796
http://www.zdnet.com/blog/hardware/so-thats-what-happens-when-you-highlight-an-ios-security-hole/16078
RE: Android bloatware results in serious security flaws
I never said iOS was impervious to malware. I simply gave Apple credit for not letting the carriers muck up their hardware with bloatware, unlike Google and the Android OEMs.
As for malware making its way into app stores, anyone who believes (or expects) that Apple's review process is going to be perfect really needs a reality check. Companies dedicated to malware protection don't achieve 100% detection/prevention, so to expect any company from a different sector to do so is naive.
And let's not pretend that Google has a perfect batting average when it comes to preventing malware from entering their app store. They've had just as many instances, if not more.
RE: Android bloatware results in serious security flaws
Me too!
RE: Android bloatware results in serious security flaws
According to your logic, I never have, nor has anyone I known who
And who cares what happens at a hacker conference where hackers have weeks to prepare and only can execute it on a certain build, or in many cases a Jailbroken iOS device.
And like Pete said, I guess you are ignoring the malicious apps that exist in the Android Store. Much harder to get a Malware app into the Apple App store as it has to be digitally signed by Apple, and then if it is discovered that it is malware, Apple will know who to send to jail. Just like the recent malware author that got spanked by Apple for attempting to do just that.
is looking more and more like Windows
But let me guess... Is not MS fault if OEMs install full of bloatware...
RE: Android bloatware results in serious security flaws
It isn't, to be blunt.
RE: Android bloatware results in serious security flaws
Take away the bloatware and Android is still a mess.
RE: Android bloatware results in serious security flaws
And whose fault is it to include bloatware into iTunes?
[quote]
http://www.zdnet.com/blog/bott/the-unofficial-guide-to-installing-itunes-10-without-bloatware/2390
Why is that important? When you run the iTunes setup program, it unpacks six Windows Installer packages and a master setup program, which then installs nearly 300MB of program and support files, a kernel-mode CD/DVD-burning driver, multiple system services, and a bunch of browser plugins. It configures two "helper" programs to start automatically every time you start your PC, giving you no easy way to disable them. It installs a network service that many iTunes users don't need and that has been associated with security and reliability issues.
And you wonder why I dislike iTunes with a passion that burns like the fire of a thousand suns?[/quote]
I believe that any bloatware is bad for efficiency and security. Period.
[i]~~~~~~~~~~
Everything is theoretically impossible, until it is done.
~ Robert A. Heinlein[/i]
RE: Android bloatware results in serious security flaws
It's so pitiful most of the time that you just can't help but laugh at it. Every system has its flaws and every system has great positives, in the end it's up to each individual person. I happen to own MS products, Windows computers, Vista laptop, and Win7 desktop. I also own an iPad.
I also don't have a smartphone, just a regular cell phone that does have a camera. However, I haven't had an issue with iTunes, as has been mentioned here on any of my Windows devices, maybe because I don't use Safari or QuickTime which is part of the iTunes download?
In any event, there are security issues with every system, all you need to do is be smart how you use your equipment when online.....
best response yet.
Agreed and well put. I own ms products (xp-server-wm) for personal use. Apple macbook pro & iphone issued by work for work and android tablet for tinkering with. All have their pros and cons. To each his own. In my line of work apple has no place so 80% of us run windows on virtual box and/or vmware. So again, to each his own.