Android bloatware results in serious security flaws


Summary: Bloatware installed by the handset manufacturers is making Android insecure.

TOPICS: Security, Mobility

It's not just Carrier IQ that Android users need to be worried about. Researchers have discovered that some pre-loaded apps on Android handsets contain serious security vulnerabilities that could be used to wipe the handset, steal data, or even eavesdrop on calls.

A team of researchers from North Carolina State University discovered the security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the paper published by the team, the flaw relates to how the Android permission-based security model is enforced and allows permissions granted to a pre-installed app to be 'leaked' to another without user consent.

"Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones - all without asking for any permission."

The eight smartphones tested by the team were:

  • HTC Legend
  • HTC EVO 4G
  • HTC Wildfire S
  • Motorola Droid
  • Motorola Droid X
  • Samsung Epic 4G
  • Google Nexus One
  • Google Nexus S

The team used a custom-built scanner called 'Woodpecker' to scan the pre-loaded apps for permission leaks relating to the following permissions:

The leaks were categorized as follows:

  • Explicit capability leaks - Allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services without actually requesting these permissions by itself.
  • Implicit capability leaks - Allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or "inherit" permissions from another app with the same signing key.
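
A rough manifest-level triage for the two leak categories above, as an added example that is not from the article or the researchers' paper and does not reproduce how Woodpecker works. The manifest, package and component names are constructed, and the implicit check assumes that same-key apps share permissions through Android's `android:sharedUserId` attribute.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver")  # providers not covered here

# Constructed manifest for a hypothetical pre-loaded app (not from a real phone image).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preload" android:sharedUserId="com.example.shared">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".SmsRelayService" android:exported="true"/>
    <receiver android:name=".WipeReceiver">
      <intent-filter><action android:name="com.example.preload.WIPE"/></intent-filter>
    </receiver>
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.preload.INTERNAL"/>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(comp):
    # An explicit android:exported wins; without it, a component that declares
    # an intent-filter is exported by default (pre-Android 12 behaviour).
    flag = comp.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    held = sorted(p.get(ANDROID + "name") for p in root.iter("uses-permission"))
    unguarded = []
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            guard = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
            if is_exported(comp) and not guard:
                unguarded.append(comp.get(ANDROID + "name"))
    return {
        "held_permissions": held,
        # Explicit-leak candidates: public entry points into an app holding permissions.
        "explicit_candidates": sorted(unguarded) if held else [],
        # Implicit-leak candidate: permissions pooled with same-key apps on this UID.
        "shared_user_id": root.get(ANDROID + "sharedUserId"),
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged component is only a candidate: whether a caller can actually reach a privileged operation through it depends on the component's code, which a manifest check cannot see.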

Here are the results from the tests:

The researchers called these findings 'worrisome.'

Here's a video demonstration of the permissions leakage in action:

Bottom line, bloatware installed by the handset manufacturers is making Android insecure.


  • RE: Android bloatware results in serious security flaws

    Again and again.

    Consumers clearly don't care about all this and continue to buy smartphones from a market flooded with devices running an operating system designed for geeks.
    • RE: Android bloatware results in serious security flaws

      @TheCyberKnight, let me guess you own an iPhone?? Such a predictable response from one of the sheep.
      • RE: Android bloatware results in serious security flaws

        @MicroNix And because he possibly owns an iPhone or disagrees with your point of view he is somehow a sheep? Typical fandroid zealot response... even though he is correct in that Android was designed for geeks and tinkerers. But by all means tell me how he is wrong in anything he posted. Thought not.
    • RE: Android bloatware results in serious security flaws

      @TheCyberKnight And the poor quality reporting that goes with these "revelations" doesn't help. Apart from the Nexus, we are talking carrier branded phones here, but there is no mention which "bloatware" is responsible.

      Is it manufacturer bloatware or carrier bloatware? Is my unbranded phone as at risk as a Sprint phone? Or is it on a par with the Nexus?

      The video and this article totally fail to provide any useful information, just a sensational headline to get viewer numbers.
      • RE: Android bloatware results in serious security flaws


        I think the real point is, it doesn't matter whether the carrier or the OEM puts it on, one of the strengths of Android (openness) is also a weakness. The carriers and OEMs load all this crap on then lock it down, requiring the phone to be rooted to remove it. I know for all the Android geeks this isn't a problem, but it is for the average consumer.

        Say what you want about Apple, but they took a hard line with the carriers and as a result, this stuff never found its way onto their phones (CarrierIQ aside).

        And I say that as an Android user. I shouldn't have to root just to get Sprint's freakin' NASCAR app off my phone.
      • RE: Android bloatware results in serious security flaws

        @piousmonk And the malware slipped past the app store checkers?
      • RE: Android bloatware results in serious security flaws


        I never said iOS was impervious to malware. I simply gave Apple credit for not letting the carriers muck up their hardware with bloatware, unlike Google and the Android OEMs.

        As for malware making its way into app stores, anyone who believes (or expects) that Apple's review process is going to be perfect really needs a reality check. Companies dedicated to malware protection don't achieve 100% detection/prevention, so to expect any company from a different sector to do so is naive.

        And let's not pretend that Google has a perfect batting average when it comes to preventing malware from entering their app store. They've had just as many instances, if not more.
    • RE: Android bloatware results in serious security flaws

      @TheCyberKnight Geeks? Seriously? Anyone over 60 IQ can use any smartphone in the market... Don't dumb yourself down by saying you can't use Android because you are no geek...
  • RE: Android bloatware results in serious security flaws

    I think I'll just stick to my dumb, do nothing phone...
    • Me too!

      @mcpetty I iz "old tech sheep kitty". =^.^=m
      PC Ferret
  • RE: Android bloatware results in serious security flaws

    Good God, Droid is a mess...
    The one and only, Cylon Centurion
    • RE: Android bloatware results in serious security flaws

      @Cylon Centurion, these articles come out constantly but I have yet to meet anyone who has ever been a victim of any foul play. I would be more worried if I owned an iPhone as they are usually the first and quickest to get hacked at hacker conferences. Yes, that's right, they are pwnd in less time than an Android phone.
      • RE: Android bloatware results in serious security flaws

        @MicroNix So none of the malware found in the Google App Market and the random SMS issue makes no nevermind? I love how you completely ignore the facts about your favored platform.
      • According to your logic, I never have, nor has anyone I know who

        @MicroNix has an iPhone running the authorized build ever been hacked, so therefore I shouldn't worry, and neither should anyone else.

        And who cares what happens at a hacker conference where hackers have weeks to prepare and only can execute it on a certain build, or in many cases a Jailbroken iOS device.

        And Like Pete said, I guess you are ignoring the malicious apps that exist in the Android Store. Much harder to get a Malware app into the Apple App store as it has to be digitally signed by Apple, and then if it is discovered that it is malware, Apple will know who to send to jail. Just like the recent malware author that got spanked by Apple for attempting to do just that.
    • is looking more and more like Windows

      @Cylon Centurion
      But let me guess... Is not MS fault if OEMs install full of bloatware...
      • RE: Android bloatware results in serious security flaws


        It isn't, to be blunt.
      • RE: Android bloatware results in serious security flaws


        Take away the bloatware and Android is still a mess.
        The one and only, Cylon Centurion
      • RE: Android bloatware results in serious security flaws


        And whose fault is it to include bloatware into iTunes?


        Why is that important? When you run the iTunes setup program, it unpacks six Windows Installer packages and a master setup program, which then installs nearly 300MB of program and support files, a kernel-mode CD/DVD-burning driver, multiple system services, and a bunch of browser plugins. It configures two "helper" programs to start automatically every time you start your PC, giving you no easy way to disable them. It installs a network service that many iTunes users don't need and that has been associated with security and reliability issues.

        And you wonder why I dislike iTunes with a passion that burns like the fire of a thousand suns?

        I believe that any bloatware is bad for efficiency and security. Period.


        Everything is theoretically impossible, until it is done.
        ~ Robert A. Heinlein
  • RE: Android bloatware results in serious security flaws

    @pgalea You might as well as forget getting an honest answer around here. About 99% of these responses are "MS is better than Apple, Apple is better than MS, Android is better than MS and Apple!"

    It's so pitiful most of the time that you just can't help but laugh at it. Every system has its flaws and every system has great positives, in the end it's up to each individual person. I happen to own MS products, windows computers, Vista laptop, and Win7 desktop. I also own an iPad.

    I also don't have a smartphone, just a regular cell phone that does have a camera. However, I haven't had an issue with iTunes, as has been mentioned here on any of my Windows devices, maybe because I don't use Safari or QuickTime which is part of the iTunes download?

    In any event, There are security issues with every system, all you need to do is be smart how you use your equipment when online.....
    • best response yet.

      Agreed and well put. I own ms products (xp-server-wm) for personal use. Apple macbook pro & iphone issued by work for work and android tablet for tinkering with. All have their pros and cons. To each his own. In my line of work apple has no place so 80% of us run windows on virtual box and/or vmware. So again, to each his own.
      Free Webapps