Android, you have serious security problems

Google has failed to meet its own deadlines for fixing two nasty Android security flaws, and is failing to communicate. It's time to put some stick about.
Written by Stilgherrian , Contributor

"This is Android's moment to stop and have a 'trustworthy computing' moment," tweeted Scott Williams, a Sydney-based IT consultant, on Friday. He's right. Two massive vulnerabilities need to be patched fast, and that's highlighted the utter shoddiness of the Android ecosystem's processes for updates.

And that includes Google itself.

Last week, Google issued a patch for the Stagefright vulnerability -- the nasty one, where the device can be compromised by sending it an MMS message. It affects every Android version since 2.2, an estimated 950 million devices in use worldwide.

But the patch doesn't work.

"The patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping. The public at large believes the current patch protects them when it in fact does not," Exodus Intelligence wrote in their announcement of the discovery on Thursday

"We notified Google of the issue on August 7th but have not had a reply to our query regarding their release of an updated fix. Due to this, as well as the following facts, we have decided to notify the public of our findings," they wrote.

Exodus is clearly unimpressed: "The flaw was initially reported over 120 days ago to Google, which exceeds even their own 90-day disclosure deadline... Google is still currently distributing the faulty patch to Android devices via OTA updates... Google has not given us any indication of a timeline for correcting the faulty patch, despite our queries."

If that wasn't bad enough, researchers at MWR Labs announced -- also on Thursday -- that they've figured out a way to bypass Android's sandbox.

"A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," says MWR Labs' advisory.

MWR Labs says they first disclosed this issue to Google on 17 March this year, and it was acknowledged the next day. Nothing was heard for two months, and when MWR Labs asked what's going on, Google asked for another two weeks, and then another extension. Another seven weeks passed with no news of progress, so on 5 August, MWR Labs informed Google of their intention to disclose the vulnerability -- which they did this week.

Respected security journalist Dan Goodin described these two vulnerabilities as a one-two punch that has put Android security on the ropes.

"The rash of vulnerabilities being reported in Android and the difficulty in getting them installed on end-user devices is taking its toll on the mobile OS. Fortunately, there are no current indications that such vulnerabilities are being actively exploited in the wild. Still, Android users -- this reporter included -- have reason to be concerned and to remain wary," Goodin wrote.

Until now, I suspect that most of us had assumed that Google's processes were robust, and that Android's security problems could be blamed on the rest of the supply chain. Device manufacturers that were slow to issue patches, and telcos that were even slower -- if they even bothered at all.

Even though Samsung and HTC had announced that they'd be moving to a monthly patching cycle -- welcome to the best practices of 2003, guys -- Android end-user security would still be at the mercy of the telcos.

Christopher Soghoian, principal technologist at the American Civil Liberties Union's Speech, Privacy and Technology Project nailed it in a tweet on Monday: "Samsung/HTC: We will give monthly security updates to carriers -> I am giving a steak to my dog, to deliver to you. I'm sure it'll arrive."

Now, though, it looks like Google itself is a key part of the problem.

So, what to do about it?

The "trustworthy computing moment" that Williams was referring to happened back in 2002, when Microsoft's software was being compromised by one virus and worm after another. Then-CEO Bill Gates issued an all-staff memo which pointed out something that should have been obvious: If people dont trust products, they won't buy them, so we need to fix our stuff.

Gates' memo launched Microsoft's Trustworthy Computing initiative. The company's programming efforts were restructured into the Security Development Lifecycle. The result? The security of Microsoft's products improved dramatically. So much so, in fact, that the bad guys moved up the stack to the application layer, and found themselves a target-rich environment. Hello, Adobe!

But that took years. Windows Vista was completed on 8 November 2006, but was only partly developed under SDL. Windows 7 was the first operating system developed under SDL from start to finish, and that wasn't released to manufacturing until 22 July 2009.

Android doesn't have that many years. The game has changed. Android isn't facing a handful of amateur malware authors from 2002. It's facing the professional, well-organised criminal and government operations of 2015.

Fortunately, Android is in a better position now than Microsoft was in 2002. Current versions of Android are more secure than Windows ME or the first release of Windows XP -- not a difficult task, sure -- and the massed waves of malware haven't started hitting just yet.

But clearly, Google needs to fix its problems, and fast. Device manufacturers need to follow the example of Samsung and HTC, and get those updates moving. And telcos need to realise that if they want to insert themselves into the supply chain, then they've got to seriously lift their game -- or get out of the way.

This isn't to say that Android's chief competitor, Apple's iOS, is perfect.

Updates for both OS X and iOS were released today, and both fix a long list of security problems -- some of them, in the case of OS X version 10.10.5, date back to last year.

In February 2014, I wrote that Apple's goto fail needed a massive culture change to fix. Have things changed since then? Perhaps, but the cult of secrecy still rules the magic garden.

"For the protection of our customers, Apple generally does not disclose, discuss, or confirm security issues until a full investigation is complete and any necessary patches or releases are available," reads Apple's product security page.

That means Apple may know full well about unpatched vulnerabilities, but you won't know about them -- even if they're being actively exploited.

Disclosure: Stilgherrian has travelled to US security events twice as Microsoft's guest, including a briefing on SDL. He uses a MacBook Pro, having been primarily a Mac user since 1985. And he uses an Android phone -- for now.

Editorial standards