Phone manufacturers leaving Android open to attack
By Stewart Mitchell
Posted on 1 Dec 2011 at 08:58
Security researchers have uncovered a flaw in the way Android is implemented on many handsets, making it possible for attackers to record phone calls, send SMS messages and access user data.
The computer scientists from North Carolina State University tested handsets from several manufacturers, including Samsung, HTC and Motorola, and were “surprised to find out these stock phone images do not properly enforce the permission-based security model”, they reported in a paper.
In the absence of an app-vetting process, Android phones rely on a permission-based security model that requires each application to explicitly request permissions before it can be installed.
According to the researchers, they used "interprocedural data flow analysis" techniques to expose possible capability leaks where an untrusted app could gain unauthorised access to sensitive data or privileged actions.
Using a tool dubbed Woodpecker, the researchers found that of the 13 permissions run through the process, 11 of them could be exploited, with one individual phone leaking up to eight permissions.
“These leaked capabilities can be exploited to wipe out the user data, send out SMS messages to premium numbers, record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission,” the researchers said.
Bloatware at its best.
My Galaxy S2 came with so much junk installed I'm surprised it can boot up, and none of it can be removed until you root the phone, voiding your warranty. It's even more annoying when you learn the size of the security hole the stuff makes.
I tried installing Cyanogenmod, a fairly vanilla Android OS which I'd bet is much more secure. Unfortunately it wasn't great for battery life (which I suspect is more to do with the Samsung drivers than anything else). If they could address that, I'd be a convert.
By ChrisH on 1 Dec 2011
Same with my iPhone, sorry to say
Packed with as much bloatware as my son's HTC, and all the tracking logs (though Apple now say they have stopped supporting CarrierIQ since iOS 5), and security holes and apps waiting to do in-app payments without consent, so don't dare leave kids with it. Really gorgeous and smooth but wish they would resolve the above.
By Overmars on 2 Dec 2011
