Security Week 09: who is responsible for Android security?

Just a few news last week concerned the security of the Android platform. Of greatest interest is study Samsung smartphone security conducted by the Google Project Zero team. In the Samsung Galaxy A50 model (possibly in others, too, but this has not been verified), the manufacturer has built its own code in the Linux kernel, which is responsible for process authentication. The Process Authenticator system is designed to enhance the security of the smartphone: when starting applications and system services, it verifies the digital signature.

A relatively small number of processes are checked. According to the unique signature format, the researcher found only 13 pieces, among them – services for working with Bluetooth and Wi-Fi. An expert from Google created a scenario in which the Process Authenticator system is called to “check” a malicious application, and a number of vulnerabilities in Samsung code allow for extended rights. An example of reading data from the database of accounts authorized on the phone is given. The conclusion from this is the following: modifying the kernel from a vendor (that is, from Google) is not always a good idea. And here a completely technical article goes into the plane of politics and raises the topic of interaction between the participants of the Android ecosystem: who should be responsible for the security of software, and should smartphones developers restrict code modifications for this very security?

At least in the media, this study interpreted as a polite request from Google not to interfere with the code. In the study, it is formulated as follows: do not touch at least the core. Ideally, use safe kernel interaction techniques when writing device drivers. It also provides another example of imperfect (to put it mildly) work of a particular vendor with the Android developer. In September 2018, the Linux kernel was discovered and fixed soon enough. bug, but the patch did not reach a specific Samsung phone with security updates from November 2019 (it was fixed only with the February update this year). That is, Samsung had information, a patch was available, but for some reason (possibly a patch conflict with the manufacturer’s own code) they did not apply it.

This interesting study shows in detail how fragmentation of the Android platform works and how it affects security directly (updates arrive late) and indirectly (custom code is added, which in itself may be vulnerable). Nevertheless, the solution to this problem, as well as an assessment of its seriousness, is no longer a technical discussion, but rather a matter of observing the interests of all parties.

The Android ecosystem’s traditional issue is malicious apps entering the official Play Store. Check Point Research recently found nine applications from the repository with a new kind of malicious code known as Haken. It allows you to spy on users and subscribes them to paid services. Google in January deleted from the Play Store 17 thousand applications using the malicious Joker platform: the code was well hidden, and the programs successfully passed the test before publication. Also last week google deleted Over 600 apps for annoying ads.

What else happened:

Another critical vulnerability in the plugin for WordPress. The Duplicator add-on for backup and site transfer can be used to freely download files from the server without authorization, including, for example, a database of user logins and passwords.

Adobe released an extraordinary update that covers two critical vulnerabilities in After Effects. An unexpected goal for an emergency update, but also serious vulnerabilities – using the prepared file for this program, you can execute arbitrary code.

Fresh leaks data: MGM Resorts customer database surfaced at a hacker forum. Over 10 million entries include visitor information for MGM Grand Las Vegas casinos. Personal information, contact information, but not payment data, became publicly available. Among the victims, as expected, many celebrities.

Interesting studyon the BlueKeep Vulnerability in Windows Medical Technology. This bug in Remote Desktop Protocol was closed a year ago, but, according to CyberMDX, more than half of Windows-based medical devices work on versions of the OS that are not updated.

For Amazon Ring Webcam Users introduced forced two-factor authentication. The innovation is associated with a large number of attacks on weak (or reusable) user passwords, as a result of which crackers gain access to video data and can even contact victims directly. In December, about several such hacks wrote and in traditional media.

Eclypse Research Raises Theme verification Firmware updates for various devices, including, for example, touchpads, Wi-Fi modules for Lenovo, HP, and Dell laptops. The lack of a digital signature theoretically means that you can flash such a module without the user’s knowledge, bypassing the standard update delivery system, and at the same time add malicious functions to the code.

Similar Posts

Leave a Reply