14 DAY TRIAL // Researchers from the North Carolina State University released a paper in which they highlight the security issues that emerge from the fact that manufacturers and wireless carriers are allowed to modify Android operating systems to their own liking.
The study entitled "Systematic Detection of Capability Leaks in Stock Android Smartphones," presents a system called Woodpecker that determines the efficiency of Android’s permission-based security model.
HTC Legend/EVO, 4G/Wildfire S, Motorola Droid/Droid X, Samsung Epic 4G, and Google Nexus One/Nexus S were all put to the test using the Woodpecker system.
“In particular, Woodpecker employs interprocedural data flow analysis techniques to systematically expose possible capability leaks where an untrusted app can obtain unauthorized access to sensitive data or privileged actions,” reads the paper.
Unfortunately, the results are not too good. It turns out that of the 13 privileged permissions examined, 11 were leaked, one device in particular, HTC’s EVO 4G, leaking up to 8 permissions.
All these flaws could be easily used by a cybercriminal to monitor the user’s every move, to record conversations, obtain his geo-location data and even install software that seamlessly sends SMS messages to premium rate numbers, a practice that's favored by many hackers.
The researchers contacted the manufacturers to make sure they’re fully aware of these serious issues and while Google and Motorola quickly acknowledged the findings, HTC and Samsung failed to respond.
“Since April, 2011, we have been reporting the discovered capability leaks to the corresponding vendors. So far, Motorola and Google have confirmed the discovered vulnerabilities related to their phones. However, we experienced major difficulties with HTC and Samsung,” the experts note.
Finally, they explain that even if many would rush to blame the manufacturers for allowing vulnerable apps to be installed on the phone's firmware, “there is no need to exaggerate their negligence.” They believe that the security model can be easily adapted to mitigate the capability leaks they discovered.