Here’s another reason why Android has constant issues with security: OEMs add their own code to devices that might have big holes of its own. With more than 1.4 billion Android devices in use, a security team can probably find ways to exploit any custom code OEMs add to Google’s final Android releases. In fact, Google’s own Project Zero team took the Galaxy S6 Edge’s custom software for a spin and found several significant flaws in its code.
As explained in a lengthy post on its Project Zero blog, the security team ran an internal contest for a week, with two teams of researchers tasked to find bugs in Samsung’s code that could be used by attackers for malicious purposes.
“Each team worked on three challenges, which we feel are representative of the security boundaries of Android that are typically attacked,” Google wrote. “They could also be considered components of an exploit chain that escalates to kernel privileges from a remote or local starting point.” These are the three challenges, as shared by the security team.
- Gain remote access to contacts, photos and messages. More points were given for attacks that don’t require user interaction and require fewer device identifiers.
- Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions.
- Persist code execution across a device wipe, using the access gained in parts 1 or 2.
In a week, Google discovered 11 security issues that could potentially affect the Samsung device.
“Overall, we found a substantial number of high-severity issues, though there were some effective security measures on the device that slowed us down,” Google concluded. “The weak areas seemed to be device drivers and media processing. We found issues very quickly in these areas through fuzzing and code review. It was also surprising that we found the three logic issues that are trivial to exploit. These types of issues are especially concerning, as the time to find, exploit and use the issue is very short.”
More specific details about each of the 11 security issues Project Zero discovered in the Galaxy S6 Edge’s code are available at the source link.