Computer and mobile device security is a tough business. There's hype and then there are real threats and so far most in mobile have been hype (but see AVG-gate). Still, Android is either an OS with a lot of security vulnerabilities or everyone just likes to pick on it. Either way, between Carrier IQ earlier this week and now this paper from North Carolina State University, the little robot is having a tough time.
Computer scientists at NCSU created an app called 'Woodpecker' that would search for app vulnerabilities in Androids's permission-based security model. In short, when you install an app in Android, it tells you what that app can access e.g. user info, data, geolocation, recording sound, etc. Basically if you don't think a wallpaper app should have access to say, recording sounds, you prevent the app from installing. The problem is this: apps can unknowingly grant permissions to other apps, allowing a seemingly innocuous program to gain access to functions not agreed to by the user.
In the paper (PDF), the researchers looked at eight Android phones: HTC Legend, EVO 4G, Wildfire S; Samsung Epic 4G; Motorola Droid, Droid x and Google Nexus One and S. Only on-board, pre-installed software was analyzed e.g. OEM or carrier software, but not third party apps. In short, they found they could install apps that had access to higher level functions not specifically granted by the user via what is called a "confused deputy attack" where "where one app is tricked by another into improperly exercising its privileges". The culprit? OEM apps that unwittingly revealed their higher level permissions to 'Woodpecker--the more OEM apps, the more vulnerable. This is because, according to the researchers, "...app markets do not report the actual permissions granted to an app. Instead they report only the permissions an app requests or embodied in the manifest file".
As can be seen in the video above, an app is installed with these higher level functions but no warning was issued during installation. The question is this: is this a real threat or potential? Looks to be potential only at this point, but then again who knows. The researchers concluded it does "constitute a tangible security weakness" for Android.
"These leaked capabilities can be exploited to wipe out the user data, send out SMS messages (e.g., to premium numbers), record user conversation, or obtain the user’s geo-location data on the affected phones – all without asking for any permission."
Windows Phone seems to be inoculated against such attacks because, in theory, the apps are vetted. But then again, the AVG app did get by Microsoft meaning perhaps even Windows Phone apps could have similar vulnerabilities (what are called "capability leaks"). That AVG app, according to Justin Angel, improperly used the Geo Location (GeoCoordinateWatcher) in a way not granted by the certification guidelines. One thing working in our favor though is the sand-boxed nature of our OS and apps, meaning deep-level functions cannot be touched (unless you hack and interop-unlock, of course).
Update 6: Microsoft wants all of TikTok, but Trump's order may interfere
The Financial Times reports that as part of negotiations, Microsoft is now inquiring whether it can buy all of TikTok, instead of just the business in the US., Canada, Australia, and New Zealand. This new plan would include India and Europe (and excluding China).
Surface Duo and double Dans take over this week's Android Central podcast
Need even more Surface Duo in your life? Check out the latest Android Central podcast, in which Daniel Rubino and Daniel Bader (double the Dans!) discuss Surface Duo, Microsoft's Samsung love affair, and Project xCloud.
This is the best Windows 10 tablet you can buy right now
There are many Windows 10 tablets on the market, but it's hard to sort through the rubbish. Here's our picks for the best Windows 10 tablets you can buy right now. At the top of our list is the Surface Pro X, which we think is the best due to its ARM processor, large display, and thin form factor while still packing good battery life and excellent performance.
Secure your business with these Dell tools
Are you an IT professional or business owner that wants to heighten security? Dell Technologies has the products you need to keep your files, hardware, and more, as secure as possible.