Wednesday, December 14, 2011

Manufacturers’ Android modifications open security leaks, study shows

North Carolina University Researchers have discovered holes created through manufacturer modification of Android that makes it possible for malicious apps to access information for which they do not have explicit permission from the user.
Researchers at North Carolina State University have discovered a vulnerability with a number of leading Android handsets that could allow hackers to access private data without having to get explicit user permission. According to the study, such a loophole could give malicious hackers the ability to “wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.”
Unlike apps for iOS, which alert a user anytime the app wants to access some type of personal information, like location, Android apps use a permissions-based security system, which tells the user up-front what type of information to which the app may at some point need access. Users can then decide whether or not they want to install the app based upon the permissions granted.
The NCSU study shows that the modification of Android by some handset manufacturers creates a hole in the permissions infrastructure, which could allow hackers to access sensitive private information, or perform functions on the phone, even if an app doesn’t explicitly request permission to perform these activities.
“These features are standard and make the phone more user-friendly,” said Xuxian Jiang, assistant professor of computer science at NCSU. “They make the phones more convenient to use, but also more convenient to abuse.”
Using their “Woodpecker” diagnostics tool, which checks to see if an app can perform a function for which it has no permission, the researchers found the following devices to be most vulnerable: HTC Evo 4G, HTC Wildfire S, HTC Legend, Motoroal Droid and Droid X, Samsung Epic 4G, Google Nexus One and Nexus S. Both Google and Motorola have responded to the researchers, confirming their discovery. Samsung and HTC, however, have given the team “major difficulties.”
Despite their findings, the researchers say that manufacturers should not necessarily be condemned for including these loopholes. In addition, they say all is not lost with Android’s permissions-based system.
“Though one may easily blame the manufacturers for developing and/or including these vulnerable apps on the phone firmware, there is no need to exaggerate their negligence,” the team writes in the study. “Specifically, the permission-based security model in Android is a capability model that can be enhanced to mitigate these capability leaks.”
Read the full study here (pdf).

17 commentaires:

tarots gratuits said...

Hello there, I found your website via Google while looking for a related topic, your web site came up, it looks great. I have bookmarked it in my google bookmarks.

barbara said...

Just a quick note to tell you that your blog is great.
Keep it up and that the force be with you
voyance par telephone

voyance said...

It’s a really great site you have here. Thank you for the effort to be so good for us (even though we don`t deserve it) and keep it up.

voyance gratuite mail said...

Everything is well designed your site and very nice with many choices, it is a wonder! Congratulations. friendly

Meera Saif said...

Adorable item that I discovered by chance, and my greatest pleasure, congratulations!
voyance gratuite par mail

voyance par mail gratuite said...

Great and awesome, I really enjoy reading the post, thanks for sharing I really like it.

voyance serieuse gratuite said...

Love it! A site where we can not see the time go !!
Thank you to you!

voyance en ligne gratuite said...

I am very much pleased with the contents you have mentioned.I wanted to thank you for this great article. I enjoyed every little bit part of it and I will be waiting for the new updates.Thanks.

lora said...

Félicitation à tous ceux qui veillent pour le bon déroulement de ce magnifique blog

voyance gratuite en ligne

voyance gratuite par email said...

I went for a ride on your site. Continues! Can you put me in partner because I put you on my website.

Appartement à vendre casablanca said...

Thank you for sharing this thought provoking post

rosy123 said...

Coucou, ton blog est trop ! Je viens tous les jours et cela me plait beaucoup

voyance gratuite en ligne

voyance par mail gratuite said...

Merci pour tout ce travail que cela représente et pour tout le plaisir que j’y trouve

rosy123 said...

Bravo ! Votre blog est l'un des meilleurs que j'ai vu !
voyance gratuite en ligne

voyance gratuite en ligne par mail said...

Merci c’est super!.. Bravo tout simplement. Et encore merci infiniment.

rosy123 said...

Franchement vous êtes formidable d'avoir fait un site pareil
voyance email

spuig Maurice said...

Mille mercis pour tout.
Tu es incroyable, mille bisous pour toi.

avenir gratuit par mail

Post a Comment