Wednesday, December 14, 2011
Manufacturers’ Android modifications open security leaks, study shows
North Carolina State University researchers have discovered holes, created through manufacturer modification of Android, that make it possible for malicious apps to access information for which they do not have explicit permission from the user.
Researchers at North Carolina State University have discovered a vulnerability in a number of leading Android handsets that could allow hackers to access private data without having to get explicit user permission. According to the study, such a loophole could give malicious hackers the ability to “wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.”
Unlike apps for iOS, which alert a user anytime the app wants to access some type of personal information, like location, Android apps use a permissions-based security system, which tells the user up-front what types of information the app may at some point need to access. Users can then decide whether or not they want to install the app based upon those permissions.
The NCSU study shows that the modification of Android by some handset manufacturers creates a hole in the permissions infrastructure, which could allow hackers to access sensitive private information, or perform functions on the phone, even if an app doesn’t explicitly request permission to perform these activities.
“These features are standard and make the phone more user-friendly,” said Xuxian Jiang, assistant professor of computer science at NCSU. “They make the phones more convenient to use, but also more convenient to abuse.”
Using their “Woodpecker” diagnostics tool, which checks to see if an app can perform a function for which it has no permission, the researchers found the following devices to be most vulnerable: HTC Evo 4G, HTC Wildfire S, HTC Legend, Motorola Droid and Droid X, Samsung Epic 4G, Google Nexus One and Nexus S. Both Google and Motorola have responded to the researchers, confirming their discovery. Samsung and HTC, however, have given the team “major difficulties.”
Despite their findings, the researchers say that manufacturers should not necessarily be condemned for including these loopholes. In addition, they say all is not lost with Android’s permissions-based system.
“Though one may easily blame the manufacturers for developing and/or including these vulnerable apps on the phone firmware, there is no need to exaggerate their negligence,” the team writes in the study. “Specifically, the permission-based security model in Android is a capability model that can be enhanced to mitigate these capability leaks.”
Read the full study here (pdf).
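A simplified, manifest-level audit for the kind of leak described above, as an added example that is not from the article, the NCSU study or the Woodpecker tool: it flags components of a preloaded app that any other app can reach without holding a permission, when the preloaded app itself holds a permission for sending SMS, recording audio or wiping data. The package name, component names and sample manifest are constructed, and the export rule assumes the implicit default of Android releases from that period.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the actions named in the article (SMS, recording, wipe).
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.RECORD_AUDIO",
             "android.permission.MASTER_CLEAR"}

# Constructed manifest of a hypothetical preloaded app (not from any real firmware).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.oemtool">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SmsRelayService">
      <intent-filter><action android:name="com.example.oemtool.SEND"/></intent-filter>
    </service>
    <service android:name=".GuardedService" android:exported="true" android:permission="android.permission.SEND_SMS"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.oemtool.PING"/></intent-filter>
    </receiver>
    <activity android:name=".Settings"/>
  </application>
</manifest>"""

def is_exported(comp):
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    # Assumption: no explicit flag plus an intent-filter means reachable by other apps.
    return comp.find("intent-filter") is not None

def unguarded_entry_points(manifest_xml):
    """Return (tag, name, sensitive permissions held) for each exported, unprotected component."""
    root = ET.fromstring(manifest_xml)
    held = sorted(p.get(A + "name") for p in root.findall("uses-permission")
                  if p.get(A + "name") in SENSITIVE)
    app = root.find("application")
    if app is None or not held:
        return []  # nothing sensitive for a caller to borrow
    app_guard = app.get(A + "permission")  # applies to every component when set
    findings = []
    for tag in ("activity", "service", "receiver"):
        for comp in app.findall(tag):
            guard = comp.get(A + "permission") or app_guard
            if is_exported(comp) and not guard:
                findings.append((tag, comp.get(A + "name"), held))
    return findings

if __name__ == "__main__":
    for tag, name, held in unguarded_entry_points(SAMPLE_MANIFEST):
        print(f"review {tag} {name}: callable without permission, app holds {held}")
```

A hit is only a candidate for review: whether the component actually performs the privileged action on a caller's behalf has to be confirmed in its code.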