A number of security issues have been plaguing Google’s Android OS lately. The widely adopted operating system was introduced by Google to provide an open user experience, allowing manufacturers to modify the operating system with their own tweaks and tricks. Now, seven years and several editions after launching the very first commercially-sold Android smartphone, Google is facing a number of security issues that threaten to steal sensitive content from Android-powered smartphones.
The Stagefright exploit
The recently unearthed ‘Stagefright’ fiasco has been doing the rounds lately. A potential threat that has apparently been there since Android v2.2, it lets any person with malicious intent hack into a phone with the help of a single MMS. The video embedded in the message contains code that gives a hacker access to your phone. With mobile computing growing rapidly, a lot of people now store sensitive content such as account passwords, boarding passes, credit cards, and bank identification on their cellphones. This, coupled with Android’s extensive market share across the world, exposes a huge number of users to the threat of being hacked any time, anywhere.
Google has since stated that its ASLR (address space layout randomization) technology in most smartphones will protect users from this hack, but many reports have not exactly been that reassuring. Nevertheless, it has been releasing major security patches and updates to recover from the flaw. The loophole was discovered by the good folks at Zimperium Inc., a mobile security firm, who have also released a tool to help users regain control of their security. A lot of havoc, however, might have already been done. Even more so, seeing that Stagefright requires practically zero user involvement, it has the potential to silently inflict the damage it is intended to.
The fingerprint debacle
Fingerprint scanner security locks on smartphones are becoming commonplace by the day, but they are not really becoming more secure. Two security researchers at the annual Black Hat conference showed exactly why, and how. It is now possible for hackers to lift fingerprint data from cellphones.
Many devices carrying these fingerprint sensors implement their security at the system level, and do not ‘lock it down’ to its roots. When fingerprint data is not locked down to the roots, it is much easier for the content to go amiss. With iOS, there is no way a hacker can reach the fingerprint data unless he retrieves the crypto key that protects it. With Android devices, a hacker can not only access the data, but also keep the sensor tapped to retrieve the fingerprint data of any user who taps his thumb on it.
Fingerprint authentication is now being used for authenticating payments in certain regions, which makes this a hunting ground for attackers. While a number of updates have since then been rolled out to devices to rectify this error and strengthen security, many devices (especially on lower budget rungs) may still be exposed to the threat.
Battery level giveaway
Apparently, your browsing habits are not secure, either. The HTML5 Battery Status API, used by Firefox, Chrome and Opera, tracks the battery level on Android phones so that certain features can be disabled when a phone hits low power levels. While this code is intended to increase battery stamina, it ends up generating an ID that keeps track of your phone, potentially compromising your secure identity.
While this was a relatively less potent threat, because the window between revisits is short and the algorithm required for a website to successfully track a device's location is complicated, it still raises a question about the security levels on an Android smartphone. The flaw was discovered, yet again, by four researchers, as we reported a few days ago.
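To make the battery readout's role as an identifier concrete, here is an added illustration (not code from the researchers or from any browser) that runs under Node.js on constructed sample visits. It compares the full readout with a coarsened one; the function names and the 0.1 rounding step are assumptions made for this example.

```javascript
// Added illustration; all names and values below are constructed for this example.
// Each record mimics what the Battery Status API exposes to a page:
// level (0..1), chargingTime and dischargingTime (seconds, Infinity if n/a).
const visits = [
  { visit: "device-A, cookies present", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { visit: "device-A, cookies cleared", level: 0.43, chargingTime: Infinity, dischargingTime: 8940 },
  { visit: "device-B", level: 0.43, chargingTime: Infinity, dischargingTime: 12780 },
  { visit: "device-C", level: 0.47, chargingTime: 3120, dischargingTime: Infinity },
  { visit: "device-D", level: 0.41, chargingTime: Infinity, dischargingTime: 9020 },
];

// The full-precision readout, used as a short-lived identifier.
function rawKey(v) {
  return [v.level, v.chargingTime, v.dischargingTime].join("|");
}

// Mitigated readout: level rounded to coarse steps, time estimates withheld.
function coarseKey(v, step = 0.1) {
  return (Math.round(v.level / step) * step).toFixed(1);
}

// Group visits by key. Visits in the same group look identical to the site.
function groupByKey(list, keyFn) {
  const groups = new Map();
  for (const v of list) {
    const key = keyFn(v);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(v.visit);
  }
  return groups;
}

// distinctKeys: how many separate identities the site sees.
// largestGroup: the biggest crowd any single visit can hide in.
function summarize(list, keyFn) {
  const sizes = [...groupByKey(list, keyFn).values()].map((g) => g.length);
  return { distinctKeys: sizes.length, largestGroup: Math.max(...sizes) };
}

console.log("raw   :", summarize(visits, rawKey));
console.log("coarse:", summarize(visits, coarseKey));
```

With the raw readout, the two visits from device A share a key that no other device has, so clearing cookies does not separate them; with the coarse readout, device A falls into the same group as devices B and D.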
App permissions
This has been a contentious issue with Android devices. We recently had a tip-off involving popular e-commerce retailer Flipkart, where the app seemed to require access to contacts to work, without having a specific need for it. While the full incident is a saga of our inquisitive minds and Flipkart’s repetitive, almost-generic answers, it told us that the app clearly did not need access to contacts, but wanted it.
In the same app on iOS, there was no place for the application to ask for access to contacts. While a lot of people state iOS to be too ‘closed’, not allowing users or third party agents to tweak too much about the OS, there is no denying that the platform is, indeed, safer. Unwarranted application permissions are a major flaw that can easily lead to outsiders taking control of your phone.
Improved security curation, Google?
(Dis)honourable mention
Android’s security flaws have somehow been there forever, and it takes sudden, inspired watchmen to put a stop to them. The ‘Master Key’ mishap gave a hacker scope to turn a legit application into a malicious tool by modifying the app’s APK without changing its signature. The flaw had serious implications with applications that were tied up with the device makers themselves, giving hackers complete access to a device.
This flaw has reportedly been patched since it was discovered back in 2013, but the question remains – if it was done once, can it be done again?