The tech world is full of great devices, but along with it, even comes a number of security issues. The recent one is for those Android users, who have Bloatware installed by their handset manufacturers. Reason being that Bloatware is making Android insecure.
Researchers even said that it’s not just Carrier IQ, which one has to worry about. But along with it, it was even noted that some pre-loaded apps on Android handsets contain a serious security vulnerabilities that could be used to wipe the handset, steal data, or even eavesdrop on calls.
A detailed research was carried out by a team of researchers from North Carolina State University discovered a unique security vulnerability on eight different smartphones from Google, HTC, Motorola and Samsung. According to the details, published by the team, the problem related to how the Android permission-based security model is enforced and allows permissions granted to a pre-installed app to be ‘leaked’ to another without user consent. An extract of the publishing can be seen as under:
Our results with eight phone images show that among 13 privileged permissions examined so far, 11 were leaked, with individual phones leaking up to eight permissions. By exploiting them, an untrusted application can manage to wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission:
The team has tested on smartphones and the positive results were noted for the following eight smartphones:
-
HTC Legend
-
HTC EVO 4G
-
HTC Wildfire S
-
Motorola Droid
-
Motorola Droid X
-
Samsung Epic 4G
-
Google Nexus One
-
Google Nexus S
One might think, as to how did the team come to know about the vulnerability. It was noted that the team used a custom-build scanner called ‘Woodpecker’ to scan the pre-loaded apps for permissions leaks relating to the following permissions:
They categorized the leaks in the following categories:
-
Explicit capability leaks – Allow an app to successfully access certain permissions by exploiting some publicly-accessible interfaces or services without actually requesting these permissions by itself.
-
Implicit capability leaks – Allow the same, but instead of exploiting some public interfaces or services, permit an app to acquire or “inherit” permissions from another app with the same signing key.
Moreover, the results from the tests can be noted as under:
No wonder, the researchers called these findings ‘worrisome.’
One can even see a video demonstration of the permissions leakage in action:
{iframe width=”620″ height=”390″ align=”top”}http://www.youtube.com/embed/xGwTviVRcrg{/iframe}
Finally, it can be said that Bloatware installed by the handset manufacturers is making Android insecure.