Suddenly the big beasts of Android are taking the platform's security very seriously. Recent weeks have seen a number of significant security flaws, including a particularly alarming one called Stagefright that could be used against almost every Android user on the planet with very little difficulty.
Google suddenly appears to be less laid back than usual about this, announcing within days of Stagefright that from this month its own Nexus devices will receive at least monthly Over-The-Air (OTA) updates offering security fixes. Samsung, the biggest hardware partner, has said it will feed this through to Galaxy smartphones and tablets, also from this month, although the timing for specific fixes will still depend on coordination with mobile carriers.
What prompted the change? Numbers from Danish vulnerability management firm Secunia show that 80 flaws have been found in Apple's iOS so far in 2015 compared to an apparently modest 10 in Android. These numbers are deceptive; what matters with mobile operating systems is how serious the flaws are, how easy they are to fix and how quickly that happens. Apple has direct control over that process; Google (with the exception of Nexus devices) doesn't. If Google either produces a patch that must be applied by carriers or phone makers, or the flaw exists in a third-party plug-in that is part of the ecosystem not controlled by Google, it could be weeks, months or never before handsets receive an update.
Worries about Android's fragmentation and its effect on security are nothing new, but anxieties about the way the platform handles security run deeper. There was a time when Windows PCs were only updated for security issues on an occasional basis, but by 2003 Microsoft had realised that this was no longer sufficient. Android is now going through much the same growing-up process.
Depending on the nature of the flaw (i.e. whether it is buried in Android itself or a third-party component) Google always produces the first fix. But consumers still rely on carriers and manufacturers to apply it, and much the same may apply to enterprises. The fact that a large organisation manages its Android devices using Samsung's Knox security platform for BYOD or a third-party Mobile Device Management (MDM) system is irrelevant if no patch is available for the flaw in question.
The 'Certifi-Gate' mRST flaw
Revealed this week by Check Point, this is a weakness in the certificates of two mobile Remote Support Tool (mRST) plug-ins called Rsupport and TeamViewer, used by a large number of handset makers for remote support. In essence, the weakness allows an attacker to use a malicious app to piggyback on the certificates and permissions given to these apps, taking control of the device.
Devices affected: Devices from affected makers running Android up to version 5.1
Year: 2015
Fix: Not easy but will depend on each company updating handsets individually. There's also some doubt about how easy it will be to revoke access to older versions of the vulnerable plug-ins, which implies that attackers could find a way back in even when an update is issued.
Tools: Check Point offers a Certifi-gate scanner app which admins can use to confirm the bad news.
'Stagefright' MMS flaw
The most severe flaw ever to affect Android, largely because of its universality and the ease with which it could be exploited by an attacker to take over a handset by sending a malicious MMS message. Google's Nexus devices should get the fix first, straight from Google, although as of 7 August that hadn't happened on our test device. Otherwise, enterprises are at the mercy of the handset maker and network carrier in question unless they run a specialist device such as the secure Blackphone, which has already implemented it. This flaw will be a major test of how fast Android can be updated in the field for a major issue.
Devices affected: All handsets up to version 5.1
Year: 2015
Fix: Wait for updates from the device maker or Google. In the meantime, disable automatic MMS retrieval in the default messaging app if the carrier doesn't do it.
Tools: Zimperium has released an app on Google Play to detect vulnerable smartphones called Stagefright Detector.
Android Installer hijacking
Allows attackers to hijack the install process and sneak a malicious application on to the target smartphone. A vulnerability that will still be very common on older Android smartphones, although it only affects enterprises using third-party app stores, which reduces the danger level.
Devices affected: Up to version 4.3
Year: 2015
Fix: Buy a new smartphone or update to Android 4.3_r0.9
Tools: Palo Alto offers a tool on Google Play.
Android FakeID flaw
Slightly older but potentially serious flaw, again affecting older smartphones from version 2.1 to version 4.4. Provides a way for attackers to impersonate a trusted application without that being apparent to the user.
Devices affected: All Android versions up to 4.31
Year: 2014
Fix: Multiple handset makers and carriers released patches for this flaw by early August 2014.
Tools: Bluebox Security and others released scanner apps.
Linux futex 'TowelRoot'
A vulnerability that started life with a CVE number but not long after was incorporated into a legitimate rooting tool - the first proof-of-concept exploit in effect, albeit one with a specific purpose. That tool gave the flaw its name, TowelRoot. Unusual in that it also affected Linux itself, and was given the CVE-2014-3153 identifier.
Devices affected: Android up to version 4.4
Year: 2014
Fix: Patched in Android 4.43
Tools: None needed to detect it, but some mobile security products claim to block it.