Google reveal Samsung security flaws

apolloa

macrumors G5
Original poster
Oct 21, 2008
12,249
7,701
Time, because it rules EVERYTHING!
Interesting BBC news article. It discusses how Google has found security holes in Android because of Samsung's skin. They are not picking on Samsung, as they chose to highlight them as their phones are the most popular; Google was using them as an example of how it's trying to make Android secure but OEM software is hindering them. Convenient timing for the Nexus brand? Or good advice for handset owners? You can decide.

Here is the article:

http://www.bbc.co.uk/news/technology-34719564

Google has highlighted 11 security flaws in Samsung's flagship Android handset, the Galaxy S6 Edge.

The vulnerabilities include a loophole that could have been used by hackers to gain control of a victim's phone.

Most of the issues were fixed after Google notified Samsung, but some have yet to be addressed.

One independent expert said the bugs "significantly weakened the security" of Google's operating system.

"There is definitely a tension between Google and the handset manufacturers because Google wants to protect its Android brand, and when it comes to security, Android has been quite tarnished," added Dr Steven Murdoch, a security researcher at University College London.

"Some of that is down to the extra software that handset manufacturers add."

A statement from Samsung said the three remaining bugs would be fixed via a security update later this month.

"Maintaining the trust of our customers is a top priority", said the company.

Hijacked emails

Details of the bugs were disclosed by Google's Project Zero team, whose job is to hunt out previously unknown computer security flaws.

It said that several of the flaws would have been "trivial to exploit".


"Over the course of a week, we found a total of 11 issues with a serious security impact," the team blogged.

"The majority of these issues were fixed on the device we tested via an OTA [over the air] update within 90 days.

"It is promising that the highest severity issues were fixed and updated on-device in a reasonable timeframe."

Among the vulnerabilities was a weakness found in Samsung's email software that could have allowed hackers to forward a victim's messages to their own account.

Another allowed attackers to alter the settings of Samsung's photo-viewing app by sending the handset a specially encoded image.

But Google said the most interesting issue was the existence of a "directory traversal bug" in a wi-fi utility built in to the phone.

"If someone provided malicious data to the software, they could then change other files on the system and interfere with other functions, in particular security functions," said Dr Murdoch.



To do this, he said, a hacker would also need to convince their target to install a malicious app, which might appear to have very limited access to the phone's other functions.

But by exploiting the flaw, the malware could then escalate its privileges.

"This would only happen as part of a chain of events, but eventually it could allow someone to take over the entire phone," Dr Murdoch added.

"Android tries to have layers of protection, so even if you break past one level of protection there's another one.

"This removed some quite important layers of that protection."

Samsung confirmed it had addressed this particular issue in a security update released last month.

"Samsung encourages users to keep their software and apps updated at all times," added a spokesman.
 

mclld

macrumors 68020
Nov 6, 2012
2,204
1,195
TW shaming is good, well any skin shaming. Samsung has me like this


Awesome, cutting edge hardware but then they put TW on it
 

AustinIllini

macrumors demi-goddess
Oct 20, 2011
10,826
7,437
Austin, TX
Yeah, this isn't a good look for Samsung, for sure.

I think the future of Android is two major branches:
Android Open Source Project for OEMs (Open)
Android for Nexus phones, tablets, and Chromebooks (Proprietary)
 

AustinIllini

macrumors demi-goddess
Oct 20, 2011
10,826
7,437
Austin, TX
That would be good I think.
Agreed. At some point, Google might even have to "rebrand" its stock proprietary Android offering to escape the security woes often associated with the current fragmented ecosystem. I don't know if you go "Android Pure" or something, but the reality is, Android is not a name associated with security.
 

Phil A.

Moderator
Staff member
Apr 2, 2006
5,499
2,280
Shropshire, UK
Awesome, cutting edge hardware but then they put TW on it
Every time I've had a Samsung device (and I've had a few), I've been incredibly impressed by the hardware and incredibly frustrated by TW and the slowness of getting updates out - I've got a Tab S that I waited nearly a year for a fix to a major bug that completely crashed the tablet if you were casting audio and pulled the notification shade down, never mind how long it takes them to update to new major revisions of Android!

I have no issues with manufacturers adding to Android to support things like the S-Pen but the core OS should be fixed and controlled by Google (similar to the way Windows is controlled by Microsoft) - I don't know if it can or will ever happen, but until it does, these issues are always going to arise
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
Every time I've had a Samsung device (and I've had a few), I've been incredibly impressed by the hardware and incredibly frustrated by TW and the slowness of getting updates out - I've got a Tab S that I waited nearly a year for a fix to a major bug that completely crashed the tablet if you were casting audio and pulled the notification shade down, never mind how long it takes them to update to new major revisions of Android!

I have no issues with manufacturers adding to Android to support things like the S-Pen but the core OS should be fixed and controlled by Google (similar to the way Windows is controlled by Microsoft) - I don't know if it can or will ever happen, but until it does, these issues are always going to arise
This I agree with. I think it is funny that Google is slamming OEMs that are using THEIR OS. IF Google is concerned then they should harden the OS and lock it down. But throwing mud at your business partners is not a good thing. Samsung just might go to Tizen as the OS of choice for their phones.
Funny thing is other than lack of apps.....the change would be invisible to most consumers.
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
This I agree with. I think it is funny that Google is slamming OEMs that are using THEIR OS. IF Google is concerned then they should harden the OS and lock it down. But throwing mud at your business partners is not a good thing. Samsung just might go to Tizen as the OS of choice for their phones.
Funny thing is other than lack of apps.....the change would be invisible to most consumers.
I want Google throwing mud, and to continue to, until OEMs and carriers start doing the right thing.
 

apolloa

macrumors G5
Original poster
Oct 21, 2008
12,249
7,701
Time, because it rules EVERYTHING!
I have to say, although I am missing the Note 5 I tried to live with, in my opinion TouchWiz wasn't as good as my Sony Xperia Z3 Tablet skin. I think because Sony doesn't change a lot of things. Plus they have been pretty good with the updates.
I haven't changed a thing on my tablet out the box, whereas I was trying different launchers on the Note 5. However if you like to tinker as some on here do, you can release that VERY powerful hardware.

Google is absolutely right in what it's claiming; it releases these patches to their OEM partners who then take months to update their devices. As said above perhaps Google should have its own Android version for Nexus and then a different one for OEMs.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
I want Google throwing mud, and to continue to, until OEMs and carriers start doing the right thing.
I agree...to a point. They need to keep on OEMs to make security a bigger concern. But making those public instead of developing a structure in place to have all this done behind the scenes is the best route.
After all Android is their OS. If it has flaws holes and security concerns then Google should be the one patching and hardening the OS so that it cannot be compromised so easily.
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
I agree...to a point. They need to keep on OEMs to make security a bigger concern. But making those public instead of developing a structure in place to have all this done behind the scenes is the best route.
After all Android is their OS. If it has flaws holes and security concerns then Google should be the one patching and hardening the OS so that it cannot be compromised so easily.
Security work and flaws should never be behind the scenes; it should always be 100% transparent. Behind the scenes is how things go unpatched for years.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
Security work and flaws should never be behind the scenes; it should always be 100% transparent. Behind the scenes is how things go unpatched for years.
no...quite the opposite. It is one thing to notify a company of a flaw or security exploit. It is quite another thing to make those flaws or exploits public without a private notification. Those are two distinctly different things.
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
no...quite the opposite. It is one thing to notify a company of a flaw or security exploit. It is quite another thing to make those flaws or exploits public without a private notification. Those are two distinctly different things.
Nope, they all need to be public, every last one of them. They should be on the front page of every media outlet from newspapers to tech blogs.
 

MRU

Suspended
Aug 23, 2005
25,312
8,706
Other
If it has flaws holes and security concerns then Google should be the one patching and hardening the OS so that it cannot be compromised so easily.
That would only be possible if Samsung used stock android. As soon as they begin changing and altering it - security flaws become their issue to address.
 

gotluck

macrumors 603
Dec 8, 2011
5,638
1,014
East Central Florida
That would only be possible if Samsung used stock android. As soon as they begin changing and altering it - security flaws become their issue to address.
Especially since most of these items seem to be from Samsung specific apps

Important to note most of these seem to have been patched
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
Nope, they all need to be public, every last one of them. They should be on the front page of every media outlet from newspapers to tech blogs.
That is where we disagree and will leave it at that. Even the most ardent exploit finders in the world all do private notifications first. Then when no action was taken they make them public.
Here is one scenario if you will.
Your next-door neighbor notices your teenager comes home late and doesn't lock the front door to your house at night. Instead of notifying you that maybe that is not a good idea privately......they post that fact on the internet or something to that effect, maybe a community bulletin board or such.
It's the same concept. If trying to help you is the intent then a private conversation is all that is needed.
If you're trying to hurt your neighbor and have them compromised then posting it on the internet for everyone to see.....is a good place to start.

If you post a flaw or exploit publicly before the OEM has had a chance to patch then you are leaving them open to be hacked or compromised.
But if you notify them and they don't patch then....then that's a different story.
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
That is where we disagree and will leave it at that. Even the most ardent exploit finders in the world all do private notifications first. Then when no action was taken they make them public.
Here is one scenario if you will.
Your next-door neighbor notices your teenager comes home late and doesn't lock the front door to your house at night. Instead of notifying you that maybe that is not a good idea privately......they post that fact on the internet or something to that effect, maybe a community bulletin board or such.
It's the same concept. If trying to help you is the intent then a private conversation is all that is needed.
If you're trying to hurt your neighbor and have them compromised then posting it on the internet for everyone to see.....is a good place to start.

If you post a flaw or exploit publicly before the OEM has had a chance to patch then you are leaving them open to be hacked or compromised.
But if you notify them and they don't patch then....then that's a different story.
What would lead you to believe that it's not already being exploited? If one dude or even a team of people at Google can find it, a few hundred thousand people plus government types looking to exploit a target-rich environment have found and are using it.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
That would only be possible if Samsung used stock android. As soon as they begin changing and altering it - security flaws become their issue to address.
Oh I agree....but if the OS was hardened so that the OEM had to engage Google to make sure their skin or software was security sound enough not to compromise security then the flaw or exploit would not happen in the first place.

I think Google should take more ownership/control over the OS from start to finish. So if an OEM wants to use say TW for example then Samsung would have to go through a security vetting process with Google.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
What would lead you to believe that it's not already being exploited? If one dude or even a team of people at Google can find it, a few hundred thousand people plus government types looking to exploit a target-rich environment have found and are using it.
What would make you think the OEM knew of the exploit or flaw? Why not notify them that they have the flaw before posting it to all the hackers and people that mean them harm?
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
What would make you think the OEM knew of the exploit or flaw? Why not notify them that they have the flaw before posting it to all the hackers and people that mean them harm?
Because the people that mean them and by extension us harm already know. There are more bad actors looking for flaws than good actors, and that's not even considering scriddies who happen onto stuff.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
Because the people that mean them and by extension us harm already know. There are more bad actors looking for flaws than good actors, and that's not even considering scriddies who happen onto stuff.
Great, so let's make it easier for them. Let's post all the exploits and flaws on the internet first. Then let all the software devs and coders find out that way. Usually they will find out AFTER they have been compromised. That's bad security practice and puts the whole environment at risk. It is better to notify those involved first.

That also lets all the hacker wannabes and script kiddies know of the exploit before anyone has had a chance to patch. Not a good idea generally.
 

jamezr

macrumors G5
Aug 7, 2011
12,543
10,037
US
Because the people that mean them and by extension us harm already know. There are more bad actors looking for flaws than good actors, and that's not even considering scriddies who happen onto stuff.
I am all for making companies responsible for security. I think making it public that they had an exploit or flaw and knew about it and still did not patch is a good idea.
But I think there should be private notification first.
 

lowendlinux

Contributor
Sep 24, 2014
5,155
6,309
North Country (way upstate NY)
Great, so let's make it easier for them. Let's post all the exploits and flaws on the internet first. Then let all the software devs and coders find out that way. Usually they will find out AFTER they have been compromised. That's bad security practice and puts the whole environment at risk. It is better to notify those involved first.

That also lets all the hacker wannabes and script kiddies know of the exploit before anyone has had a chance to patch. Not a good idea generally.
They already know; the info is only new to security researchers and the company.