Google reveal Samsung security flaws

Discussion in 'Alternatives to iOS and iOS Devices' started by apolloa, Nov 5, 2015.

  1. apolloa, Nov 5, 2015
    Last edited: Nov 5, 2015

    apolloa macrumors G3

    apolloa

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #1
    Interesting BBC news article, it's discusses how Google has found security holes in Android because of Samsung's skin, they are not picking on Samsung as they chose to highlight them as their phones are the most popular, Google was using them as an example of how it's trying to make Android secure but OEM software is hindering them. Convenient timing for the Nexus brand? Or good advice for handset owners? You can decide.

    Here is the article:

    http://www.bbc.co.uk/news/technology-34719564

    Google has highlighted 11 security flaws in Samsung's flagship Android handset, the Galaxy S6 Edge.

    The vulnerabilities include a loophole that could have been used by hackers to gain control of a victim's phone.

    Most of the issues were fixed after Google notified Samsung, but some have yet to be addressed.

    One independent expert said the bugs "significantly weakened the security" of Google's operating system.

    "There is definitely a tension between Google and the handset manufacturers because Google wants to protect its Android brand, and when it comes to security, Android has been quite tarnished," added Dr Steven Murdoch, a security researcher at University College London.

    "Some of that is down to the extra software that handset manufacturers add."

    A statement from Samsung said the three remaining bugs would be fixed via a security update later this month.

    "Maintaining the trust of our customers is a top priority", said the company.

    Hijacked emails

    Details of the bugs were disclosed by Google's Project Zero team, whose job is to hunt out previously unknown computer security flaws.

    It said that several of the flaws would have been "trivial to exploit".


    "Over the course of a week, we found a total of 11 issues with a serious security impact," the team blogged.

    "The majority of these issues were fixed on the device we tested via an OTA [over the air] update within 90 days.

    "It is promising that the highest severity issues were fixed and updated on-device in a reasonable timeframe."

    Among the vulnerabilities was a weakness found in Samsung's email software that could have allowed hackers to forward a victim's messages to their own account.

    Another allowed attackers to alter the settings of Samsung's photo-viewing app by sending the handset a specially encoded image.

    But Google said the most interesting issue was the existence of a "directory traversal bug" in a wi-fi utility built in to the phone.

    "If someone provided malicious data to the software, they could then change other files on the system and interfere with other functions, in particular security functions," said Dr Murdoch.



    To do this, he said, a hacker would also need to convince their target to install a malicious app, which might appear to have very limited access to the phone's other functions.

    But by exploiting the flaw, the malware could then escalate its privileges.

    "This would only happen as part of a chain of events, but eventually it could allow someone to take over the entire phone," Dr Murdoch added.

    "Android tries to have layers of protection, so even if you break past one level of protection there's another one.

    "This removed some quite important layers of that protection."

    Samsung confirmed it had addressed this particular issue in a security update released last month.

    "Samsung encourages users to keep their software and apps updated at all times," added a spokesman.
     
  2. mclld, Nov 5, 2015
    Last edited: Nov 5, 2015

    mclld macrumors 68000

    Joined:
    Nov 6, 2012
    #2
    TW shaming is good, well any skin shaming. Samsung has me like this
    [​IMG]

    Awesome, cutting edge hardware but then they put TW on it
     
  3. AustinIllini macrumors demi-god

    AustinIllini

    Joined:
    Oct 20, 2011
    Location:
    Austin, USA
    #3
    Yeah, this isn't a good look for Samsung, for sure.

    I think the future of Android is two major branches:
    Android Open Source Project for OEMs (Open)
    Android for Nexus phones, tablets, and Chromebooks (Proprietary)
     
  4. apolloa thread starter macrumors G3

    apolloa

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #4
    That would be good I think.
     
  5. AustinIllini macrumors demi-god

    AustinIllini

    Joined:
    Oct 20, 2011
    Location:
    Austin, USA
    #5
    Agreed. At some point, Google might even have to "rebrand" it's stock proprietary Android offering to escape the security woes often associated with the current fragmented ecosystem. I don't know if you go "Android Pure" or something, but the reality is, Android is not a name associated with security.
     
  6. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #6
    There are many in the community trying to harden Android Google just needs to integrate the code.
     
  7. Phil A. Moderator

    Phil A.

    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #7
    Every time I've had a Samsung device (and I've had a few), I've been incredibly impressed by the hardware and incredibly frustrated by TW and the slowness of getting updates out - I've got a Tab S that I waited nearly a year for a fix to a major bug that crashed completely the tablet if you were casting audio and pulled the notification shade down, never mind how long it takes them to update to new major revisions of Android!

    I have no issues with manufacturers adding to Android to support things like the S-Pen but the core OS should be fixed and controlled by Google (similar to the way Windows is controlled by Microsoft) - I don't know if it can or will ever happen, but until it does, these issues are always going to arise
     
  8. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #8
    This I agree with. I think it is funny that Google is slamming OEMs that are using THEIR OS. IF Google is concerned then they should harden the OS and lock it down. But throw mud at your business partners is not a good thing. Samsung just might go to Tizen as the OS of choice for their phones.
    Funny thing is other than lack of apps.....the change would be invisible to most consumers.
     
  9. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #9
    I want Google throwing mud and continue to until OEM's and carriers start doing the right thing.
     
  10. gotluck macrumors 603

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #10
    I would bet it all that that crash was caused by some Samsung specific library, file, or something that would not happen on a non Samsung device
     
  11. apolloa thread starter macrumors G3

    apolloa

    Joined:
    Oct 21, 2008
    Location:
    Time, because it rules EVERYTHING!
    #11
    I have to say, although I am missing the Note 5 I tried to live with, in my opinion Touch Wiz wasn't as good as my Sony Xperia Z3 Tablet skin. I think because Sony doesn't change a lot of things Plus they have been pretty good with the updates.
    I haven't changed a thing on my tablet out the box where as I was trying different launchers on the Note 5. However if you like to tinker as some on here do, you can release that VERY powerful hardware.

    Google is absolutely right in what it's claiming, it releases these patches to their OEM partners who then take months to update their devices. As said above perhaps Google should have its own Android version for Nexus and then a different one for OEMs.
     
  12. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #12
    I agree...to a point. They need to keep on OEMs to make security a bigger concern. But making those public instead of developing a structure in place to have all this done behind the scenes is the best route.
    After all Android is their OS. If it has flaws holes and security concerns then Google should be the one patching and hardening the OS so that it cannot be compromised so easily.
     
  13. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #13
    Security work and flaws should never be behind the scenes it should always be 100% transparent. Behind the scenes is how things go unpatched for years.
     
  14. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #14
    no...quite the opposite. It is one thing to notify a company of an flaw or security exploit. It is quite another thing to make those flaws or exploits public without a private notification. Those are two distinctly different things.
     
  15. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #15
    Nope they all need to be public, every last one of them. They should be on the front page of every media outlet from news papers to tech blogs.
     
  16. MRU macrumors demi-god

    MRU

    Joined:
    Aug 23, 2005
    Location:
    Ireland
    #16
    That would only be possible if Samsung used stock android. As soon as they begin changing and altering it - security flaws become their issue to address.
     
  17. gotluck macrumors 603

    gotluck

    Joined:
    Dec 8, 2011
    Location:
    East Central Florida
    #17
    Especially since most of these items seem to be from Samsung specific apps

    Important to note most of these seem to have been patched
     
  18. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #18
    That is where we disagree and will leave it at that. Even the most ardent exploit finders in the world all do private notifications first. Then when no action was taken the make them public.
    Here is one scenario if you will.
    Your next door neighbor notices you don't lock your teenager comes home late and doesn't lock the front door to your house at night. Instead of notifying you that maybe that is not a good idea privately......they post that fact on the internet or something to that effect maybe a community bulletin board or such.
    Its the same concept. If trying to help you is the intent then a private conversation is all that is needed.
    If your trying to hurt your neighbor and have them compromised then posting it on the internet for everyone to see.....is a good place to start.

    If you post a flaw or exploit publically before the OEM has had a chance to patch then you are leaving them open to be hacked or compromised.
    But if you notify them and they don't patch then....then that's a different story.
     
  19. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #19
    What would lead you to believe that it's not already being exploited? If one dude or even a team of people at Google can find it a few hundred thousand people plus government types looking to exploit a target rich environment have found and are using it.
     
  20. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #20
    Oh I agree....but if the OS was hardened so that that the OEM had to engage Google to make sure their skin or software was security sound enough not to compromise security then the flaw or exploit would not happen in the first place.

    I think Google should take more ownership/control over the OS from start to finish. So if a OEM wants to use say TW for example then Samsung would have to go through a security vetting process with Google.
     
  21. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #21
    What would make you think the OEM knew of the exploit or flaw? Why not notify them that they have the flaw before posting it to all the hackers and people them mean them harm?
     
  22. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #22
    Because the people that mean them and by extension us harm already know. There are more bad actors looking for flaws than good actors and that not even considering scriddies who happen onto stuff.
     
  23. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #23
    Great so lets make it easier for them. Lets post all the exploits and flaws on the internet first. Then let all the software devs and coders find out that way. Usually they will find out AFTER they have been compromised. That's bad security practice and puts the whole environment at risk. It is better to notify those involved first.

    That also lets all the hacker wannabes and script kiddies know of the exploit before anyone has had a chance to patch. Not a good idea generally.
     
  24. jamezr macrumors G3

    jamezr

    Joined:
    Aug 7, 2011
    Location:
    US
    #24
    I am all for making companies responsible for security. I think making it public that they had a exploit or flaw and knew about it and still did not patch is a good idea.
    But I think there should be private notification first.
     
  25. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #25
    They already know the info is only new to security researchers and the company.
     

Share This Page