Android's big security flaw, and why only Google can fix it

Device makers and carriers let patches languish, so users may not ever get them -- a new approach is sorely needed

In August 2010, hackers bent on jailbreaking Android smartphones found a vulnerability in the way the Android debugger handled an overwhelming number of processes. The code designed to exploit the flaw, dubbed RageAgainstTheCage, allowed users to reflash their smartphone and install custom firmware.

Google quickly patched the vulnerability in the Android Open Source Project, but there the fix languished. Smartphone manufacturers did not make pushing the patch out to users a priority. So, in March 2011, malicious programmers found an opportunity with the unpatched vulnerability: A Trojan horse dubbed DroidDream exploited the security issue to compromise more than 250,000 unpatched Android smartphones.

[ See why Apple's iOS is the most secure mainstream OS today. | Learn how to manage iPads, iPhones, Androids, BlackBerrys, and other mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In August 2010, hackers bent on jailbreaking Android smartphones found a vulnerability in the way the Android debugger handled an overwhelming number of processes. The code designed to exploit the flaw, dubbed RageAgainstTheCage, allowed users to reflash their smartphone and install custom firmware.

Google quickly patched the vulnerability in the Android Open Source Project, but there the fix languished. Smartphone manufacturers did not make pushing the patch out to users a priority. So, in March 2011, malicious programmers found an opportunity with the unpatched vulnerability: A Trojan horse dubbed DroidDream exploited the security issue to compromise more than 250,000 unpatched Android smartphones.

[ See why Apple's iOS is the most secure mainstream OS today. | Learn how to manage iPads, iPhones, Androids, BlackBerrys, and other mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]

Nearly a year later, despite the threat of similar attacks, more than half of Android smartphones remain vulnerable to the flaw, according to mobile security firm Lookout.

The Android operating system's patch process poses a quandary for Google and a danger to users. Android's openness allows bugs to be found faster, but that benefit is offset by a longer supply chain in which manufacturers and vendors test patches at a glacial pace. Smartphone manufacturers must first create custom builds of the operating system that include their add-on software, then they test the software. Next, carriers take the firmware update and test it to make sure it does not harm their networks. The end result: Pushing patches out to users' smartphones is slowed. (Google declined to discuss the issue with InfoWorld.)

"The fundamental problem is that there are too many cooks in the kitchen," says Timothy Vidas, a doctoral researcher at Carnegie Mellon University focusing on Android security.

Android: A reverse-engineer's dream In a presentation on Android security at the Usenix Workshop on Offensive Technologies, Vidas and his colleagues pointed to patching delays as a major security issue for Android-based smartphones. The Android 2.2 "Froyo" operating system, for example, was released in May 2010, fixing major vulnerabilities. Yet Motorola Mobility and HTC took seven months to issue an update for their smartphones. Samsung took even longer, releasing its software update nearly a year later (in spring 2011), according to the CMU researchers.

For attackers, the delays are a boon, because they can study the fixes and create exploits for the masses of unpatched devices. "Attacks stay viable for much longer, and a crafty user can actually reverse-engineer some of the earlier patches to find the vulnerability and use that to exploit slower updating devices," says Daniel Votipka, a CMU researcher and co-author of the Android security report (video).

Other groups have highlighted the long patch cycle as well. In an analysis of the Android 2.6.32 kernel performed in November 2010, static-analysis firm Coverity found 0.47 defect per line of code -- better than the software industry as a whole. Yet in chasing down the source of flaws, Coverity found that only a few ended with Google. Many others led to open source components and their developers, some of whom never responded to the company's bug reports. Were the issues fixed? The company does not know.

"It is an example of the complexity of the software supply chain -- it has become more expansive because the amount of suppliers that people have for their software," says Andy Chou, the chief scientist at Coverity.

The worries come as attackers are already starting to focus more heavily on compromising mobile devices. IBM's X-Force security research lab estimates that 2011 will see twice as many exploits of vulnerabilities as the previous year. Lookout has seen malware take off from fewer than 100 attacks in 2010 to more than 400 so far this year. Compared to the PC world, where tens of millions of attacks are detected each year, the numbers are small, but the trend is clear: Security researchers and attackers are increasingly targeting mobile devices, and most campaigns are focused on the Android operating system.

The patch problem is not unique to Android, but it is worse for Android Although Android is the focus, perhaps due to its well-known softness as a target and its growing market share, the problems with mobile patching is not just an issue for Google. Other mobile operating system makers also have to deal with the delay. "Mobile operating systems, in general, have longer patch cycles given the number of different people involved," says Tim Wyatt, principal security engineer at Lookout.

Case in point: flaws in the WebKit HTML rendering engine, which powers most smartphone browsers. In July 2010, researchers reported a use-after-free vulnerability in WebKit. Google fixed the issue in the Chromium browser within eight weeks and ported the fixes to the stock Android source code soon after. It took Apple until March 2011 -- eight months -- to fix the issue on its iOS devices. And Android handset makers? Because the companies do not specify the vulnerabilities patched in their firmware updates, it remains a large question mark.

For Google, the patch issue is more acute because of its choices with security design and its open app marketplace. Apple's popular iPhone, for example, has additional defenses that can make attacking it more difficult. First, Apple vets every application posted to the App Store, complicating -- though not preventing -- the publishing of a malicious program. And the iOS platform has more security designed in, says Dino Dai Zovi, an independent security researcher and author of the "Mac Hacker's Handbook." He notes, "There is a tapestry of security defenses on iOS that block you at every stage, which does not exist on Android."