Project Zero routinely attacks different devices to try to find new security holes in Android. Usually, it only tests stock Android installs on Google’s own Nexus phones, but the team recently turned its attention towards the Samsung Galaxy S6 Edge to see how different attacking a device built by one of the hundreds of smartphone OEMs would be. The trial was organised as a “bug bash” in which teams compete to find the most issues in a set amount of time.
Organiser Natalie Silvanovich wrote in a blog post: “We decided to work together on a single problem for a week, and see how much progress we could make on the Samsung device. To get our competitive spirits going, we decided to have a contest between the North American and European members of Project Zero, with a few extra participants from other Google security teams to make the teams even, giving a total of five participants on each side.”
The teams worked on three challenges each, together representing the key entry points for attacks on Android. After a week of hacking the Samsung, Project Zero had identified 11 serious flaws in its software.
The issues occurred in several areas of Samsung’s customised version of Android, publicly known as TouchWiz. The weak areas were concentrated in the phone’s device drivers — software that lets the different pieces of hardware work together — and in its media processing code. Three separate logic issues would have allowed an attacker to gain access to the device with little effort. Project Zero said “these types of issues are especially concerning, as the time to find, exploit and use the issues is very short.”
The team also found flaws in Samsung’s email and gallery apps, as well as a directory traversal bug that could allow an attacker to write arbitrary files to the device with system privileges. It noted that Samsung had implemented “some effective security measures” that slowed down the exploitation of some bugs, but these did not mitigate every issue.
The findings confirm what many Android users have suspected for years. Manufacturer customisations are known to slow phones down and add bloat the user often doesn’t want, something Samsung acknowledged this year when it rolled out an updated, scaled-back version of TouchWiz. The discovery suggests that the alterations made by manufacturers aren’t always secure and can introduce severe bugs on top of the ones that lie in Android’s Google-built core.
The good news is that Samsung was quick to respond to the team’s report and has fixed all but three of the issues identified in its October Maintenance Release. The update has already been delivered to devices, less than 90 days after Google began probing the Galaxy S6 Edge. The remaining issues “appear to be lower severity” and are scheduled to be patched this month.
The findings highlight a key problem with Android. Although Google creates the operating system, it isn’t what most consumers will see, unless they buy a Nexus device. Manufacturers place their own interfaces on top and Google has no way of ensuring this extra software is safe to use.
The company explains: “The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture. OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers.”
The Samsung Galaxy S6 Edge was selected for testing because it is a recent high-end device with a large number of users, not because of any prior concerns about the security of Samsung’s software. Project Zero will never be able to assess every Android device, though: over 1,300 manufacturers currently build products using the software, and all of them modify the core in some way to make it work with the specific hardware they use.
