Security company Zimperium discovered a serious issue that compromised Android’s security. The vulnerability was disclosed at the Blackhat conference in early August. This exploit has been called ‘Stagefright’. In short, an attacker sends you a video either through a website or MMS, and can compromise your phone.
The vulnerability was found in the ‘libStageFright’ library, a library that goes back all the way to Android 2.2, there are over 900 million devices that are running Android 2.2 and later, this is a lot of exposed people!
The real problem here, is that as Android evolves, it becomes more and more clear that the current model with manufacturers using/editing Android to ship with their devices is becoming a real issue. Google themselves can patch the vulnerability immediately, because they are the ones responsible for the operating systems and the devices that get immediately OTA (over the air) updates such as the Nexus series. What if you have a HTC or Samsung? Too bad, you depend on the manufacturer who doesn’t really care.
Android uses a technology called ASLR which is short for Adress Space Layout Randomization, and it keeps an attacker from finding pointers in the memory and sections in the memory by randomly assigning memory adress spaces to a service or a process.
Am I vulnerable, what should I do?
While the number of affected devices is staggering, Google claimed that there are still other methods in place that are protecting your device. As of this time they exploit isn’t being used in the open by exploiters. However it does raise a major issue with people who are now stuck on a version of Android, of which the manufacturer no longer gives support for.
One of the major issues with the current Android ecosystem, is that once you buy a phone, you might get 1-2 major updates for Android, and then your manufacturer drops support for the device. Personally I think they do this out of commercial reasons (want the latest android? Get our latest phone). I am running Cyanogen, which has all latest security problems patched and supports a far more recent version of Android than the one I can upgrade to if I were to depend on the manufacturer.
Stagefright and the press
Stagefright has seen a lot of publicity on the Internet, which helped people and organizations to try to tackle with the Android and manufacturer problem. As of now, Samsung released a statement they will do monthly security updates.
Dong Jin Koh, Head of Mobile and Research Development at Samsung:
“With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner,”
Liam Tung, author at ZDNet wrote an excellent article about this very issue.
The android ecosystem
Android is developed by Google and a bunch of talented opensource collaborators on Github. A manufacturer like Samsung or HTC develop their own custom-tailored version of Android (skins, bundled apps, etc), effectively standing between you, the consumer, and the developer of your operating system. It is far better for you if you chose for a brand that offers you direct updates from Google, instead of depending on a manufacturer who just doesn’t care.
Costum ROMs and rooting
If you are concerned about getting the latest Android version and protecting yourself, I can recommend getting Cyanogen. It is a fork of Android, with more focus on security and privacy than the default Android OS. You can read all about them here.