Security holes caused by pre-installed Android apps
Researchers at North Carolina State University have discovered a number of security holes in various popular Android smartphones which can enable attackers to access or delete data, send SMS text messages, tap communication or determine a user's location. The vulnerability exists because some smartphone vendors' pre-installed apps fail to enforce Android's security model.
The researchers created a system called Woodpecker to analyse the flow of applications and used it to examine eight smartphones by four manufacturers: HTC's Wildfire S, Legend and EVO 4G, Motorola's Droid and Droid X, Samsung's Epic 4G and Google's Nexus One and Nexus S models.
In their study, entitled "Systematic Detection of Capability Leaks in Stock Android Smartphones", the scientists said that they could find little fault in Google's reference implementations on the Nexus models, but that they were surprised to discover that some vendors' custom implementations fail to properly enforce Android's privilege-based security model. The researchers also show a proof of concept application which requests no capabilities yet is able to record audio and send text messages.
Most of the vulnerabilities exist because some installed apps have permission to pass on their privileges, for example the right to access local data, GPS networks or mobile networks, to other applications. By configuring their pre-installed apps in this way, vendors enable other apps to access these privileges without requiring a user's permission. The researchers said that Google and Motorola have confirmed the vulnerabilities, but that HTC and Samsung "have been really slow in responding to, if not ignoring, our reports/inquiries".