AfterDawn: Tech news

Video: Security vendor demonstrates Android exploits

Written by Rich Fiscus (Google+) @ 21 Sep 2011 15:41 User comments (6)

Video: Security vendor demonstrates Android exploits Jon Oberheide of Duo Security has released a video demonstrating two security vulnerabilities which could allow apps to take control of Android devices.
The video was created to generate interest in the firm's upcoming workshop on mobile security at the SOURCE security conference in Barcelona this November.

Last year Oberheide was responsible for exposing a weakness in Google's Android Marketplace, which allowed the remote installation of malicious code from within an app.

The first vulnerability demonstrated in the new video affects all Android devices. It allows an already installed app to install other apps without prompting the user to approve their permissions.

He says this problem can also be exploited by an attack which compromises an otherwise safe app after it has been installed.

The second attack demonstrated would allow an app to gain full control over an Android device by using a Linux kernel exploit which bypasses security permission limitations.



While Google's lack of control over Android vendors and handsets has been instrumental in its success, it also poses significant security challenges. By ceding control over the application of updates to Android devices, Google has created a system where commercial factors may outweigh the best interests of consumers.

Even if Samsung, HTC, or Motorola believes it is in their best interest to offer immediate updates, in many cases their decisions may be overruled by a carrier whose primary interest is ensuring control over customers' phones.

Previous Next  

6 user comments

121.9.2011 16:25

woah

221.9.2011 21:46

Yeah...like a blast from the past, this guy has shown up and demonstrated what everyone with ROOT has known about since they got their android phones. Copy an app to system\app and it is installed, simple as that.

This is why I have an Android...I want to be able to use a file manager (an app) to instal (and more importantly, uninstall) apps manually. And I want to be able to root as well. Sure HTC and Samsung would be happy to lock devices down like a PS3...but I don't want that.

Anyway, I do regular backups, and restoring a complete back up takes under 10 minutes including wiping the old.

321.9.2011 21:59

Is hard to care about customer while getting their money, too much task for so little people. if this doesn't change we will see nexus phones been the choice for most people... And maybe Google network if ever build will be a easy choice as well, even sprint is getting greed with 5gb cap for tether.



421.9.2011 23:01

Originally posted by KillerBug:
Yeah...like a blast from the past, this guy has shown up and demonstrated what everyone with ROOT has known about since they got their android phones. Copy an app to system\app and it is installed, simple as that.

This is why I have an Android...I want to be able to use a file manager (an app) to instal (and more importantly, uninstall) apps manually. And I want to be able to root as well. Sure HTC and Samsung would be happy to lock devices down like a PS3...but I don't want that.

Anyway, I do regular backups, and restoring a complete back up takes under 10 minutes including wiping the old.
agree indeed!

Being nice always has its own consequences

522.9.2011 4:39

HTC and Samsung devices have been rooted already, months ago.

The US is just behind the times.

622.9.2011 5:40

Originally posted by xtago:
HTC and Samsung devices have been rooted already, months ago.

The US is just behind the times.

What are you talking about? They were rooted YEARS ago, in every country. Even when a device is launched without rooting tools from the maker, it is rooted soon after. Heck, my Sensation 4G was rooted before HTC had USB drivers for it on their website!


Comments have been disabled for this article.

News archive