Smartphone makers break Android security with pre-installed apps

Researchers find gaping holes in security drilled to make phone-makers' own apps work

Carrier IQ and the WikiLeaks revelation about government domestic smartphone spying are dominating the mainstream headlines today with a salacious mix of betrayal, corporate and bureaucratic presumption and voyeurism.

There's more bad news about smartphone security today you probably shouldn't miss, especially if you use or manage anything involving Android phones.

[ Updated for iOS 5, Android 4, BlackBerry OS 7, and Windows Phone 7.5: Learn how to manage mobile devices in InfoWorld's 20-page Mobile Management Deep Dive PDF special report. | Keep up on key mobile developments and insights via Twitter and with the Mobile Edge blog and Mobilize newsletter. ]

A major source of the innumerable security flaws in Android phones, it turns out, come not from the Android code or specification itself, or even from the delay most manufacturers allow before upgrading existing smartphones to the most recent version of the OS, as previously reported.

An equally important set of vulnerabilities comes from the failure of many manufacturers to properly enforce or implement Android's permissions-based security model.

Using a security analysis tool called Woodpecker that they developed themselves, researchers found 11 of the 13 applications studied had been given permission for specific functions that were far beyond what they should have had.

That not only gives one pre-installed app more power than it should have. It gives untrusted apps the ability to use the pre-installed app's permissions to do almost anything -- from tracking location data to wiping out all the information on the phone -- without asking permission, according to the paper from a North Carolina State Univ. research team led by Xuxian Jiang, who has identified or analyzed several major Android malware variants during the past few months.

While Google's standard reference model included few problems with application permissions, the 13 apps installed by default by manufacturers on eight smartphones tested poked gaping holes in Android's security by taking unwarranted permissions for themselves or changing the default for some security settings to Off.

Many of the functions involved -- the ability to record sound, send SMS messages, or track locations, for example -- should be accessible only by the phone's firmware or only by special permission of the user according to researchers at North Carolina State University, whose paper, "Systematic Detection of Capability Leaks in Stock Android Smartphones," will be published as part of the proceedings of The Internet Society's Network & Distributed System Security Symposium, which is taking place Feb. 5-8 2012 in San Diego, Calif.

Woodpecker is designed to run on Android phones and audit the permissions and capabilities of each application, including abilities that should be available only to the firmware, but have acquired though unknown or illicit means.

Jiang and the team posted a video demonstration of Woodpecker on YouTube and posted the full text of the paper itself as a free PDF.

Just don't store it on an Android device. You don't know what those apps would do with it.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

This story, "Smartphone makers break Android security with pre-installed apps" was originally published by ITworld.

Copyright © 2011 IDG Communications, Inc.