Thursday, November 21, 2013

Smartphone security exploits caused by manufacturers

With smartphones becoming more advanced, concerns of security risks and exploits also increases. A recent study by North Carolina State University shows that most security risks are actually caused by the smartphone manufacturers and not the core operating system.

Smartphones are becoming increasingly popular penetrating more and more in the cell phone market. Similarly, smartphones are also becoming very sophisticated with advanced operating systems underneath. Currently the Apple iOS and the Google Android operating system clearly dominates the market. Apple iOS can only be used on Apple iDevices and has so far managed to keep the security rather tight. However, Google Android is used by multiple smartphone manufacturers due to its open-source and license nature. This results in the, so called, Android fragmentation issue. With Google Android having a market share of approximately 80%, it is therefore also a highly attractive platform for hackers and malicious users to attack.

A recent thorough study by the North Carolina State University has shown that up to 85% of the vulnerabilities and security exploits found on smartphones (primarily Google Android phones) are not caused by the core operating system itself, but rather by the customizations made by the manufacturers.

As we know, most manufacturers tend to put their own theme and skin on the phones while also installing customized default apps on the phone. In some cases, the customization does bring value to the users, while in other cases the customization merely function as eye candy and even slows down the phone. The problem, however, arises when the manufacturers do not have strict quality and security control on the customizations, which results in exploits being exposed which otherwise does not exist in the default operating system.

In addition, a major problem with the customizations is that patches tend to be pushed out extremely slowly. This is due to the nature of the smartphone ecosystem. For Google Android, a very bad case is formed when Google has to push out a patch, the smartphone manufacturers would then have to customize the patch and add it to their repository. Finally, the manufacturers have to push the patch out to the operator which only then will reach the users. This process tend to take several months, even if the exploit is critical.

An interesting fact found by the study is that the Google Nexus devices clearly contain the least number of vulnerabilities. Google does pay clear attention to security in the Android operating system and it makes sense that with every addition, customization or tweak, the manufacturers introduces new potential attack vectors into the phone.

Fortunately, not everything is bad with third party phone manufacturers, and some manufacturers, such as Sony Mobile actually even patches bug in the Android source code by themselves!

The list below summarizes the results from the study of the major models and the number of security exploits found.

Model:Security vulnerabilities:
HTC Wildfire S: 40
Samsung Galaxy S3: 40
Samsung Galaxy S2: 39
LG P880: 26
LG P350: 17
HTC One X: 15
Google Nexus S:8
Sony Xperia Arc S: 8
Google Nexus 4: 3

No comments:

Post a Comment