It appears that Google is getting serious about Android security. They have, for the past several months, been releasing patch updates every month – like other software companies. While I have no visibility into AT&T and Verizon, Sprint has been religious about pushing those updates out to my phone.
This month they released patches covering over 100 bugs in both the Android core OS and in chipset drivers from various component chip manufacturers.
Phone vendors have a choice between two different update packages to distribute to their customers.
Android’s Mediaserver component is the recipient of 16 patches, including 7 rated as critical. These bugs, like Stagefright before them, allow hackers to attack your phone just by sending it specially crafted text (MMS) messages or audio and video files. This works because the Android OS, in an effort to speed things up when a user wants to open a picture, audio or video file, pre-processes those files in the background without asking or telling you. If those files are infected, so is your phone. It has been so bad that Google Hangouts, for example, no longer passes media files to this component automatically.
Another critical vulnerability is in the built-in crypto libraries, OpenSSL and BoringSSL.
The first of the two patch options, labelled 2016-07-01 when you go to SETTINGS|ABOUT in Marshmallow, fixes 32 bugs, 8 of which are critical, 15 high and 9 moderate. These bugs apply to the core Android OS. 32 bugs starts to rival Microsoft patches, but doesn’t reach the level of Adobe Flash patches.
The other patch option, labelled 2016-07-05 in ABOUT, fixes 75 additional bugs that are device specific, meaning some may affect this device while others may affect a different device.
These fixes are in modules such as the Qualcomm GPU driver, the MediaTek WiFi driver, the Qualcomm performance component, the NVIDIA video driver, the kernel file system (not sure why this is device specific though), the USB driver and other unspecified drivers.
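The two labels above are what a device reports as its security patch level, so a fleet can be checked for them without touching the SETTINGS|ABOUT screen. The script below is an added example, not code from the original post: it reads the level through adb (the `ro.build.version.security_patch` system property, which Marshmallow and later builds expose) and classifies it against the 2016-07-01 (core OS only) and 2016-07-05 (core plus device-specific drivers) packages. It assumes adb is installed and the device is authorized for USB debugging; the classification names (`full`, `core-only`, `stale`, `unknown`) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): classify an Android device's
# security patch level against the two July 2016 levels described above.
# Assumes adb is installed and the device is authorized for USB debugging.
# ro.build.version.security_patch is a real Android system property
# (present on Marshmallow and later); older builds report nothing.

# Return 0 when patch level $1 (YYYY-MM-DD) is the same day as or newer
# than patch level $2. Both are ISO dates, so stripping the dashes gives
# integers that compare correctly numerically (20160705 > 20160701).
patch_at_least() {
    have_n=$(printf '%s' "$1" | tr -d '-')
    want_n=$(printf '%s' "$2" | tr -d '-')
    [ "$have_n" -ge "$want_n" ]
}

# Print one of: full | core-only | stale | unknown
#   full      - 2016-07-05 or later: core OS and driver fixes applied
#   core-only - 2016-07-01 .. 2016-07-04: core OS fixed, driver fixes missing
#   stale     - older than 2016-07-01: none of this month's fixes applied
#   unknown   - no valid level reported (pre-Marshmallow build, or no device)
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 1 ;;
    esac
    if patch_at_least "$level" 2016-07-05; then
        echo "full"
    elif patch_at_least "$level" 2016-07-01; then
        echo "core-only"
    else
        echo "stale"
    fi
}

# Read the level from an attached device; empty string if adb or the
# property is unavailable. tr strips the CR that adb shell appends.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# Usage: ./check_patch.sh            (query the attached device)
#        ./check_patch.sh 2016-06-01 (classify a level given on the command line)
if [ $# -gt 0 ]; then
    lvl="$1"
else
    lvl=$(device_patch_level)
fi
echo "security patch level: ${lvl:-<none>} -> $(classify_patch_level "$lvl")"
```

Run it against a device (or over a list of devices with `adb -s <serial>`) and treat anything other than `full` as a phone that is still exposed to the driver bugs in the 2016-07-05 package; `unknown` usually means a build too old to carry a patch level at all.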
Since these are running in a privileged process, a compromise of these modules is a serious problem. In fact, some of these compromises may only be repairable by reflashing the device firmware, something most users cannot do even if they wanted to.
There are an additional 54 high severity bugs in various drivers that can also lead to a complete device compromise. The difference here is that an attacker would have had to already compromise the phone in order to exploit these 54 bugs.
Google has already released these patches to Google-branded Nexus phones – possibly the most important reason to buy a Nexus phone. How long it will take the various phone manufacturers to get off their collective butts and release them is unknown.
In the meantime, hackers around the world have access to these patches and are busy reverse engineering them to figure out how to attack your phone – it is a race to the bottom.
While this is the biggest Android patch release I have ever seen Google release in a single month, I think, maybe, it is a good thing. I am hoping that it means that Google is getting serious about upgrading the security of Android and not just trying to cram as many features as possible into the next release.
What this does mean is that users who are running Lollipop (Android 5), Jelly Bean (Android 4.1), Ice Cream Sandwich (Android 4.0) and earlier are at significant risk of compromise because these versions of the Android OS will never be patched.
As of June 1st, 2016, only 10 percent of Android phones were running Marshmallow. Apple is quite a bit better in FORCING adoption of new versions of the OS because they own the OS and the phone, but this may change as Congress is looking at passing a law forcing phone vendors to patch phones that they sell. If you make money from it, you have to patch it. Since Google isn’t releasing patches for older versions, this will force the phone makers, if the law is enacted, to upgrade the phones to the current version. From a user standpoint, this would be a good thing.
As a consumer, if you are concerned about the security of your data, or, if you are a business and you are concerned about the security of your company systems accessed by employee phones, you need to consider replacing phones on a regular basis. Even combined, Android 5 and 6 still represent less than half of the Android phones in use. Many of the phones running Android 4 and earlier are likely outside the U.S., but companies, especially, need to be proactive about dealing with this.
Information for this post came from Infoworld.