x PhoneArena is looking for new authors! To view all available positions, click here.
  • Home
  • News
  • University research finds major permission flaws in Android models

University research finds major permission flaws in Android models

Posted: , by Alan F.

Tags:

University research finds major permission flaws in Android models
Who says that University research is a waste of money? At North Carolina State University, researchers found that some Android devices have major permission flaws that allow untrusted apps to record your phone conversations, send you SMS messages, obtain geo-locations and do other things without your consent. 13 areas were analyzed and 11 revealed privileges were exposed thanks to a pre-loaded app.

The HTC EVO 4G and the HTC Legend were among the models with the most vulnerability among the 8 handsets cited by the report. Google and Motorola are confirming that the flaws exist while HTC and Samsung are quiet.With Stock Android powered Nexus models scoring the best, it would seem to indicate that phone manufacturers are not adhering to the security permission model devised by Google.

The study from North Carolina State University used a system the research team developed, called Woodpecker. This system checked all apps on a phone for 13 permissions that protect sensitive user data or phone features, on a phone. The Android phones studied were the HTC EVO 4G,HTC Legend, HTC Wildfire S, Motorola DROID, Motorola DROID X, Samsung Epic 4G, Google Nexus One and Google Nexus S. Until security foxes are sent out, the best thing you can do to be protected is to be careful of which apps you are downloading.

You can find the entire report at the sourcelink.

source: NCSU via EngadgetMobile

Results of the NCSU study

Results of the NCSU study



Like this story? Like us on Facebook to follow our posts:

39 Comments
  • Options
    Close




posted on 03 Dec 2011, 00:39 6

1. The_Miz (Posts: 1496; Member since: 06 Apr 2011)


First. This is why I stopped using Android and decided to do away with all the permission problems and security breaches and such.

posted on 03 Dec 2011, 00:57 7

2. bossmt_2 (Posts: 437; Member since: 13 Oct 2009)


That's why you'd rather use Apple and AT&T who use carrier IQ.

posted on 03 Dec 2011, 01:07 3

3. The_Miz (Posts: 1496; Member since: 06 Apr 2011)


Three carriers have the iPhone, other has a network where it's operable on at 2G speeds.

I'd rather use a device that doesn't have apps with a list of irrelevant permissions that it really doesn't need.

posted on 03 Dec 2011, 03:57 5

9. p0rkguy (Posts: 684; Member since: 23 Nov 2010)


What's surprising is that you believe Apple's iOS is more secure just because it's a closed environment and that they "monitor/test" everything.
Like humans, problems that arise in closed environments (home/internet/school/work) typically goes unheard of outside of it.

posted on 03 Dec 2011, 05:15 3

14. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Apps on iOS use permission how you think an app can see if a contact added you among other things. Just because you don't see permissions does not mean the OS doesn't give permission

posted on 03 Dec 2011, 09:29 2

20. taz89 (Posts: 2014; Member since: 03 May 2011)


atleast Android shows you the permissions used by apps.ios is not secure Lol where do you think jailbreak comes from ummm security exploits maybe..

posted on 03 Dec 2011, 16:07 1

34. hepresearch (unregistered)


Yes, Android has all these awful permissions, which you can sometimes change selectively, that can be exploited if you do not remove the offending app...

On the other hand, iOS does not have permissions at all... well, no changeable permissions, that is... and you will never know which permissions a given app has, and thus you will not know if an app is making your identity/location/records vulnerable... but do not worry! Apple has it all under so much control that you do not ever need to even think about it... while they store your location data, keystroke data, usage data, etc., in a very very very secure server somewhere where no one will find it because they will never think to look there because it is hidden in plain sight and no thief ever looks in obvious places or bothers to think there is anything of value in a low-security server that is publicly accessible...

posted on 03 Dec 2011, 06:37

16. rf1975 (Posts: 249; Member since: 01 Aug 2011)


you can find the Carrier IQ software almost all phone (Apple, Samsung , HTC .....etc) and most of them are Android. No Windows or Nokia ( Symbian) phone.

posted on 03 Dec 2011, 07:43 3

18. sbdn101 (Posts: 1; Member since: 03 Dec 2011)


that's why I use WP 7.Good middleground.Not as open as Android,not as strict as iOS

posted on 03 Dec 2011, 01:26 5

4. Yeeee (Posts: 190; Member since: 02 Aug 2011)


Ur fine really unless your stupid enough to download random apps. Didn't Apple also have a security breach?

posted on 03 Dec 2011, 06:04 3

15. tacohunter (Posts: 408; Member since: 06 Nov 2011)


I rly don't see what this has to do with apple.

posted on 03 Dec 2011, 13:02 1

29. networkdood (Posts: 6326; Member since: 31 Mar 2010)


Plenty. Any phone can be exposed for security flaws, if someone was motivated enough.

posted on 03 Dec 2011, 17:08 2

36. Paden (Posts: 262; Member since: 07 Jul 2011)


He means: What does THIS article have to do with Apple?

Generally comments below articles are related to the article or contribute to healthy discussion about the article.

posted on 03 Dec 2011, 01:31 2

5. cyborg009 (Posts: 93; Member since: 17 Sep 2011)


along with some good comes bad.. there's a pretty thin line between awesome technology n security-holes !!

posted on 03 Dec 2011, 01:32 2

6. squallz506 (banned) (Posts: 1075; Member since: 19 Oct 2011)


8, 2+yr old phones hardly constitutes an epidemic.

posted on 03 Dec 2011, 02:27 2

7. GeekMovement (Posts: 1521; Member since: 09 Sep 2011)


Hopefully not the SGS II.

posted on 03 Dec 2011, 03:18 2

8. Whateverman (Posts: 3233; Member since: 17 May 2009)


I understand what you guys are saying about being careful and everything, but I'm tired of this. We all know iOS is just as vulnerable, but at least Apple appears to be doing something about it with their approval process. Google has done squat to set my mind at ease about all these security issues! I check all the permissions before downloading, but damn...what is Google gonna do to protect THEIR platforms image? Does ICS have some built in super virus killing software pre-installed that will put an end to this or what? Tell us SOMETHING!!!

posted on 03 Dec 2011, 04:29 1

11. Sniggly (Posts: 7182; Member since: 05 Dec 2009)


What all security issues are you complaining about, Whateverman? Viruses are a ghost threat at best and Google does seem to be trying harder to enforce better standards among its manufacturers.

posted on 03 Dec 2011, 12:22

22. Whateverman (Posts: 3233; Member since: 17 May 2009)


Not so much viruses, but these security vulnerabilities we keep hearing about are disturbing, and Google has said nothing in their own defense. They maybe doing something in the shadows to combat all the spyware and Big Brother-ish apps that plague the App Market, but they have to say something to the public to inspire confidence in their platform and they have been pretty much silent. Google should tell us they're doing something or else what am I to believe? Removing apps every blue moon isn't enough.

posted on 03 Dec 2011, 18:31 2

37. SPcamert (Posts: 56; Member since: 06 Feb 2010)


Google's whole platform is designed around the concept of "OPEN" contribution to the mobile ecosystem. To include a review process in the app submission sequent would be completely against everything they were working for. The fact is that bad people will always do bad things and Google's policy is that if something is malicious and causing problems then the ecosystem will handle that by the user review process and the fact that after enough people vote the program down it will no longer be a top hit and will fail because of that. People just need to stop assuming that everything coded for their phone is coded by a pro-developer with intentions to provide only the best product and instead need to adopt the assumption that all apps can be damaging until proven otherwise.

posted on 03 Dec 2011, 05:09 1

12. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Well. As always ICS has already fixed several things. Including some new way to manage sertain things including that any new app installed needs to run a first time before operating. Google should do something to protect the Android market more anyways. There are ways to keep it open and secure at the same time

posted on 03 Dec 2011, 12:28 2

23. Whateverman (Posts: 3233; Member since: 17 May 2009)


I hope you're right about ICS, because I can't do iOS. That would bore me to tears! (No offense to the iOS fans. It's a great product, I just need customization.) But I agree, there has to be a way to keep the market open and secure at the same time.

posted on 03 Dec 2011, 12:36 2

25. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Google is not very talkative. But they sure care also this exploids are more understandable when they are properly explained, both explicit and implicit

posted on 03 Dec 2011, 12:42 1

27. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Here is a more detailed idea
http://mobile.theverge.com/2011/12/2/2603678/android-app-security-capability-leaks

posted on 03 Dec 2011, 13:03 1

30. networkdood (Posts: 6326; Member since: 31 Mar 2010)


Since the phone allow us to download off the internet, or from a file on a PC, the user, in the end, is responsible. Google can only do so much.

posted on 03 Dec 2011, 04:20 3

10. remixfa (Posts: 14168; Member since: 19 Dec 2008)


so what this is basically saying is that the more a manufacturer messes with andriod with their overlays, the less secure it is.. wow, if thats not an advertisement for a stock google experience, i dont know what is. :)

posted on 03 Dec 2011, 08:26 1

19. beatsandmelody (Posts: 109; Member since: 01 Nov 2011)


Yeah, basically. Droid 1 is basically as secure as the Nexus phones, and it it has the most easily unlockable bootloader Motorola has yet to release. Psh.

Need that GN...

posted on 03 Dec 2011, 05:12 1

13. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Hope this tells companies like HTC they need to do something about their skin and reduce them to plain apps and Widgets

posted on 03 Dec 2011, 06:47

17. rf1975 (Posts: 249; Member since: 01 Aug 2011)


These things are unavoidable problems when you make software open and allow for full customization. I think Google has to analyse the current situation and come up with some sort of restriction on Android. First they have to make this OS hassle free. Then they can out perform any OS out there in the market.

posted on 03 Dec 2011, 11:34 1

21. MorePhonesThanNeeded (Posts: 645; Member since: 23 Oct 2011)


Lol, did anyone actually read this. It says and I quote "Untrusted Apps". Sigh now for the people who seem to know how to read and understand we all know that we don't just install any old thing off the net to your phone. Looking at the list seems that HTC phones fare the worst, but all the manufacturers need to stick to Google's layout to keep the phone and OS secure. Yawn, more non news to report again, moral of the story don't go installing untrusted apps on your damn phone...for the love of all that is sentient.

posted on 03 Dec 2011, 13:06 1

31. networkdood (Posts: 6326; Member since: 31 Mar 2010)


Agree, or, if you do, open up the code and inspect it...that is what I do.

posted on 03 Dec 2011, 12:30

24. geedup (banned) (Posts: 74; Member since: 01 Dec 2011)


Another day another article about how insecure this OS is. Then you look at the comments and most are saying its not an issue. Let's face it guys if you want security you have to go with Apple or Rim. Android may be the least secure OS on the planet.

posted on 03 Dec 2011, 12:38 1

26. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Lol check the wikileaks report and come back you'd be amazed ;)

posted on 03 Dec 2011, 12:48 1

28. geedup (banned) (Posts: 74; Member since: 01 Dec 2011)


Nothing is 100% secure, but android security is awful. They don't even try.

posted on 03 Dec 2011, 13:09 1

32. protozeloz (Posts: 5381; Member since: 16 Sep 2010)


Do you even understand how the exploit works? If so then explain if don't they don't pull a statement you can't actually backup

posted on 03 Dec 2011, 14:54 1

33. networkdood (Posts: 6326; Member since: 31 Mar 2010)


No, Ta...err...geedyup is just happy to spout his/her nonsense as he/she feels that he/she is somehow protecting a company, believing that loyalty will somehow pan out to a prize at the end of the rainbow, someday.

posted on 03 Dec 2011, 18:51 1

38. hepresearch (unregistered)


Security on Android... do your research first, and then set it the way you want it set and do not do anything dumb. Learn about it, and then take care of it yourself.

Security on iOS... Apple tells you it is secure, so you do not question it.

Permissions on Android... lots of stuff to adjust and watch out for, but you know they are there and you set them appropriately for your needs. Once again, you make it happen your way with a little elbow grease, spit and polish.

Permissions on iOS... you simply do not have a clue. You do not see any, so there must not be any to worry about (because Apple does not ask for your permission... they just make it how its gonna be, and tell you only the parts they feel they have to legally... usually only after getting caught in the act of not telling you anything).

posted on 03 Dec 2011, 16:14

35. hepresearch (unregistered)


I am glad I do not have to deal with any of this stuff... I do not have, and never have had, an Android phone... or an iPhone. I am happy that I do not have to deal with this at all right now. As long as feature phones without GPS radios still exist...

posted on 04 Dec 2011, 02:49

39. kadalil (Posts: 20; Member since: 26 Oct 2011)


Best security conscious o.s is the wp7...

Want to comment? Please login or register.

Latest stories