How Android N is being built to prevent the next Stagefright


What makes you chose one smartphone platform over another? App selection? Hardware availability? System security is another big factor shoppers take into consideration, and last year Google suffered a PR nightmare after the publication of the Stagefright attack, a vulnerability with the double whammy of presenting a serious risk to users, and being exploitable on a huge fraction of Android devices out there. With Android N, Google's getting serious about preventing another Stagefright disaster, and today shares some of the ways it's going about preventing another such attack.

Google was quick to develop a fix for the initial Stagefright attack, but related exploits just kept coming in the months that followed. And even with a patch available, actually getting that fix delivered to the countless Android devices out there proved to be a logistical nightmare. It doesn't take a big leap to decide that preventing another Stagefright looks preferable to dealing with its aftermath.

On its Android Developers Blog, Google talks about the two big steps it's taking to nip future Stagefrights in the bud.

Remember, Stagefright worked through the creation of specially formed media files; when Android's media subsystem attempted to process these files, the bug seized control of that software, gaining the ability to execute its own malicious code in the process.

Google's first step towards preventing future attacks like this is limiting the ability of malformed input (those hacker-tweaked media files, in the case of Stagefright) from causing unintended program behavior in the first place. To accomplish this, Google's using tools with Android N code that recognize vulnerable segments and replace them with more robust code, capable of failing gracefully.

The second step is stopping even a successful bug exploit from causing big damage. Let's say Google still misses a vulnerability with that code-scanning tool, and a bug slips through: by breaking up system processes like the Android MediaServer into multiple components, and only giving each the rights it needs to get its specific job done, it becomes harder for successful attacks to wreak havoc on a system level.

For example, if a bug got control of the old MediaServer, it could access the Android file system, communicate over the network, and read and write to system memory - all bad stuff in the wrong hands. By compartmentalizing things in Android N (see chart below), Google's making sure that even if something like a malicious audio file seizes control of MediaServer, it can only do other audio-related things; it might mute your phone or mess with your Bluetooth connections, but it's not going to be able to take control of the full system.

Well, that's the plan, anyway. Hackers are a resourceful bunch, and it remains to be seen just how well these steps will actually keep Android N safe. For now, we're just glad that Google's trying to stay ahead of the curve, being proactive rather than reactionary.


source: Google

FEATURED VIDEO

35 Comments

2. Mxyzptlk unregistered

It'll never stop. As long as Android continues being the way it is it will not stop.

3. tedkord

Posts: 17463; Member since: Jun 17, 2009

As long as Android continues being the most advanced, powerful, functional and flexible mobile OS in the world, I won't stop buying devices based on it.

8. submar

Posts: 713; Member since: Sep 19, 2014

As a blind sheep, Mxy can never understand.

14. Mxyzptlk unregistered

Technically doesn't that make you blind as well?

13. Mxyzptlk unregistered

A. I don't care about you and your buying patterns. B. Android isn't "powerful." it's what you do with it and what you can. C. Technically, it's not flexible unless you're using a Nexus device. D. Google has an iron grip on Android.

24. tedkord

Posts: 17463; Member since: Jun 17, 2009

A. Nor should you, any more than I care about your love of Apple. B. It's THE most powerful monomer OS. C. It's THE most flexible mobile OS regardless of OEM. It can be customized more than any other. D. And they offer AOSP, which anyone can modify any way they like without restriction.

26. sgodsell

Posts: 7566; Member since: Mar 16, 2013

Mxyzptlk just likes to show the world how ignorant he really is. He always cuts up Android. So Mxyzptlk what is the most powerful OS right now. Please tell us. If Android is not the most powerful, then you must have a OS in mind, so please post which OS is the most powerful. If you don't come back with an answer and a reason why, then the world will see that you are just trolling.

29. Mxyzptlk unregistered

Maybe you should try reading my comment again and pay very close attention to letter B. In case you don't know your alphabets, that's the letter after A but before C.

31. sgodsell

Posts: 7566; Member since: Mar 16, 2013

Talk about not reading. You proved my point exactly that you are a troll. You never answered the questions that were put forth to you. "B. Android isn't "powerful." it's what you do with it and what you can. " There, I pasted you B. Android is very powerful since it sits on top of Linux. It doesn't have to sit on top of Linux. In fact it could sit on top of Windows or Chrome OS, or other Linux distributions. So it is very powerful in that sense. IOS and it's ecosystem cannot do that at all. Android gives you a more robust API set compared to iOS, so developers can do a lot more with Android, than iOS Developers. Plain and simple. Apple pinned themselves down with iOS and it's tools. Apple ecosystem is looked down to its hardware. Android and its ecosystem is not tied to any hardware. Why do you think Apple came out with Swift language and runtime. Apples Swift is trying to mimic what Android has been doing since day one.

30. Mxyzptlk unregistered

Android is based on Linux, so yeah, you're wrong.

32. yoosufmuneer

Posts: 1518; Member since: Feb 14, 2015

"There’s some debate over whether Android qualifies as a “Linux distribution.” It uses the Linux kernel and other software, but it doesn’t include much of the software Linux distributions normally include. When you boot an Android device, the Linux kernel loads just like it would on a Linux distribution. However, much of the other software is different. Android doesn’t include the GNU C Library (glibc) used on standard Linux distributions, nor does it include all of the GNU libraries you’d find on a typical Linux distribution. It also doesn’t include an X server like Xorg, so you can’t run standard graphical Linux applications. Rather than running typical Linux applications, Android uses the Dalvik virtual machine to essentially run applications written in Java. These applications are targeted at Android devices and the application programming interfaces (APIs) Android provides rather than being targeted at Linux in general." - Howtogeek.com

36. JumpinJackROMFlash

Posts: 464; Member since: Dec 10, 2014

Talk about pot calling the kettle black regarding D. LOL! OK, moron who has a bigger iron grip over their mobile OS, Apple or Google?

4. Well-Manicured-Man

Posts: 711; Member since: Jun 16, 2015

Openess comes with a price. So does a closed OS. It is up to us users to chose what fits us best.

18. Finalflash

Posts: 4063; Member since: Jul 23, 2013

Openness at least let's millions of good people help you find the exploits. Apple still doesn't know how hackers are breaking into iOS so easily.

22. kiko007

Posts: 7520; Member since: Feb 17, 2016

This comment makes absolutely no sense. "Good people" don't help you do anything, hackers find these exploits and Google pays said hackers to patch them. And when was the last time Apple had a "Stage fright" level hack? What's that....never. Open means exactly that, anyone can come in. You don't leave your door wide open when you leave do? So why doesn't security on your personal devices matter?

25. sgodsell

Posts: 7566; Member since: Mar 16, 2013

The source code is open. There are parts of the OS which are closed. Like all the 3G/4G/LTE stuff is all closed, most of the video drivers closed, the encryption stuff is all closed, and a number of other drivers and libraries are closed. Not to mention many of the apps are closed. Kiko007 you make it sound like Android is wide open, like the wild, wild west. It's far from it. Kiko007 you make it sound like iOS is so secure. So why is their hacks that let users install non sanctioned apps on iOS devices? Please stop trying to make it look like Apple is really secure, especially when it's not.

5. natypes

Posts: 1110; Member since: Feb 02, 2015

https://www.hackread.com/apples-os-x-most-vulnerable-software-of-2015/ What's that at #2? Wait, what's that at #20? Keep believing everything the apple-paid news articles tell you.

6. jove39

Posts: 2148; Member since: Oct 18, 2011

Apple doesn't/need not to pay any site...it's just that people running these sites are blind to vulnerabilities in their beloved (i)(mac) os.

9. MrElectrifyer

Posts: 3960; Member since: Oct 21, 2014

In case any iSheeps are still in denial, it's been like that for at least 2 consecutive years now: http://www.dereferer.org/?http%3A%2F%2Fbit%2Ely%2F1FZM9C9 It's really no surprise, as the so-claimed "world's most advanced mobile OS" got bricked by a simple date change: http://www.dereferer.org/?http%3A%2F%2Fbit%2Ely%2F1RGQduS

11. elitewolverine

Posts: 5192; Member since: Oct 28, 2013

I love when you post these. I dare you to look at the source, then click on the source, then click on the vulnerability. Then go and see how many people are affected (by seeing what version it affects)....I will wait. You will come to notice that the odds are in iOS favor of being secured and patched. The things that 'add' to the list are old software, that less than 20% of ios users are affected by. Marshmallow is on how many devices? 7%?

15. AlikMalix unregistered

They avoid the fact that these list things that were fixed already - they forget that majority of android users are stuck in kitkat and Lolipop and even older android - 80% are running latest.

17. AlikMalix unregistered

Edit: 80% + are running the latest iOS.

16. AlikMalix unregistered

Wow, I have already schooled you about linking to this article. Look at the damn sourse of these stats!!!! (The following is a copy/paste from some of the comments - not mine, because it gives a perfect example what these numbers mean). The source website publishes already fixed volnutavilities. Please correct me if i am wrong. They're not posting ALL vornulabilities - just the ones that are listed on patches and updates that you and I get. If you're running iOS - this is a list of all that was fixed. If your running android these are the list of all that you're probably going to get an update in a year or so or when you buy a new device running "M". Meaning if you're running old android - which is what most are - you still have those vulnerabilities and I know vulnerabilities. If you're running iOS - you don't have these volnurabilities these are already patched because u less you have a 5 year old device - you've already got latest patch. I cannot simplify this any better for you... Learn to do some more research before you spread BS. So when we look at the stats, we see x amount of cve’s that were fixed, This tells me that the people at apple work working a little harder then most. If lets say, IOS has 100 cve,s issues and android has 1000. apple fixes 20 of them and android fixes 2. this would mean to me that androids os is infact worse and not better. These are in fact posted as a list of volnurabilities FIXED by Apple or google in certain patch - you can read each one and they describe it as (versions up to iOS x.x.x) meaning it's been patched and that's why it's on the list. This is a good thing - this means that developers are doing better in rooting these out. You guys see numbers everyone else sees results. Stop reconstructing things you do not understand, or do you choose to ignore it on purpose? Which is it?

19. marorun

Posts: 5029; Member since: Mar 30, 2015

Some ppl need to stop acting like moronic fool. There is load of hole thats where seen in ios in the past. Its just thats they are reported less often but they exist and are as numerous if not more.

21. shahrooz

Posts: 792; Member since: Sep 17, 2013

Okay, now have fun with the mostest securestest OS.

7. jove39

Posts: 2148; Member since: Oct 18, 2011

That's good work from Google...Now I wonder how many devices released last year, will get Android N.

10. adecvat

Posts: 658; Member since: Nov 15, 2013

About 5%, lol

33. Sovat_fc

Posts: 224; Member since: Aug 30, 2014

5% is almost equal to the number of iPhone devices available. Keep trolling, dude.

34. adecvat

Posts: 658; Member since: Nov 15, 2013

Nope. There is 1 billion IOS devices and 80% of them are up to date.

37. Hellouser

Posts: 39; Member since: Feb 05, 2015

yeah but most ios users have every single phone that came out, a few of my colleagues have all of them still but only use 1 device. so

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.