University research finds major permission flaws in Android models

University research finds major permission flaws in Android models
Who says that University research is a waste of money? At North Carolina State University, researchers found that some Android devices have major permission flaws that allow untrusted apps to record your phone conversations, send you SMS messages, obtain geo-locations and do other things without your consent. 13 areas were analyzed and 11 revealed privileges were exposed thanks to a pre-loaded app.

The HTC EVO 4G and the HTC Legend were among the models with the most vulnerability among the 8 handsets cited by the report. Google and Motorola are confirming that the flaws exist while HTC and Samsung are quiet.With Stock Android powered Nexus models scoring the best, it would seem to indicate that phone manufacturers are not adhering to the security permission model devised by Google.

The study from North Carolina State University used a system the research team developed, called Woodpecker. This system checked all apps on a phone for 13 permissions that protect sensitive user data or phone features, on a phone. The Android phones studied were the HTC EVO 4G,HTC Legend, HTC Wildfire S, Motorola DROID, Motorola DROID X, Samsung Epic 4G, Google Nexus One and Google Nexus S. Until security foxes are sent out, the best thing you can do to be protected is to be careful of which apps you are downloading.

You can find the entire report at the sourcelink.

source: NCSU via EngadgetMobile



FEATURED VIDEO

39 Comments

1. The_Miz

Posts: 1496; Member since: Apr 06, 2011

First. This is why I stopped using Android and decided to do away with all the permission problems and security breaches and such.

2. bossmt_2

Posts: 459; Member since: Oct 13, 2009

That's why you'd rather use Apple and AT&T who use carrier IQ.

3. The_Miz

Posts: 1496; Member since: Apr 06, 2011

Three carriers have the iPhone, other has a network where it's operable on at 2G speeds. I'd rather use a device that doesn't have apps with a list of irrelevant permissions that it really doesn't need.

9. p0rkguy

Posts: 685; Member since: Nov 23, 2010

What's surprising is that you believe Apple's iOS is more secure just because it's a closed environment and that they "monitor/test" everything. Like humans, problems that arise in closed environments (home/internet/school/work) typically goes unheard of outside of it.

14. protozeloz

Posts: 5396; Member since: Sep 16, 2010

Apps on iOS use permission how you think an app can see if a contact added you among other things. Just because you don't see permissions does not mean the OS doesn't give permission

20. taz89

Posts: 2014; Member since: May 03, 2011

atleast Android shows you the permissions used by apps.ios is not secure Lol where do you think jailbreak comes from ummm security exploits maybe..

34. hepresearch unregistered

Yes, Android has all these awful permissions, which you can sometimes change selectively, that can be exploited if you do not remove the offending app... On the other hand, iOS does not have permissions at all... well, no changeable permissions, that is... and you will never know which permissions a given app has, and thus you will not know if an app is making your identity/location/records vulnerable... but do not worry! Apple has it all under so much control that you do not ever need to even think about it... while they store your location data, keystroke data, usage data, etc., in a very very very secure server somewhere where no one will find it because they will never think to look there because it is hidden in plain sight and no thief ever looks in obvious places or bothers to think there is anything of value in a low-security server that is publicly accessible...

16. rf1975

Posts: 264; Member since: Aug 01, 2011

you can find the Carrier IQ software almost all phone (Apple, Samsung , HTC .....etc) and most of them are Android. No Windows or Nokia ( Symbian) phone.

18. sbdn101

Posts: 1; Member since: Dec 03, 2011

that's why I use WP 7.Good middleground.Not as open as Android,not as strict as iOS

4. Yeeee

Posts: 190; Member since: Aug 02, 2011

Ur fine really unless your stupid enough to download random apps. Didn't Apple also have a security breach?

15. tacohunter

Posts: 408; Member since: Nov 06, 2011

I rly don't see what this has to do with apple.

29. networkdood

Posts: 6330; Member since: Mar 31, 2010

Plenty. Any phone can be exposed for security flaws, if someone was motivated enough.

36. Paden

Posts: 262; Member since: Jul 07, 2011

He means: What does THIS article have to do with Apple? Generally comments below articles are related to the article or contribute to healthy discussion about the article.

5. cyborg009

Posts: 119; Member since: Sep 17, 2011

along with some good comes bad.. there's a pretty thin line between awesome technology n security-holes !!

6. squallz506

Posts: 1075; Member since: Oct 19, 2011

8, 2+yr old phones hardly constitutes an epidemic.

7. GeekMovement unregistered

Hopefully not the SGS II.

8. Whateverman

Posts: 3295; Member since: May 17, 2009

I understand what you guys are saying about being careful and everything, but I'm tired of this. We all know iOS is just as vulnerable, but at least Apple appears to be doing something about it with their approval process. Google has done squat to set my mind at ease about all these security issues! I check all the permissions before downloading, but damn...what is Google gonna do to protect THEIR platforms image? Does ICS have some built in super virus killing software pre-installed that will put an end to this or what? Tell us SOMETHING!!!

11. Sniggly

Posts: 7305; Member since: Dec 05, 2009

What all security issues are you complaining about, Whateverman? Viruses are a ghost threat at best and Google does seem to be trying harder to enforce better standards among its manufacturers.

22. Whateverman

Posts: 3295; Member since: May 17, 2009

Not so much viruses, but these security vulnerabilities we keep hearing about are disturbing, and Google has said nothing in their own defense. They maybe doing something in the shadows to combat all the spyware and Big Brother-ish apps that plague the App Market, but they have to say something to the public to inspire confidence in their platform and they have been pretty much silent. Google should tell us they're doing something or else what am I to believe? Removing apps every blue moon isn't enough.

37. SPcamert

Posts: 56; Member since: Feb 06, 2010

Google's whole platform is designed around the concept of "OPEN" contribution to the mobile ecosystem. To include a review process in the app submission sequent would be completely against everything they were working for. The fact is that bad people will always do bad things and Google's policy is that if something is malicious and causing problems then the ecosystem will handle that by the user review process and the fact that after enough people vote the program down it will no longer be a top hit and will fail because of that. People just need to stop assuming that everything coded for their phone is coded by a pro-developer with intentions to provide only the best product and instead need to adopt the assumption that all apps can be damaging until proven otherwise.

12. protozeloz

Posts: 5396; Member since: Sep 16, 2010

Well. As always ICS has already fixed several things. Including some new way to manage sertain things including that any new app installed needs to run a first time before operating. Google should do something to protect the Android market more anyways. There are ways to keep it open and secure at the same time

23. Whateverman

Posts: 3295; Member since: May 17, 2009

I hope you're right about ICS, because I can't do iOS. That would bore me to tears! (No offense to the iOS fans. It's a great product, I just need customization.) But I agree, there has to be a way to keep the market open and secure at the same time.

25. protozeloz

Posts: 5396; Member since: Sep 16, 2010

Google is not very talkative. But they sure care also this exploids are more understandable when they are properly explained, both explicit and implicit

27. protozeloz

Posts: 5396; Member since: Sep 16, 2010

30. networkdood

Posts: 6330; Member since: Mar 31, 2010

Since the phone allow us to download off the internet, or from a file on a PC, the user, in the end, is responsible. Google can only do so much.

10. remixfa

Posts: 14605; Member since: Dec 19, 2008

so what this is basically saying is that the more a manufacturer messes with andriod with their overlays, the less secure it is.. wow, if thats not an advertisement for a stock google experience, i dont know what is. :)

19. beatsandmelody

Posts: 109; Member since: Nov 01, 2011

Yeah, basically. Droid 1 is basically as secure as the Nexus phones, and it it has the most easily unlockable bootloader Motorola has yet to release. Psh. Need that GN...

13. protozeloz

Posts: 5396; Member since: Sep 16, 2010

Hope this tells companies like HTC they need to do something about their skin and reduce them to plain apps and Widgets

17. rf1975

Posts: 264; Member since: Aug 01, 2011

These things are unavoidable problems when you make software open and allow for full customization. I think Google has to analyse the current situation and come up with some sort of restriction on Android. First they have to make this OS hassle free. Then they can out perform any OS out there in the market.

21. MorePhonesThanNeeded

Posts: 645; Member since: Oct 23, 2011

Lol, did anyone actually read this. It says and I quote "Untrusted Apps". Sigh now for the people who seem to know how to read and understand we all know that we don't just install any old thing off the net to your phone. Looking at the list seems that HTC phones fare the worst, but all the manufacturers need to stick to Google's layout to keep the phone and OS secure. Yawn, more non news to report again, moral of the story don't go installing untrusted apps on your damn phone...for the love of all that is sentient.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.