Ignore Android security FUD: buy a new phone


The Android security world is so full of FUD (Fear, Uncertainty and Doubt) that even great research sometimes gets buried behind hyperbolic headlines.

The chances are that your device isn’t going to be hacked by Russian super-villains who can now crack the full disk encryption you’ve installed. If you do want to shrink the risk even further than it has already shrunk by itself, with a little help from Google and Qualcomm, that’s easy enough. Stop using handsets with stupidly old, and insecure, versions of the Android OS.

Stop using handsets with stupidly old versions of Android installed

There are always new reports hitting the inbox here at IT Security Thing, many of them involving the mobile sector, and Android in particular. Most suggest that the Android security ecosystem is screwed, at least as far as the number of malware infections is concerned.

Here’s the latest one: Skycure’s new Mobile Threat Intelligence Report reveals “every organization with at least 200 mobile devices, iOS or Android, has at least one malware-infected device, and companies with Android devices are nearly twice as likely to have malware.”

The answer to which is, of course, to ensure the proper security systems are in place to prevent such malware infections from hitting the handsets in the first place. These measures include staff awareness training, usage policy and software, as well as disaster recovery systems to restore ransomware-infected devices, for example. This is not the time to get into the whole BYOD security debate, so we’ll leave it there.

The map of the mobile threatscape is covered in FUD

The point being that while these reports help to join the dots when it comes to drawing a map of the mobile device threatscape, that map can only ever be two dimensional. There’s no ability to zoom in and magnify a section to see what’s really happening, mainly because the view is covered in FUD.

New headlines fulfil a similar colouring-in function, but again far too often fall victim to the FUD factor. So when stories proclaim that Android full disk encryption has been compromised for tens of millions of users, or is easily broken and a major security threat, they really need to be read through ‘the whole story’ specs.

This was the case when a respected security researcher, Gal Beniamini, disclosed that he had found a method of breaking Android full disk encryption (FDE) by extracting Qualcomm’s keymaster keys. The full technical breakdown of his methodology can be found here, and I suggest anyone of a technical bent goes and has a good read.

Let’s just get this bit out of the way before going any further: I am not knocking the Beniamini research any more than I am the Skycure research; both are interesting and valid. Beniamini discovered vulnerabilities that enabled him to explore the implications of code execution within the Android TrustZone kernel and, effectively, break the Android FDE scheme.

Beniamini is a decent chap and, having found he’d made a fundamental mistake in his original disclosure, corrected it as soon as possible. That mistake was to suggest that Qualcomm were able to sign firmware images, whereas actually only OEMs can do this. This is important as it dilutes the severity of the attack methodology, insofar as it means Qualcomm cannot be coerced into creating a custom TrustZone image as first thought.

This fact, and this correction, sadly does not appear to have found its way into most of the coverage that I have found online about the threat. This is where the FUD factor comes in, and it’s only the start of where many stories just didn’t really live up to the original headlines.

Some have added updates to their body copy, or following it, that point out an attacker would still have to (1) brute-force your device password and (2) the device manufacturer would also have to have directly modified the software.

Number 1 is certainly possible for most ordinary Android owners who use non-complex PINs. It also remains something of an unlikely scenario in the real world, where there are hundreds of millions of device users.

Number 2 is exactly that, a great big stinking pile of number 2. This rather takes it into the realms of the security labs fantasy hacking league at this stage, I would suggest.

Beniamini himself, remember, stated he had been working with Qualcomm about the issue and there had been full disclosure before going public. The two vulnerabilities in this case (CVE-2015-6639 and CVE-2016-2431) had coincidentally already been discovered by Qualcomm’s internal security auditing processes, and patches already made available to customers and partners alike.

Security isn’t helped by the brutal fragmentation of the Android platform

Which isn’t the same as patches being installed on end-user devices, it has to be said. Android has quite the most fractured of security patching processes, not aided by the brutal fragmentation of the platform out there in the real world. However, the patches are available and some have already been rolled out.

Rolled out by, for example, Google. As well as including the patches in the May security update that goes out to Nexus and a number of other device users, Google also paid the researcher for his find. Yep, it paid out through the Google Vulnerability Rewards Program earlier this year.

I’ll say it again though: that still leaves a large number of devices that won’t have got those security updates and probably never will. But this ‘old device syndrome’, which should really be called ‘old OS syndrome’, is no different from any other platform.

Say a vulnerability hits Windows 10. A vulnerability that could also impact Windows XP, a long-since-unsupported version of the OS. Do we count all those XP users and somehow then blame Windows 10 for being insecure when it has already been patched and protected? No, the sensible hat wearers amongst us advise that users update to a more secure version of the OS as soon as possible.

That’s exactly the advice that should be going around to users of old and unsupported Android versions: upgrade to a more secure version.
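The practical form of that advice, for anyone managing a fleet of handsets, is to find out which devices are behind on security updates. The following is an added example (not code from the article or from any of the researchers or vendors it mentions) that parses the `ro.build.version.security_patch` and `ro.build.version.release` build properties, as reported by `adb shell getprop` or an MDM export, and buckets devices against a cutoff patch level; the device dumps and the cutoff date are constructed placeholders, not values taken from the article.

```python
"""Triage a fleet of Android devices by security patch level.

Assumption (not from the article): each device's `adb shell getprop` output,
or an MDM export of the same properties, is available. The cutoff date is a
placeholder for "the bulletin that carried the fix", not a value from the article.
"""
import re
from datetime import date

# Real Android build property names; all values below are constructed samples.
PATCH_PROP = "ro.build.version.security_patch"
RELEASE_PROP = "ro.build.version.release"

# Placeholder cutoff: the patch level a device needs to count as covered.
REQUIRED_PATCH_LEVEL = date(2016, 5, 1)

# Constructed sample fleet: three devices' getprop dumps.
FLEET = {
    "device-A": "[ro.build.version.release]: [6.0.1]\n"
                "[ro.build.version.security_patch]: [2016-05-01]\n",
    "device-B": "[ro.build.version.release]: [5.1.1]\n"
                "[ro.build.version.security_patch]: [2016-02-01]\n",
    "device-C": "[ro.build.version.release]: [4.4.2]\n",  # too old to report a patch level
}

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.M)

def parse_getprop(text):
    """Turn `getprop` output into a dict of property -> value."""
    return dict(_PROP_RE.findall(text))

def patch_level(props):
    """Return the reported security patch date, or None if absent or malformed."""
    raw = props.get(PATCH_PROP)
    try:
        return date.fromisoformat(raw) if raw else None
    except ValueError:
        return None

def triage(fleet, required=REQUIRED_PATCH_LEVEL):
    """Bucket devices as 'current', 'behind' or 'unknown' (no usable patch level)."""
    result = {"current": [], "behind": [], "unknown": []}
    for name, dump in fleet.items():
        lvl = patch_level(parse_getprop(dump))
        bucket = "unknown" if lvl is None else "behind" if lvl < required else "current"
        result[bucket].append(name)
    return result

if __name__ == "__main__":
    print(triage(FLEET))
```

Devices landing in the ‘unknown’ bucket are usually the ones running releases too old to carry the property at all, which is exactly the population the article says will probably never see a fix.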

Maybe the real headline in this case should have been “Researcher discovers security flaw in millions of Android phones, mostly ones way past their security use by date.”

Yoast tells me that’s longer than recommended for SEO purposes; so how about ‘Ignore the Android security FUD: buy a new phone’ instead?