
Manufacturers’ Android modifications open security leaks, study shows


Researchers at North Carolina State University have discovered a vulnerability in a number of leading Android handsets that could allow hackers to access private data without having to get explicit user permission. According to the study, such a loophole could give malicious hackers the ability to “wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.”

Unlike apps for iOS, which alert a user anytime the app wants to access some type of personal information, like location, Android apps use a permissions-based security system, which tells the user up front what types of information the app may at some point need to access. Users can then decide whether or not they want to install the app based upon the permissions granted.

The NCSU study shows that the modification of Android by some handset manufacturers creates a hole in the permissions infrastructure, which could allow hackers to access sensitive private information, or perform functions on the phone, even if an app doesn’t explicitly request permission to perform these activities.

“These features are standard and make the phone more user-friendly,” said Xuxian Jiang, assistant professor of computer science at NCSU. “They make the phones more convenient to use, but also more convenient to abuse.”

Using their “Woodpecker” diagnostics tool, which checks to see if an app can perform a function for which it has no permission, the researchers found the following devices to be most vulnerable: HTC Evo 4G, HTC Wildfire S, HTC Legend, Motorola Droid and Droid X, Samsung Epic 4G, Google Nexus One and Nexus S. Both Google and Motorola have responded to the researchers, confirming their discovery. Samsung and HTC, however, have given the team “major difficulties.”

Despite their findings, the researchers say that manufacturers should not necessarily be condemned for including these loopholes. In addition, they say all is not lost with Android’s permissions-based system.

“Though one may easily blame the manufacturers for developing and/or including these vulnerable apps on the phone firmware, there is no need to exaggerate their negligence,” the team writes in the study. “Specifically, the permission-based security model in Android is a capability model that can be enhanced to mitigate these capability leaks.”

Read the full study here (pdf).

Andrew Couts
Former Digital Trends Contributor