Bugged: Half of Android users vulnerable to ‘privacy disaster’
Experts raise concerns over the role of vendors in mitigating challenge.
KARACHI:
Privacy is a sensitive issue. As the world moves towards a more digitised environment, issues ranging from misuse of personal information to data leaks and security breaches pose a growing challenge.
With smartphone usage on the rise, Android users in Pakistan remain vulnerable.
Google has already released patches for security bugs recently found in older versions of the Android Open Source Project (AOSP) browser, the stock browser built into Android releases before KitKat. However, security researchers say that around half of the Android user base remains vulnerable, and they have raised concerns about the role of phone makers in getting the fix to users.
Experts from mobile security firm Lookout have said in a blog post, quoted by several technology blogs, that around 45% of Android devices are still vulnerable to the two security bugs because of Android's fragmented ecosystem.
In mid-September, Pakistani security researcher Rafay Baloch disclosed two same-origin policy (SOP) bypass vulnerabilities in the AOSP browser, affecting Android versions prior to 4.4 (KitKat). Leading information security experts termed the bug a ‘privacy disaster’.
The SOP, a cornerstone of web browser security implemented in every mainstream browser, including Internet Explorer, Mozilla Firefox and Google Chrome, prevents a script loaded from one website from reading the content, cookies or responses belonging to another. A bypass of that protection lets a malicious page read data from other sites the user is logged into in the same browser, which is how the flaw exposes users’ private data.
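To make concrete what the policy actually compares, here is an added example of the origin check a browser performs under the SOP before letting script from one page read another page's document, cookies or responses. This is illustrative code written for this article, not the AOSP browser's implementation, and it does not reproduce the bypass; the function names (originOf, sameOrigin, canScriptRead) and the hostnames attacker.example and bank.example are assumptions chosen for the example. It runs under Node.js using the built-in WHATWG URL class.

```javascript
// Added example (not the AOSP browser's code, and not the bypass itself):
// the origin comparison a browser performs under the same-origin policy
// before letting script from one page read another page's DOM, cookies or
// responses. An origin is the (scheme, host, port) triple per RFC 6454.

// Default ports, so that http://a.example and http://a.example:80 compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple; path, query and fragment are ignored.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,                       // WHATWG URL lower-cases hostnames
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// True only when all three components match.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Policy decision: may a script running in a document from `scriptUrl`
// read the document loaded from `targetUrl` (for example a framed page)?
function canScriptRead(scriptUrl, targetUrl) {
  return sameOrigin(scriptUrl, targetUrl) ? 'allow' : 'deny';
}

// Constructed cases; the hostnames are placeholders, not from the article.
const CASES = [
  // attacker page trying to read a banking page it framed: must be denied
  ['http://attacker.example/evil.html', 'http://bank.example/account', 'deny'],
  // same site, explicit default port: allowed
  ['http://bank.example/a', 'http://bank.example:80/b', 'allow'],
  // scheme differs: denied (an http page must not read https content)
  ['http://bank.example/a', 'https://bank.example/a', 'deny'],
  // host differs only in case: allowed
  ['http://bank.example/a', 'http://BANK.example/a', 'allow'],
  // port differs: denied
  ['http://bank.example/a', 'http://bank.example:8080/a', 'deny'],
  // a subdomain is a different host: denied
  ['http://bank.example/a', 'http://mail.bank.example/a', 'deny'],
];

// Number of cases where the decision disagrees with the expected outcome.
function checkCases() {
  return CASES.filter(([s, t, want]) => canScriptRead(s, t) !== want).length;
}

for (const [s, t] of CASES) {
  console.log(canScriptRead(s, t).padEnd(5), s, '->', t);
}
console.log(checkCases() === 0 ? 'all cases decided as expected' : 'MISMATCH');
```

The first case is the one that matters for this story: a page served from the attacker's origin asking to read a banking page must get 'deny'. A SOP bypass is precisely a path through the browser where that decision is skipped or answered 'allow' for a cross-origin pair, which is why the flaw was rated so severely.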
According to Baloch, Google’s security team has applied the patches for Jelly Bean users, while downstream users, those on older versions such as Ice Cream Sandwich and Gingerbread, may still be at risk.
The topic was picked up again by various technology blogs after Lookout published its data on the share of devices still exposed.
“Google was quick in patching it up. However, given the nature of Android’s ecosystem, updates aren’t rolled out that quickly,” technology blog Redmondpie.com said in a report.
“While Google has patched up the vulnerability with an update, that still leaves a huge chunk of users waiting for Android’s ecosystem to speed it up a bit,” it said.
Raising a similar point, another technology blog, PCWorld said, “Google has released patches for the two vulnerabilities through AOSP, which serves as the base for the customised Android firmware installed on devices by manufacturers. The task now falls on device vendors to import those patches and release firmware updates to end users.”
According to the bloggers, users in both developed and frontier markets are exposed to these vulnerabilities, but the proportion varies with how many people in each market are still running the older versions.
Vendors remain unaware
The Express Tribune contacted a few mobile phone vendors, both local and international, operating in Pakistan to find out whether they had released the relevant security updates locally. None of them was even aware of the issue.
“The mobile phone manufacturers operating in Pakistan rarely send security updates to users,” Baloch, the researcher, said, pointing to ‘a serious security issue’. The manufacturers should release such updates because the majority of Pakistanis are using the older versions of Android, which are still vulnerable to these bugs, he said.
Baloch went on to say that the average user in the country is not skilled enough to go to the source and apply these patches to their phone. “It is the vendors’ moral responsibility to send direct updates to the users who can then accept and run it.”
However, some experts say the process may not be that simple because of the customised nature of the Android operating system.
“Android is a very generic operating system and modified by the vendors. Sending security updates directly to the user should, therefore, be done through the vendors,” Information and Communication Technology expert Parvez Iftikhar said.
Established brands such as Apple, Samsung and HTC can release updates internationally, Iftikhar said. But the case with local vendors is different. “Our local companies get their phones manufactured by different vendors,” he said. Since each vendor has to test the patches before releasing them to users, the process can be complicated and costly.
“History has shown that the availability of Android firmware updates vary greatly among manufacturers, different devices from the same manufacturer and even among countries, as local carriers also play a role in the distribution of over-the-air updates,” PCWorld said in its report. “This is reflected in data about these two vulnerabilities that was collected by Lookout from users of its mobile security products,” it added.
Published in The Express Tribune, October 16th, 2014.