Manufacturers’ Android modifications open security leaks, study shows

Researchers at North Carolina State University have discovered a vulnerability in a number of leading Android handsets that could allow hackers to access private data without obtaining explicit user permission. According to the study, such a loophole could give malicious hackers the ability to “wipe out the user data, send out SMS messages, or record user conversation on the affected phones – all without asking for any permission.”

Unlike apps for iOS, which alert a user anytime the app wants to access some type of personal information, like location, Android apps use a permissions-based security system, which tells the user up front what types of information the app may at some point need to access. Users can then decide whether or not they want to install the app based upon the permissions granted.

The NCSU study shows that the modification of Android by some handset manufacturers creates a hole in the permissions infrastructure, which could allow hackers to access sensitive private information, or perform functions on the phone, even if an app doesn’t explicitly request permission to perform these activities.

“These features are standard and make the phone more user-friendly,” said Xuxian Jiang, assistant professor of computer science at NCSU. “They make the phones more convenient to use, but also more convenient to abuse.”

Using their “Woodpecker” diagnostics tool, which checks to see if an app can perform a function for which it has no permission, the researchers found the following devices to be most vulnerable: HTC Evo 4G, HTC Wildfire S, HTC Legend, Motorola Droid and Droid X, Samsung Epic 4G, Google Nexus One and Nexus S. Both Google and Motorola have responded to the researchers, confirming their discovery. Samsung and HTC, however, have given the team “major difficulties.”

Despite their findings, the researchers say that manufacturers should not necessarily be condemned for including these loopholes. In addition, they say all is not lost with Android’s permissions-based system.

“Though one may easily blame the manufacturers for developing and/or including these vulnerable apps on the phone firmware, there is no need to exaggerate their negligence,” the team writes in the study. “Specifically, the permission-based security model in Android is a capability model that can be enhanced to mitigate these capability leaks.”

Read the full study here (pdf).

Andrew Couts
Former Digital Trends Contributor