Our collection of stories in Android Secured last week included one about a team of researchers from Google’s Project Zero bug-hunting group setting out to find bugs in the Samsung Galaxy S6 Edge smartphone and coming up with a haul of 11 in just one week. What’s interesting is not the number of vulnerabilities that were discovered, the severity of the bugs or the vendor or device that was affected. It’s almost certain that the Google researchers would also have found similar issues in other devices had they chosen to look. Rather, what is significant is Google’s motivation for conducting the research.
As a Google security researcher noted in a blog post last week, device manufacturers have a tendency to introduce additional and sometimes vulnerable code into Android devices. Such code can exist at all privilege levels on the device, and Google is trying to understand how OEMs (phone makers) respond to the discovery of flaws in their products and how quickly they patch the flaws. Unlike Apple, Google does not control the code that runs on Android systems from other vendors, and it does not distribute updates and security fixes for them. Some believe that the bug-hunting exercise could be a sign that Google wants to exert more direct control over the Android ecosystem and eventually even prohibit others from writing Android code altogether. Read Google Goes Bug Hunting In the Android Ecosystem in Android Secured for more.
Other stories that made Android Secured last week include the following:
Toronto School District Serves Up Lesson on BYOD Use
Even as many enterprises continue to be bogged down by mobile security concerns, there are some, like the Toronto School District, that are actively encouraging personal device use because of the potential upsides. School district officials see BYOD as a way to promote better learning inside and outside the classroom and are willing to spend over $14 million to roll out WiFi to all 562 schools in the district. Gartner has somewhat enthusiastically predicted that nearly half of all enterprises will follow the same model by as soon as 2017.
Device Rooting Adware An Emerging Threat In The Android Ecosystem
Add device-rooting adware to the list of reasons why you should avoid downloading Android apps from third-party apps stores. Security vendor Lookout has a report out on new adware strains that not only serve up annoying ads but also root Android devices and install themselves as system applications that are almost impossible to get rid of without professional help. Many of the 20,000 copies of such adware that Lookout discovered were disguised as legitimate apps like Facebook, Candy Crush, Google Now and Twitter.
Google Releases Fixes For Two Critical Android Flaws in Latest Monthly Update
Following the discovery and disclosure of the Android Stagefright vulnerability earlier this year Google has committed to releasing monthly security patches for the operating system. Last week Google released its patch set for November with fixes for several flaws including two remotely exploitable ones that the company described as critical. Four of the remaining flaws garnered a “High” rating from the company, while one was classified as a “Medium” risk vulnerability.
Learn how to take the pain out of securing business data on your employees’ Android devices. Join Google and BlackBerry at a free, half-day seminar, Bring Android to Work with BlackBerry Software, hosted at Google offices in Toronto, Chicago, San Francisco, Washington DC and New York City.