Android 7.0 may have brought many security improvements, but all code can be vulnerable to bugs. In its security patch for October, Google seems to have fixed dozens of bugs, most of them of “High” severity and a few “Critical” ones. However, because only Nexus users and owners of a few other smartphone models will receive this update, most users are expected to remain vulnerable to all of the discovered vulnerabilities.
Many New Bugs Despite Architecture Enhancements
Android 7.0 “Nougat” brought multiple security enhancements and features this year. The new OS comes with improved file-based encryption, a strictly verified boot process, mandatory hardware-backed keystore, a universal and unmodifiable certificate store, and more modular and sandboxed media capabilities (to avoid Stagefright-level vulnerabilities in the future).
Despite all of these security improvements, there have already been dozens of bugs fixed in last month’s security update, and this month there seem to be even more security fixes as Google came closer to releasing its Pixel phones. Most of the bugs do seem to involve core Android components, but many of them are also vendor specific. Qualcomm, especially, seems to have been hit with multiple “High” severity bugs that could’ve given attackers elevated privileges.
The most dangerous, “Critical”-level bugs include three remote execution vulnerabilities in the kernel, one in MediaTek’s video driver, and three critical bugs in “Qualcomm components” that, strangely enough, don’t seem to have any description of what they do.
It’s likely that the three vulnerabilities are related to the QuadRooter vulnerability, which was revealed this summer but uncovered in spring (when Qualcomm was also notified about it).
“High” Severity Bugs
A few more high-severity elevation of privilege vulnerabilities were uncovered in other components of Qualcomm’s software stack, including in its crypto engine, sound, video, camera, QSEE (Qualcomm Secure Execution Environment), and networking drivers.
A few high severity bugs in their drivers hit Nvidia and MediaTek as well, but not nearly as much as Qualcomm (it’s also possible Google didn’t analyze their drivers as thoroughly as it did Qualcomm’s).
Stagefright mediaserver library vulnerabilities also make a comeback. One “moderate” severity bug could allow an attacker to access sensitive information without permission, while another high severity one could enable denial of service attacks that cause the phone to hang or reboot. Three other high severity mediaserver bugs that affect Android versions 4.4.4-7.0 could also allow an attacker to execute arbitrary code.
Google found a few more elevation of privilege and denial of service vulnerabilities in the core components of Android, such as ServiceManager, Lock Settings Service, the Zygote process, framework APIs, Telephony, Camera service, fingerprint login, AOSP mail, Wi-Fi, GPS, and the Accessibility services.
Most Users Left Out Of Security Patches
Despite Android being “only” a mobile operating system, the codebase is already quite large now, so many vulnerabilities will continue to be found, especially right after a major new release. Android is not alone; Apple fixed around 100 iOS bugs in one go as well in the past.
With the new monthly update schedule, the vulnerabilities aren’t as big of an issue as they would’ve been otherwise, at least for Nexus/Pixel devices and a few other large smartphone makers that have committed to the monthly security updates. However, the bigger danger is to those users that may never get these patches, which includes the majority of the Android user base. This will continue to be Android’s biggest weakness for the foreseeable future.
As we are now, a phone only receives 1 OS update and is then forgotten. The time it takes to receive that update is months because it has to go to the manufacturer first, who injects bloatware, then the manufacturer gives it to the carrier, who injects their own bloatware and gives it to the customer.
By the time a phone on the market for 18 months gets an OS upgrade, the next model is already out and the manufacturers are focusing on the new model. So the only way to get upgrades seems to be to buy a new phone or rooting and installing third-party ROMs.
The Pixel line is a step in the right direction where the phones are made for Google and Google do whatever they want, similar to how Foxconn makes the phones for Apple and Apple do whatever they want.
The problem with the Nexus phones was that they lacked what others offered.
- No expandable storage
- Lame camera resolution
- No wireless charging
They now have the opportunity to drop the entire line and start fresh with specs on par with the heavy hitters. Best of all there will be no OEM branding on the outside of the phone.
Nexus phones were not about having the best features. They were meant to be feature-rich phones with no bloatware, and can be found at a low price (the price on the last 2 was really high though). Some Nexus phones had wireless charging, and phones like the Nexus 6P have a camera comparable to the camera on the iPhone 7, and expandable storage has never been a big issue as much as the trolls make it out to be. If you are looking for security in the Android world you could always get it from Nexus phones because of the fast updates, and even when Google stops updating the phone after a few years it's easy to put a custom ROM on it that will still keep it up to date.
Expandable storage and replaceable batteries are a must for folks like me - why label us as trolls?
With the replaceable battery, it's also fairly important as my Note Edge would be a brick right now if I couldn't replace it. There was a bug in Android 5.01 where it would chew through a 100% battery in less than 30 minutes when signal was lost. Needless to say, my previous battery is completely toast to where even a booster couldn't even start the phone.
Those are the ones they put in for the NSA, you know like the back-doors that MS puts into their NSA co-authored OS's. Wouldn't surprise me at all.