Android 7.0 may have brought many security improvements, but all code can be vulnerable to bugs. In its security patch for October, Google seems to have fixed dozens of bugs with most being of “High” severity, and a few “Critical” ones. However, because only Nexus users and owners of a few other smartphone models will receive this update, most users should remain vulnerable to all of the discovered vulnerabilities.
Many New Bugs Despite Architecture Enhancements
Android 7.0 “Nougat” brought multiple security enhancements and features this year. The new OS comes with improved file-based encryption, a strictly verified boot process, mandatory hardware-backed keystore, a universal and unmodifiable certificate store, and more modular and sandboxed media capabilities (to avoid Stagefright-level vulnerabilities in the future).
Despite all of these security improvements, there have already been dozens of bugs fixed in last month’s security update, and this month there seem to be even more security fixes as Google came closer to releasing its Pixel phones. Most of the bugs do seem to involve core Android components, but many of them are also vendor specific. Qualcomm, especially, seems to have been hit with multiple “High” severity bugs that could’ve given attackers elevated privileges.
The most dangerous, “Critical”-level bugs include three remote execution vulnerabilities in the kernel, one in MediaTek’s video driver, and three critical bugs that strangely enough don’t seem to have any description of what they do in “Qualcomm components.”
It’s likely that the three vulnerabilities are related to the QuadRooter vulnerability, which was revealed this summer but uncovered in spring (when Qualcomm was also notified about it).
“High” Severity Bugs
A few more high-severity elevation of privilege vulnerabilities were uncovered in other components of Qualcomm’s software stack, including in its crypto engine, sound, video, camera, QSEE (Qualcomm Secure Execution Environment), and networking drivers.
A few high severity bugs in their drivers hit Nvidia and MediaTek as well, but not nearly as much as Qualcomm (it’s also possible Google didn’t analyze their drivers as thoroughly as it did Qualcomm’s).
Stagefright mediaserver library vulnerabilities also make a comeback. One “moderate” severity bug could allow an attacker to access sensitive information without permission, while another high severity one could cause denial of service attacks that could create hanging or phone reboots. Three other high severity mediaserver bugs that affect Android versions 4.4.4-7.0 could also allow an attacker to execute arbitrary code.
Google found a few more elevation of privilege and denial of service vulnerabilities in the core components of Android, such as ServiceManager, Lock Settings Service, the Zygote process, framework APIs, Telephony, Camera service, fingerprint login, AOSP mail, Wi-Fi, GPS, and the Accessibility services.
Most Users Left Out Of Security Patches
Despite Android being “only” a mobile operating system, the codebase is already quite large now, so many vulnerabilities will continue to be found, especially right after a major new release. Android is not alone; Apple fixed around 100 iOS bugs in one go as well in the past.
With the new monthly update schedule, the vulnerabilities aren’t as big of an issue as they would’ve been otherwise, at least for Nexus/Pixel devices and a few other large smartphone makers that have committed to the monthly security updates However, the bigger danger is to those users that may never get these patches, which includes the majority of the Android user base. This will continue to be Android’s biggest weakness for the foreseeable future.