Android’s Messaging Vulnerability Has a Simple yet Sophisticated SolutionArcPoint Strategy
One of the biggest challenges in mobile application and device development is finding a balance between delivering a quality user experience and ensuring it is as secure as possible. The recent discovery of a video injection vulnerability in Android’s messaging system is a great example of how, too often, the focus becomes creating a unique and pleasing user experience instead of a secure one.
The exploit found in Android takes advantage of a feature that was intended to provide a more user-friendly engagement. Instead of waiting for a user to select a text message, Android is designed to prepare it for the user in advance. It has been reported that this enables a hacker to launch an attack by simply sending a text message. Because Android automatically plays videos and messages, all a hacker has to do is hide some malware within a video, text it to your phone and as soon as the phone receives it the vulnerability will be triggered. This technique was demonstrated in the 2014 thriller, Non-Stop, where US Air Marshall Bill Marks (Liam Neeson) used a similar exploit to attempt to determine the terrorist within the passengers of the airplane he was threatening – so the idea has been out there and still these devices remain at risk.
What exactly does it mean to have your cell phone hacked? Hackers might do any number of things to your phone: they might redirect you to porn sites, run bitcoin miners, falsify advertising statistics, steal contacts and data, shut down functions and hold you at ransom, and possibly worst of all, take over your camera and microphone and monitor what you do and say. Situations like this are unnerving, potentially dangerous for users, and are already occurring every day.
The fundamental challenge with sophisticated mobile devices is that it is almost impossible to predict how a combination of technologies may interact to create an unanticipated security hole. The approach in the traditional enterprise market has always been to patch the holes as quickly as they are discovered. This does not work in the mobile world, where for a variety of technical, logistic, and business reasons patches only reach around 50% of devices, and the time to patch runs into many months.
With such long lead times, and such low patch penetration, hackers are able to stay ahead of the defenders and can go from one unpatched weakness to the next while IT departments and users struggle to protect themselves. Mobile security needs a better approach – one that can react immediately to security incidents and ensure all devices are patched.
Building security into products is necessary if we expect to see impactful strides forward. As industry specialists, we at OptioLabs build in safety valves for these types of vulnerabilities. For example, our product OptioCore is able to analyze potential vulnerabilities, , and block access to vulnerability (in this case a particular use of a media player) without requiring an operating system update. OptioCore can block a new attack in a matter of minutes. The image below shows the vulnerable part of Android. You will notice that it uses a binder to communicate from the applications to the vulnerable media player system. OptioLabs makes the Android framework safer for users by vetting the data that applications have access to and preventing bad behavior. We know what constitutes valid actions, and normal communications/behaviors. Because we have this knowledge we are able to key in on meaningful deviations in code and filter those out.
With an endless landscape of threats and unexpected vulnerabilities, the mobile industry will need to begin implementing solutions to provide emergency stop-gap measure to proactively protect users. OptioLabs on the cutting edge of developing these solutions.