Android Intelligence Analysis

Behind the scenes: The anatomy of an Android security flaw

An in-depth look at what actually happens when Google discovers a vulnerability -- and why alarmist headlines frequently fail to tell the full tale.

Android Security Flaw

Reading about Android security flaws is enough to give anyone an ulcer.

It's okay; we've all felt it at some point. Based on the headlines you see every few weeks, it's hard not to think your phone is constantly being surrounded by evil demon monkeys just waiting to pounce and pry your data into their cold, calloused, monkey-smellin' hands.

I'm not saying that isn't the case -- I haven't been privy to the evil monkey community's plans since the late 90s -- but more often than not, Android security flaws present little reason for panic from a typical user's perspective.

We've talked plenty about the realities of Android malware and how sensational most Android virus narratives tend to be. In addition to the theoretical malware, though, there is the occasional real security flaw in the OS itself -- something we've heard a fair amount about over the past several days. So what's the deal with that?

Let's break it down, because -- as is the case with most sensational subjects -- a little bit of knowledge and logic goes a long way in combating irrational fear.

Late on Friday, Google posted an "Android security advisory" about a flaw discovered in the operating system. In the simplest possible terms, the glitch could allow a specific type of application to gain control over a device and do some genuine damage -- far beyond what should be possible -- in a very specific scenario most users are unlikely to encounter.

Specific or not, that's some serious stuff. But alarmist headlines like one I saw warning that the bug had "opened Nexus phones to 'permanent device compromise'" -- PERMANENT DEVICE COMPROMISE! -- don't tell the whole story. And quite frankly, the picture they paint is pretty misleading.

What actually happens when a flaw is discovered

First, some background: Google first heard about this latest flaw in February, when a third-party security firm discovered the potential for it to be exploited. At that point, it wasn't a publicly known issue -- and there was no evidence of anyone else being aware of it or attempting to take advantage of it -- so engineers started work on a fix to be incorporated into the next regularly scheduled monthly security patch.

They also -- and here's a crucially important point in this process -- quickly and quietly confirmed that no apps in the Google Play Store, where the vast majority of people make their downloads, were affected. Android's Verify Apps system, which watches for problematic apps as they're installed from external sources and then continues to monitor all apps on a phone over time, was also checked and updated. 

"That gives us the ability to protect users faster than making a patch and then getting a patch distribution out to all devices, and it protects devices that might never receive a patch," Google's head of Android security, Adrian Ludwig, explained to me when I asked him about the process.

All those steps happened behind the scenes on Google's end, without any of us even being aware our phones were being protected. And that's the point headlines like the one I mentioned a minute ago tend to miss: Even without the final security patch in place, practically every Android device in America was already safe from harm.

When things start to get real

Let's keep going, though, because there's more to this tale. Fast forward to March 15th, when a separate firm called Zimperium found a living, breathing app out in the wild that was actually trying to take advantage of the glitch.

"We discovered that a fully updated Nexus device was compromised by a publicly available rooting app in our lab," Zimperium VP of Platform Research and Exploitation Joshua Drake told me. 

The app wasn't in the Play Store, which means you would have had to go out of your way to find it on a website and download it in order for it to affect you. And remember: Android's Verify Apps system was already safeguarding devices from that kind of threat. So you would have had to either opt out of that system or decide to ignore its warnings in order to be in any sort of danger (and the term "danger" itself is pretty relative, as Google says no actual malicious activity was observed in this scenario).

Nevertheless, with a realistic threat in the picture, Google lit a fire under its own patch-producing keister. The company had already been working on the patch, so rather than wait for the next month's bulk release, engineers went ahead and released it a la carte to manufacturers a day later -- on the 16th. We learned about all of this on the 18th, when the company posted its public bulletin and described the patch as a "final layer of defense."

So practically speaking, with the previous layers of protection already in place, does that patch really even matter? In a case like this one, for most people, probably not. It's just another brick in the wall of protection -- an extra layer that'll ultimately make the OS itself safer, but one that's generally redundant with the other layers Google had already provided.

The final step -- in perspective

There's one more step to this process, of course -- and as of this moment, it's one that's still pending. That step is to actually take the patch and get it onto devices, and it's by far the trickiest and most inefficient part of the equation.

Ludwig tells me that Google expects to start rolling the patch out to its Nexus devices within the coming days, as soon as the company finishes its testing to make sure the software will work smoothly on all those products. But as we see throughout the year, the updates that reach Nexus devices quickly -- be they security patches or full-fledged OS upgrades -- often take far longer to reach the bulk of Android phones and tablets. Some devices never end up seeing them at all.

It's an inherent effect of Android's open-source nature and the fact that manufacturers are free to modify the software as they see fit. That leads to the diversity in software we see across the platform -- which can sometimes be a good thing -- but it also means it's up to each individual manufacturer to process every update, make sure it fits in with its own customized version of the OS, and then get it out to its consumers.

Once you also add carriers into the equation -- many of whom tend to conduct their own turtle-paced testing in addition to the manufacturers' efforts -- what should be a quick turnaround frequently turns into a frustratingly prolonged process.

From a consumer's standpoint, it's an annoying part of the Android platform -- no two ways about it. Some manufacturers are better than others at reliably delivering updates, but even in those instances, carriers tend to muck things up and get in the way of any consistent success (especially here in the U.S., where lots of people still buy phones from carriers instead of purchasing them unlocked).

And though some patches may seem superfluous, others are actually important -- like the October 2015 patch that protected phones against the seemingly immortal Stagefright exploit. That exploit can theoretically be activated by way of a malicious link or text message, so the app-scanning systems alone can't keep you safe from it.

(That being said, for context, there's yet to be a real-world case of an actual user being affected by Stagefright. What's more, Google's Hangouts and Messenger apps were long ago updated with their own low-level protections, and the Chrome Android browser also has its own constantly updated Safe Browsing system that prevents you from pulling up risky sites on your phone in the first place. So, again, all things in perspective.)

The big picture

Basically, there are two ways to think about this. One is that if fast and reliable ongoing updates are important to you -- and, let's be honest, they probably should be -- you should pick a phone that's known to provide that feature. Google's Nexus devices are the safest bet, as they receive software directly from Google without any third-party interference or delays. Whether we're talking about security or broader system-level improvements, that's an extremely valuable assurance to have.

Second, as we've been discussing, remember that updates on Android really aren't the same as updates on other platforms. Google knows about the challenges created by its open source setup, and that's why it's taken steps to create all the other methods of reaching users directly -- both via the security-oriented paths we've been discussing and via the company's ongoing deconstruction of Android. The latter has resulted in an ever-increasing number of pieces typically tied to an OS being pulled apart into standalone apps that Google can update frequently and universally throughout the year.

"We have to be thoughtful in a way that isn't necessary if you have perfect control of the system," Ludwig explained. "It's different from other ecosystems where the only answer they have is patching."

So the take-home message? Take a deep breath. Take a few minutes to check up on your personal Android security and make sure you're taking advantage of all the tools available to you. And perhaps most important, arm yourself with knowledge so you can interpret security scares intelligently and keep things in perspective.

After all, even an evil demon monkey isn't so scary once you understand its tricks.

Android Intelligence Twitter
To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Related:
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.