March 1 2016 Security Patch for Android devices said to fix third-party application exploitation
Trouble For Android
Security research firm Perception Point discovered an Android vulnerability within the last few days that can allow third-party applications to exploit Android devices, free themselves from Google’s secure sandbox, and take over other functions of the device. Google responded to the security issue on January 20th by way of a Google+ post that was meant to reassure Android users that the software loophole wasn’t serious and was restricted to only a few devices. The company promised to introduce a March 1 2016 security patch for Android devices, starting with its own Nexus line and spreading to the other Android OEMs:
“We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in linux kernel 3.8, as those newer kernel versions not common on older Android devices.”
Prior to this statement, Google said that “This patch will be required on all devices with a security patch level of March 1 2016 or greater.”
Google states that Nexus devices are not vulnerable, but if this third-party application exploitation mandates a March 1 2016 security patch, and even Nexus devices are getting monthly security patches (and thus, the March 1 2016 security patch), then are not Nexus devices at risk of seeing this application exploitation by third-party app developers?
Google also said that the risk to Android was minimal, but Android devices do allow Android users to download apps from third-party sites that fall outside of the Google Play Store — without rooting their devices. All one needs to do in order to access third-party apps from other locations is to enable the “debugging” feature present within Android smartphone settings. Of course, Android does remind you that to enable debugging is to leave your device vulnerable, but Apple does not provide this option.
Security Patches for all
The March 1 2016 security patch will first be extended to Nexus devices, which are all part of Google’s Nexus line, then to devices belonging to all other Android OEMs such as Motorola, LG, Samsung, Sony, HTC, and others. Nexus devices such as the Huawei Nexus 6P, LG Nexus 5X, Motorola Nexus 6, and LG Nexus 5 have already received the January 1 2016 security patch, but won’t receive the March 1 2016 security patch until March (a month away).
The March 1 2016, despite what Google says, is a testimony that the vulnerability is serious. If this third-party application exploitation isn’t serious, then the Stagefright vulnerability isn’t serious. And if Stagefright isn’t serious, then why issue the March 1 2016 security patch in the first place? All in all, we think that Google knows how serious this is but wants to downplay a vulnerability that’s existed since 2012. The perception of “keeping hush” about a near 4-year-old vulnerability may sound bad, but the appearance of claiming that it isn’t much of a risk only adds heat to the already growing fire.