Stagefright Bug Spurs Android Makers Into Action
The Stagefright vulnerability found in Android has coaxed a swift response from smartphone makers. Both Google and Samsung plan to step up and deliver security updates to their smartphones on a monthly basis to better protect users.
In July, Joshua Drake from Zimperiumdiscovered a new Android weak spot calledStagefright. The bug lets hackers barge their way into Android devices and execute code through multimedia messages. It corrupts Android's system memory and can reset a program's control counter. The control counter is used to figure out what line of code will be executed next.
If a hacker can get their own code into the queue, they can wreak all sorts of havoc.
Users can sort of mitigate the problem by switching off the setting that automatically retrieves picture and video messages. The fix isn't perfect, but it's enough of a road block for now.
The bug is serious enough that it garnered the attention of Google, which makes the Android operating system. Google developed a patch for Stagefright and is actually going to do something about it. The company announced plans to issue monthly security patches for its Nexus-branded devices moving forward.
"Security has always been a major focus for Android and Google Play. Android was built from day one with security in mind," according to an Aug. 5Google blog post. "For example, the 'Application Sandbox' model keeps applications running separately from other apps and the rest of the device to keep your data safe. With Verify Apps, over 1 billion devices are protected via Google Play, which conducts hundreds of millions of antivirus-like security scans of devices per day seamlessly in the background."
Google points out that Android is an open source platform, which means anyone can sort through the code to find and resolve security problems.
Google believes this makes the platform stronger.
Even though plenty of protections are already in place, the Stagefright vulnerability warrants a patch, and Google is already pushing it out. Google is delivering the security update to the Nexus 4, Nexus 5, and Nexus 6 smartphones, the Nexus 7, Nexus 9, and Nexus 10 tablets, and the Nexus Player media device.
Google says the update resolves Stagefight and a number of other vulnerabilities. Google is also offering a fix through the Android Open Source Project.
In this case, Google is in control of updates for the Nexus line of handsets, meaning it can deliver updates without carrier approval. Nexus devices are always the first to see new versions of Android. Google committed to providing Nexus devices with operating system updates for a period of two years, and security updates for a period of three years.
Moving forward, all Nexus devices will receive monthly security patches.
This is great news for Nexus owners, but what of the other billion or so Android devices in the market?
[Read more about Android security.]
Samsung, LG, Alcatel, and others have all said they'll patch Stagefright in the near future, though they are somewhat hogtied by their carrier partners. The carriers often have to approve such updates before they are distributed and the process can take months.
Samsung plans to be more forceful.
"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," Dong Jin Koh, executive vice president of Mobile Research and Development at Samsung Electronics, wrote in a statement. "Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."
Samsung promised to work with its carrier partners to make sure security problems can be resolved quickly. Like Google, Samsung will provide monthly security patches for its smartphones and tablets.