Harnessing the Power of an Android Cluster for Security Research

When the topic of mobile security comes up, users and researchers often discuss Android as if it’s one monolithic operating system like iOS is. But the fact is that there are nearly as many versions of Android as there are Android devices, which has led to plenty of confusion when it’s time to fix a security problem. Security researcher Joshua Drake decided to take a look at the fragmented Android ecosystem in a unique way: by building a cluster of as many Android devices as he could get his hands on.

Android is by far the most popular mobile operating system, and the ecosystem that has grown up around it is extensive, as well. There is a long list of manufacturers that make Android devices, as well as any number of other companies that provide chips and processors and other pieces of the puzzle. The other factor that complicates the Android world is the great diversity of versions of the software that are floating around out there. Many manufacturers and carriers customize the OS for their own purposes, and so even two devices that are running the same version number of Android can have quite a few differences in the software.

Drake, director of research science at Accuvant Labs and one of the authors of the Android Hacker’s Handbook, noticed the great diversity in the Android landscape and wondered how he could get a clear picture of the security and app landscape. He started accumulating as many Android devices as he could find, going all the way back to the first Android phones and up to the newer ones. All in all, Drake has nearly 50 Android phones in the cluster, and he’s been able to use it to get some interesting insights into the ecosystem.


One thing he noticed was that the patching practices are pretty haphazard among carriers. Drake looked at the case of a JavaScript interface vulnerability that, at the time he started the research, was still quite new and hadn’t even been assigned a CVE number yet. Drake will be presenting the results of his research at the Black Hat conference in Las Vegas next week.

“When I looked at the addjavascriptinterface vulnerability in the browser, I noticed that there were some older devices that were patched and some newer ones that weren’t,” he said. “There were some that were vulnerable to a slightly different variant, too. The bug was new when I was looking into this, so it was surprising to see it patched in some versions. It was clear that at some point Google had informed their partners and some had fixed it and some hadn’t.”

Drake said that the cluster could be useful for any number of applications in the future, especially as the Android ecosystem continues to splinter and devices become more and more complicated.

“I can run a query for a certain driver or for all devices running Jelly Bean or whatever,” he said. “It could be used for exploit development or fuzzing or to assist in manual research.”

The Android model is in stark contrast to Apple’s, not just in version control, but in the manufacturing model, as well. When Apple fixes security vulnerabilities in iOS, all users get the update at the same time. When Google patches a flaw in Android, its partners all get the information, but it’s then up to them to push it to their users. There also are a number of moving pieces in the Android manufacturing process. Where Apple has a tiny handful of partners for making the iPhone, Android manufacturers often involve many more.

“In the simplest case, there are six companies at least involved in building an Android phone,” Drake said.

Addressing that heterogeneity and the issue of getting security fixes into the hands of users more quickly is a sticky problem, he said.

“I don’t know that there’s any way around the backend inefficiency problem they have. It’s the OEMs that have to have a development team that’s savvy enough to do this and test the fixes and it’s a long process,” Drake said. “The easiest way to make it faster is to cut people out of the chain, but carriers aren’t happy about that. Carriers are afraid of updates having adverse effects. No carrier wants to push an update that breaks something. That’s a nightmare scenario.”
