Mobile security has become a major concern both for consumers and for enterprises worried about the integrity of their sensitive data. Part of that worry centers on the security of the apps on mobile devices, something that’s largely unknowable in a lot of cases right now. Duo Security today is releasing a new app called X-Ray that scans Android devices for known vulnerabilities and alerts users to which ones remain unpatched.
X-Ray doesn’t look for malicious apps, as some existing security scanners do, but instead searches for a set of known vulnerabilities in the core Android operating system, some of which have been used in the wild by malware and attackers. Many of the bugs are still unpatched on Android devices sold by the major carriers, and the average, non-technical user likely has little idea that the vulnerabilities exist or what can be done with them.
Jon Oberheide, one of the co-founders of Duo Security, who has done a lot of security research on Android, said that part of the reason for releasing X-Ray, which is free, is to light a little fire under the carriers who may not have patched these flaws yet.
“Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices. We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users’ devices,” Oberheide said.
Some of the vulnerabilities that X-Ray looks for are several years old. The so-called GingerBreak bug, for example, has been around since last year, and is in Android 2.3, known as Gingerbread. Many of the flaws X-Ray identifies are privilege-escalation bugs and have been known among security researchers for some time.
“X-Ray has detailed knowledge about a class of vulnerabilities known as ‘privilege escalation’ vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old,” the X-Ray documentation says.
The unfortunate part is that mobile users really have no control over the patching of their devices. That operation is up to the mobile carrier, and some of them tend to be on the slow side when it comes to updating.
Android users can download the app from the X-Ray site rather than the Google Play app market.