Mobile security has become a major concern both for consumers and for enterprises worried about the integrity of their sensitive data. Part of that worry centers on the security of the apps on mobile devices, something that’s largely unknowable in a lot of cases right now. Duo Security today is releasing a new app called X-Ray that scans Android devices for known vulnerabilities and alerts users to which ones remain unpatched.

X-Ray doesn’t look for malicious apps, as some existing security scanners do, but instead searches for a set of known vulnerabilities in the core Android operating system, some of which have been used in the wild by malware and attackers. Many of the bugs are still unpatched on Android devices sold by the major carriers, and the average, non-technical user likely has little idea that the vulnerabilities exist or what can be done with them.

Jon Oberheide, one of the co-founders of Duo Security, who has done a lot of security research on Android, said that part of the reason for releasing X-Ray, which is free, is to light a little fire under the carriers who may not have patched these flaws yet.

“Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices. We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users’ devices,” Oberheide said.

Some of the vulnerabilities that X-Ray looks for are several years old. The so-called GingerBreak bug, for example, has been around since last year, and is in Android 2.3, known as Gingerbread. Many of the flaws X-Ray identifies are privilege-escalation bugs and have been known among security researchers for some time.

“X-Ray has detailed knowledge about a class of vulnerabilities known as ‘privilege escalation’ vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old,” the X-Ray documentation says.

The unfortunate part is that mobile users really have no control over the patching of their devices. That operation is up to the mobile carrier, and some of them tend to be on the slow side when it comes to updating. 

Android users can download the app from the X-Ray site rather than the Google Play app market.

Categories: Mobile Security

Comments (4)

  1. Anonymous
    1

    Has anyone vetted this?  It’s installed directly and not through Google Play.


  2. Independent
    3

    Some of us have known from our first experience with our Android devices that security was non-existent at any level. I NEVER access my banking services or any other site that I could not tolerate the loss of my security information on. That doesn’t leave much! Weather, recreational browsing, and nothing written that I didn’t want the world to see! (Google, Yahoo, and who knows what else.)

    So, essentially, X-Ray makes us aware of our vulnerabilities, and it’s up to us to pester the daylights out of our OEMs? Good luck with that. Has anyone tried to get Google to respond to anything, ever? The bottom line is clear: This entire Android experiment was & is NOT ready for prime time. One must be an ignorant child to ignore the severity of this issue/problem. I can’t believe I fell for it. Trying to unload this 60 day old tablet, for anything close to what I spent for it and accessories, is proving very difficult.

  3. Anonymous
    4

    It does not. These are vulnerabilities in the core operating system that can only be patched with an update. Sadly, the update system is largely broken. Manufacturers have to push updates and carriers have to approve them. Security is one of their least concerns. The exception to this is most Nexus devices, which get updates directly from Google.

Comments are closed.