Josh Drake, the researcher who discovered the Stagefright vulnerability in Android that lets an attacker hack into an Android device by sending a specially crafted picture or video in a text message, was on the Risky Business security podcast this week to talk about it. What he had to say was interesting.
Patrick Gray, the host, tends to be a pretty outspoken critic of Android and isn’t shy about talking up Apple. He tried to get Drake to say Android is a trainwreck, security-wise, but Drake wouldn’t say it. Drake actually went as far as to say he thinks Android and IOS are fairly close, security wise.
So why do we see so many more Android bugs? Drake had an answer.
Drake said that it’s a lot cheaper to research Android. To research Apple vulns, you have to buy an expensive device, then immediately void the warranty on it. To research Android, you just pick a phone lind that has a good mechanism in place to restore the ROM–Samsung phones are generally a good bet for that–buy the model you can afford, then go to town.
But just because the researchers are finding Android bugs doesn’t mean bugs aren’t present in other systems, and it doesn’t mean governments aren’t looking for them. To a government agency, the price difference between an Android phone or an Apple phone is immaterial. They’ll buy as many phones as they need, rip them apart looking for vulnerabilities to exploit, and exploit them. Drake knows about those too–he once found a vulnerability in Apple’s graphics library that could brick an IOS or an OS X device, and he found it by accident. He created a proof of concept for OS X and it just turned out that it worked on IOS as well.
Drake also pointed out that it’s one thing to find a vulnerability and it’s another thing to write a reliable worm that uses it. He’s written a demonstration but it doesn’t work reliably on all phones or all operating systems. Drake suggested that someone who wanted to use his vulnerability would probably have to stick to a specific popular model of phone. Apple often touts how the diversity of Android versions and chips and OEMs in circulation is a disadvantage, but this is an instance where that diversity actually improves security.
He has a point. In the Windows space, where there’s one dominant chipmaker, even the very most reliable exploits don’t work all of the time. I’ve had more than one red team penetration tester tell me stories of finding a system with MS08-067, the most notorious Windows vulnerability, and when they went to exploit it, the system bluescreened instead of running their code like it was supposed to.
So the guy who discovered this horrible Android bug is basically saying everyone is overreacting to it. I found it interesting.
Google does need to seize more control of Android from the OEMs and from the carriers. They started doing that in the last couple of years, and there’s no question they’ll continue to do that as they find ways to. The carriers may not care if everyone is carrying around the equivalent of Windows XP SP1 boxes around, but Google does. It will be interesting to see what Google does, but one thing is for certain: With this highly publicized flaw, Google only became more motivated.
It took Microsoft about three years to get Windows security to the point of being respectable. Google is about two years in and arguably has a tougher job. But I do think in another couple of years, the situation with Android will look a bit different from now.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.