Home > News content

A Professor at Fudan University has reported more than 400 Android bugs that could corrupt any Android device, and it took Google 16 months to fix them

via:大数据文摘     time:2022/1/1 9:01:10     readed:110

Big Data Abstracts

Most Android users probably don't realize how dangerous their phones are.

Yang Min, a professor at fudan University's School of Computer Science, and his colleagues submitted more than 400 vulnerabilities to Google last September, but they were not fixed until the end of this year.

They also include high-level vulnerabilities that can "brick every living Android device on the market."

Abstract bacteria can not help but take out their Android machine, glad this year more than their mobile phone has not become a brick.

Professor Yang min sent several emails to the Android security team after submitting the vulnerability, only to receive endless delays. After countless delays, Google fixed the vulnerability.

And Google expects Yang to "keep it secret."

After discovering more than 400 vulnerabilities, he wrote a paper

Professor Yang Min is not idle looking for more than 400 loopholes.

According to Yang, the more than 400 vulnerabilities were discovered by him and his colleagues based on a systematic study of Android's resource management mechanism, affecting manufacturers using Android code.

The research was published in a paper entitled "Exploit the Last Straw That Breaks Android Systems" and was published in IEEE S& P. 2022.

The abstract explains:

Android services often play a key role in performing multiple important tasks and providing a seamless user experience, such as easily storing user data. In this article, we conducted our first systematic security study of data stored procedures in Android services and discovered a new class of design flaws (Straw) that can lead to serious denial-of-service attacks, such as, Permanently crash the entire affected Android device.

We then propose a new direction-based fuzzy approach called StrawFuzzer that automatically checks Straw vulnerabilities for all system services. StrawFuzzer balances the tradeoff between path exploration and exploit. By applying StrawFuzzer on three recent security updates to Android systems, we identified 35 unique Straw vulnerabilities, affecting 474 interfaces of 77 system services, and successfully generated corresponding vulnerabilities that could be used for various permanent/temporary DoS attacks. We have reported our findings and recommendations for fixing the vulnerabilities to the appropriate vendors. So far, Google has rated our vulnerability as high severity.

As you can see, the design flaw called Straw, which Google rates as highly serious, could be open to a serious Dos attack that would crash android devices and turn them into bricks.

Fortunately, until Google's belated patch arrived, the vulnerability was not exploited to wreak havoc on a scale that would have been unthinkable.

It was supposed to take two months, but it took 16 months

After Professor Yang min and his team submitted the vulnerability, the Android security team replied that it would fix the vulnerability within two months. But after much Delay, the announcement that the bug was finally being patched was delayed until late this year.

So why was the Android security team so slow to fix this bug when it was so serious?

The answer is -- too many bugs.

The Android security team is responsible for finding bugs as well as fixing them, but in this case relies on third-party reporting as well as internal discovery.

These include issues reported through the Android security issues template, published and pre-published academic studies, upstream open source project maintainers, notifications from device manufacturer partners, and publicly disclosed issues posted on blogs or social media.

Not only that, but Google also has a Google Bug Hunters platform, which has a leaderboard for Bug Hunters, just to encourage people to try to find bugs.

As a result, the android security team was busy, and almost all of the bugs were not updated in a timely manner.

Professor Yang Min made fun of the slow speed of the Android security team to fix the vulnerability. You can go to his micro blog to have a look. Professor Yang Min's own fun can be very interesting.

Professor Yang Min is currently the Deputy Dean of the School of Computer Science and Technology at Fudan University and the Deputy Director of the China Institute of Cyberspace Strategy at Fudan University. His research field is network security, including malicious code detection, vulnerability analysis and mining, AI security, blockchain security, Web security and system security mechanism.

translate engine: Youdao

China IT News APP

Download China IT News APP

Please rate this news

The average score will be displayed after you score.

Post comment

Do not see clearly? Click for a new code.

User comments