Google tells Samsung to stop making changes in Android
Rather than securing the devices, changes make them vulnerable to hacks
Google has slammed some of the leading mobile manufacturers for altering Linux kernel codes within the its Android platform.
According to Google's Project Zero security team, several phone makers have tinkered with the software in order to make their devices more secure - however, in the process, have actually ended up making the phones vulnerable to serious security bugs.
This includes Samsung, whose tinkering with the Android Linux kernel has resulted in exposing the company's devices to a range of threats.
- Google clamps down on Android app access to personal data
- Google urged to kill off Android bloatware
- Best privacy apps for Android in 2020
Creating vulnerabilities
Google has suggested that manufacturers should use Android’s inbuilt security features rather than making unnecessary changes to the core kernel.
Citing an example of Samsung’s Galaxy A50, Google’s Jann Horn revealed that while making these changes, Samsung added custom drivers, thus creating direct access to the kernel. While this was meant to enhance security on the device, it created a memory corruption bug.
Samsung described the bug as a moderate issue consisting use-after-free and double-free vulnerabilities on devices running Android 9 Pie and Android 10 and affected company’s PROCA (Process Authenticator) security subsystem. This bug was patched with an update in the recent February update by the company.
Horn’s posts also suggest that device-specific kernel changes are a frequent source of vulnerabilities and termed these them “unnecessary” which negates Google’s work in making the OS secured.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
He highlighted another example from Samsung stating that one of the changes in a device was aimed at restricting an attacker that gained “arbitrary kernel read/write.” Calling these changes as “futile”, he mentioned that the engineering resources could’ve been better utilized had it ensured that a hacker does not even reach this point.
He concluded with an appeal that “ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”
- Secure your devices with the best antivirus software
Via: Google Project Zero
Jitendra has been working in the Internet Industry for the last 7 years now and has written about a wide range of topics including gadgets, smartphones, reviews, games, software, apps, deep tech, AI, and consumer electronics.