Posted by Kylie McRoberts, Program Manager and Alec Guertin, Security Engineer


Google’s Android Security & Privacy team has launched the Android Partner Vulnerability Initiative (APVI) to manage security issues specific to Android OEMs. The APVI is designed to drive remediation and provide transparency to users about issues we have discovered at Google that affect device models shipped by Android partners.

Another layer of security

Android incorporates industry-leading security features and every day we work with developers and device implementers to keep the Android platform and ecosystem safe. As part of that effort, we have a range of existing programs to enable security researchers to report security issues they have found. For example, you can report vulnerabilities in Android code via the Android Security Rewards Program (ASR), and vulnerabilities in popular third-party Android apps through the Google Play Security Rewards Program. Google releases ASR reports in Android Open Source Project (AOSP) based code through the Android Security Bulletins (ASB). These reports are issues that could impact all Android based devices. All Android partners must adopt ASB changes in order to declare the current month’s Android security patch level (SPL). But until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP code that are unique to a much smaller set of specific Android OEMs. The APVI aims to close this gap, adding another layer of security for this targeted set of Android OEMs.

Improving Android OEM device security

The APVI covers Google-discovered issues that could potentially affect the security posture of an Android device or its user and is aligned to ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure recommendations. The initiative covers a wide range of issues impacting device code that is not serviced or maintained by Google (those are handled by the Android Security Bulletins).

Protecting Android users

The APVI has already processed a number of security issues, improving user protection against permission bypasses, execution of code in the kernel, credential leaks and generation of unencrypted backups. Below are a few examples of what we’ve discovered, the impact and OEM remediation efforts.

Permission Bypass

In some versions of a third-party pre-installed over-the-air (OTA) update solution, a custom system service in the Android framework exposed privileged APIs directly to the OTA app. The service ran as the system user and did not require any permissions to access, instead checking for knowledge of a hardcoded password. The operations available varied across versions, but always allowed access to sensitive APIs, such as silently installing/uninstalling APKs, enabling/disabling apps and granting app permissions. This service appeared in the code base for many device builds across many OEMs; however, it wasn’t always registered or exposed to apps. We’ve worked with impacted OEMs to make them aware of this security issue and provided guidance on how to remove or disable the affected code.

Credential Leak

A popular web browser pre-installed on many devices included a built-in password manager for sites visited by the user. The interface for this feature was exposed to WebView through JavaScript loaded in the context of every web page. A malicious site could have accessed the entire contents of the user’s credential store. The credentials are encrypted at rest, but used a weak algorithm (DES) and a known, hardcoded key. This issue was reported to the developer and updates for the app were issued to users.

Overly-Privileged Apps

The checkUidPermission method in the PackageManagerService class was modified in the framework code for some devices to allow special permission access to some apps. In one version, the method granted apps with the shared user ID com.google.uid.shared any permission they requested, and apps signed with the same key as the com.google.android.gsf package any permission in their manifest. Another version of the modification allowed apps matching a list of package names and signatures to pass runtime permission checks even if the permission was not in their manifest. These issues have been fixed by the OEMs.
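To make the two grant paths above concrete, here is a simplified model of the modified check next to the unmodified behaviour. This is an added illustration, not AOSP or OEM code: the Package record, the helper names, the key strings and the sample packages are constructed for the model, and only the two paths the post describes are represented.

```python
"""Model of an identity-based shortcut in a permission check (added illustration,
not framework code). The point it shows: once the decision keys off who the
caller is rather than what was actually granted, a user's runtime denial no
longer matters for apps on the privileged path."""
from dataclasses import dataclass, field
from typing import Optional

GRANTED, DENIED = 0, -1   # same values as PackageManager.PERMISSION_GRANTED / _DENIED
GSF_PACKAGE = "com.google.android.gsf"
SHARED_UID = "com.google.uid.shared"


@dataclass
class Package:                              # constructed stand-in for package state
    name: str
    uid: int
    signing_key: str                        # stand-in for the signing certificate
    shared_user_id: Optional[str] = None
    manifest_perms: frozenset = frozenset() # <uses-permission> entries
    granted_perms: set = field(default_factory=set)   # recorded grant state


def check_uid_permission(perm: str, pkg: Package) -> int:
    """Unmodified behaviour: only the recorded grant state decides."""
    return GRANTED if perm in pkg.granted_perms else DENIED


def check_uid_permission_modified(perm: str, pkg: Package, gsf_key: str) -> int:
    """The OEM modification: identity shortcuts run before the real check."""
    if pkg.shared_user_id == SHARED_UID:
        return GRANTED                      # any permission, declared or not
    if pkg.signing_key == gsf_key and perm in pkg.manifest_perms:
        return GRANTED                      # declaring it is enough; grant state ignored
    return check_uid_permission(perm, pkg)


# Constructed samples: an app signed with the (assumed) gsf key that declared a
# runtime permission the user never granted, and an app on the shared UID.
GSF_KEY = "key-gsf-constructed"
CAMERA = "android.permission.CAMERA"
REBOOT = "android.permission.REBOOT"
GSF_SIGNED_APP = Package("com.example.cam", 10123, GSF_KEY,
                         manifest_perms=frozenset({CAMERA}))
SHARED_UID_APP = Package("com.example.shared", 10124, "key-shared-constructed",
                         shared_user_id=SHARED_UID)


def demo() -> dict:
    """Return the verdicts of both checks for the constructed samples."""
    return {
        "gsf_signed_unmodified": check_uid_permission(CAMERA, GSF_SIGNED_APP),
        "gsf_signed_modified": check_uid_permission_modified(CAMERA, GSF_SIGNED_APP, GSF_KEY),
        "shared_uid_unmodified": check_uid_permission(REBOOT, SHARED_UID_APP),
        "shared_uid_modified": check_uid_permission_modified(REBOOT, SHARED_UID_APP, GSF_KEY),
    }
```

The unmodified check denies both samples; the modified one grants CAMERA to the gsf-signed app on the strength of its manifest alone and REBOOT to the shared-UID app without any declaration at all.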

More information

Keep an eye out at https://bugs.chromium.org/p/apvi/ for future disclosures of Google-discovered security issues under this program, or find more information there on issues that have already been disclosed.

Acknowledgements: Scott Roberts, Shailesh Saini and Łukasz Siewierski, Android Security and Privacy Team