
Researchers Find Major Security Flaw In Biometric Storage in Android Phones

Many consumers like the security of locking their smartphone with a fingerprint. That security approach works if the phone manufacturer adequately protects consumers' fingerprints. It seems that the phone manufacturer HTC is not doing enough to protect consumers' sensitive and very personal fingerprint information. The Register reported:

"Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder... Yulong Zhang, Zhaofeng Chen, Hui Xue, Tao Wei say in the paper Fingerprints On Mobile Devices: Abusing and Leaking [PDF] presented at Black Hat in Las Vegas last week that most device manufacturers fail to use Android's Trust Zone protection to safeguard biometric data."

That means the fingerprint information wasn't encrypted. That means any person or app accessing files on the phones can access (and steal) users' fingerprint information. This is a no-no in data security. This should not happen. This is data security 101.
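An added example (not from the original post or the FireEye paper): a small Python audit that flags bitmap files readable by every local account, which is the condition reported for dbgraw.bmp. Android runs each app under its own Linux user ID, so the "other" permission bits decide what an unrelated app can read; the directory layout, the other file names and the permission modes below are constructed for illustration.

```python
import os
import stat
import tempfile

BMP_MAGIC = b"BM"  # every Windows bitmap file starts with these two bytes

def looks_like_bmp(path):
    """Check content, not the extension: a renamed image is still an image."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == BMP_MAGIC
    except OSError:
        return False

def audit_tree(root):
    """Return (path, octal mode) for bitmap files that any local account can read."""
    findings = []
    if not os.stat(root).st_mode & stat.S_IXOTH:
        return findings  # other accounts cannot enter the root at all
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune subdirectories without o+x: other accounts cannot reach files below them.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH and looks_like_bmp(path):
                findings.append((path, oct(stat.S_IMODE(mode))))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a stand-in data directory, not a real device layout."""
    root = tempfile.mkdtemp()
    private = os.path.join(root, "private")
    os.mkdir(private)
    samples = [  # file name dbgraw.bmp is from the article; modes are constructed
        (os.path.join(root, "dbgraw.bmp"), 0o644),     # readable by everyone
        (os.path.join(root, "template.bmp"), 0o600),   # owner only
        (os.path.join(private, "cache.bmp"), 0o644),   # parent directory blocks access
    ]
    for path, mode in samples:
        with open(path, "wb") as fh:
            fh.write(BMP_MAGIC + b"\x00" * 16)
        os.chmod(path, mode)
    os.chmod(private, 0o700)
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    print(audit_tree(build_sample_tree()))
```

Only the file that is both world-readable and reachable through world-traversable directories is reported; restricting the file to its owner, or its parent directory to mode 0700, clears the finding.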

TechCrunch highlighted the situation at HTC:

"Internet hyperbole (and financial analysis) have rendered HTC, a once high-flying mobile brand, essentially valueless. In short, the company is trading below cash on hand which means if you bought all HTC stock the company would have to pay, you, the buyer to take it over. This means the company’s factories, stock, and brand are worth nothing, at least on Wall Street. Furthermore, the researchers have discovered that the HTC One Max X has been keeping fingerprint biometrics used to unlock the cellphones in an unencrypted “world-readable” file, a definite no-no in the world of security. Hackers could easily open the file /data/dbgraw.bmp on the phone’s memory and capture your fingerprint data. It’s bad. In short, HTC is hosed."

Lately, the news hasn't been good for smartphones that run Google's Android operating system. Last month, researchers found a security flaw that would let hackers access Android phones via a text message. With access, hackers can view, copy, and delete files, remotely take over the camera, and remotely take over the microphone.

The security flaw highlighted the fact that while Google had developed a patch to fix the flaw in the software, it was up to the phone manufacturers (e.g., HTC, Samsung, etc.) and wireless carriers (e.g., Verizon, T-Mobile, etc.) to distribute the software security update to users. And, some vendors provided updates far faster than others.

This is another reminder to consumers that when you buy a smartphone, you are doing business with several companies: the phone manufacturer, the developer of the operating system, the wireless carrier, and the developer of each mobile app. The security of your phone is only as strong as the weakest vendor.

Comments


Chanson de Roland

It seems that Google is having tremendous trouble of late in providing users of its Android phones with a device that is reasonably and practically secure against malware, so that Android devices can't, as matters now stand, be said to provide adequate and reasonable security, at least for any user who doesn't have an expert's skill and ability to secure an Android phone. That obviously won't do in a mass market smartphone for ordinary consumers.

We can thank the author for bringing Android's security flaws to our attention. But he errs when he says that you are doing business with several companies when you buy a smartphone, because that is not true for Apple's iPhones, when it comes to their hardware, software, and apps. The late Steve Jobs and his then senior lieutenants, which included the current CEO, Tim Cook, thought long and hard about security, privacy, and innovation and the control that they needed to have over Apple's iOS devices, which includes its iPhone and iPad tablets, to provide for Apple's ability to innovate without impediment, provide for security, and offer its users at least the option of saying no to apps that didn't offer them an acceptable deal on privacy. To get and maintain the control to do these things, Apple realized that, as has been true of its devices since the company's inception, it needed to be able to have complete control of its hardware, operating system, and native applications for iOS devices and be able to vet all third party apps on its devices to determine whether those apps met Apple's regulations for its users and Apple's security and for users' privacy.

That is why, when buying an iPhone or any of Apple's devices, you are dealing with only one company, Apple, when it comes to innovation, privacy, security, and the quality and functionality of its devices. With the iPhone, only Apple makes the device and its operating system. Apple vets all apps made by third parties that are permitted in its App Store. And Apple forbids any wireless carrier from modifying the iPhone's hardware and software in any way, except perhaps for minor concessions on trademarks. And it is Apple that has the ability to distribute at its discretion enhancements and patches to its iPhone from its own servers across the wireless network of all the carriers that offer the iPhone to their customers. So, with Apple, when it comes to security, privacy, and innovation you are, unlike Android devices, dealing with one company, Apple Inc. Steve Jobs and current Apple executives follow Alan Kay's now venerable maxim of computer technology: “People who are really serious about software should make their own hardware.” Alan Kay's talk at Creative Think seminar on July 20, 1982.

In designing Android, Google chose a very different model for making and distributing the hardware and software and apps of Android smartphones. Google makes the operating system Android, which is only a partially open operating system, but it is open enough so that anyone can get and manipulate its code with the legal, technical, and other protections of a proprietary operating system, like Apple's iOS. Android phones are also made by independent manufacturers, who license the use of Android's marks (trade and service); the right to have access to Google's Google Play App Store; and the right to get updates and security enhancement for Android from Google, provided that they exclusively use certain required Google services, such as search, Gmail, etc., on their Android devices and meet certain minimum standards for manufacturing Android phones. Yet, Google's licensing provisions permit manufacturers and wireless carriers to make significant modifications to the Android phones that they make and/or distribute, which introduce incompatibilities that alone would make Android devices a nightmare to make secure and compatible across all applications.

In addition, since Google captures nearly all of the post-sale revenues from official Android phones, neither the makers of Android phones nor their wireless carriers have any financial incentive to distribute updates and security patches of their Android phones, nor do they have the legal right to even design and distribute such enhancement and security updates, and, not manufacturing its Android devices nor providing any post-sale revenues to wireless carriers, Google can't control distributions of updates to Android's operating systems and apps, as can Apple, and thus Google can't push, i.e., distribute by itself at its discretion enhancements, updates, and security patches for Android phones, as Apple can and does.

And it is only lately that Google was obliged to start vetting third party apps, as Apple has always done, because of the malware that was routinely appearing in what is now called its Google Play App Store.

Google had thought that it would become the dominant Microsoft of the 20th Century in the 21st Century by offering a Microsoft-like model of making and controlling its devices' operating systems and services, e.g., search and Gmail, while, like Microsoft, letting others make the hardware. It had thought that it would be able to transform Android, parts of which are distributed under an open license, into what is effectively a closed operating system that would be closed and controlled by means of clever licensing provisions, while claiming for public relations and marketing purposes that Android was open. Instead Google has produced a distribution and ecosystem for Android that is financially and technically incoherent and which thus can't practically distribute either enhancement or security updates to Android devices, because, as the editor notes, with Android phones you are dealing with four different categories of companies, each with their disparate business goals and financial incentives. In violating Alan Kay's maxim, supra, Google has shown that it isn't serious about software but is only serious about its profits.

Together the foregoing may well make Google another Microsoft, but the Microsoft of the 21st Century, rather than the Microsoft of the 20th Century.

George

Chanson:

We disagree on this point. Even when a consumer buys an Apple brand smartphone (or tablet), to use it the consumer still must deal with several companies: wireless provider, app developer, and Apple Computer. History has shown that mobile apps will often violate consumers' privacy (e.g., vacuum up address book, GPS tracking without consent, etc.) regardless of the smartphone brand.

Example:
iPhone App Uploads Users' Entire iPhone Address Books
http://ivebeenmugged.typepad.com/my_weblog/2012/02/path-iphone-app.html

Path Inc. Settles With FTC For COPPA And Privacy Violations With Its Mobile Apps
http://ivebeenmugged.typepad.com/my_weblog/2013/02/path-settles-ftc.html

And, then there was the Thunderstrike firmworm.

Apple readies fix for Thunderstrike bootkit exploit in next OS X release
http://arstechnica.com/security/2015/01/apple-readies-fix-for-thunderstrike-bootkit-exploit-in-next-os-x-release/

According to Sophos, the Thunderstrike 2 firmworm has surfaced:
https://nakedsecurity.sophos.com/2015/08/13/a-virus-on-a-mac-is-nothing-sacred-chet-chat-podcast-211/

George
Editor
http://ivebeenmugged.typepad.com

Chanson de Roland

Dear Editor: For each of the examples that you cite, supra, one company, Apple Inc., was in control, was responsible, and was able to quickly create a patch for the security flaw and issue it and was able to distribute it to all of its devices that were connected to the Internet or cellular network. As for any offending apps, and the ones that you cite violated Apple's policies, Apple not only banned those apps from its App Store but could and, I believe, did remove them from all of its devices that were connected to the Internet or cellular network.

On the Android, how is Google doing with distributing any of the patches for the security flaws that you've reported on to even just 50% of its connected devices? Google can't even distribute updates to Android so that most users are running the latest version of Android.

So your view that one must deal with several companies when using Apple's devices is misleading and is a straw man, for I never said that using an Apple product doesn't require one to deal with other companies. What I maintained, supra, and what is true, is that, with an Apple product, you are dealing with one company when it comes to security, privacy, design, functionality, manufacture, support, compatibility, and innovation. That one company is Apple Inc., while with Android smartphones you are dealing with different companies for security, privacy, design of hardware and software (e.g., different GUIs on Android phones), functionality of the device, manufacture of the device, support, compatibility, and integrated innovation of hardware and software.

So yes, you are dealing with different companies no matter what smartphone you use, but with Android you are dealing with different companies for all of the factors that I cite, supra, but not so for iPhones and other Apple Inc. products, where, for better or worse, on those factors, you deal with just one company, Apple Inc. And lately, given the security flaws in Android and the poor quality of the design and manufacture of many Android phones, it has been mostly for the better.

P.S. And would you care to give citations and links for the privacy violations and security breaches with Google's Android devices? And do note that Google, not Apple, was and, I believe, still is operating under an FTC consent order regarding its privacy abuses (See https://www.ftc.gov/enforcement/cases-proceedings/102-3136/google-inc-matter), whereas Apple had a couple of rogue app developers which it quickly disciplined, shut down, and neutralized their apps.
