
No one cares about the security of unlocked Android phones



Surely Amazon could not have taken part in launching a flagship product that has a backdoor and secretly sends all your personal information to some obscure server in China. Of course, their developers or manufacturing partner would catch this behavior during a routine security check. This just can't happen, right?

Nobody cares about the security of unlocked, carrier-independent Android phones sold in the US (and many other regions). The OEMs that manufacture and supply Android phones don't care; Google, the supplier of the Android platform, doesn't care; retailers like Amazon and Best Buy, which sell millions of Android phones every year, don't care. Worst of all, the average user doesn't care about computer security until something bad happens, which is how it usually goes.

This has always been the case with Android devices, but Google began to take the situation more seriously in the summer of 2015, when the Stagefright bug was widely reported in the media. Security experts claim that Google's own devices, Nexus and Pixel, have come close to iOS in terms of security, but overall the situation is worse, because most consumers buy smartphones with software that Google does not support.

We were reminded of this serious problem when Amazon had to recall the BLU R1 HD, its best-selling phone, after a security specialist discovered a hidden backdoor in it through "a combination of curiosity and lucky chance." These devices, as well as some other BLU models, collected personal information and transmitted it to a server in China every 24-72 hours. This behavior was not noticeable to the user. The data included the exact location of the device, text messages, contact lists, call logs, installed applications, and so on.

The BLU director told NYTimes that "obviously, we knew nothing about this," and admitted a mistake. And although it's good that it was corrected so quickly, it's very disturbing that neither BLU nor Amazon caught it on their own after the phone launched in July 2016.

How could this happen?


Honestly, I just can't imagine how such a blunder could reach the market and go unnoticed for so long, so I did some research. Having worked for Android OEMs, I have a general understanding that all software releases with Google's mobile services must pass the Compatibility Test Suite (CTS). A brief conversation with computer security experts opened my eyes to how serious security problems continue to arise.

Google maintains a blacklist of bad software that cannot be shipped with Android phones. I was surprised to learn that Google and BLU were aware of one of the vulnerabilities associated with the ADUPS application on Mediatek chips back in 2015 - a year before the release of the BLU R1 HD. The security team Red Naga found the vulnerability on March 1, 2015 and made several attempts to get it fixed, but ran into the fact that "BLU does not have a security department, and therefore it cannot help anything."

After Mediatek's silence and the lack of help from BLU, Google finally accepted a patch to the CTS that checks for the ADUPS system socket. This should have solved the problem, but after that, Mediatek simply changed the name of the socket to fool the CTS check.

Simply put, Google's CTS does not detect vulnerabilities that it does not know about. And Mediatek is a repeat offender who periodically bypasses the CTS check, and some experts from the security industry call it the worst chipset manufacturer.
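The failure mode described above, as an added example (not from the original article and not CTS code): a name-based denylist stops matching once the socket is renamed, while a check on the socket's properties still flags it. The socket names, the listing format and the "world-writable socket with a privileged owner" criterion are assumptions made for illustration; the article does not give the real socket names or permissions.

```python
import re

# Constructed `ls -l /dev/socket`-style listings; every socket name is made up.
BEFORE = """\
srw-rw---- root   system 2016-07-01 10:00 vendor_update_sock
srw-rw-rw- system system 2016-07-01 10:00 fota_agent
srw-rw---- root   radio  2016-07-01 10:00 modem_ctl
"""
# The same image after the vendor renames the flagged socket.
AFTER = BEFORE.replace("fota_agent", "fota_agent2")

DENYLIST = {"fota_agent"}        # hypothetical "known bad" name in the test suite
PRIVILEGED = {"root", "system"}  # owners whose sockets deserve scrutiny

# type+mode, owner, group, date, time, name
LINE = re.compile(r"^(s[rwx-]{9})\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+(\S+)$")

def parse(listing):
    """Yield (mode, owner, group, name) for each socket entry in the listing."""
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groups()

def name_check(listing):
    """Name-based test: fails only on sockets already known by name."""
    return sorted(n for _, _, _, n in parse(listing) if n in DENYLIST)

def property_check(listing):
    """Property-based test (assumed criterion): any socket owned by a
    privileged user that 'other' may write to, whatever it is called.
    On a real device SELinux policy also governs access; this looks at
    the DAC mode bits only."""
    return sorted(n for mode, owner, _, n in parse(listing)
                  if owner in PRIVILEGED and mode[8] == "w")

if __name__ == "__main__":
    for label, img in (("before rename", BEFORE), ("after rename", AFTER)):
        print(label, "| name check:", name_check(img),
              "| property check:", property_check(img))
```
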

Although Mediatek has a poor security record, it still scores design wins because it does all the hard work for the OEM partners that choose its platforms. If you want to get a device running Android quickly and inexpensively, then Mediatek is often an affordable solution.

Can this be prevented from happening again?


We all need to worry about hidden backdoors, but a more serious problem is known vulnerabilities that remain unfixed on most Android devices. Google is trying to solve this problem by drawing users' attention to it. The company publishes monthly security reviews, the Android Security Bulletins, and makes OEMs show the Android security patch level in the device settings.

After the FTC forced HTC to fix known vulnerabilities in 2013, OEMs and wireless carriers took some action, and most of the flagship devices sold in stores regularly receive updates. But not all devices receive them, and there is no guarantee that the devices will be maintained for long enough.

Progress comes only when something breaks and the media starts hammering Google and its partners. For example, the already mentioned Stagefright forced the FCC and the FTC to join forces to “better understand and, as a result, improve the security of mobile devices,” but the results of this study have not yet been published.

I can predict what conclusion they will come to in their report. OEMs have no incentive to invest in supporting devices with security patches after launch. Releasing updates takes time and money, and it does not affect consumer purchasing decisions. Most OEMs do not want to spend extra money on improving security as long as consumers do not want to pay for it.

Who can fix this?


This is the fault of the entire supply chain, and we should not expect improvement in the near future. Here are some thoughts on what different players could do to improve the security of Android phones.

Google: keeps a list of good and bad OEMs by how they maintain security and release updates, and, according to rumors, can publicly shame the worst manufacturers - but by doing so it will damage relationships with partners. If Google seriously wants to improve security, it can find a way to inform consumers which OEMs, component manufacturers and other partners are not protecting their users' data. For example, do you feel safe when you buy a BLU product or a device with a Mediatek chip? Google can change the next version of the Android Compatibility Definition Document to require that devices ship with a security patch of the appropriate level and that they be maintained for a sufficiently long time.

OEM: When I worked for Huawei, I tried to draw attention to security issues by working with the international Honor team on a 24-month Software Update Policy program. To my amazement, the marketing team did not want to mention this during the product launch, but I am proud that at that moment we became the only OEM that had similar rules. They are not perfect, but better than nothing. Only Google guarantees security updates for 3 years after the launch of Pixel and Nexus devices. I would like more OEMs to take a similar initiative and develop their own software update rules.

Retailers: Amazon did the right thing by suspending the BLU R1 HD, but following this logic, it needs to block the other devices it sells that have known security issues. In the Amazon store, when choosing a device, it is easy for the consumer to find out which networks it will support, but there is no information about the level of security it provides.

Technology reviewers: keep reporting on bad behavior by Android device OEMs. In your reviews, focus on how the software is supported and on its update history. Educate your audience so that people can make informed purchasing decisions.

Consumers: I would urge you to vote with your wallet and buy devices from those companies that take your security seriously - but the choice is too limited. Apart from previous Nexus phones and the current Pixel, there are not too many options available for people who value their privacy and security.

Source: https://habr.com/ru/post/399367/

