AH Samsung Galaxy S6 Edge Series 4 June 30th-1

Google Researchers Found 11 Issues With Galaxy S6 Edge Code

November 3, 2015 - Written By Diego Macias

Security on mobile devices is a very serious concern as we store all kinds of personal data in our smartphones or tablets. Recently, Android devices were at risk of being hacked because of a vulnerability called Stagefright. This made Google and other OEMs promise timely updates for their devices in order to prevent future attacks. The process updating Android devices or patching the operating system is quite complicated as every manufacturer modifies the source code to customize the user interface and add some extra features, so it’s up to them to update their own devices. It gets even more complicated because there are several versions of the same model, so they have to create codes for each of them.

Google’s researchers started a competition to understand how much adding these extra codes affect the devices, the ultimate goal is to bring more security to all of Android devices. They chose Samsung’s Galaxy S6 Edge as it is a recent high-end model with some popularity. They tried to gain remote access to personal files, gain access to the same personal data by using an app from the Play Store which required no permissions and execute code that could potentially wipe data. This was done over a week and it turns out that this device had 11 issues. An interesting one was the WifiHs20UtilityService path transversal, as it allowed a .zip file to be unzipped and write code in unexpected locations.

The Email client lacks authentication in one intent handler, so a series of intents can cause emails to be forwarded to another account and another issue could let JavaScript be executed in the email client. There were three driver issues and some bugs could grant kernel privileges to some parts. Five memory corruption issues were found regarding Samsung’s image processing, and they could be triggered just by downloading an image. SELinux is a defense mechanism activated by default on Android, which made it difficult to investigate certain bugs, but some others managed to disable it. All of the issues were reported to Samsung and the company acted very fast to release a patch in most cases (before 90 days), only three issues will be fixed in November.