This week brought more news about the safety, or lack thereof, of Android. It came in the form of a report published by Perception Point and Red Hat, which stated that a new security flaw could be affecting Android devices. In fact, the groups claimed that it could affect as many as 66 percent of all Android devices. This was largely because the vulnerability is said to be at the kernel level.
As you would expect, it was unlikely to be long before Google (or someone at Google) responded to these claims, and that is exactly what has happened today. Googler Adrian Ludwig hit back at the claims, stating that they do not believe the number of affected devices is anywhere near the level first reported. He added that Nexus devices and devices running Android 5.0 (Lollipop) or greater are protected from exploitation by third-party applications, because the Android SELinux policy prevents applications from getting anywhere near the code necessary to facilitate the issue. Further adding to the notion that fewer devices are likely to be affected, Ludwig also points out that Android devices running Android 4.4 (KitKat) and below are not exposed to version 3.8 of the Linux kernel, which is said to be the starting point for the issue. In addition, Ludwig made the point that the Android Security Team was not made aware of the issue before it was made public (prior notification is considered to be normal practice), so they have opened an investigation into the claims and their significance to Android.
As for the actual issue at hand, Ludwig notes that they have prepared a patch, that it has been made available through open source, and that it has been shipped out to partners as of today. By March 1st, it is said, all Android devices will be required to have the patch installed (if not already running an even newer patch by then). As such, when any particular device receives the patch (between now and March 1st) will be highly dependent on the normal channels of update distribution through manufacturers and carriers.