Security on mobile devices is a very serious concern, as we store all kinds of personal data on our smartphones and tablets. Recently, Android devices were at risk of being hacked because of a vulnerability called Stagefright. This made Google and other OEMs promise timely updates for their devices in order to prevent future attacks. The process of updating Android devices or patching the operating system is quite complicated: every manufacturer modifies the source code to customize the user interface and add some extra features, so it’s up to each manufacturer to update its own devices. It gets even more complicated because there are several versions of the same model, so they have to create code for each of them.
Google’s researchers started a competition to understand how much this extra code affects the devices; the ultimate goal is to bring more security to all Android devices. They chose Samsung’s Galaxy S6 Edge, as it is a recent high-end model with some popularity. They tried to gain remote access to personal files, to gain access to the same personal data by using an app from the Play Store which required no permissions, and to execute code that could potentially wipe data. This was done over a week, and it turned out that this device had 11 issues. An interesting one was the WifiHs20UtilityService path traversal, as it allowed a .zip file to be unzipped and write code in unexpected locations.