Project Zero made the news a few months ago by publishing unfixed vulnerabilities, with their exploits, in Microsoft operating systems before the Redmond company managed to ship patches.
A lot was written back then about the fact that Google was attacking its competitor, also accusing this team of being irresponsible for operating on a fixed 90-day time frame.
Well, this time they went against the leading Android manufacturer worldwide and its Galaxy S6 Edge, with the same rules and similar results, which should address any bias concerns.
The report itself is fascinating and illustrates how additional software, like apps or native support for more media formats (Samsung has always been good with that), increases the attack surface with more code, which might also not be as solid as AOSP's.
Then there are hardware drivers (like for the GPU), and you can't really skip shipping those.
How many vulnerabilities can be found in the phone you are using right now (any phone) with a few weeks of work from a dedicated team?
It's safe to assume quite a few. With sufficient resources it seems there will always be a way in, which is not reassuring given the amount of data our gadgets have access to – especially through Google account credentials.
Location history is the perfect example of over-the-top tracking, yet it is required for Google Fit and was probably enabled by many after tapping a Google Maps launch dialog without realizing the consequences.
This is why I highly recommend two-factor authentication… Yet it doesn't change anything if a root vulnerability allows escaping the sandbox and stealing credentials from the active device, or accessing the data from there directly.
It is also difficult to know where to learn about manufacturers' security practices.
Do they have a security team like Project Zero evaluating their products internally continuously with fuzzing and more?
There are no guarantees of results and certainly no such thing as perfect security, but it's something that would be good to know.
Hack The Galaxy: Hunting Bugs in the Samsung Galaxy S6 Edge
Posted by Natalie Silvanovich, Planner of Bug Bashes
Recently, Project Zero researched a popular Android phone, the Samsung Galaxy S6 Edge. We discovered and reported 11 high-impact security issues as a result. This post …
This is like Euro NCAP's crash tests and reports, but for software. I think it would be good to have some organization(s) that tests these things thoroughly and reports them so that patches are issued and we all have better quality software and security.
+Juan Manuel Tastzian it probably already happens, a myriad of private security researchers and firms are doing that.
They're often funded by permanent bounty programs put in place by manufacturers.
Some companies are vocal about it, some not, hence the lack of publicly available information.
+François Simond yeah, what I think would be nice is the publishing of the problems / results, like the tests I mentioned before, so that people can have yet another angle to consider when evaluating which manufacturer they give their money to. I guess it will never happen because it would almost always act as bad press.
+Juan Manuel Tastzian Yes there is a fundamental contradiction because being known for fixing vulnerabilities also highlights how many vulnerabilities there are.
Plus it would likely be ignored due to instant press fatigue from the constant repetition, especially since things in software can be fixed so quickly, unlike cars, where the cycles are slower.
In a way, things work already how they are today: the world has not yet fallen apart due to smartphone security 😉
+François Simond no one is going to say "look at company X, it's so good they never talked about it on that vulnerabilities site". It will probably be something like "lol, look at that iPhone. I mean, iNsecure lololol" and that kind of stuff.
+Juan Manuel Tastzian in the meantime, Apple, which lacks such a bounty program, just made the news for the expected opposite result:
https://nakedsecurity.sophos.com/2015/11/03/secret-apple-iphone-zero-day-exploit-earns-1000000-well-maybe/
Perfect. The safest phone apart from Nexus is probably the OnePlus One, Cyanogen started rolling out the November Security Bulletin fixes yesterday 🙂
Their build-manifest.xml points to the wrong commit IDs though, which makes me unhappy.