Google has just issued the largest set of Android security updates in its history. Over two separate updates during the period of a week it has dealt with 108 security patches. 20 of these patches are listed as critical. For those checking their calendar, this is not April 1 and this is absolutely no joke.
The vast majority of the patches, 79 to be precise, deal with elevation of privilege vulnerabilities. This is where hackers can exploit a piece of code to get a higher level of access on a device. This can then allow them to install other software or take control of the device without the user knowing. There were also 9 remote code execution vulnerabilities and a number of instances where information could be disclosed.
These are not trivial issues and more than 40 of the patches related to Qualcomm components. Patches have been issued for multiple drivers such as camera, sound, GPU, WiFi and others. There has been no comment from Qualcomm as to why so many of their drivers needed patching.
There is already a lot of pressure on Qualcomm after security researcher Gal Beniamini revealed it was possible to break Android’s full disk encryption. In that case it appears that the problem is with two vulnerabilities in the Qualcomm implementation of the ARM CPU TrustZone. These patches do not address either of those vulnerabilities which will worry those affected. From a security perspective it suggests that Qualcomm needs to rethink its security validation process.
Will this help Google with its antitrust issues?
Yes and no. Google has come under fire for not allowing its apps to run on other people’s Android implementation. It has said that this is because it cannot guarantee the security level of those implementations. As such it does not want its applications running on a version of Android it doesn’t trust.
This leads to a second issue. Regulators say that Google should be more willing to work with these alternative versions of Android. This highlights another issue with Google pointing out that it often knows nothing about those versions and has no input into the quality of those products. This will leave a lot of consumer devices unpatched as Google has no responsibility for maintaining those devices.
Google says that it has told partners about these patches. However, it will be up to those partners to implement these patches in their versions of Android. For those Android clones it has no relationship with, it will be down to those who created them to sort out their own patching. Google has placed the code for all these patches into the Android Open Source Repository but that does not mean people will use it.
Will Google use this as evidence in its defence that it should be allowed to restrict where its own apps run? We won’t know for some time but it does make an interesting defence.
Google is saying that there are no reports of anyone exploiting any of these vulnerabilities at the moment. That is good news for customers. However, the fact that the patches don’t deal with the full disk encryption issue is bad news. For those companies that allow users to Bring Their Own Devices (BYOD), this will raise concerns.
The most worrying issue out of all of this is the fact that Qualcomm seems to be the biggest security challenge for Android. It would be interesting to hear what Qualcomm has to say but since the revelation of the full disk encryption issue they’ve been very quiet.