PINDROP BLOG

Lessons Learned From the Android Stagefright Bug

LAS VEGAS–Security engineers and developers typically view vulnerabilities as problems, things to be avoided. But they can also be valuable learning opportunities, especially for the engineers on Google’s Android security team who are trying to protect more than a billion devices.

Android is by far the most widely deployed mobile operating system, and its huge user base, along with its openness, make it a highly valuable target for attackers. Researchers also spend a lot of time looking at the OS and that results in a high volume of vulnerability reports hitting the inboxes of the Android security group. Perhaps none of those flaws is as well-known as the Stagefright bug discovered last year by researcher Josh Drake. That vulnerability allowed an attacker to get complete control of a device just by sending a specially crafted MMS message to it.

Stagefright affected nearly a billion devices at the time it was disclosed, and was seen as one of the more serious mobile vulnerabilities to emerge recently. But it also became a catalyst for security improvements in Android that have gone a long way toward making the OS safer, says Nick Kralevich, Android security team lead at Google.

“It seems like you often read in the press that a billion devices are affected by some bug. But you never hear about the lessons we’ve learned and how we make it safer,” Kralevich said in a talk at the Black Hat conference here Thursday.

“We consider Stagefright to be a successful failure. The mitigations we had in place actually bought time and did exactly what they’re intended to do and the exploit containments worked and forced vulnerability chaining to get a successful exploit.”

In the wake of Stagefright, Kralevich’s team made a number of changes to Android that are designed to make exploitation of future vulnerabilities more difficult and to remove areas of weakness. The team took a hard look at the mediaserver component in which the Stagefright code lived and decided it needed some work.

“The mediaserver refactoring was a huge improvement for Android security,” Kralevich said. “The most dangerous code was moved to the most isolated process. We turned on integer overflow protection across Android. The goal is to turn security bugs into just plain bugs.”
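To make the “security bugs into plain bugs” point concrete, here is an added example that is not Android code and not from Kralevich’s talk. It shows the bug class that integer-overflow protection targets: a size computed from untrusted fields in a parsed header wraps around in 32-bit arithmetic, so a huge element count produces a tiny total. The unchecked form silently returns the wrapped value; the checked form reports the overflow and the caller rejects the input, which is the same outcome a program-wide overflow sanitizer produces by aborting. The header layout, the `HEADER_LEN` constant, and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed header layout (assumption for this example, not a real format):
 * 4 bytes little-endian element count, 4 bytes little-endian element size,
 * followed by HEADER_LEN bytes of fixed fields. */
#define HEADER_LEN 16u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked version: count * elem_size + HEADER_LEN wraps modulo 2^32.
 * A caller that allocates this many bytes and then iterates `count` times
 * over `elem_size`-byte elements runs off the end of the buffer. */
static uint32_t unchecked_total_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size + HEADER_LEN; /* wraps silently on overflow */
}

/* Checked version: identical arithmetic, but wrap-around is detected with the
 * GCC/Clang overflow builtins and reported as -1 instead of a bogus size.
 * The overflow is still a bug in the input handling, but it is now a
 * rejected file rather than a memory-safety problem. */
static int64_t checked_total_size(uint32_t count, uint32_t elem_size) {
    uint32_t total;
    if (__builtin_mul_overflow(count, elem_size, &total)) return -1;
    if (__builtin_add_overflow(total, HEADER_LEN, &total)) return -1;
    return (int64_t)total;
}

/* Parse a constructed chunk header from an untrusted byte buffer and return
 * the validated total size, or -1 if the header is truncated or overflows. */
static int64_t parse_chunk_size(const uint8_t *buf, size_t len) {
    if (len < 8) return -1; /* header fields themselves are missing */
    uint32_t count = read_le32(buf);
    uint32_t elem_size = read_le32(buf + 4);
    return checked_total_size(count, elem_size);
}

int main(void) {
    /* Constructed sample: count = 0x40000001, elem_size = 4.
     * 0x40000001 * 4 = 0x100000004, which wraps to 4 in 32 bits. */
    static const uint8_t hostile[8] = {0x01, 0x00, 0x00, 0x40, 0x04, 0x00, 0x00, 0x00};
    static const uint8_t benign[8]  = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00};

    printf("unchecked size for wrapped input: %u\n",
           unchecked_total_size(0x40000001u, 4u));        /* 20: wrong */
    printf("checked size for wrapped input:   %lld\n",
           (long long)parse_chunk_size(hostile, sizeof hostile)); /* -1 */
    printf("checked size for benign input:    %lld\n",
           (long long)parse_chunk_size(benign, sizeof benign));   /* 28 */
    return 0;
}
```

The checked path is what the sanitizer automates: every multiplication and addition on integer types is instrumented, so a developer who forgets a manual bound check still gets a crash at the overflow site rather than a corrupted size that reaches an allocator or a copy loop.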

Google also has made a number of other improvements to Android’s security model recently, many of which will show up in Android Nougat, which is due for release soon. Kralevich said Google has increased the randomization in the operating system, adding more entropy from the kernel.

“We started inserting random gaps between shared libraries, so there’s more randomization and it’s harder for the attacker to find a region to jump to,” he said.

After the Stagefright disclosure, Google also started issuing monthly security patches, something that is still a bit of a work in progress. Google sends the fixes to the device manufacturers, who then get them to carriers, which are responsible for pushing them to users.

“Most Android devices still aren’t getting updates, so we’re continuing to work with our OEM partners to make sure they’re reaching customers faster,” Kralevich said.