Android OS hacked at Security Summit

Johannesburg, 16 May 2012
Read time 2min 20sec

The Android operating system (OS), which has taken a great chunk of market share in the mobile world, is full of vulnerabilities that cyber criminals can easily exploit.

This was demonstrated by Tyrone Erasmus, security consultant at MWR InfoSecurity, during the ITWeb Security Summit, at the Sandton Convention Centre yesterday.

Erasmus left the audience shell-shocked after hacking into the Android OS, retrieving data like passwords and SMSes, among other information.

“Android devices and applications have a number of potential vulnerabilities just waiting to be exploited,” he pointed out.

He also explained that, as the Android mobile OS enjoys growing uptake across the world, vulnerabilities in the devices and the apps designed for the platform pose a growing threat to users' security.

“As an operating system, Android is well-designed and inherently secure,” he said. “However, the devices themselves contain vulnerabilities. So too do the apps for Android. I have found certain vulnerabilities in applications across the board - from small developers, to big, reputable companies; from business apps, to entertainment apps.”

Using Mercury, a framework he developed to identify vulnerabilities in the Android OS, Erasmus exposed various vulnerabilities on the platform.

“Mercury is a framework that provides a platform for effective vulnerability hunting and exploitation on Android. It provides a collection of tools to do so from a single console with a familiar look and feel, and allows for easy expansion due to the modular architecture,” he explained.

He added that the Mercury server component installed on the Android device only requires a single permission - the Internet permission - to be granted.

“This ensures that the server requires as little privileges as possible when performing its tasks. The Internet permission is required so that the application can communicate with the client software using socket connections.”

Erasmus also revealed that it is possible to hack into an SD card on an Android device. He pointed out that developers do not always consider the fact that any application on an Android device has read access to the internal and external SD card by default.

“This is because its contents are marked as globally readable according to the UNIX permissions set. Many users mistakenly confuse the storage permission with allowing an application read access to the SD card contents.

“A malicious application looking to steal information from the device would also look for files in other areas of the device that may be marked as globally readable.”

See also