It’s been a tricky month for Android, with two notable flaws receiving publicity, dubbed Stagefright and Certifi-Gate. This week IBM’s X-Force security division has revealed another significant issue that could allow a malicious app to take over a device by elevating its privileges after attacking something called the OpenSSLX509Certificate. The firm also spotted vulnerabilities in third-party SDKs.
Which versions of Android are affected? For the OpenSSLX509Certificate class, versions 4.3 to 5.11 including the unreleased Android M Preview 1.
How many devices is that? The researchers estimate around 55 percent of Android population
How serious are the flaws? Pretty serious although this was only a proof-of-concept and was not documented in detail
Is there a patch? The flaws have been patched by Google in Android 5.0 and 5.1 and ‘backported’ to 4.4. The SDK issues are in third-party products used to build apps but have also been patched.
For every device? Many devices might not have received an update and Android 4.3 remains open to attack. Having a patch it being implemented are two different things for Android.
CVEs: CVE-2015-3825, CVE-2015-2000/1/2/3/4/20
Why are so many flaws being found in Android? The simple answer is that researchers are motivated to look for them – Google recently launched its Android bug bounty programme, which pays on a sliding scale of severity. It is also show season with Black Hat and Usenix Woot 15 prominent venues.
Will this continue? The current rate is unusual but it’s clear that Android is now a good (and financially rewarding) place to look for flaws so the issue is live.