December 02, 2011, 12:54 PM — Carrier IQ and the WikiLeaks revelation about government domestic cell-phone spying are dominating the mainstream headlines today with a salacious mix of betrayal, corporate and bureaucratic presumption and voyeurism.
There's more bad news about cell-phone security today you probably shouldn't miss, especially if you use or manage anything involving Android phones.
A major source of the innumerable security flaws in Android phones, it turns out, comes not from the Android code or specification itself, or even from the delay most manufacturers allow before upgrading existing phones to the most recent version of the OS, as previously reported.
An equally important set of vulnerabilities comes from the failure of many manufacturers to properly enforce or implement Android's permissions-based security model.
Using a security analysis tool called Woodpecker that they developed themselves, researchers found that 11 of the 13 applications studied had been granted permissions for specific functions far beyond what they should have had.
That not only gives one pre-installed app more power than it should have. It gives untrusted apps the ability to use the pre-installed app's permissions to do almost anything – from tracking location data to wiping out all the information on the phone – without asking permission, according to the paper from a North Carolina State Univ. research team led by Xuxian Jiang, who has identified or analyzed several major Android malware variants during the past few months.
While Google's standard reference model included few problems with application permissions, the 13 apps installed by default by manufacturers on eight phones tested poked gaping holes in Android's security by taking unwarranted permissions for themselves or changing the default for some security settings to Off.
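The pattern the paper describes, a pre-installed app whose permissions become usable by any other app on the phone, usually comes down to how the app declares its components. The manifest fragment below is an added illustration, not from the Woodpecker paper or any real vendor app; the package name, permission name and receiver classes are hypothetical. It shows a component declared so that every app can drive it beside the same component guarded by a signature-level permission.

```xml
<!-- Constructed illustration: a hypothetical pre-installed vendor app
     "com.example.vendortools" that legitimately holds a dangerous permission. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendortools">

    <!-- The vendor app itself is allowed to send SMS. -->
    <uses-permission android:name="android.permission.SEND_SMS"/>

    <!-- A custom permission only apps signed with the vendor's key can hold. -->
    <permission android:name="com.example.vendortools.permission.SEND"
                android:protectionLevel="signature"/>

    <application>
        <!-- WEAK: exported to every app on the device and protected by no
             android:permission, so an untrusted app needing no SMS permission
             of its own can send this receiver an intent and have the vendor
             app act on its behalf (the capability leak the paper describes). -->
        <receiver android:name=".LeakyReceiver"
                  android:exported="true">
            <intent-filter>
                <action android:name="com.example.vendortools.SEND"/>
            </intent-filter>
        </receiver>

        <!-- CORRECTED: the caller must hold the signature-level permission,
             so only the vendor's own apps can reach the privileged code path. -->
        <receiver android:name=".GuardedReceiver"
                  android:exported="true"
                  android:permission="com.example.vendortools.permission.SEND">
            <intent-filter>
                <action android:name="com.example.vendortools.SEND"/>
            </intent-filter>
        </receiver>

        <!-- If no other app should ever call it, not exporting it at all is
             simpler still: android:exported="false" on the receiver. -->
    </application>
</manifest>
```

An auditor reviewing a phone's pre-installed apps can pull each APK and check its manifest with `aapt dump xmltree <apk> AndroidManifest.xml`, looking for exported components (or components with an intent-filter, which are exported by default) that carry no `android:permission` and lead to privileged behaviour.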