Attendees at the Android Developer Conference in San Francisco this week were treated to a host of discussions on topics ranging from virtual reality to security.
Jonathan Levin, CTO of Technologeeks and author of the “Android Internals: A Confectioner’s Cookbook” series of books, gave attendees a poetic yet frightening talk about the intensely dangerous Dirty COW local privilege escalation exploit. Though he found a way to make his warning rhyme, the exploit itself is anything but comforting.
Using Dirty COW, attackers can gain root privileges on any Linux device whose kernel is more than a few months old. The vulnerability goes back nine years, so in theory all Android platforms are vulnerable. Even more worrisome, said Levin, is the fact that most of those older devices will never be patched due to the expense associated with delivering security patches to devices that are no longer on the market.
One way to prevent security woes is to use Sony’s Secure Coding Checker. This online tool allows developers to upload APK files and have them automatically evaluated against the intense security requirements laid out by the Japan Smartphone Security Association. Sony was not only showing off this web-based tool at the show, it was handing out an almost 500-page book detailing security practices for developers on Android.
Students learn how to hack Android
Rim Khazhin, senior software architect at DarkBlue Systems, gave a short talk detailing his experiences in working with 15 million Android devices that were rolled out to students in Turkey. In the year following the rollout, those grade-school students were violating every aspect of their Android devices. Despite the fact that these kids were all under 13 years old, they were seen putting devices through a gamut of security tests.
Students discovered that as the device shut down due to low power, a tiny button would appear on-screen for 5 milliseconds. Pushing it would put the device into recovery mode, allowing them to escape the sandboxing put in place by Android administrators.
Students also found and installed clean firmware without restrictions onto their devices, though Khazhin was unsure how they managed to get ahold of this code.
In the end, the best solution for the managers of these devices was to ease restrictions on usage, allowing kids to install games for use outside of school hours. This, coupled with penalties for rooting their devices, resulted in a far less confrontational relationship with the students.
Among the conference’s three keynotes, Branch Metrics was the newcomer. The company offers app discovery help and user retention through deep links that can route through to the application. Branch Metrics’ system allows developers to automatically link into their apps on a device, or to push the user into their app page on the Play Store if the app isn’t installed.