Google’s Security Audit of the Galaxy S6 Edge Illustrates Android’s Vulnerability

By Vlad Savov

The Project Zero team at Google, tasked with discovering severe bugs and exploits in Android, recently turned its attention to Samsung’s Galaxy S6 Edge smartphone, and its findings, published this week, have identified “11 high-impact security issues” with the handset. Samsung’s email client and gallery app were both shown to create added security risks on top of those already inherent in the underlying Android operating system. In other words, Android OEM software is adding insecurity as well as visual clutter and update delays to Android phones.

There’s a major positive to be taken away from this investigation, as the most serious of the 11 identified flaws were fixed within 90 days of discovery, and the three remaining ones pose lesser risks and will also be patched in November. But in order to reach that level of security consciousness and responsiveness, Google had to commit a team of 10 security analysts for a week. That’s entirely infeasible for the full cornucopia of Android devices, which are now provided by more than 1,300 brands. Each company will have its own drivers, and many will duplicate basic Android functionality with their own apps, just as Samsung has done, and thereby introduce their own vulnerabilities. And that’s really the biggest security risk of them all for Android: Google doesn’t control the final software that most people use and experience, and it doesn’t have the means to secure each of the 1.4 billion Android devices in active use today.