Lately many users Android have somehow relaxed. All due to the fact that operating system vulnerabilities have become much less. Although, it is possible that they simply began to talk less about them. This all the same led to the fact that users began to forget about what viruses are, and are more bold to download applications from Google Play. Now it turns out that they relaxed early. Of course, you should not start to panic, but keep in mind that almost every application is under threat, too. What's even more interesting, it's not even about Android and Google can't fix everything at once with one strong-willed decision. But then what to do and who is to blame for this? Again, two eternal Russian questions.
The next problems Android threaten a lot.
According to researchers at Trustwave, users Android around the world may be at risk due to a recently discovered authentication bypass vulnerability that could affect any application. And perhaps there really isn't much that Google can do about it, despite the fact that it affects apps downloaded from Google Play. In fact, the company says it is currently impossible to even determine how widespread the problem is. And that's because it's not about Android.
The problem appears to be a direct result of 'bad programming' and could potentially affect any application. It turns out that the applications themselves and their developers are to blame. It would not be so scary if it could not lead to the leakage of important user information. This, in turn, can potentially lead to compromise or loss of truly confidential information.
The exploitation of this vulnerability has not yet become widespread, but there are prospects for growth. As a result, this can become a big problem for millions of users.
Trustwave says the problem lies with the components that allow messaging with other applications. In their current version, almost all applications are easy to manipulate. If everything is so, then such a problem really cannot be solved at the level Android, and the developers themselves must be involved in the work.
Quite simply, every application for Android comes with a Android Manifest.xml file that can be exported in a variety of ways, but applications and software are the most common ones. Since the actions detected there can be interacted with, it becomes easy for an attacker to manipulate applications, forcing them to do what they should not.
There have been no serious bugs Android for a long time. But then they returned.
Trustwave uses a sample messaging application built by the company for internal use. As a result, the specified vulnerability allowed Trustwave to enter directly into the messaging system without credentials. This gave them the ability to access all messages on the system. All that was needed was access to the manifest file and a way to perform actions like ADB.
Vulnerability abuse can be very different. For example, you can force an application to share data, including remotely, or simply run ads inside it. Advertising will naturally run within the capabilities of the application. But, for example, almost every application can display notifications. This is a potential channel for unwanted advertising. The issue of its effectiveness is of little concern to crackers, since in this case they will rather take volume.
Given the peculiarities of the vulnerability, Google really can't do anything other than send recommendations to developers, and at the very least, start banning their applications in its store. However, at this stage it is unlikely, since literally everyone will have to be banned. And the scale of the problem is not yet large enough to speak of the need for serious measures.
Google will not be able to fix the application vulnerability problem.
On the other hand, developers themselves must somehow move and take the initiative to keep their users safe. One-day applications made as part of the hobby of an amateur programmer are one thing, and serious products made by large studios for commercial projects is quite another.
Trustwave points out that the simplest and potentially most effective solution is for developers to limit the exported components to those they really need. That is, the export should be limited to only those components that simply must be available for other applications.
Second, applications must self-check to verify all data received through exchange commands. Moreover, developers should limit the sources of these commands. This also will not give one hundred percent protection, but it will very significantly reduce the risks of hacking.
If such actions are taken, the system as a whole will become much more secure. Surely all serious developers are already aware of the problem and are trying to solve it. Well, small applications are not particularly interesting to anyone, and the worst thing that cybercriminals can do with them is to stuff them with ads, which are already enough there.