A new way to X-Ray your Android device for privilege escalation threats

Your Android device might have vulnerabilities you can't see, but help is on the way today with X-Ray. Michael Kassner introduces this new security tool and gets the inside scoop from its creators.

Privilege escalation: The act of exploiting a design flaw or configuration oversight in an operating system to gain elevated access to resources.

Experts say fixes are available for most Android privilege-escalation vulnerabilities. So what's the problem? The susceptible devices are not getting updated -- that's what.

How, why, and when Android firmware gets updated is a mystery. And people on the "dark side" hope it stays that way. If I were them, I would too: millions of phones with exploitable weaknesses in active use -- what's not to like?

Our options:

  • Jailbreak the phone, then manually update it.
  • Buy a new phone.

How's that work for you?

Need proof

I gave a talk about this conundrum last week. Afterwards, a veteran IT manager mentioned, "What you say may be true, but unless I have proof there's nothing I can do." She was right. And, I didn't have an answer -- until today.

There's this little IT company in Ann Arbor, Michigan called Duo Security. They may be small compared to other Ann Arbor residents -- Arbor Networks and Barracuda Networks -- but they make up for it in staff horsepower.

For instance, consider the two co-founders, Dug Song and Jon Oberheide. That's Dug, up close and personal with Android (at right), whereas Jon is wondering why they took the training wheels off (below).

I'll get serious now. Dug, Jon, and the staff at Duo Security are well aware of the Android-update mystery and users not knowing whether their version of Android is vulnerable or not. So they did something about it.

X-Ray

What they did was create X-Ray, a vulnerability scanner for mobile Android devices. And it debuts today. So you can imagine how busy Jon and the others have been making sure X-Ray is ready.

But, I had some questions I needed answered for this article. So I twisted Jon's arm, mentioning I could say far worse about his biking prowess.

Kassner: Hey, Jon. Congratulations on the release of X-Ray. Can you provide more detail as to what X-Ray does?

Oberheide: I'd like to start by explaining why vulnerabilities are not getting fixed, and why we felt it important to create X-Ray.

When you buy an Android device, a number of parties besides Google, including the carriers, manufacturers, and other third parties, control the installed software. When a security vulnerability is discovered, the process should be:

  • A patch is developed.
  • An Over-the-Air update needs to be pushed out to all the affected devices.

The onus is on the carrier to deliver the patch in a timely manner to their users.

Unfortunately, carriers have consistently failed to roll out security patches. There's little incentive for them to expend the resources required to develop, test, and deploy patches and new Android versions to their users, especially when they can make money by forcing users to buy new devices in order to get newer firmware.

While Google has attempted to improve the situation with the Android Update Alliance, many have considered the effort a failure. The end result is users remain vulnerable for months after an exploit is disclosed, and actively exploited in the wild. The reason malware exploits Android vulnerabilities is to escalate privileges, and take full control of the mobile device.

X-Ray aims to give users visibility into the unpatched vulnerabilities on their device. While X-Ray can't patch the vulnerabilities, it provides information on what vulnerabilities may be exploited by malicious apps.

Kassner: Jon, I see the app is not in Play Store. Why is that? How do we get X-Ray?

Oberheide: X-Ray can be downloaded by visiting the X-Ray site or using the QR code.

X-Ray is not distributed through the Play Store due to issues with Google's terms of service. According to Google, security-testing tools that probe for firmware vulnerabilities are not allowed in Google Play.

Kassner: Even with vulnerabilities, I thought the user had to give permission for an app to install. How does this work?

Oberheide: The vulnerabilities detected by X-Ray can be exploited by malicious parties in a couple of different scenarios:
  • The most common attack is when a user installs a malicious app and that app exploits one of these vulnerabilities to escalate its privileges.
  • A less common attempt, but still feasible, especially in targeted attacks, is when a user visits a malicious website that exploits the Android browser to first gain code execution. Next, a privilege-escalation exploit is used to take full control of the phone.

As to your point, we are concerned about malware that's able to exploit vulnerabilities without requiring permission, so users are out of the loop.

Kassner: X-Ray detected vulnerabilities on my test phone. But it still does everything I want. What is the significance?

Oberheide: Security is rarely something that affects the end user until it's too late. Despite being vulnerable, your phone may do everything you want. Even after you install a malicious app that exploits a vulnerability, your phone may still continue to do everything you want. The difference is that your phone now does everything an attacker wants too.

Kassner: If X-Ray finds vulnerabilities, what are our choices?

Oberheide: There are a few options:
  • The user can check for available official updates from their carrier, usually by going to Settings > About Phone > System Updates.
  • While it might not result in an immediate remediation, we encourage users to contact their carrier about the availability of a patch for vulnerabilities detected by X-Ray.
  • If no official carrier updates are available, the user could install a third-party Read Only Memory (ROM) -- such as CyanogenMod -- that may have patched the vulnerabilities. It's worth noting that some third-party ROMs may introduce vulnerabilities of their own, so users should explore this option with caution.

If all else fails, X-Ray allows the user to understand the risk. If the user understands any malicious app they download can take full control of their device, perhaps they will be more cautious about the apps they're downloading and installing.

Kassner: I see that Dug and you are former Arbor Networks employees. Is that where you met? What future plans are in store for the Duo?

Oberheide: We met a bit prior to Arbor and have been scheming since to shake up the security industry. At Duo, we've taken a fresh approach to two-factor authentication that struck a chord with folks tired of a technology that has been stagnant for decades and that everyone hates to use. We have a lot more in the pipe, continuing our quest of making security technology easy to deploy and use.

Final thoughts

When researchers find defects in software, the developer fixes them and uses some means to update all active copies. Case in point, notice how often your Android apps update. That's been the process for years. For whatever reason, Android firmware is not following suit. Are you okay with that?

I'd like to thank Dug, Jon, and the crew at Duo Security for creating X-Ray and helping with this article.

10 comments
Daughain

The QR code method works, but using the site just took me in circles. It doesn't like my firewall either. The first time you run it, it wants to use the web. It takes forever to get it to run, but once it finally does, it runs quickly. It took seven tries to run: the first was my fault, since I didn't give it access through my firewall, then I had 4 connection timeouts with WiFi on, then three crashes, and finally it ran. Can't say I am impressed.

soonguy

There are several dozen Android apps with the name x-ray. Methinks they need to somehow differentiate this from them all!

Michael Kassner

I didn't either until now. X-Ray is the app you need to determine where your Android OS needs shoring up.

sionathan

On WiFi through my office, their site is filtered by our security appliances; but when I turned off WiFi and connected OTA, I was able to get directly to their site and download the .apk file. Just a thought. :) PS -- +MKassner, thanks for posting this article! You seem to have a lot of interesting connections in this area, and we appreciate you sharing them.

Michael Kassner

I and several others are able to see the website http://www..xray.io/dl after scanning the QR code. Then Android lets you click on it, and it is downloaded to your default download folder. You go there and click on the apk, installing it. Are you sure that you have allowed installation from sources other than the Play Store?

Michael Kassner

I tried it on several different phones and versions of Android without any problems. If you provide more details I will pass the information along to Dug or Jon. Thanks for letting me know what happened.

Michael Kassner

They were aware of that. Since their app will never be in the Play Store, they still wanted to use the name X-Ray.

Michael Kassner

I will pass that along to Jon. Thanks for mentioning it.

Michael Kassner

I am fortunate to have wonderful sources who are willing to put up with endless questions.