Open Source in the Light of Android’s Stagefright Vulnerability

August 20, 2015 Patricia Johnson

The Stagefright bug has been getting a lot of attention since it was announced. And not without a good reason…

So, What Is Stagefright?

Stagefright is a security vulnerability that makes it possible for a hacker to turn your smartphone into a trojan phone just by sending an MMS containing a video with malware. All a hacker needs is your mobile number. Further, if Hangouts is your default messaging app, you might not even be required to open and view the video at all: the malware runs by itself, because Hangouts automatically processes image and video MMS. Your mobile can be exposed to an attack if you just view the message (yes, even without playing the video).

Stagefright is believed to affect nearly one billion smartphones worldwide that include the problematic library called "libStageFright". This library is implemented in C++ as part of the Android Open Source Project (AOSP) and is used as a backend engine for playing various multimedia formats such as MP4 files.
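As an added illustration (not code from the article and not libstagefright's own code), the walker below parses the box structure of the MP4 container that libstagefright handles and validates every size field against the bytes that are actually present before trusting it. The article does not describe the specific defect in libstagefright and this code does not reproduce it; it shows the kind of length checking a container parser needs when its input arrives unsolicited, as an MMS attachment does. The sample file and the malformed headers are constructed inline, and the container box list is a small subset of the ISO base media file format.

```python
"""Bounds-checked walk of an MP4 / ISO BMFF box tree (added example, constructed input)."""
import struct
from typing import Dict, List, Optional, Tuple

# Box types whose payload is itself a sequence of boxes (subset of ISO 14496-12).
CONTAINER_TYPES = {"moov", "trak", "mdia", "minf", "stbl"}


class MalformedMp4(ValueError):
    """Raised when a box header is inconsistent with the bytes actually present."""


def walk_boxes(data: bytes, start: int = 0, end: Optional[int] = None,
               depth: int = 0) -> List[Tuple[str, int, int, int]]:
    """Return (type, offset, size, depth) for every box, refusing any box whose
    declared size does not fit inside its enclosing container."""
    end = len(data) if end is None else end
    found: List[Tuple[str, int, int, int]] = []
    pos = start
    while pos < end:
        remaining = end - pos
        if remaining < 8:
            raise MalformedMp4(f"truncated box header at offset {pos}")
        size, raw_type = struct.unpack_from(">I4s", data, pos)
        header_len = 8
        if size == 1:                       # 64-bit largesize follows the type field
            if remaining < 16:
                raise MalformedMp4(f"truncated largesize at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header_len = 16
        elif size == 0:                     # box extends to the end of its container
            size = remaining
        if size < header_len:
            raise MalformedMp4(f"box size {size} at offset {pos} is smaller than its header")
        if size > remaining:                # the check that keeps reads inside the buffer
            raise MalformedMp4(f"box {raw_type!r} at offset {pos} claims {size} bytes, "
                               f"only {remaining} remain")
        btype = raw_type.decode("latin-1")
        found.append((btype, pos, size, depth))
        if btype in CONTAINER_TYPES:
            # Children are bounded by this box's end, not by the end of the file.
            found.extend(walk_boxes(data, pos + header_len, pos + size, depth + 1))
        pos += size
    return found


def build_box(btype: bytes, payload: bytes) -> bytes:
    """Encode a box with a 32-bit size (used only to construct samples)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


def sample_file() -> bytes:
    """A tiny well-formed file: ftyp, moov > trak > tkhd, mdat (constructed)."""
    ftyp = build_box(b"ftyp", b"isom" + struct.pack(">I", 0x200) + b"isom")
    tkhd = build_box(b"tkhd", bytes(84))
    moov = build_box(b"moov", build_box(b"trak", tkhd))
    mdat = build_box(b"mdat", bytes(32))
    return ftyp + moov + mdat


def edge_samples() -> Dict[str, bytes]:
    """Constructed inputs: the first two are legal edge cases, the rest are malformed."""
    return {
        "largesize": struct.pack(">I4s", 1, b"mdat") + struct.pack(">Q", 24) + bytes(8),
        "zero_size": struct.pack(">I4s", 0, b"mdat") + bytes(8),
        "oversize": struct.pack(">I4s", 0xFFFFFFF0, b"moov") + bytes(8),
        "undersize": struct.pack(">I4s", 4, b"free"),
        "truncated": sample_file()[:-5],
        "child_escapes_container": build_box(b"moov", struct.pack(">I4s", 200, b"trak")),
    }


def check(data: bytes) -> Tuple[bool, str]:
    """Validate a buffer; returns (ok, description or error message)."""
    try:
        boxes = walk_boxes(data)
    except MalformedMp4 as exc:
        return False, str(exc)
    return True, ", ".join(f"{t}@{d}" for t, _, _, d in boxes)


if __name__ == "__main__":
    print("sample:", check(sample_file()))
    for name, blob in edge_samples().items():
        print(f"{name}: {check(blob)}")
```

The important design point is that the recursive call is bounded by the parent box's end rather than by the length of the whole buffer, so a child box cannot "escape" its container even when the file as a whole is large enough to cover the claimed size.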

The Role of Open Sourcing in Making Android the Mobile Market Leader

Google released the Android operating system in 2007. It was the first open source mobile operating system and generated a lot of interest. Carriers, OEMs, developers, open source enthusiasts, and customers all over the world adopted it quickly, as it enabled them to make their innovative ideas a reality.

In today’s highly competitive market, Android holds about 80 percent of the global market share, making it the clear leader among mobile operating systems. One of its strongest points is the fact that it is open source: it allows developers and users to fork, modify and redistribute the code base in a way that suits their particular needs.

The Advantages of Open Source — Even in the Face of Bugs Like Stagefright

The Stagefright vulnerability was originally discovered by Joshua Drake, from Zimperium zLabs, in April. They immediately reported it to Google and even provided their own patch for the software. Google was given the customary 90-day quiet period before going public. Google presented Stagefright at the Black Hat conference on August 5th and released a patch that was supposed to remediate the vulnerability. Unfortunately, in this case, the patch hasn't gone down very well. Just days after the fix was announced, Exodus Intelligence revealed that Google’s fix could be bypassed. So apparently, hackers can still exploit the Stagefright bug.

Google claims that its fix applies to 90% of devices (Android 4.0 or higher) as they are protected by a security feature called address space layout randomization (ASLR), which should make the hacker’s job a lot harder.

We all know that both proprietary and open source code contain security issues, and every software company deals with these threats on a daily basis. But when you release your code to the community and have tens of thousands of capable contributors working on the same project, it is easier to find and patch flaws.

Approximately 4,000 security vulnerabilities are discovered every year in open source projects, and usually a patch is released a few days after a vulnerability is announced. This does not mean open source is not safe; on the contrary, it means you have more eyes looking into these projects and an active community that works together to fix them. All software companies need to do is track the NIST vulnerability database and match their components against all known security vulnerabilities, which get no publicity but can be more problematic for their software.

The bigger challenge

Stagefright affects the Android operating system all the way back to version 2.2, released in 2010. However, only the newer Android phones are receiving the patches. An even bigger problem with Stagefright is that it will take a long time for the fix made at the source level to reach the final consumer.

"Stagefright is the early warning alert to a much bigger challenge," said David Baker, the security officer for computing firm Okta. "There isn't a comprehensive update solution for Android, since there are so many device makers modifying the software."

Mobile device manufacturers routinely modify Android’s base code to gain various competitive advantages and to customize it for their own hardware. These manufacturers are responsible for updating their own devices with the latest software. But many do not do it well, especially when they use customized versions of Android, which need to be rebuilt when security changes are made.

It’s no wonder that only 2.6% of Android phones run the latest version of the Android operating system. This contrasts sharply with the 85% of iOS users who run the latest Apple version. Manufacturers that control both the hardware and the software are able to ship patches and improvements to the market easily.

Google has no mechanism to push patches to all the Android phones made by companies such as Samsung, HTC, or LG. These companies are further required to negotiate with mobile network operators to make the patches available to end users.

The Stagefright bug seems to have shocked manufacturers into taking smartphone security seriously. Many are busy releasing updates, while some have announced that they will be sending out security patches on a regular basis. Samsung has stated that it will work with carriers and partners to implement a monthly security update program. Carriers, too, are forthcoming with updates, with Sprint, AT&T and Verizon issuing statements regarding their update plans.

Generally, as we have noted in the past, open source projects are good at quickly fixing security issues, on par with or even better than many commercial vendors.

The main challenge software companies using open source components need to face is the time it takes them to respond to newly discovered issues.

Companies using open source components need to track the 4,000 CVEs announced every year to know whether their software is vulnerable. This can be done using automatic tools that monitor your open source usage and provide real-time feedback.
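The tracking step described here and in the earlier paragraph on the NIST database, as an added example that is not part of the article: a small matcher that takes a component inventory and a set of vulnerability records shaped like NVD affected-version ranges (the feed's versionStartIncluding and versionEndExcluding fields) and reports which components fall inside an affected range. The records, product names and CVE ids below are constructed placeholders; a real tool would load the records from the NVD data feed and the inventory from the build's dependency manifest.

```python
"""Match a component inventory against NVD-style vulnerability records.
Added example: the records and inventory are constructed placeholders."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    """One affected-version range. start_incl / end_excl mirror the NVD fields
    versionStartIncluding / versionEndExcluding; None means unbounded."""
    cve_id: str
    product: str
    start_incl: Optional[str]
    end_excl: Optional[str]
    summary: str


def version_key(version: str) -> List[Tuple[int, int, str]]:
    """Split '1.2.10-rc1' into comparable parts: numeric parts compare as
    integers (1.2.10 > 1.2.9); non-numeric tags sort below a number at the
    same position, so 1.0-rc1 < 1.0."""
    key = []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((-1, 0, part.lower()))
    return key


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1. Shorter versions are padded with zeros, so 1.2 == 1.2.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    pad = (0, 0, "")
    ka += [pad] * (width - len(ka))
    kb += [pad] * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version: str, rec: VulnRecord) -> bool:
    """True when version lies in [start_incl, end_excl)."""
    if rec.start_incl is not None and compare_versions(version, rec.start_incl) < 0:
        return False
    if rec.end_excl is not None and compare_versions(version, rec.end_excl) >= 0:
        return False
    return True


def match_inventory(inventory: List[Tuple[str, str]],
                    records: List[VulnRecord]) -> List[Tuple[str, str, str]]:
    """Return (product, version, cve_id) for every component inside an affected range."""
    hits = []
    for product, version in inventory:
        for rec in records:
            if rec.product == product and is_affected(version, rec):
                hits.append((product, version, rec.cve_id))
    return hits


# Constructed records with placeholder ids; not real CVEs or real products.
RECORDS = [
    VulnRecord("CVE-0000-1001", "libmedia-demo", "1.0.0", "1.4.2", "demo: parser flaw, fixed in 1.4.2"),
    VulnRecord("CVE-0000-1002", "libmedia-demo", None, "1.2.0", "demo: older flaw, fixed in 1.2.0"),
    VulnRecord("CVE-0000-1003", "zlib-demo", "1.2.0", "1.2.8", "demo: fixed in 1.2.8"),
]

# Constructed inventory, as a dependency manifest would list it.
INVENTORY = [
    ("libmedia-demo", "1.3.5"),
    ("libmedia-demo", "1.1"),
    ("zlib-demo", "1.2.8"),       # exactly the fixed version: not affected
    ("openssl-demo", "1.0.1"),    # no record for this product
]


if __name__ == "__main__":
    for product, version, cve_id in match_inventory(INVENTORY, RECORDS):
        print(f"{product} {version}: {cve_id}")
```

Two details matter in practice: the upper bound is exclusive, so a component at exactly the fixed version is reported clean, and version strings must be compared numerically per component rather than as text, otherwise 1.2.10 would sort below 1.2.9 and be missed.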

In addition, once they are aware of a vulnerability, companies also need to act quickly and release updates to their customers as soon as possible.
