Android is well known for its security vulnerabilities. Once again, Google’s operating system is in the limelight over another scary bug. This time Google Chrome, the browser, has come under scrutiny for putting users’ privacy in great danger. Complete details have not been given about how an Android device can be hijacked through the loophole in Google Chrome, but it has something to do with the JavaScript V8 engine. The attack takes the attacker past all the security hurdles at once. Having bypassed the device’s security systems, the attacker has administrative rights on the Android phone and can install any sort of app, even spying apps that track all of the user’s activities.
Guang Gong, a Qihoo 360 researcher, demonstrated the attack at the Pwn2Own panel at the PacSec conference in Tokyo. There was a chance that someone could exploit that loophole in Google’s browser and harm users. The demonstration revealed that Google’s very own Nexus 6, running Android 6.0 Marshmallow on Project Fi, is also affected. He showed the attendees that he could easily install a third-party application on a Nexus 6 device without even touching the device. The amazing thing about Gong’s demonstration is that it was a sure shot; he didn’t have to attempt it twice or more. He knew what he was doing and he was confident in it.
The threat of this security loophole is that it involves the JavaScript V8 engine, so the attack can be recoded to harm other Android devices as well. A Google security engineer was present at the conference; he took note of the vulnerability and said they would test a patch and find a speedy solution. Guang Gong is likely to receive a cash bounty, courtesy of Google’s bug bounty program. Gong will also visit the CanSecWest security conference in Vancouver in March 2016.
This is not the first case in which security researchers have found a nightmarish loophole in Android’s security. One of them was Stagefright, which is still considered to be the biggest one. With the help of Stagefright, an attacker could control an Android device just by sending a text message. Sounds scary! Google tends to address these security bugs continuously and aims to issue monthly security patches. The depressing fact is that only the Nexus line of devices can easily receive those patches. Other devices continue to pose threats to users’ privacy.
Security Vulnerabilities On Android
1. Unpatched Operating System: Android devices often run on outdated versions of the operating system, which can contain known security vulnerabilities.
2. Unsecured Wi-Fi Connections: Unsecured Wi-Fi connections can allow attackers to gain access to an Android device.
3. Malicious Apps: Malicious apps can be downloaded from third-party app stores or websites, which can allow attackers to gain access to a device and steal information.
Types Of Security Vulnerability
1. Input Validation Vulnerabilities: Input validation vulnerabilities occur when user input is not properly validated, allowing malicious code to be injected into a system.
2. Authentication Vulnerabilities: Authentication vulnerabilities occur when authentication methods are weak or not properly implemented, allowing unauthorized access to a system.
3. Authorization Vulnerabilities: Authorization vulnerabilities occur when authorization methods are weak or not properly implemented, allowing unauthorized access to a system.
4. Data Exposure Vulnerabilities: Data exposure vulnerabilities occur when sensitive data is exposed to the public, allowing malicious actors to access and exploit the data.
5. Cross-Site Scripting (XSS) Vulnerabilities: Cross-site scripting (XSS) vulnerabilities occur when malicious code is injected into a web application, allowing attackers to execute malicious scripts in the user’s browser.
6. SQL Injection Vulnerability: SQL Injection occurs when malicious code is injected into an application’s Structured Query Language (SQL) code, allowing attackers to access and modify data stored in a database.
Most Common Security Vulnerability
The most common security vulnerability is SQL Injection. SQL Injection occurs when malicious code is injected into an application’s Structured Query Language (SQL) code, allowing attackers to access and modify data stored in a database.
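The SQL injection described here and in item 6 of the list above, shown as an added example that is not part of the original article: the same lookup written with string concatenation and with a bound parameter, run against Python's built-in sqlite3 module. The table, rows, function names and inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-note"), ("bob", "bob-note"), ("o'brien", "obrien-note")],
    )
    return db

def lookup_vulnerable(db, name):
    # VULNERABLE: the input becomes part of the SQL text itself, so a quote
    # character in it ends the string literal and the rest is parsed as SQL.
    query = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # HARDENED: the statement text is fixed; the driver binds the input as a
    # value, so it is only ever compared against the name column.
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()

def compare(name):
    """Run both lookups on the same input and report what each returns."""
    db = make_db()
    try:
        vulnerable = lookup_vulnerable(db, name)
    except sqlite3.OperationalError as exc:
        vulnerable = "SQL error: %s" % exc
    return vulnerable, lookup_safe(db, name)

if __name__ == "__main__":
    # Constructed inputs: a normal name, a legitimate name containing a quote,
    # and the classic always-true condition used to test for injection.
    for value in ("alice", "o'brien", "nobody' OR '1'='1"):
        vulnerable, safe = compare(value)
        print(repr(value))
        print("  concatenated :", vulnerable)
        print("  parameterized:", safe)
```

The concatenated query returns every row for the always-true input and breaks on a legitimate name containing an apostrophe; the parameterized query returns no rows for the first and the single matching row for the second.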
Example Of Security Vulnerability
An example of a security vulnerability is Cross-Site Scripting (XSS). XSS is a type of vulnerability that allows attackers to inject malicious code into webpages that are then executed by the browser of a user who visits the page. This can be used to steal data or take control of a user’s computer.
Which Type Of Vulnerability Cannot Be Discovered?
There is no type of vulnerability that cannot be discovered, as all types of vulnerabilities can be identified through various methods such as penetration testing, source code analysis, and vulnerability scanning.
Types Of Security
The six types of security are: physical security, personnel security, operational security, communications security, information security, and network security.
Mobile Security Vulnerabilities
Mobile security vulnerabilities are weaknesses in the security of mobile devices and applications, which can be exploited by malicious actors to gain access to sensitive data or cause harm to the device or its user. Examples of mobile security vulnerabilities include insecure data storage, weak authentication, insecure communications, insecure data transmission, insecure application programming interfaces, and insecure device configurations.