Google’s Project Zero, which investigates the security of popular software, recently turned its attention to the Galaxy S6 Edge.
A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge. Over the course of a week, we found a total of 11 issues with a serious security impact. Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy-to-exploit.
The majority of these issues were fixed on the device we tested via an OTA update within 90 days, though three lower-severity issues remain unfixed. It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame.
I love that Google has Project Zero, and that the Zero team is not afraid of exposing the weaknesses in the company’s own products (in this case, Android). Few companies out there would allow this.
I'd like to see the same thing about their weak encryption of my data in their cloud. I know you can encrypt your disk content but my data still is not encrypted in Google’s servers. That’s a threat for my security IMO.
The weaknesses were not in Android but in extra stuff that Samsung added (device drivers, Gallery app, etc.). But yes, Google deserves to be commended that their strict disclosure standards are the same for themselves, their business partners and the competition.
So two small groups of competent security professionals working on the device for a week could expose 11 vulnerabilities. Imagine what a state actor and/or criminal organization with much more resources can achieve. And what the QA at Samsung must be like with such bugs slipping through unnoticed.
If Samsung wanted this to be secure, they would have included security specialists from the earliest planning stages and throughout the cycle. But as is often the case, security is thought of as an afterthought and not integral to the design and implementation. The blame is then levied on the “last” ones in the chain: the testing/QA team.
You can’t expect QA to catch every bug and exploit. The reality is, all software has bugs. But if you plan sufficiently with the appropriate skills in the room (QA/Security/etc), most can be avoided.
What kind of inside information do you have that shows that they didn’t?
I don’t buy that argument. For example in the email client vulnerability, they did authentication checks on all handles except one. This means the programmers knew what was necessary but due to some oversight authentication was not checked in one case.
A “security specialist” could not have told the programmers anything they didn’t already know.
What the security teams at Google did is precisely what Samsung QA should have done. They can’t catch all the bugs, but at least the obvious, common and easy to exploit ones.
“I love that Google has Project Zero, and that the Zero team is not afraid of exposing the weaknesses in the company’s own products (in this case, Android). Few companies out there would allow this.”
When you’re open source you kinda have to, to try and keep ahead of the thousands of others who are doing the same. They wouldn’t do this for their closed source projects.
Let’s be honest, Project Zero is just a platform for them to try to embarrass closed source companies who can’t always adhere to their 90 day deadline.
Yup, they took Samsung down a notch. I don’t think it was an accident that they chose them. The more changes you make away from Google apps, the more potential problems you introduce.
Say, what’s the easiest way to not include code that isn’t present in Google’s? Use Google’s.
Surely closed source companies have MORE control over the release status and schedule with their codebases than do open source companies/projects?
It’s kinda funny how the Project Zero team worked on finding bugs on a device codenamed zero (well, actually “zerolte”).
Well, is it completely true in this case? The effort is really appreciable as it stands now, but they’re anyway targeting a Samsung phone. I believe the above statement would really be 100% true only if they had performed a similar activity on the Nexus.