Samsung may be one of the most popular Android device makers, but that hasn’t stopped Google from taking it to task for making Android more vulnerable.
Jann Horn, a Google Project Zero researcher, outlined how Samsung's efforts to customize the Android kernel (the core of the operating system, or OS) for specific devices were not only unnecessary, but introduced security vulnerabilities. Horn was researching the kernel of the Galaxy A50 specifically, and had not yet tested his findings on other Samsung device kernels.
“On Android, it is normal for vendors to add device-specific code to the kernel,” writes Horn. “This code is a frequent source of security vulnerabilities. Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific. Modern Android phones access hardware devices through dedicated helper processes, which form the Hardware Abstraction Layer (HAL).”
In the case of the A50, Horn wrote an exploit for a memory corruption issue in Samsung’s kernel that was aided by yet another kernel vulnerability. That second kernel issue had long since been fixed in the Android common kernel, but Samsung had yet to address it in their customized version.
The entire blog post is a long, extremely detailed breakdown of the technical issues at play. Google has been working hard to address security issues with Android, but those improvements are only as good as the vendors that implement them. Horn makes a compelling case that vendors who customize the Android kernel are putting their users at serious risk for questionable benefits.
“In my opinion, some of the custom features that Samsung added are unnecessary, and can be removed without any loss of value,” adds Horn.
“I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won’t complicate updates to newer kernel releases.”
One thing is clear: Android vendors need to take security as seriously as Google does.