Let’s face it: carriers are slow and conservative about supplying patches to their users, a dangerous practice that often leaves those users exposed to public vulnerabilities for months or even years. Yes, we know Google does act fast to plug a hole when it finds one. But detecting and fixing a hole only happens once someone finds it, as we have seen many times.
You know, a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third parties, not to mention all the components (Linux kernel, WebKit, libraries) owned by various project maintainers. It takes a lot of effort and time to coordinate among the various responsible parties that currently make up the Android Open Source Project when a brilliant bad guy comes up with something that has the potential to overturn the boat.
Meet X-Ray, an app from Duo Security, one of the best two-factor authentication companies on the net. Instead of scanning for malicious apps installed on the device, as a mobile antivirus app would do (a nearly intractable problem), this app identifies known but unpatched vulnerabilities in the mobile platform itself that could be exploited to take full control of users’ phones.
It does this using detailed knowledge of a class of vulnerabilities known as “privilege escalation” vulnerabilities, which can be exploited by a malicious application to gain root privileges on a device and perform actions that the Android operating system would normally restrict.
A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.
Let’s say such a vulnerability is present on your device and hasn’t been patched. The likely result is that a malicious application can exploit it to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, such vulnerabilities allow a malicious application to escalate to root/superuser privileges and perform any action it desires without your knowledge.
So what do you do when X-Ray has declared your device vulnerable?
- You can check for available official updates from your carrier, usually by going to Settings → About phone → System Updates on your Android device.
- While it might not result in an immediate remediation, we encourage you to contact your carrier about the availability of an update to fix the vulnerabilities that X-Ray detected.
- If no official carrier updates are available, you may be able to install a third-party ROM (e.g. CyanogenMod) that may have patched the vulnerabilities. It’s worth noting that some third-party ROMs may introduce vulnerabilities of their own, so you should explore this option with caution.
Even if you’re unable to update your device, X-Ray allows you to better understand the risks associated with your mobile device. If you know that any malicious app you download can take full control of your device using publicly available exploits, you should exercise even more caution when downloading and installing third-party apps.
Ok, there is a caveat that you should know about. While we think this is a good app, the decision to install it is basically yours alone. The reason is that you cannot install it via Google Play, because the Play Store’s terms of service disallow applications that are installed directly (via an APK) instead of through the Google Play Store. Google classifies such apps as dangerous. It also disallows apps that check for Android vulnerabilities, as this one does.
So why are we asking you to take a look? Well, anything that can safeguard you on the Net is fair play to us. However, in a case like this, even before we consider suggesting it to our readers, we take a good look at the company that developed the product. In the case of Duo Security, we have been dealing with them for a very long time and can vouch for their products. We haven’t used X-Ray nor tested it, but we believe it is what they say it is.
Duo Security is a privately held company based in Ann Arbor, Michigan with investors such as Google Ventures, True Ventures, Resonant Venture Partners, and Radar Partners. Their hosted two-factor authentication service brings strong, scalable security to organizations of any size. Duo’s unique, high-availability architecture provides centralized management, self-service enrollment, and interactive secondary login through an intuitive web interface, eliminating the high costs, complexity, and confusion associated with traditional two-factor systems.
Wanna give it a try? Download X-Ray then.