Google scolded Samsung this week for an issue discovered on the Korean phone maker's Galaxy A50. Google says Samsung made "unnecessary changes to Android's core kernel," adding that the changes Samsung made threaten rather than strengthen the phone's security.
Google's increased focus on refinement — The tech giant has a vested interest in making sure Android is secure for OEMs and end users alike. Earlier this week Google announced it has made measurable efforts to limit malicious apps on its Google Play Store and that it's clamping down on the permissions apps can request, resulting in a 98 percent reduction in requests for access to users' call history and text messages. It's also been tackling more worrying issues, like self-reinstalling malware. But in this instance, it's a hardware partner that's causing the problems.
In a detailed blog post from Google's Project Zero team, researcher Jann Horn outlines the exact issue with Samsung's changes to the Android kernel on the A50. Samsung's changes included a security feature meant to restrict an attacker from reading or modifying user data, but Horn says the move is "futile" and that, rather than bolstering security, it introduces vulnerabilities that could increase an attacker's ability to execute arbitrary code.
"Samsung's protection mechanisms won't provide meaningful protection against malicious attackers trying to hack your phone, they only block straightforward rooting tools that haven't been customized for Samsung phones," Horn says.
The issues go deeper — Horn explains he's found a bug that affects Samsung's Process Authenticator (PROCA) security subsystem. The issue was first reported in November 2019 by Google, according to Samsung's security website. A patch for the bug was released in an update earlier this month, making it the fourth Galaxy device to receive a patch in February.
According to Horn, this illustrates a problem where vendor changes can mean previously issued fixes no longer work. "Ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels," he says.
Google says it has made efforts to mitigate an attacker's ability to access device drivers and add code to the Android kernel, but Samsung's changes have undercut those efforts. "Device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers where they can be implemented in safer programming languages," Horn explains. In other words, hands off, please.