Google has called out some of the leading mobile manufacturers for altering Linux kernel codes within the its Android platform.
According to Google’s Project Zero security team, several phone makers have tinkered with the software in order to make their devices more secure – however, in the process, have actually ended up making the phones vulnerable to serious security bugs.
This includes Samsung, whose tinkering with the Android Linux kernel has resulted in exposing the company’s devices to a range of threats.
Google has suggested that manufacturers should use Android’s inbuilt security features rather than making unnecessary changes to the core kernel.
Citing an example of Samsung’s Galaxy A50, Google’s Jann Horn revealed that while making these changes, Samsung added custom drivers, thus creating direct access to the kernel. While this was meant to enhance security on the device, it created a memory corruption bug.
Samsung described the bug as a moderate issue consisting use-after-free and double-free vulnerabilities on devices running Android 9 Pie and Android 10 and affected company’s PROCA (Process Authenticator) security subsystem. This bug was patched with an update in the recent February update by the company.
Horn’s posts also suggest that device-specific kernel changes are a frequent source of vulnerabilities and termed these them “unnecessary” which negates Google’s work in making the OS secured.
He highlighted another example from Samsung stating that one of the changes in a device was aimed at restricting an attacker that gained “arbitrary kernel read/write.” Calling these changes as “futile”, he mentioned that the engineering resources could’ve been better utilized had it ensured that a hacker does not even reach this point.
He concluded with an appeal that “ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”