Android camera app bug could affect 'hundreds of millions of phones'

Richi Jennings Your humble blogwatcher, dba RJA

A vulnerability discovered in the Android open-source camera app might appear in countless phones and tablets. It has serious privacy implications.

Google has fixed the flaw in its official camera app, as has Samsung in its forked app. But what about all the other Android OEMs?

There’s no way of knowing—not without adb tweakery, anyway. In this week’s Security Blogwatch, we audit apps’ permissions.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 7CAfrags.

Storage schmorage

What’s the craic? Lawrence Abrams reports—Android Camera App Bug Lets Apps Record Video:

A new vulnerability has been found in the Camera apps for millions, if not hundreds of millions, of Android devices. [It] allows apps to take pictures, record videos, or get a device's location even if they do not have permissions to do so. [It’s] known as CVE-2019-2234.

This vulnerability is quite dangerous as it could allow apps that normally do not have permission, to: Take pictures and videos … pull GPS location data from stored photos … listen in on two-way conversations … silence the camera shutter.

According to Google, this vulnerability in the Camera app was fixed in July 2019 via a Google Play Store update and a patch was issued to other vendors. … All users are strongly advised to upgrade to the latest version.

You don’t say? And Dan Goodin warns—Other makers may still be vulnerable:

Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images. … Camera apps from other manufacturers may still be susceptible. … The specific makers and models haven't been disclosed.

[It] represented a potential privacy risk to high-value targets, such as those preyed upon by nation-sponsored spies. … In a statement, Google officials wrote: … "A patch has also been made available to all partners."

[But] checking if other Android phones are susceptible will be difficult for most users. … The ease of sneaking malicious apps into the Google Play store suggests it wouldn't be hard for [an] attacker to pull off something like this.

Who found it? Checkmarx’ Erez Yalon and Pedro Umbelino blog—How Attackers Could Hijack Your Android Camera:

After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app. [We] designed and implemented a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.

For proper mitigation and as a general best practice, ensure you update all applications on your device.

Or just buy an iPhone? John Gruber is predictably negative:

Google has no idea how many Android phones out there remain completely vulnerable to this exploit.

Or perhaps it knows but isn’t telling? TheDarkMaster masters the darkness:

Most phones will never see this update as they depend on the goodwill of the manufacturers. It should be possible to install Android as you install Linux or Windows: by installing the operating system and then the specific "driver package" of the phone.

And Trout Mask Replica replicates that feeling:

At least iPhone users would likely get security updates. The vast majority of Android users are ****ed because you get maybe a couple updates in a year or so. It's a great business plan for phone makers / carriers because if you want security you gotta pay up for a new phone all the time.

Apple has its problems [too]. The whole mobile industry sucks.

Surely this class of problem is known to computer science? CluelessKiwi has a clue:

This is a classical case of the Confused Deputy problem – entity has no permission to do something, but it can tell some other entity to perform the action on its behalf. It is always an issue in all kinds of distributed systems.

A system can do one of 3 things:
  • Use a capability-based permission system that delegates the permissions of the original application to the "executor" application by trusted (preferably signed) messages …
  • Use an actor-based ambient authority system where actors (entities) can request stuff from one another, and treat all messages as untrusted
  • Pretend to do ambient authority but forget about the "untrusted" part, resulting in an epic failure.
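The first and third options from that comment, side by side, as an added example that is not from the commenter, Checkmarx or Google. It is a constructed model, not Android code: the app names, the grant table and the HMAC key (standing in for an OS-attested caller identity) are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed model: the OS signs each request together with the *caller's*
# granted permissions, so the deputy can see on whose authority it is acting.
# A shared HMAC key stands in for whatever attestation a real OS would provide.
OS_KEY = b"constructed-demo-key"
GRANTS = {"camera_app": {"CAMERA", "STORAGE"}, "weather_app": {"STORAGE"}}


def os_sign_request(caller, action):
    """OS side: bind the caller's identity and permissions to the request."""
    body = json.dumps({"caller": caller, "action": action,
                       "perms": sorted(GRANTS.get(caller, ()))}, sort_keys=True)
    tag = hmac.new(OS_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def deputy_ambient(request):
    """Option 3: the deputy spends its own CAMERA grant for whoever asks."""
    action = json.loads(request["body"])["action"]
    return "camera_app performed " + action


def deputy_capability(request):
    """Option 1: act only if the signed capability shows the caller holds CAMERA."""
    expected = hmac.new(OS_KEY, request["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request.get("tag", "")):
        raise PermissionError("unsigned or tampered request")
    msg = json.loads(request["body"])
    if "CAMERA" not in msg["perms"]:
        raise PermissionError(msg["caller"] + " lacks CAMERA")
    return "camera_app performed " + msg["action"] + " for " + msg["caller"]


if __name__ == "__main__":
    req = os_sign_request("weather_app", "record_video")
    print(deputy_ambient(req))          # the deputy is confused: it records anyway
    try:
        deputy_capability(req)
    except PermissionError as err:
        print("refused:", err)          # the caller's own authority is checked
```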

And this Anonymous Coward waxes sarcastic:

Such a good idea to have a storage shared between apps. Then again, does anyone expect decent security design from any Google product?

Meanwhile, help me, Rhonda V. Magee—@rvmagee:

Is this a bug? Or a feature, in this data-scraping, extractive capitalist time in which we live?

Asking for 7B friends.

The moral of the story?

For IT: Use your MDM to find flawed phones in your fleet.
For app developers: Trust, but verify.

And finally

The seven new States of California

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Pexels (Pixabay)
