Language Selection

English French German Italian Portuguese Spanish

Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security

Filed under
Android
Linux
Google
Security

Samsung's attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ).

Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android's Linux kernel, vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn.

[...]

Incidentally, the February update also includes a patch for critical flaw in "TEEGRIS devices", referring to Trusted Execution Environment (TEE) on newer Galaxy phones that contain Samsung's proprietary TEE operating system. The Galaxy S10 is among TEEGRIS devices.

But Horn's new blogpost is focused on efforts in Android to reduce the security impact of vendors adding unique code to the kernel.

"Android has been reducing the security impact of such code by locking down which processes have access to device drivers, which are often vendor-specific," explains Horn.

An example is that newer Android phones access hardware through dedicated helper processes, collectively known as the Hardware Abstraction Layer (HAL) in Android. But Horn says vendors modifying how core parts of the Linux kernel work undermines efforts to "lock down the attack surface".

Read more

Google slams Samsung for making unnecessary changes to Linux

  • Google slams Samsung for making unnecessary changes to Linux kernel code

    We all know that Samsung makes an extra effort in strengthening the security of its smartphones with initiatives such as Knox. However, sometimes those extra efforts hurt more than they help. Now, Google has slammed the South Korean smartphone brand for making unnecessary changes to the Linux kernel code and exposing it to more security bugs.

    According to Google Project Zero researcher Jann Horn, Samsung is creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel. These changes are implemented without being reviewed by upstream kernel developers. Horn found a similar mistake in the Android kernel of the Galaxy A50, and the unreviewed custom driver added security bugs related to memory corruption.

Google Scolds Samsung For Making Linux Kernel In Android

  • Google Scolds Samsung For Making Linux Kernel In Android More Hackable

    Google is accustomed to seeing smartphone vendors making changes to the Linux kernel in Android. It is essential, at times, for some device-specific drivers to function properly.

    However, it was “unnecessary” to make such changes in Samsung Galaxy A50’s Android kernel, writes Google’s Jann Horn in a blog post. Horn is part of Google’s Project Zero (GPZ) team that is responsible for finding bugs and security exploits.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Fast download managers for Linux, Alternative to IDM

Download managers are great. They make the downloading process a lot easier and faster. However, the most popular download manager is IDM which is only available to Window. That is why in this quick guide, You will learn about the fast download managers for Linux that are alternative to IDM and even better in some cases. Having a fast download manager in your system is very essential as we tend to download files from the internet and the default downloader that we have got with the browsers. These download managers are not very efficient and do not provide any modern needed features. Here I have compiled a list of best and fast download managers for Linux. Let’s get started with the first one. Read more

Android Leftovers

Is open source software licensing broken?

Practices and expectations that one may have developed in working with conventional software licensing may lead to frustration when confronting open source software. The modest request, "Please, just show me the license" may be met with an unsatisfying response. While sometimes the response is very simple, often, the license information for open source software is more complicated and does not match the expectations set by conventional software licensing. What's up? Is open source software licensing broken? No. Differences, not just in the type of license terms, but in how the software is developed, lead to differences in how software license information is conveyed. In part, this results from tradeoffs between lawyer convenience and developer convenience. Read more

MauiKit Aims to Bring Apps That Can Run on Linux and Android

Creating the same apps and software for different platforms is not an easy task for the developers. To make an app run on desktops, developers need to write a source code. However, to make the same app run on mobile devices, the developers have to write a different source code. With the new MauiKit, developers would be able to build convergent apps, that can run on both platforms with the same source code. Read more