Google: OEM Mods Make Android OS Less Safe

Google says phone and tablet makers who alter Android's code to add security measures may actually be undermining security. It says device manufacturers should stick to Android's own measures.

Jann Horn of Google's Project Zero security team specifically pointed to an alteration made by Samsung for the Galaxy A50 phone, which he says contained a bug that made the device vulnerable to attack. He says he discovered and reported the bug to Samsung in September 2018 but it wasn't patched until Samsung's security updates released this month. (Source: blogspot.com)

Ironically Horn believes the alteration was actually designed to restrict any attacker who had already gained access to the kernel, which is the most fundamental part of an operating system. Horn says that's a case of misplaced priorities as it's more efficient to concentrate on stopping anyone accessing the kernel without permission in the first place. (Source: techradar.com)

Modifications Are Legitimate

The dispute boils down to the way Android is largely based on the open source concept, meaning manufacturers can use the system on their devices and relatively freely adapt it.

For the most part the changes are about the look and feel of Android, such as the menu system or the way gestures work on the device. In those cases, it's usually a case of adding to the basic Android code.

'Biggest Security Risk'

Horn's criticism is targeted at those developers who change the underlying code itself, the technical term for which is an upstream kernel. This means Google has produced the kernel, and then sent it down to developers.

Indeed, Horn goes as far as to say such modifications are a bigger security risk than the more commonly cited problem of manufacturers taking too long to roll out Google's security patches for Android. He says that although manufacturers altering the code has become "normal", the practice is "a frequent source of security vulnerabilities."

What's Your Opinion?

Do you use the Android operating system? If so, do you know - or care - much about how the device manufacturer has modified the system? Does Google have a point here, or is this just the price of offering a largely open source system?