The latest flagship phone from Samsung, the Samsung S6 Edge, is currently in hot water when Google's Project Zero team revealed some of the handset's security flaws. According to a blog post by the team, whose main job is to discover unknown security flaws in Android, revealed that they have unearthed "11 high-impact security issues."
The team chose the Samsung Galaxy S6 Edge as a sample to know how it is different to attack an Original Equipment Manufacturer (OEM) device. OEMs are companies not owned by Google that use the Android Open-Source Project (AOSP) in manufacturing their mobile devices. The team also wanted to know how difficult it will be to find bugs in such devices and how quickly it would take to resolve them once reported.
The team took on three challenges, which, according to them, are "representative of the security boundaries of Android that are typically attacked." These challenges, are also "components of an exploit chain that escalates to kernel privileges from a remote or local starting point."
After a week, Google's Project Zero team unearthed 11 security issues on the Samsung Galaxy S6 Edge, which are the following:
- Samsung WifiHs20UtilityService Path Traversal (CVE-2015-7888) - A directory traversal bug that allows a file to be written as system.
- Samsung SecEmailComposer QUICK_REPLY_BACKGROUND Permissions Weakness (CVE-2015-7889) - A lack of authentication in one of the client’s intent handlers.
- Samsung SecEmailUI Script Injection (CVE-2015-7893) - Allows JavaScript embedded in a message to be executed in the email client.
- Three Driver Issues - Two of which (CVE-2015-7890 and CVE-2015-7892) are buffer overflows in drivers while the other (CVE-2015-7891) is a concurrency issue that leads to memory corruption in the driver.
- Five Image Parsing Issues - Two of the issues (CVE-2015-7895 and CVE-2015-7898) occur when an image is opened in the gallery while three others (CVE-2015-7894, CVE-2015-7896 and CVE-2015-7897) pop up during media scanning.
Dr. Steven Murdoch, a security researcher at University College London, explained to BBC News the implication of Google's recent findings. "There is definitely a tension between Google and the handset manufacturers because Google wants to protect its Android brand, and when it comes to security, Android has been quite tarnished," he told the news outlet.
Meanwhile, Google's Project Zero team has reported the issue, and the South Korean tech giant said that they have fixed eight out of the 11 security flaws via a monthly update. "Maintaining the trust of our customers is a top priority," Samsung said in a statement.