Google calls out Samsung for 'unnecessary' Android changes

Authored by 9to5google.com and submitted by udupa82
image for Google calls out Samsung for 'unnecessary' Android changes

Being the biggest Android OEM, Samsung and Google are generally close partners. Google’s Project Zero, though, is tasked with finding bugs and security exploits. This week, Google is calling out Samsung for an issue on the Galaxy A50, specifically mentioning Samsung’s “unnecessary changes” to Android’s core kernel.

In a very detailed post, Google’s Jann Horn explains this concern with Samsung’s Android kernel on the Galaxy A50. Every Android device makes changes to Android’s Linux kernel in order to work properly, as device-specific changes are important, even necessary in a lot of cases. However, some of Samsung’s changes are apparently creating more vulnerabilities.

Horn says that Samsung’s changes are for creating direct hardware access to the kernel by adding downstream custom drivers. Those changes, though, aren’t being reviewed by upstream kernel developers. In English, Samsung is trying to fix things themselves instead of using more official sources. As a result, this allows for “possible arbitrary code execution” on devices running Android Pie or even Android 10.

One example of this was a bug on the Galaxy A50 which affected Samsung’s PROCA (Process Authenticator) security subsystem. Google first reported this issue to Samsung back in November and a patch was released by Samsung this month.

In this post, Google says that efforts have been made to “lock down” which processes have access to device drivers in order to prevent vulnerabilities. Apparently, device-specific kernel changes are a frequent source of vulnerabilities. When companies such as Samsung make changes to the kernel, though, it negates Google’s work.

Further, Google says that Samsung’s changes are “unnecessary” in the first place. For example, one of Samsung’s changes was a security measure to restrict an attacker that gained “arbitrary kernel read/write.” Google says this seems “futile” and that Samsung’s efforts would have been better spent preventing an attacker from even getting to that point. Horn says that, “ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”

You can read the full post for more details on the Project Zero blog.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Google on YouTube for more news:

samuraisamson on February 16th, 2020 at 01:40 UTC »

If you have issues with their cell phone software, then you wouldn’t last a week working AT Samsung. Every single software package used internally is home brewed proprietary garbage.

Proprietary emailing system. Home brewed OS that disables any Windows OS features on work computers. Basically everything is an extremely slow home brewed web based tool that replaces a much better, more supported commercial alternative. Their Android Kernel mods are a Ferrari in comparison to the Ford Fiesta they deploy internally. 10 second tasks on a Normal OS turn into 2 minutes

dadobuns on February 16th, 2020 at 00:34 UTC »

Samsung needs to get rid of that Bixby shit. Even though I changed the settings for the shortcut button, Bixby is still a pain in my ass.

Doncriminal on February 16th, 2020 at 00:33 UTC »

I wish they'd fix the shitty firmware on their TVs instead. How long does it take to pick up a WiFi signal and close/launch apps adequately?