Quokka, Inc., a mobile security and privacy solutions company, released a technical report at DEFCON 31 named Still Vulnerable Out of the Box: Revisiting the Security of Prepaid Android Carrier Devices, detailing their discovery of multiple security vulnerabilities found in 21 prepaid Android smartphones sold by American carriers. The Quokka R&D team examined the local attack surface of the smartphones and uncovered flaws in the preloaded software, that if leveraged can escalate privileges to indirectly perform actions and obtain data without having the necessary permissions to do so. This means that even when an app requests minimal permission levels from its users, it could be exploiting vulnerabilities on the phone itself to illicitly escalate its privileges.
CIO INFLUENCE: World Password Day: Password advice for CIOs
“We found that due to a wide range of local interfaces with missing access control checks and inadequate input validation, a third-party app’s behavior is not truly circumscribed by the permissions that it requests”
“We found that due to a wide range of local interfaces with missing access control checks and inadequate input validation, a third-party app’s behavior is not truly circumscribed by the permissions that it requests,” said Dr. Ryan Johnson, Sr. Director of R&D at Quokka. “These findings are concerning because they suggest that prepaid Android carrier devices may be vulnerable out of the box.”
To help mitigate the risks associated with the prepaid Android smartphones, Quokka released Q-Scout 2.0.0 for Android that enables end users to scan their devices and informs them if they are impacted by the vulnerabilities discovered by the R&D team. Many of these vulnerabilities are not publicly disclosed yet; therefore, the sole means to identify whether your Android device harbors such vulnerabilities is by utilizing the Q-Scout app.
CIO INFLUENCE: CIO Influence Interview with Lior Yaari, CEO and Co-Founder at Grip Security
“Quokka has been working diligently since 2015 to identify and mitigate security risks posed by mobile applications and devices, as well as, IoT devices, we believe it’s our responsibility as an industry leader to keep our customers informed about emerging security risks,” said Dana Waldman, CEO at Quokka. “Our team will continue researching mobile security issues and develop cutting-edge solutions for improved safety and privacy.”
As we become increasingly reliant on our mobile phones for communication and other activities like banking or shopping online, it is important for us all to remain vigilant about keeping our devices secure. It is essential for manufacturers as well as consumers alike to prioritize mobile device security during production and use respectively – especially when it comes to prepaid Android carrier devices – which are still vulnerable out of the box.
CIO INFLUENCE: CIO Influence Interview with Russ Ernst, Chief Technology Officer at Blancco
[To share your insights with us, please write to sghosh@martechseries.com]
