Opinion: Android Hacks and the Stagefright from Hell

Stagefright, Creative Commons, Gresham College via Vimeo

You may have read about the multiple-hack affecting Stagefright, the code in Android that plays back media in MMS (multimedia messages). An enterprising hacker (allegedly) needs only send an MMS containing the exploit to the phone number of an Android 2.2 or later device and Stagefright will write code to any part of that device for which it has permissions – with the potential to affect 950 million, yes million, Android phones.

Whilst it is in theory quite easy to upgrade your phone to the latest Android (off-brand Chinese phones excepted), the question is how many users of those 950 million (that are still in use) are actually capable of doing so? Even if you go to the right website to get the latest phone software, there are many obstacles to making those phones secure again.

Find the right site, identify your phone, download the software, read, study, backup your data (yes, you!) then cross your fingers as you flash the firmware and wait for the rising smoke from your handset. But don’t even attempt it until you’re absolutely certain you understand the instructions and follow them to the letter.


Unless you have a Moto X 1st generation that you can’t root without asking your carrier for a firmware unlock code. Good luck with that. Can you even talk your carrier into giving you an unlock code? Motorola holds the bootloader unlock codes, but they won’t give them out for phones on certain carriers. I’ve tried requesting an unlock key from Motorola’s Unlock My Device page, but it wouldn’t give it to me because the carrier has blocked the IMEI code.

Most carrier’s business models rely on their specific ROM and bundled Android-ware. Even if you can get into the Bootloader to unlock it, you may find you’ve violated your Terms of Service and thereby any contract you have, assuming all the metering apps and carrier’s apps for the service deals still work. Which they probably won’t because you’ve deleted them in favour of ‘stock’ Android. Contract phones usually depend solely on the carrier, and people don’t know enough about what they’re buying. How many people aren’t even aware they can buy phones outside of their carrier’s store?

Root of the Problem

In a word, fragmentation. Android is Open Source, released into the wild by Google with little restriction, having taken the secure Linux kernel and removed everything that made it secure in the first place. Android is open-source, so a carrier can make whatever changes they want to it. Google let go of the direct line to deploy security patches to all Android phones regardless of manufacturer or carrier; unlike Microsoft which pushes everything to Windows Update on PC’s. Live in the Apple Walled Garden and you have no other options. Which means that carriers, OEMs and Google all have to roll out the fix. So most of those 950 million phones are going to stay vulnerable.

So how do you make a critical software patch available to all of them?  Add ROMS to the Play Store somehow?  Make it easier to acquire root and flash ROMS on every single phone ?

All sensible ideas, except that Google has no idea how carriers and OEM’s have messed with their current versions of Android when it gets to the end user, so any patched code from Google may run fine in their labs, but could break millions of phones where they haven’t anticipated the carrier’s and OEM’s changes to ‘stock’. ASUS, for example, rolls out a lot of updates, many devices upgraded to Android 5.0, with the manufacturer planning to roll out 5.1 shortly.

Perhaps Google should consider allowing only certain parts of Android (non core code) to be modified by carriers? Well, it’s a bit late for that.

Furthermore, if a user modification causes issues then that’s a user problem for which Google shouldn’t be held responsible.

It’s a huge regret that Google didn’t consider some sort of patch process allowing fast deployment to vulnerable phones, baked into Android’s base layer, on which manufacturers and carriers have to build on responsibly without breaking the OS. Power users who know what to do and where to turn for help could be mobilised as a community to help Google deliver tested patches.

Could Google deploy such a system to existing devices? No.

To new devices? To update an app, it must be signed with the same cryptographic key from the same publisher as the original. Stagefright, for example, is compiled from source by each OEM or carrier. Samsung, LG, Motorola and the others augment the OS slightly to customize their Android version, often on a per-phone model basis. How many of them will want to surrender more core system services to Google’s control? The carriers and OEM’s would have to give up some of their freedom to tinker with low-margin phones. Not going to happen, is it?

Couldn’t updates be pushed out via Play stores? Even though that is what Google has done in the past, patching millions of phones, that only reaches the Google Play store – the carrier’s and OEM’s equivalent services are under no obligation so to do.

Stock Answer

So what do we mean by ‘stock’ Android? The Android OS as envisioned by Google through their Nexus program?

Thanks to free market competition, device makers are engaged in price wars; thin margins lead to compromised frequency of updates; is Samsung going to write patches for each and every phone  it releases every week? LG? Motorla? Huawei? If they can save money by not producing updates, that’s what they’ll do. They also try to beat the competition by including proprietary software full of bloat and bugs.

Stock Crash

Expect very little to change until the cost of a widespread and highly-publicized attack against a particular carrier or phone model hardware model trashes somebody’s brand, market share and stock price. Perhaps then, everyone will reconsider. AJS

Image Credit: Stagefright, Creative Commons, Gresham College via Vimeo. ‘The Psychology of Performing Arts: Stage fright and optimal performance’ – Professor Glenn D. Wilson – Gresham College Lectures

One thought on “Opinion: Android Hacks and the Stagefright from Hell

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s