Motorola, Samsung, HTC leaving some Android handsets open to permissions-based attacks

A research paper (PDF) out of North Carolina State University has outlined how Android vendors, including Motorola, Samsung and HTC, are not enforcing the standard Android permissions guidelines with pre-installed apps. As a result, applications that don’t explicitly ask for access to send SMS messages, read address books or even wipe the phone’s data are able to do just that.

While the vulnerabilities are less present on Google’s own phones, including the Nexus One and Nexus S, certain intrinsic weaknesses within Android were also uncovered, leading to potential permissions-based exploits. Google and its now-subsidiary Motorola have acknowledged the potential exploits, but the researchers report having “experienced major difficulties” in reporting these issues to Samsung and HTC.

At this point it’s unlikely anyone has taken advantage of these exploits, as they would have to explicitly sideload an app onto the phone to interact with the pre-installed apps’ permissions weaknesses. Nevertheless, the potential for trouble is there, and as always, we caution you against downloading any app from the Android Marketplace that does not appear to come from a legitimate, trustworthy seller. Be careful out there, folks.

Source: Ars Technica
Via: Engadget