Google’s Project Zero security team recently turned its attention to Samsung’s Galaxy S6 Edge, and the results make for awkward reading: it found it found a total of “11 high-impact security issues” with the smartphone, with OEM software introducing new vulnerabilities.
In a blog post, the team details its findings and describes its motivations for carrying out the research in the first place. “OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels,” it writes, “and they decide the frequency of the security updates that they provide for their devices to carriers.”
In just a week of research, the team attempted to find security flaws that could allow them access to contacts, photos, geolocation, and other personal data, as well as the ability to remotely wipe the device. In total they discovered 11 separate vulnerabilities. In particular, issues with Samsung’s own email client and gallery app created new security risks — suggesting that the bloatware installed by OEMs can be dangerous as well as annoying.
Fortunately the biggest flaws have already been fixed by Samsung, and a few smaller bugs will be patched in an update that will be issued later this month. It does, however, serve as a reminder that OEM software can easily be flawed, and the fact that Google has no control over its installation should remain a real concern. While a crack-team of Google researchers have solved a series of issues on the Galaxy S6 Edge, there’s no way it can achieve that across the many thousands of other Android devices on the market.