Printer friendly version
Italian Research Team Debugs Android
12 April 2012
Fondazione Bruno Kessler
A group of Italian researchers have discovered and neutralized a serious vulnerability present in all versions of Android, the popular operating system developed by Google specifically for smartphones and tablet computers. The vulnerability could have been easily exploited by malicious software applications, with the effect of making devices based on Google's operating system currently on the market completely unusable. The made in Italy solution proved to be effective and will be included in a future update.
This important result is the fruit of a collaboration between researchers working in various Italian universities and research centers: prof. Alessandro Armando, Head of the "Security & Trust" Research Unit at the Bruno Kessler Foundation in Trento and coordinator of the DIST’s Artificial Intelligence Laboratory at the University of Genoa, prof. Alessio Merlo (Telematic University E-Campus), Prof. Mauro Migliardi (coordinator of the Green Energy Aware Security at the University of Padua) and Luca Verderame (recent graduate in Computer Engineering at the University of Genoa).
The team of researchers promptly reported the vulnerability to Google and to the Android "security team", providing a detailed analysis of related risks. It also designed a solution that was verified by the security team of Android, and that - given its effectiveness - will be adopted in a future operating system update.
If it had not been neutralized, the vulnerability discovered by the Italian team would have allowed a malicious application software (malware) to saturate the physical resources of the device, leading to complete blockage of both Android-based smartphones and Tablet computers. An especially insidious problem because this particular application does not require any authorization during installation and would tend to appear harmless to the user.
The important result of the Italian research team will be published on the proceedings of the “27th IFIP International Information Security and Privacy Conference - SEC 2012” (Heraklion, Crete, Greece, June 4-6, 2012). Part of this work was cofunded by the FP7-257876 SPaCIoS European project. (http://www.spacios.eu/).
The identified vulnerability is based on a defect in the control of communication between applications and vital components of Android that allows to systematically exhaust the memory resources of the device by the generation of an arbitrarily large number of processes. The fundamental principle of the security of Android is the total separation between the applications (sandboxing) to ensure that each of these cannot affect in any way the operation of the others. The team of Italian researchers showed that this separation is violated in current systems and indicated the solution to be able to restore it.