Amazon Prime Exclusive BLU R1HD
There's no way Amazon would co-launch an exclusive flagship product that has a hidden backdoor that secretly sends all of your personal information to a mysterious server in China. Surely their software team or device partner would catch that kind of thing during a routine security audit. That could never actually happen, am I right?
No one cares about the security of unlocked or open-market Android phones that are sold in the US (and many other regions). The OEMs that produce and ship Android phones don't care; Google, the provider of the Android platform, doesn't care; Amazon and Best Buy, the retailers that sell millions of Android phones every year, don't care either. Maybe worst of all, the average consumer doesn't care about computer security (until something really bad happens), which allows this all to continue.
This has always been the case for Android devices, but Google started to take the situation more seriously in the summer of 2015 after the Stagefright bug created a lot of bad press. Security researchers now say that Google devices like the Nexus lineup and Pixel have caught up to iOS in terms of the protection they provide, but the situation continues to get worse as the majority of consumers continue to purchase smartphones that ship with software not maintained by Google.
We were reminded of this glaring problem when Amazon was forced to pull the BLU R1 HD, its #1 best-selling unlocked phone, after a security researcher discovered a secret backdoor by a combination of happenstance and curiosity. The devices, and several other models from BLU, were collecting and transmitting Personally Identifiable Information (PII) to a server in China every 24 to 72 hours. This behavior occurred without the user's consent and included data such as fine-grained device location, text messages, contact lists, call logs, installed apps, and other information.
BLU's CEO told the NYTimes, "It was obviously something that we were not aware of," and admitted they made a mistake. And while it's good to see they moved quickly to correct the issue, it is alarming that neither BLU nor Amazon caught this issue since the phone launched in July of 2016.
I honestly had no idea how something this offensive could come to market and go undetected for so long, so I did a little research that I think is worth sharing. Having worked for an Android OEM, I had a basic understanding that all software releases with Google's mobile services have to pass Google's Compatibility Test Suite (CTS). A quick chat with some computer security experts quickly opened my eyes to how serious these ongoing security issues are and how they continue to occur.
Google actively maintains a blacklist of bad software that is not allowed to ship on Android phones. I was surprised to learn that Google and BLU were both aware of a specific vulnerability related to the offending ADUPS software in Mediatek chips back in 2015, a full year before the Amazon BLU R1 HD even shipped. Security research team Red Naga discovered the flaw on March 1, 2015 and made multiple attempts to get it patched, but found that BLU claims they have no security department and cannot assist.
After receiving radio silence from Mediatek and no help from BLU, Google eventually accepted a CTS patch to check for the ADUPS system socket. That should have solved the problem, but then Mediatek simply changed the name of the socket to purposely evade Google's CTS check.
To put it simply, Google's CTS can't detect vulnerabilities it doesn't know about: a check that looks for a known name is a signature, and a renamed socket no longer matches it. Apparently Mediatek is a repeat offender when it comes to evading Google's CTS tests, and some in the computer security industry have called them the worst chipset vendor when it comes to security measures.
Even though Mediatek has a bad reputation for security, they still get a lot of design wins because they do all the heavy lifting for ODM partners that select their reference platforms. If you want to launch an Android device fast and not spend a lot of money, then Mediatek is often a viable solution.
Hidden backdoors are something we should all be concerned about, but a more alarming problem is all the known security vulnerabilities that never get patched in the majority of Android devices. Google started to address this problem by creating more awareness among consumers. They now publish their monthly Android Security Bulletins, and force OEMs to display the Android Security Patch level in the device's settings.
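As an added example (not code from the original post), the script below reads the patch level that Google now makes OEMs display, exposed on the device as the `ro.build.version.security_patch` system property, and counts how many monthly bulletins a device has missed; the `getprop` output shown and the three-month threshold are constructed assumptions, and on a real device the line would come from `adb shell getprop`.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.product.model]: [BLU R1 HD]
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2016-07-05]
"""

# getprop prints one `[key]: [value]` pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict; ignore anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def months_behind(patch_level, as_of):
    """Whole calendar months between a YYYY-MM-DD patch level and the as_of date."""
    year, month, _ = (int(part) for part in patch_level.split("-"))
    return (as_of.year - year) * 12 + (as_of.month - month)


def assess(props, as_of, max_months=3):
    """Classify a device by how far its patch level lags the monthly bulletins.

    max_months is an assumed tolerance: bulletins are monthly, so a device more
    than three bulletins behind is treated as no longer receiving patches.
    """
    level = props.get("ro.build.version.security_patch")
    if not level:
        # Property absent: build predates the field or the OEM stripped it.
        return {"patch_level": None, "months_behind": None, "verdict": "unknown"}
    lag = months_behind(level, as_of)
    verdict = "current" if lag <= max_months else "stale"
    return {"patch_level": level, "months_behind": lag, "verdict": verdict}


if __name__ == "__main__":
    # The BLU story broke in November 2016; judge the sample build as of then.
    print(assess(parse_getprop(SAMPLE_GETPROP), date(2016, 11, 15)))
```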
After the FTC required HTC to fix known vulnerabilities back in 2013, the OEMs and wireless operators have taken some action and most of the flagship Android devices sold in carrier stores do receive regular security patches. However, not all devices receive timely updates and there is no guarantee that devices will be supported for any length of time.
Progress is really only made when things go wrong and the media hammers Google and its partners. For example, the previously mentioned Stagefright scare forced the FCC and FTC to join together to better understand, and ultimately to improve, the security of mobile devices, but the results of that investigation have not been released yet.
I can predict what they might conclude when they eventually release their report. There is virtually no incentive for the OEMs to invest in the resources to maintain security patches for devices after they launch. Releasing Android updates is time-consuming and costly, and it is not a meaningful differentiator that drives the purchase decisions of consumers. Most OEMs are just not willing to spend the extra cash on resources for improving computer security when consumers are not willing to pay the premium to get it.
Everyone in the supply chain can share some of the blame, but don't expect any drastic changes in the near term. The following are some quick suggestions for what different players could do to improve security on Android phones.
Google: They actually do keep a list of which OEMs are good and bad at keeping devices secure with the latest patches, and there were rumors they might publicly shame the worst offenders, but they would risk damaging their relationships with partners. If Google is really serious about improving computer security, they could find a way to educate consumers about which OEMs, component vendors, carriers, and other partners do a poor job of protecting their customers' data. (For example, do you really feel safe buying another BLU product or any device with a Mediatek chipset?) Google could also modify their next Android Compatibility Definition Document to require that devices ship with a certain security patch level and that it be maintained for an extended period of time.
OEMs: When I worked for Huawei, I tried to address this security issue by working with the global Honor team to introduce their 24-month Software Update Policy. To my surprise, the marketing team did not want me to discuss this during the product launch, but I'm proud that we were the only OEM to have such a public policy at the time. It's not perfect, but it is better than nothing. (Only Google guarantees security updates for 3 years after launch on their Pixel and Nexus devices.) I would encourage more OEMs to take the initiative to develop their own software update policies as soon as possible.
Retailers: Amazon did the right thing by suspending the sale of the BLU R1 HD, but if they follow the same logic then they should also ban other Android devices they sell with known security vulnerabilities. Amazon makes it very easy to see which networks an unlocked device will support, but they provide no information to potential buyers about the level of security it might provide.
Tech reviewers: Continue to call out the bad Android OEMs when you see them misbehaving. Put more focus in your reviews on detailing the level of software support and the history of maintaining it. Keep educating your audience so they can make informed purchase decisions.
Consumers: I would say vote with your wallet and only buy devices from companies that take computer security seriously, but the choices are really limited. Outside of the previous Nexus devices and the new Pixel phones, there are not many affordable options for those who value their privacy and security.