ZTE of China has revealed the existence of a backdoor in its Score M Android 2.3.4 Gingerbread smartphone, which would be used for installing and uninstalling apps. The root shell backdoor vulnerability was posted on Pastebin.
First up, this kind of root shell access is actually used by manufacturers during development, but what is clear is that the backdoor should have been disabled. It does, however, appear that ZTE and MetroPCS are using this root shell to install and uninstall apps and, in particular, software updates (otherwise referred to as ‘fragmentation’). ZTE has confirmed the vulnerability on its Score M devices, but it isn’t clear whether the same backdoor affects other mobile phone models.
ZTE is working on an OTA (over-the-air) security patch, but hasn’t indicated when this patch will be made available to end users. It’s well known that legitimate Google-supported APIs can open backdoors but actually don’t introduce any security issues. It is rumoured (in particular in the US) that many Chinese manufacturers include backdoors (using the software update route) and spyware in their technology, but it has been especially hard to prove. So, how might the OS fragmentation process best be handled?
I’d like to see smartphone manufacturers and the carriers evolve the Android OS fragmentation (software updates) process to incorporate WiFi/HotSpot OS updating. Only time (along with the obvious costs) will tell whether this is a viable option. An option for ZTE (and other manufacturers) might be to incorporate an OS updating alert/prompting mechanism whereby the user can decide to install the update. Some analysts suggest smartphone software updates should be silent (like the Google Chrome and Mozilla Firefox browsers), and I tend to agree with this approach.
For example, when an Android device nears a WiFi or Hotspot network (OTA updates just take too long right now), the user could be prompted to connect, and a compressed ZIP update could be downloaded without affecting the current activity of the device. The update could then be installed either when the user is prompted to reboot or when the user next reboots the device.
There seems to be a lot of speculation about Chinese technology businesses right now. That said, we must not forget that some well-known recent similar cases involved Western companies, one of which should be well known to my readers – Carrier IQ, which I covered back in May of 2011.
Safe surfing, folks!