COMMSEC: The Nightmare of Fragmentation: A Case Study of 200+ Vulnerabilities in Android Phones


Android fragmentation has been recognized as a significant cause of the growing number of Android security issues. In this talk, we will present our in-depth analysis of this infamous problem, using Samsung, a major manufacturer of Android phones, as a case study.

We will present more than 200 security vulnerabilities we have found in our research. These vulnerabilities commonly exist in Samsung phones such as the S8+, S7, S7 edge and Galaxy C9 Pro. Most vulnerabilities take Samsung a long time to fix, and some of them even persist for half a year.

Among the vulnerabilities we have identified, we would like to highlight one we found in settings. We will demonstrate how attackers can completely bypass the authentication mechanisms on Samsung phones, including iris recognition, pattern, password and fingerprint, and abuse payment functions like Samsung Pay, by exploiting this vulnerability. We also find that similar vulnerabilities exist in other vendors' Android OS variants, such as Huawei's. We will reveal how these vulnerabilities differ on each platform. A live demo or video demonstrating these vulnerabilities will be given at the conference.

Finally, we will reveal the differences between the Android OS variant in Samsung’s phones and Google’s official AOSP, and analyze how these differences result in vulnerabilities that never exist in Android Pixel, especially in Android N. Based on this, we will summarize the typical patterns of inappropriate implementation and modification of AOSP on Samsung.

Location: BALLROOM 3
Date: August 25, 2017
Time: 5:00 pm - 5:30 pm

Bai Guangdong
Zhang Qing