Google warns manufacturers that modifying the Android kernel will bring more potential security vulnerabilities

by · Published · Updated

A few days ago, Google Project Zero issued a warning that if Samsung continues to modify the kernel source code in Android, it may bring more potential security vulnerabilities.

The reason for this warning is that Google Project Zero, such as Samsung, has a very common problem with modifying the Android kernel source code.

Usually, the manufacturers modify the Android kernel source code to add custom drivers, but this will also cause many kernel security vulnerabilities to fail directly.

Researchers have discovered potential security issues in Samsung’s custom Android system, and Google has issued a warning to manufacturers to stop doing so.

Android-based on the Linux operating system development is, therefore, the same in terms of the kernel, and the kernel itself is very complex and requires multiple developers to maintain it.

Android 10

Google found that Samsung will add custom drivers when addressing certain security holes, and these drivers have not been reviewed by kernel developers.

Although Samsung does not have the obligation to submit the added upstream and downstream code for review, these drivers defined by Samsung allow hardware to directly access the kernel.

And without universal verification, this may cause the kernel security function to fail, thereby increasing the security errors related to memory corruption in the kernel part.

That is, although this type of repair method does seem to fix some known security vulnerabilities, it unknowingly leads to some vulnerabilities that have not yet been discovered.

In fact, Google also spends a lot of time adjusting at the kernel level of the Android system. Based on the Linux kernel and Android system, it adds security features.

The manufacturers modify the Android kernel will waste the work of Google and even the Linux kernel project team, and expose the majority of Android users to security risks.

In turn, when new security vulnerabilities appear, manufacturers such as Samsung need to spend time to repair them, and then this patch may bring new vulnerabilities.

So researchers at the Google Project Zero reminded manufacturers to follow standard procedures for repairs, otherwise, the Android system would be unsafe.

Tags: