Play Services 5.0.x -- Dynamic Security Provider question

secdroid

New member
Joined
Apr 21, 2013
Messages
91
Location
U.S.A.
I've been trying to find out more about which OpenSSL security bugs are fixed by the Play Services 5.0 Dynamic Security Provider update -- so far, without success. Any pointers would be greatly appreciated.

Here's what I learned (emphasis added):

Dynamic security provider

Provides an API that apps can use to easily install a dynamic security provider. The dynamic security provider includes a replacement for the platform's secure networking APIs, which can be updated frequently for rapid delivery of security patches. The current version includes fixes for recent issues identified in OpenSSL.

Source -- http://android-developers.blogspot.com/2014/07/google-play-services-5.html

The phone is a ZTE Valet (Z665C) running Android 4.1.1
Google Play Services vers. 5.0.84 (1259630-032)

I have no idea whether any OpenSSL fix(es) would change what a Heartbleed Scanner would find, but here is what I get:

Bluebox Heartbleed Scanner 1.2.2
Android OS OpenSSL version 1.0.1.c with heartbeats enabled
Apps with OpenSSL -- none found

This means that the Bluebox scanner thinks the phone is vulnerable -- but does Dynamic Security Provider OpenSSL fixes change that?
 
I did a bunch more searching.

One redditor provided a bit of info (from Google I/O) on the intent of DSP -- quick fixes between updates. Others worried about that, but it really seems like a good idea. AOSP will ultimately get the security fixes, in the fullness of time. Given the lack of timely updates from many phone vendors and/or network operators, DSP seems like it could be a good thing. As presently used, who can tell?

As to what specific OpenSSL fixes might have been introduced into Play Services 5.0.84, that apparently is not documented on the public Internet. The DSP API is documented for developers, but any use Google may have made of this API is not public.

It appears not to be possible to determine whether or not any particular OpenSSL CVE has been patched via Play Services Dynamic Security Provider.

IMHO, this is a huge mistake of Google's part and ZDNet's Adrian Kingsley-Hughes continues to be correct about Android being a "toxic hellstew of vulnerabilities."

He goes on to say "I believe that the bigger problem is that Google lacks the empathy to properly connect with consumers. Google is a tech company led by very brainy tech people, but in my experience, these people have a hard time seeing the human element in things. It is a company populated by people who don't understand why users don't get updates..."

For anyone interested in Kingsley-Hughes' reasoning:

http://www.zdnet.com/android-fragmentation-turning-devices-into-a-toxic-hellstew-of-vulnerabilities-7000028342/

http://www.zdnet.com/the-android-toxic-hellstew-survival-guide-7000030336/

To me, a phone or tablet is a computer. A computer that can not get security patches in a timely manner is worse than useless. It is dangerous.

:doh:
 
For the most part, you'd have to engage in a fair amount of risk (side loading, clicking things on shady websites, etc) in order to encounter a problem. And in between updates (which are far more for features than security purposes, this isn't Windows after all), there are a lot of good security apps, such as Lookout, AVG, etc.

I saw an article recently that exposed some sort of awful security vulnerability in iOS too. Nothing is perfect, it would seem.
 
Back
Top