Stop messing with our code – Google Project Zero

A Google Project Zero engineer has scolded Samsung, suggesting alterations to Android’s Linux kernel has actually made Galaxy devices more vulnerable.

While making some adjustments to Android code downstream is relatively common, rarely has Google come out in opposition. In a blog post, Jann Horn of Project Zero examined the modifications made by Samsung coming to the conclusion the firm would be better off using existing security features in the Android code.

“In my opinion, some of the custom features that Samsung added are unnecessary, and can be removed without any loss of value,” said Horn.

“That I was able to reuse an infoleak bug here that was fixed over a year ago shows, once again, that the way Android device branches are currently maintained is a security problem. While I have criticized some Linux distributions in the past for not taking patches from upstream in a timely manner, the current situation in the Android ecosystem is worse.

“Ideally, all vendors should move towards using, and frequently applying updates from, supported upstream kernels.”

In this example, Horn found a mistake in the code for the Samsung Galaxy A50. This is a single case, but as Horn states, it is very common for code to be added to the Android kernel code downstream for additional features.

In February, Samsung added an additional security features known as PROCA. Horn was able to figure out what PROCA does, perhaps limits the impact of threats already inside the security perimeters but suggests it would be more effective to add more attention to preventing access in the first place. Horn suggests this code does in fact create more issues than it does solve.

What is worth noting is that this is hardly surprising. Google wants Android to be seen as perfect. The less modifications made to Android code the more influential it becomes, so it will of course reprimand those who try to improve on what it classes as perfection. But then again, the Google engineers might have a point.

Many have tried to replicate the success of Android as a mobile operating system, including Samsung, but all have failed. Only Apple’s iOS is an alternative, though it is not a direct comparison considering only Apple uses it. If no-one is able to replicate the product, why should they be able to improve on it with their own modifications?