Is it possible to implement virtual patching on mobile devices? I am trying to develop some out-of-the-box methods to protect smartphones, especially Android devices, from attacks until OS patches can be implemented.
Before we address the question, it helps to understand the somewhat complicated structure of the Android platform and of the parties that ship it. Android is developed by Google together with the Open Handset Alliance, an industry consortium that Google leads. Google publishes the Android source code under the Apache License, and the Android Open Source Project (AOSP) maintains and develops it.
It is precisely this number of parties that makes the Android patch process a risk for users. When AOSP fixes a vulnerability, the fix does not go straight to handsets. Smartphone manufacturers must first build a custom version of the patched operating system that includes their own add-on software and drivers, and then test that everything still works. Next, the telecom carriers must check and test that the new firmware does not impair their networks before they approve it for distribution.
This long, multi-step supply chain often results in lengthy delays before users receive even the most urgent updates. Case in point: the Android 2.2 Froyo release fixed several vulnerabilities when it shipped in May 2010, yet Motorola and HTC took seven months to issue an update for their smartphones, and Samsung took even longer. During such a delay the fixes are already public, so attackers can study the patched code, work out the underlying bug and build exploits for the phones that have not yet received the update. Android is not the only mobile operating system with this problem. When a flaw was found in the WebKit HTML rendering engine that powers most smartphone browsers, Google patched its Chromium browser quickly, but Apple took eight months to ship the fix to its iOS devices.
Given this situation, it is understandable that an organization would weigh the possibility of virtual patching for mobile devices, and for Android in particular. The common way to implement a virtual patch is to place an inline proxy or intrusion prevention system in front of the protected hosts so that traffic matching the exploit is blocked before it ever reaches the vulnerable code. That works for desktops and servers sitting behind a network choke point, but it is not a realistic option for mobile devices: a smartphone connects over cellular data, Wi-Fi, Bluetooth, USB and other channels, and an organization cannot put a filtering device in front of all of them.
The other form of virtual patching is to modify the operating system's runtime code on the device itself, for example by hot-patching the kernel or the Android framework. This not only introduces new risks, such as programming errors in the patch, but also tends to cause device instability. Even if an organization has coders who understand the Linux kernel and the Java framework well enough to mitigate newly discovered vulnerabilities correctly, applying such changes means rooting (in iOS terms, "jailbreaking") the phones, which may breach the terms of the carrier contract, and a rooted device is itself a larger target than a stock one.
If an organization still wants to pursue this route, it should first study how AOSP reviews and processes patches, so that its own fixes track upstream as closely as possible. Android can be set up on a test machine using one of the freely available Android LiveCD builds, and the Android Compatibility Test Suite (CTS) lets developers check that a modified build still behaves compatibly as the work progresses.
There is no doubt that virtual patching is a valuable technique for reducing the risk created by long intervals between vendor patch cycles, especially as Android malware grows. Protecting mobile devices this way, however, is not easy, particularly because on a phone an update usually means modifying and replacing the entire firmware image on the user's device rather than dropping in a single fix.
This was first published in January 2012