Google has recently published its latest security bulletin, a monthly release in which security flaws in Android are disclosed and fixed. Nexus device owners, including owners of the Nexus Player, will shortly receive OTA updates that give them these security fixes.
This month there is a large set of fixes across various APIs, and Google has split it into two different security patches: July 1st and July 5th. Some of the bugs from July 5th only affect particular Nexus devices. The bulletin also now mentions whether Nexus devices are affected by a given flaw or if it's a stock Android / hardware bug. Google has implemented its own security features on top of the platform, such as Verify Apps, which routinely scans your phone for potentially malicious apps and is allowed to remotely uninstall them.
You can read the entire list of patches in the bulletin, but we’ll highlight a few interesting vulnerabilities.
There is an elevation of privilege vulnerability in the LockSettingsService that could allow the screen lock to be reset without the user’s authorization.
There is also an elevation of privilege vulnerability in the ChooserTarget service, a new service that allows users to share content to specific users in an app instead of just abstractly to the app. This could allow a background service to execute code and access activities it isn't supposed to.
An elevation of privilege vulnerability in the USB driver could allow a malicious app to run kernel code and compromise the device.
Google seems to have done a thorough job recently of vetting their codebase, both on the platform and individual device drivers, and this bulletin is the result of that work. Overall, there were 9 critical, 29 high, and 16 moderate vulnerabilities published and fixed, and these patches will make users a lot safer.
When Android Nougat is released, users will also have these fixes built in. Google continues to improve the software.