The custom software running on manufacturers roms is almost always installed with higher privileges than even the user has. That’s simple because the apps ‘have’ to be system apps, so a user can happily use the Samsung Gallery instead of the perfectly working Google Photos and not uninstall it, while often being a single App/Bundle with at least one feature requiring highest privileges, eg. a remote control, security or app store feature. That goes against all security conventions and philosophies, but who cares. Also, why bother about carefully granting permissions if just allowing everything works too?
So, you could attack Android itself, Google Apps or specific manufacturers system apps:
Android:
+ Would grant high permissions
+ Present on all Android devices (the majority of phones)
+ High bug bounty
+ Open source (easy to research)
- Open source (already researched very well, so it’s hard to find new bugs in a short time)
- Generally structured very securely
- High bug bounty (already researched a lot)
GApps:
+ Present on nearly all Android phones and therefore also the majority of phones
+ High bug bounty
+ Closed source (not researched as much)
- Closed source (hard to research, but possible with fuzzing or decompiling)
- Also made considering security and integrated correctly into the permissions construct of Android (so for most apps there are only user level permissions to gain)
- High bug bounty (already researched a lot)
Third party manufacturers apps:
+ Would grant high permissions
+ Low/inconsistent bug bounty (not researched that much)
+ Closed source (not researched as much)
+ Only on a few devices (not researched as much)
+ Often bad code and security standards
- Only on a few devices (not as much impact globally)
- Low/inconsistent bug bounty
- Closed source (hard to research, but possible with fuzzing or decompiling)
For a normal researcher with a lot of time and skill, Android or the GApps would probably be the better target. Especially because after finding bugs, they’ll be potentially more impactful, means you could get more bug bounty, and this is much less complicated than as if you’d need to contact a company not offering such programs.
In this case they needed quick bugs, without any consideration for bug bounty and usefulness, it’s about finding some bugs leading to high permissions no one has seen before. This essentially eliminates Android and the GApps, so custom ROMs remain. As Samsung is one of the biggest with many custom Apps, it’s a good target.
The custom software running on manufacturers roms is almost always installed with higher privileges than even the user has. That’s simple because the apps ‘have’ to be system apps, so a user can happily use the Samsung Gallery instead of the perfectly working Google Photos and not uninstall it, while often being a single App/Bundle with at least one feature requiring highest privileges, eg. a remote control, security or app store feature. That goes against all security conventions and philosophies, but who cares. Also, why bother about carefully granting permissions if just allowing everything works too?
So, you could attack Android itself, Google Apps or specific manufacturers system apps:
Android:
+ Would grant high permissions
+ Present on all Android devices (the majority of phones)
+ High bug bounty
+ Open source (easy to research)
- Open source (already researched very well, so it’s hard to find new bugs in a short time)
- Generally structured very securely
- High bug bounty (already researched a lot)
GApps:
+ Present on nearly all Android phones and therefore also the majority of phones
+ High bug bounty
+ Closed source (not researched as much)
- Closed source (hard to research, but possible with fuzzing or decompiling)
- Also made considering security and integrated correctly into the permissions construct of Android (so for most apps there are only user level permissions to gain)
- High bug bounty (already researched a lot)
Third party manufacturers apps:
+ Would grant high permissions
+ Low/inconsistent bug bounty (not researched that much) + Closed source (not researched as much)
+ Only on a few devices (not researched as much)
+ Often bad code and security standards
- Only on a few devices (not as much impact globally)
- Low/inconsistent bug bounty
- Closed source (hard to research, but possible with fuzzing or decompiling)
For a normal researcher with a lot of time and skill, Android or the GApps would probably be the better target. Especially because after finding bugs, they’ll be potentially more impactful, means you could get more bug bounty, and this is much less complicated than as if you’d need to contact a company not offering such programs.
In this case they needed quick bugs, without any consideration for bug bounty and usefulness, it’s about finding some bugs leading to high permissions no one has seen before. This essentially eliminates Android and the GApps, so custom ROMs remain. As Samsung is one of the biggest with many custom Apps, it’s a good target.