Google’s Project Zero, which investigates the security of popular software, recently turned its attention to the Galaxy S6 Edge.
A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge. Over the course of a week, we found a total of 11 issues with a serious security impact. Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy to exploit.
The majority of these issues were fixed on the device we tested via an OTA update within 90 days, though three lower-severity issues remain unfixed. It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame.
I love that Google has Project Zero, and that the Zero team is not afraid of exposing the weaknesses in the company’s own products (in this case, Android). Few companies out there would allow this.
I'd like to see the same thing about their weak encryption of my data in their cloud. I know you can encrypt your disk content, but my data is still not encrypted on Google's servers. That's a threat to my security IMO.
The weaknesses were not in Android but in extra stuff that Samsung added (device drivers, Gallery app, etc.). But yes, Google deserves to be commended that their strict disclosure standards are the same for themselves, their business partners and the competition.
So two small groups of competent security professionals working on the device for a week could expose 11 vulnerabilities. Imagine what a state actor and/or criminal organization with much more resources can achieve. And what the QA at Samsung must be like with such bugs slipping through unnoticed.