Google’s Project Zero Discovers More BYOD Vulnerabilities



Neil Farquharson

Google’s Project Zero team has just made public a series of security flaws found on the popular Samsung Galaxy Edge smartphone. Project Zero is a team of Google security analysts formed in July of 2014 with the aim of finding zero-day exploits. It is most famous for releasing details of an exploitable Windows 8.1 bug in January 2015 after giving Microsoft a 90-day notice to issue a patch.

Source: Kārlis Dambrāns


For the new Galaxy Edge S6 analysis, the Project Zero team gave themselves one week to attempt three challenges:

  1. Gain remote access to contacts, photos and messages
  2. Gain access to contacts, photos, geolocation, etc. from an application installed from the Google Play store with no permissions
  3. Persist code execution across a device wipe, using the access gained in parts 1 or 2

By the end of the week, the team had found 11 issues with the smartphone, and Samsung was given the details. Most of the exploits have now been fixed by Samsung. The majority of the vulnerabilities were in the device’s own drivers and on-board image processing and were, apparently, “trivial to exploit.”

While it is good to note that both Google and Samsung will be pushing out security updates to their Nexus and Galaxy products more often, I am reminded that Android flaws continue to be found. Take for example the Stagefright vulnerability discovered by Joshua Drake of Zimperium in July of this year, or all of these vulnerabilities reported in 2014 alone.

The truth is that all BYOD and company-owned devices have vulnerabilities that can and will be exploited. However, the opportunities for stealing corporate data from mobile devices can be dramatically reduced by avoiding traditional mobile management applications and instead having a solution that gives access to company data without downloading that data to permanent memory.

Zix has a tried and tested BYOD solution named ZixOne. With ZixOne, your employees have access to corporate email without jeopardizing data protection or productivity, because corporate data never resides on their personal devices. Find out more about Zix’s groundbreaking solution by clicking here.