Mac Developer: Boffins believe buggy Binder embiggens Android attack surface • The Register
Boffins believe buggy Binder embiggens Android attack surface • The RegisterThe paper notes that “private APIs” in Android – APIs that aren't documented for third-party developers – are a security problem. Since they're unknown, they don't get checked or tested.
Another architectural issue the paper cites is that de-serialisation is “assumed to be always undisturbed”, another assumption that depends on the validity of the client-side transaction.
Reminiscent of the XPC exploit that could be used to root Apple devices. Security "features"
Labels: android vs. ios