
Understanding the Common Android Security Vulnerabilities

Harry Samuel is a mobile technology expert and reviews new productivity/monitoring software programs and apps.


Common Android Security vulnerabilities in the past

According to the security vulnerability website CVEDetails, a whopping 4043 security vulnerabilities have been recorded over Android's existence. The most common have been code execution flaws, followed by memory overflows and then Denial of Service (DoS) vulnerabilities. There have been 37 vulnerabilities this year alone.

Hackers have exploited Android security vulnerabilities in the past. In May 2021, Google disclosed four Android vulnerabilities that allowed malicious code to execute, giving attackers complete control of affected devices. Google released this information as part of its Android Security Bulletin. The tech giant released security updates to device makers, who then distributed the security patches to the devices as over-the-air updates.

CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664 vulnerabilities

The four vulnerabilities are CVE-2021-1905, CVE-2021-1906, CVE-2021-28663, and CVE-2021-28664. CVE-2021-1905 and CVE-2021-1906 are vulnerabilities in Qualcomm GPUs, whereas CVE-2021-28663 and CVE-2021-28664 are vulnerabilities in ARM Mali GPUs. These were classified as zero-day exploits, meaning hackers discovered the flaws before software vendors disclosed them. Hackers use zero-day exploits to take advantage of system vulnerabilities before they get patched.

Two of the flaws are in Qualcomm's Snapdragon CPU, used in many Android devices in the United States and other countries. The first vulnerability, identified as CVE-2021-1905, is a memory corruption weakness that allows attackers to run malicious code with full root rights. This vulnerability is considered severe.

The other bug, CVE-2021-1906, is a logic fault that might result in new GPU memory address allocation problems. The severity level is set at 5.5. Hackers frequently use two or more exploits to get around security measures. With the two Snapdragon faults, this is most likely the case.

The other two flaws were discovered in drivers for ARM graphics processors. CVE-2021-28663 and CVE-2021-28664 are both memory corruption vulnerabilities that enable malicious actors to gain root access to vulnerable Android devices. These four exploits took advantage of how memory and graphics processing interact with the Android operating system.

Successful exploitation of the vulnerabilities gives an attacker complete control of the device's data and operations. The device's security is compromised, and privilege escalation leaves its data unprotected.

Google was unsure what techniques hackers would employ to exploit the vulnerabilities. Security experts theorize that a cyber attacker could send malicious texts, dupe users into installing a fraudulent app or redirect them to a malicious webpage.

CVE-2020-0449

The Android runtime, Framework, Media Framework, and System components were all covered by the 2020-11-01 security patch level, which resolved a total of 17 vulnerabilities.

CVE-2020-0449, a critical security flaw in the System component that could be used to execute harmful code remotely, was the most dangerous of all the discovered vulnerabilities. The problem affects Android versions 8.0, 8.1, 9, 10, and 11. According to Google, a security vulnerability in the System component carries the most damage potential. A hacker can exploit the flaw with a malicious message to run code as a privileged process.

Android App Vulnerabilities

It's not just the Android ecosystem at fault. Most Android apps have built-in vulnerabilities. Some of the most common app vulnerabilities include insecure data storage, weak server-side configuration, insecure client-server data communication, and vulnerable app components.


Hackers can easily exploit these vulnerabilities and extract user data for their gain. In most situations, according to expert testing of Android mobile apps, unsafe data storage is the most common security vulnerability. Vulnerabilities and threats are slightly more widespread in Android apps than they are in iOS apps, according to research (43 percent versus 38 percent).

Security methods are sophisticated in today's smartphone operating systems. An installed app may only access files in its sandbox directories by default, and user privileges prevent data from being edited by the system. Nonetheless, developers have made blunders in the past while coding their apps. Technically speaking, the more data available to an app, the higher the risk of a security attack.

Client-Server attacks

A client-server design gets used in many of these apps. The client runs on the most popular operating systems—Android and iOS. This client gets downloaded by the user from app distribution platforms like the App Store and Google Play Store, where the apps are available.

The mobile program is the client installed on the user's smartphone. Users interact with the application to make payments, compose emails or send tweets. But there's another factor to consider: the server, which gets hosted by the developer.

Injection flaws are the most common, damaging, and diversified type of flaw (SQL injection, code injection, XSS, XPath). If server-side restrictions are not in place, an attacker can send the backend requests or commands that run malicious code. In a SQL injection attack, for example, an attacker can extract database records or modify the database's contents by changing a SQL query.

IDOR (Insecure Direct Object Reference) attacks are based on the same type of vulnerability. By relying on the absence of server-side controls, a user can manipulate the behavior of an application, host malware, or extract, change, or remove sensitive data. Therefore, adding a security layer before publishing your mobile applications on the app stores can protect you from such hacks.
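The server-side controls that the SQL injection and IDOR paragraphs above call for, shown as an added example that is not part of the original article: each weak handler sits beside its hardened form. The `notes` table, the function names and the sample rows are hypothetical, and an in-memory SQLite database stands in for the developer's backend.

```python
import sqlite3

# Constructed input a client could send as a search term.
INJECTED_TERM = "x' OR 1=1 --"

def make_db():
    """Constructed sample data: two users with one private note each."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)",
                   [("alice", "alice card ending 1111"),
                    ("bob", "bob card ending 2222")])
    return db

def search_notes_vulnerable(db, session_user, term):
    # Weak: client text is concatenated into the statement, so the client
    # can change the WHERE clause itself.
    sql = ("SELECT body FROM notes WHERE owner = '" + session_user +
           "' AND body LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_notes_safe(db, session_user, term):
    # Hardened: placeholders keep client input as data, never as SQL.
    sql = "SELECT body FROM notes WHERE owner = ? AND body LIKE ?"
    return [row[0] for row in db.execute(sql, (session_user, f"%{term}%"))]

def get_note_vulnerable(db, session_user, note_id):
    # IDOR: the server trusts the id sent by the client and never checks
    # who is asking for it.
    row = db.execute("SELECT body FROM notes WHERE id = ?",
                     (note_id,)).fetchone()
    return row[0] if row else None

def get_note_safe(db, session_user, note_id):
    # Hardened: the lookup is bound to the authenticated session user.
    row = db.execute("SELECT body FROM notes WHERE id = ? AND owner = ?",
                     (note_id, session_user)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(search_notes_vulnerable(db, "alice", INJECTED_TERM))  # leaks both users' notes
    print(search_notes_safe(db, "alice", INJECTED_TERM))        # no rows match
    print(get_note_vulnerable(db, "alice", 2))                  # returns bob's note
    print(get_note_safe(db, "alice", 2))                        # refused
```

In both hardened handlers the identity comes from the server's session, not from anything the mobile client sends.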

Unsafe data storage

A mobile application can store a variety of data (cookies, text files, settings, and so on) on a variety of storage media, including SQL databases, data warehouses, XML files, internal storage, and so on. To keep sensitive data used in the application confidential, it must be encrypted effectively.

Well-designed iOS and Android applications store data that isn't meant to be shared over a secure network; each application stores all of its data, including preferences and files, in a single directory. In most cases, only your application has immediate access to this directory, and no other program may view this data. But both Android and iOS offer features that allow data from an application to be viewed by another application.

Most apps nowadays need permissions to operate fully, such as permission to view the Gallery, use the microphone, or view contacts. But having control over the amount of access becomes crucial. Furthermore, rooted Android devices or jailbroken iOS devices allow malicious apps to access the data of other apps, increasing the danger of data compromise. If a device is lost or stolen, an attacker will have a much easier time recovering data.

As a result, strong data protection and encryption are required for secure storage. The most common problem is insecure data storage, which is present in 76 percent of mobile apps. Passwords, financial data, personal information, and contacts are all in jeopardy.

This is how most remote monitoring apps operate. These apps can spy on Android smartphones and iOS devices by acting as the device's owner. They grant access to third-party users who want to monitor Android smartphones or iOS devices. XNSPY, which is a smartphone spy app for Android 12, showcases exactly how to spy on someone's Android phone.

Why is it necessary to fix cybersecurity vulnerabilities?

Risks are not always the result of a single vulnerability on the client or server side. They are frequently the result of several relatively minor flaws in various portions of the mobile application. These oversights, when added together, can have major implications. These include financial losses for consumers in the form of ransomware payments and damage to the developer's image, which leads to lost business opportunities.

This is why developers must fix server-side vulnerabilities and use encrypted channels when the app communicates with the client. Consumers, on the other hand, should ensure that their data storage is up to scratch. And mobile operating system engineers should frequently develop security patches to overcome the existing vulnerabilities.
