<h1>Samsung Abandons “S Suggest” Creating Security Vulnerability for Millions</h1>
<p>Published 2017-06-21 at <a href="https://www.thesslstore.com/blog/samsung-abandons-s-suggest/">https://www.thesslstore.com/blog/samsung-abandons-s-suggest/</a></p>
<h2>Abandoned Software is a Security Risk That Manufacturers Must Take Responsibility For</h2>
<p>A researcher found that Samsung abandoned its “S Suggest” app, which could have opened a security vulnerability for millions of users.</p>
<p><a href="http://www.samsung.com/in/support/skp/faq/839474" rel="nofollow">S Suggest</a> is an Android app and widget that recommends other apps. Samsung preinstalled it on most of its phones – including flagship devices like the Galaxy S III – <a href="https://www.androidpit.com/from-the-note-7-to-s-suggest-samsung-please-stop-making-mistakes" rel="nofollow">between 2012 and 2014</a>. After the service failed to gain popularity, Samsung shut it down in 2014 and later let the ssuggest.com domain expire, too. The app communicates with that domain to download new content and to report data about the user’s device.</p>
<p>Anyone could notice that ssuggest.com was available, register it and begin serving malicious content or recording device data.</p>
<p>Samsung gave a statement to <a href="https://motherboard.vice.com/en_us/article/samsung-left-millions-vulnerable-to-hackers-because-it-forgot-to-renew-a-domain" rel="nofollow">Motherboard</a> denying that this posed a security risk, stating that controlling the S Suggest domain “does not allow you to install malicious apps, it does not allow you to take control of users’ phones.”</p>
<p>However, the S Suggest app’s <a href="https://www.appbrain.com/app/s-suggest/com.sec.android.app.samsungapps" rel="nofollow">permissions contradict that statement</a>. The most dangerous of them was the ability to install apps and packages. It also had the ability to retrieve a list of the user’s running apps, view their network and Wi-Fi connections, and delete other apps.</p>
<p>There would have been plenty of other ways to use the ssuggest.com domain in harmful ways, too – such as replacing existing assets with tracking scripts or advertisements that could have been used to generate profit for criminal hackers.</p>
<p>Samsung should have avoided this vulnerability by keeping ownership of the domain or by updating the app to disconnect it from the site (though the latter would still leave users who don’t update exposed).</p>
<p>Luckily João Gouveia, <a href="https://twitter.com/jgouv/status/874296684993445888" rel="nofollow">the researcher who discovered the domain was available</a>, has registered the domain to prevent it from being misused. This practice is known as “sinkholing” and refers to the act of discarding or deleting traffic sent to that address. This is the same <a href="https://www.thesslstore.com/blog/wannacry-ransom-total/">technique used to defeat the “WannaCry” ransomware</a> which attacked millions of unpatched Windows devices last month.</p>
<p>Gouveia recorded connections from more than 2.1 million unique devices in a 24-hour period – and those devices were frequently connecting to the ssuggest.com domain (a total of 620 million times).</p>
<p>So while Samsung is finished with its S Suggest service, millions of users are still using phones that came with the app pre-installed.</p>
<p>Thanks to Gouveia, no harm has been done, but this vulnerability highlights the role that manufacturers have in keeping devices secure.</p>
<h2>Manufacturers’ Responsibility To Support The Software They Force on Users</h2>
<p>Android handset manufacturers often struggle to differentiate themselves from their competitors.</p>
<p>Because Android is easy and affordable to license, there are literally hundreds of choices that offer nearly identical features. Samsung, like many other major brands, creates additional (and often proprietary) features that can be unique selling points for its phones.</p>
<p>This is mostly copycat software that tries to compete with ‘big name’ features on other phones like Apple’s App Store or Google’s “Ok Google” voice commands. Brands like Samsung, LG, and HTC have all <a href="https://techcrunch.com/2017/06/16/samsungs-bixby-voice-assistant-is-finally-coming-to-the-u-s-but-only-as-a-preview/" rel="nofollow">created similar functionality</a> which <a href="http://www.phonearena.com/news/Samsung-owners-do-you-ever-use-the-Galaxy-app-store_id95134" rel="nofollow">usually goes unnoticed</a>.</p>
<p>In order to spur adoption, these apps usually come pre-installed and may be turned on by default. Manufacturers may even replace Android’s stock functionality with their own versions.</p>
<p>Samsung has an entire “S” line of products, including both hardware and software – which S Suggest was part of.</p>
<p>When they fail – as Samsung has with S Suggest – manufacturers are quick to abandon their software. They want to have their cake and eat it too – by pushing their proprietary software and then leaving the users with the risk of abandoned apps and unmaintained software.</p>
<p>This is not the first time that Samsung has prioritized marketing new features over security. Its Tizen operating system – intended to compete with Android – was heavily criticized earlier this year for its poor programming. Researcher Amihai Neiderman said “<a href="https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities" rel="nofollow">it may be the worst code [he’s] ever seen</a>.”</p>
<p>Samsung is not the only company guilty of foisting unwanted software on its users or abandoning apps. The Android ecosystem is frequently criticized for “bloatware” – apps that come preinstalled on phones and are developed by the manufacturer or are part of sponsorship deals – and for stopping critical OS updates only a few years after release.</p>
<p>Samsung’s S Suggest screw-up will only cost it a few days of bad press. But when manufacturers regularly <a href="https://www.extremetech.com/mobile/197346-google-throws-nearly-a-billion-android-users-under-the-bus-refuses-to-patch-os-vulnerability" rel="nofollow">abandon their software and devices</a>, it’s only a matter of time before a truly dangerous vulnerability occurs.</p>