Apple is indirectly responsible for a security flaw that affects millions of Android smartphones. Check Point security researchers have unearthed a vulnerability in the open-source version of the ALAC encoding format, which Apple created in 2004 and has made available as open source since 2011.
While Apple regularly updates the proprietary version of the ALAC format in its software and operating systems, the open-source code has not been tracked as thoroughly. In fact, it hasn’t had a patch since… 2011. And that’s a serious problem, since these libraries are found in many devices and applications on platforms other than Apple’s.
Qualcomm and MediaTek, two of the largest vendors of mobile chips for Android smartphones, integrate the open-source version of ALAC into their audio decoders, which are used in more than half of phones worldwide. This concerns devices running Android 8.1, 9.0, 10.0 and 11.0.
Check Point has determined that crooks might exploit a flaw in the open-source ALAC code to launch remote attacks on smartphones using a malicious audio file. The consequences range from installing malware to taking control of the device’s media data, and can even go as far as listening to conversations.
The security flaw was dubbed “ALHACK” by its discoverers. Informed beforehand, as the rules require, Qualcomm and MediaTek published patches last December (CVE-2021-30351 for the former, CVE-2021-0674 and CVE-2021-0675 for the latter), which device manufacturers must now roll out to their devices as soon as possible if they have not already done so. Check Point will provide full details of this vulnerability at the CanSecWest conference in May.
This story demonstrates, in any case, that opening the code to the community is not enough to ensure foolproof security. If no one does the job of keeping it up to date, after a while the vulnerabilities present in it end up affecting everyone who uses it.