The Stagefright Bug, and Your App

By now, it is fairly likely that you have heard about the Stagefright security vulnerability that exists in most current versions of Android.

There is not much that developers can do to help prevent their apps from being the means for malware to exploit this bug. The only absolute way to prevent an app from causing this problem is to not play any multimedia obtained from arbitrary sources through Stagefright, and that restriction is impractical for many apps.

In theory, one could attempt to devise some sort of scanner that looks for the sorts of media content that would signal an attempt to exploit Stagefright. However, creating such a scanner is likely to be rather difficult, and it implies that you are in a position to scan all media ahead of time. For apps reliant upon streams, that alone may be a show-stopper.

Until we understand more about the types of media and forms of playback that could trigger this vulnerability, it is unclear whether switching to a different playback engine (e.g., ExoPlayer) will help mitigate the risk. Hopefully, we will learn more after the presentations on this vulnerability scheduled for Black Hat USA and DEF CON 23 in August.

If your app automatically plays media obtained from outside sources, consider disabling that, so users at least have to specifically request the media playback. In effect, this is what the “prevent MMS messages from automatically loading” guidance is suggesting to users. Fortunately, many SMS clients let users toggle off MMS auto-playback. If your app has a similar auto-play capability, then at a minimum provide an equivalent setting where the user can disable the auto-play feature.
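One way to wire up that setting, as an added example that is not code from the original post: AutoPlayGate, PREF_AUTOPLAY_REMOTE and playIfAllowed() are hypothetical names, and the sketch assumes playback goes through MediaPlayer with a boolean preference exposed on your settings screen. Auto-play of outside media defaults to off, and such media is not handed to the media framework at all until the user asks for it.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.content.SharedPreferences;
import android.media.MediaPlayer;
import android.net.Uri;
import android.preference.PreferenceManager;
import java.io.IOException;

/** Hypothetical helper: decides whether media may start without a user tap. */
public class AutoPlayGate {
  // Hypothetical key; back it with a CheckBoxPreference in your settings screen.
  public static final String PREF_AUTOPLAY_REMOTE = "autoplay_remote_media";
  private final Context ctxt;
  private final SharedPreferences prefs;

  public AutoPlayGate(Context ctxt) {
    this.ctxt = ctxt.getApplicationContext();
    this.prefs = PreferenceManager.getDefaultSharedPreferences(this.ctxt);
  }

  /** Media packaged in the APK is yours; everything else counts as "outside". */
  static boolean isBundled(Uri media) {
    return ContentResolver.SCHEME_ANDROID_RESOURCE.equals(media.getScheme());
  }

  /** True for bundled media, or when the user has opted in. Default is off. */
  public boolean mayAutoPlay(Uri media) {
    return isBundled(media) || prefs.getBoolean(PREF_AUTOPLAY_REMOTE, false);
  }

  // Pass userRequested=true from a click listener, false when content merely
  // arrives or scrolls into view. A null return means "show a tap-to-play UI".
  public MediaPlayer playIfAllowed(Uri media, boolean userRequested) throws IOException {
    if (!userRequested && !mayAutoPlay(media)) {
      return null; // outside media is never opened without a user request
    }
    MediaPlayer player = new MediaPlayer();
    try {
      player.setDataSource(ctxt, media);
    } catch (IOException e) { player.release(); throw e; }
    player.setOnPreparedListener(new MediaPlayer.OnPreparedListener() {
      @Override public void onPrepared(MediaPlayer mp) { mp.start(); }
    });
    player.prepareAsync(); // playback starts from onPrepared()
    return player;
  }
}
```

Apply the same gate to anything else in the app that opens outside media without a tap, such as preview or thumbnail generation, so that the setting covers every automatic path.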

Where this is really going to be a problem is with ads.

If your ad network might be sending down something other than plain images or simple HTML, such as audio or video, see if you can disable that type of ad. If that is not possible, contact your ad network and ask when they will integrate this sort of control, or what else they are doing to ensure that they are not taking on ads that might trigger the Stagefright vulnerability.

In the meantime, we need to wait patiently for somebody to provide us a bit more to go on with respect to the scope of the vulnerability, so that we can perhaps come up with more specific guidance for developers.