Android is a hulking beast as far as global user share is concerned — hell, it's the most-used operating system in the world, surpassing even Windows (in terms of internet usage). When Samsung announced that it was creating its own open-source alternative to Google's mobile OS, it was not really a surprise. We've had several upstarts over the years, like Sailfish, Firefox OS, Ubuntu Touch, and so on, but all of them have failed in some form or another. There were a few people, however, who thought Sammy could be the one to unseat Google and Android with a mobile operating system that it called Tizen.

Whether it's pronounced TEE-zen or TIE-zen is still a mystery (Wikipedia and I say it's the latter), but up until now, word on the integrity and security of the code has been relatively scant. Israeli researcher Amihai Neiderman finally dove into Tizen's guts to see what he could find. According to his report to Motherboard, what he found wasn't good.

Neiderman claims that the operating system contains what "may be the worst code [he's] ever seen," with signs of amateur mistakes and practices and no fewer than 40 zero-day vulnerabilities. All of those 40 allow for remote code execution, which permits nefarious parties to access and assume varying levels of control of a Tizen device. Remember, there are quite a few devices running Samsung's OS, including the Gear smartwatches and some phones.

One of the most critical vulnerabilities was in the Tizen Store (the equivalent of the Play Store or App Store), which allowed Neiderman to inject malicious code into his Samsung TV (also running Tizen). His conclusion from this was that you as a hypothetical third party could "update a Tizen system with any malicious code you want." Even the store's authentication measures weren't enough — he just used a heap-overflow vulnerability (which he also discovered) to hijack the software before the security protocols activated.

Moving on, Neiderman says that Tizen's code base is quite outdated and even borrows some elements from Bada, its predecessor. However, he claims that most of the issues he found were in the new code, which was written in the last two years or so. Some of the mistakes are the kind programmers were making twenty years ago. As Motherboard puts it, this shows that Sammy lacks any basic code development or review practices. To prove his point, Neiderman points to one example that he claims was everywhere in Tizen: strcpy(). Basically, strcpy() copies a string into a destination buffer without checking whether the buffer is big enough to hold it, which makes it a classic source of buffer overruns. Secure coding practice avoids it for that reason, yet it is supposedly prevalent in Tizen.
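To make the strcpy() point concrete, here is an added example (not code from Tizen or from the researcher's report) that puts the unchecked call beside a size-checked copy. The helper names, the 16-byte buffer and the sample strings are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* The pattern the article describes: strcpy() copies until it meets the
 * source's NUL byte and never looks at how large dst is. It is only safe
 * when the caller has already proven strlen(src) < size of dst. */
static void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Size-checked form (hypothetical helper): the destination size is an
 * explicit argument, and an oversized source is rejected rather than
 * written past the end or silently truncated.
 * Returns 0 on success, EINVAL for bad arguments, ERANGE if src won't fit. */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    const char *nul;

    if (dst == NULL || src == NULL || dst_size == 0)
        return EINVAL;

    /* Look for the terminator within the first dst_size bytes only. */
    nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {
        dst[0] = '\0';              /* leave dst a valid empty string */
        return ERANGE;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* text plus its NUL */
    return 0;
}

int main(void)
{
    char name[16];                                     /* constructed size */
    const char *fits = "living-room-tv";               /* constructed input */
    const char *too_long = "a-device-name-longer-than-16-bytes";

    copy_unchecked(name, fits);        /* 14 chars + NUL fits in 16 bytes */
    printf("unchecked copy: %s\n", name);
    /* copy_unchecked(name, too_long) would overrun name[]; not executed. */
    printf("checked, fits:     %d\n", copy_checked(name, sizeof name, fits));
    printf("checked, too long: %d\n", copy_checked(name, sizeof name, too_long));
    return 0;
}
```

The checked version fails closed: a caller that ignores the return value still ends up with an empty, terminated string instead of corrupted adjacent memory.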

To top everything off, Neiderman says that the programmers failed to use SSL encryption in certain areas during specific data transmissions. This led him to conclude that they made the wrong assumptions about what needed to be encrypted and purposefully left out SSL in those places.

When he initially reached out to Samsung to report his findings, he was greeted with an automated response. Motherboard's attempts to contact the Korean conglomerate resulted only in the basic PR drivel about the company's focus on security and whatnot. However, after the original article was published, Sammy reached out again to Motherboard to claim that it was working with Neiderman to resolve the issues. Neiderman corroborated this, saying he was in talks with the corporation.

You can read more at the source link below if you're interested. Honestly, I can't say that I'm too surprised. As Mr. Neiderman puts it, Samsung should reconsider deploying Tizen to its appliances and future phones before doing a serious overhaul on the code. I find that I agree with him.

Source: Motherboard