Samsung's Galaxy S6 Edge is blighted by 11 security problems according to the Project Zero team at Google. The team carried out research to determine how easy it would be for an attacker to exploit an Android phone produced by an OEM.
Over the course of just a week of investigations, Google discovered "a substantial number of high-severity issues". While Samsung has now fixed some of the problems, at least three are still to be addressed.
The Project Zero researchers said that many of the security issues were "high impact and easy-to-exploit". One particularly interesting and easily exploitable issue was found in the Samsung Email client, whereby email could be forwarded to another account. A script injection problem was also found in the same app, which could allow JavaScript embedded in a message to be executed. The team warns that this could "make JavaScript vulnerabilities in the Android WebView reachable remotely via email".
Writing on the Project Zero blog, Natalie Silvanovich, the team's "planner of bug bashes", says:
A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge. Over the course of a week, we found a total of 11 issues with a serious security impact. Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy-to-exploit.
The majority of these issues were fixed on the device we tested via an OTA update within 90 days, though three lower-severity issues remain unfixed. It is promising that the highest severity issues were fixed and updated on-device in a reasonable time frame.
She also highlights the problem of OEMs introducing "additional (and possibly vulnerable) code into Android devices at all privilege levels". Despite the number of problems found, Samsung was praised for issuing security patches in a timely fashion.