Project Zero selected the Edge to investigate because Samsung is the biggest OEM in the world and most of the bugs found in its phones would be found in other Android phones.
“In particular, we wanted to see how difficult finding bugs would be, what type of bugs we would find and whether mitigations in AOSP would make finding or exploiting bugs more difficult [on an OEM device]. We also wanted to see how quickly bugs would be resolved when we reported them. We chose the Samsung Galaxy S6 Edge, as it is a recent high-end device with a large number of users,” Project Zero said.
They gave themselves a week to root out vulnerabilities. North American Project Zero members competed against their European counterparts in this exercise. Each side was given three challenges: gain remote access to data stored on the device such as contact information, photos and messages; gain access to the same data from an app installed from Google Play with no permissions; and, using the access gained in either of the first challenges, maintain persistence even if the device was wiped.
None of the official press releases say who won, though.
Of the 11 vulnerabilities, the “most interesting” was CVE-2015-7888. It’s a directory traversal bug that allows a file to be written as the system user. Project Zero said it was a doddle to exploit and it has since been fixed.
After Project Zero reported the issues, Samsung rolled out fixes for eight of the 11 vulnerabilities, which Project Zero confirmed by re-testing an updated Galaxy S6 Edge. As for the remaining three, they’ll be fixed sometime this month.