Public Service Announcement
Today, News.com.au Technology Editor Claire Porter claimed that almost all Android phones are vulnerable to hacking or to being completely taken over remotely by cyber criminals. In this alarmist and almost completely inaccurate news story, Porter claims:
Cyber criminals wait for legitimate apps to be approved for sale, and then go in and modify the code after and create an exploit that allows them to take over people’s phones by an app.
This simply isn’t true. It implies that cyber criminals are, in some way, able to get into apps that are approved for sale via the Google Play Store and insert trojan code into them which will then take over users’ phones. Not only is this remarkably unlikely (and not detailed anywhere in the source story on Bluebox’s blog), but any app containing this trojan code that was uploaded to the Play Store would be detected by Google and prevented from being published. You can see yesterday’s story on this exploit for more detail on how this works.
In brief, Jeff Forristal, Bluebox CTO, explains that when a developer initially uploads an app to Google Play for approval, Google scans the file’s digital signature and records it. Subsequent updates for the app are scanned against this signature for aberrations. Google has actually updated the Google Play Store application approval process to specifically look for this exploit and remove the possibility of it affecting users, at least for app updates in the official store.
So far it appears, though, that this flaw only affects non-Google apps. Considering the number of third-party apps that exist in the Google store, that’s hardly a paltry number.
This flaw only affects apps that are distributed through channels other than the Google Play Store. From what Ausdroid knows, and from what information about this exploit is publicly available, no app that is uploaded to, and subsequently downloaded by users from, the Google Play Store can infect a user’s phone with this exploit. Only APK files (Android’s application file format) that are downloaded from other sources, such as directly from web sites or potentially third-party app stores, are potentially vulnerable.
We repeat. The Google Play Store mechanism detects and prevents any APK containing this trojan code from being uploaded. It doesn’t affect “all third-party apps”.
Well, the news isn’t good. Until further notice, news.com.au recommends that you don’t download any non-Google apps.
This is just an overreaction. Ausdroid believes, and has seen many sources stating, that any app you download from Google’s Play Store will be free of this vulnerability. Why? Because Google are aware of it, and have ensured that the Play Store detects and prevents any apps containing this vulnerability from being uploaded or made available.
You need only be careful downloading apps from third-party sources, such as directly from websites, forums or questionable sources, though of course you should be careful downloading apps from those sources anyway, as you do not benefit from Google’s Play Store protections.
Also, if you have any apps which store your personal information such as credit card or PayPal information (like eBay, Amazon or Etsy), you should remove this information immediately. Remove any personal information from your phone (do you have your credit card PIN stored in your notes? Get rid of it).
Apps like eBay, Amazon, and Etsy do not store your credit card or PayPal information on your phone. Rather, this information is stored in these companies’ online services, which your apps access. Removing all these apps is probably an overreaction, but if you are concerned, by all means remove them.
The last point — removing personal information from your phone — is a good way to make your phone fairly useless, and is probably an overreaction as well. Keeping your credit card PIN stored in notes on your phone is a remarkably bad idea, regardless of the existence of any vulnerability.
Ausdroid does recommend, however, that you do not leave the ‘Allow installations of apps from sources other than the Play Store’ setting ticked. This will prevent any third-party apps from being installed unless you specifically allow it to occur, thus offering you some further protection. I think that’s one part of the story we can all agree with.