Another day, another report of an Android security vulnerability. Overnight, security researchers Bluebox – the same team that found the so-called ‘Master Key’ vulnerability last year – have advised of a new flaw they have found in the way that Android authorises apps within Google Play.
Before you start worrying, the vulnerability has already been dealt with by Google, though it is still slightly worrying. The flaw lies in the way that Android handles the certificates used to verify application identities. According to Bluebox, the Fake ID exploit, as it is being called, allows malicious apps to masquerade as a special class of app that is allowed access outside the sandbox Android normally confines apps to.
The exploit works because Android fails to correctly verify the authenticity of certificate chains when installing apps. Android has for a number of years contained so-called ‘Super Apps’: apps which can access areas outside of the sandbox that Android normally places all apps within, to restrict access and prevent apps from reaching sensitive data or parts of Android that they shouldn’t. Apps which have been elevated to Super App status include Adobe Flash, which made use of WebView, the component that lets apps open a window to display web content, prior to the implementation of Chromium in Android 4.4.
Malware developers can use certificates from these Super Apps to masquerade as the app itself, and because Android fails to properly verify the certificate against the application package, the apps can then install whatever they want – Trojans, malware and so on – or, as Jeff Forristal, CTO of Bluebox Security, says, ‘It’s pretty much game over’.
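The core of the failure Bluebox describes is a certificate check that looks at who a certificate claims issued it without confirming that the claimed issuer actually signed it. The Go program below is an added example written for this article; it is not Bluebox’s, Google’s or Android’s code, and it uses Go’s standard crypto/x509 package as a stand-in for Android’s package verifier. It builds a trusted signer, one certificate that signer really issued, and one that copies the signer’s name into its Issuer field but is signed with an unrelated key, then runs a name-only check and a proper signature check over both. All names and keys are hypothetical and generated in memory.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds three certificates built in memory: a trusted signer, a certificate
// genuinely issued by it, and a rogue one whose Issuer field merely copies the name.
type Scenario struct {
	Trusted, Legit, Rogue *x509.Certificate
}

// issue signs template with signer, recording parent's subject as the issuer name.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafTemplate is a minimal end-entity certificate template (no CA bit set).
func leafTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
	}
}

// BuildScenario constructs the certificates. All names and keys are made up for this
// example; nothing here comes from a real vendor, app or device.
func BuildScenario() (*Scenario, error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	trustedKey, legitKey, rogueKey := keys[0], keys[1], keys[2]
	now := time.Now()
	trustedName := pkix.Name{CommonName: "Hypothetical Trusted Vendor"}
	// Trusted signer: self-signed and flagged as a CA so it may sign other certificates.
	trustedTmpl := leafTemplate(1, trustedName.CommonName, now)
	trustedTmpl.IsCA, trustedTmpl.BasicConstraintsValid = true, true
	trustedTmpl.KeyUsage = x509.KeyUsageCertSign
	trusted, err := issue(trustedTmpl, trustedTmpl, &trustedKey.PublicKey, trustedKey)
	if err != nil {
		return nil, err
	}
	// Genuine child: issuer name AND signature both come from the trusted signer.
	legit, err := issue(leafTemplate(2, "Hypothetical Genuine App", now), trusted, &legitKey.PublicKey, trustedKey)
	if err != nil {
		return nil, err
	}
	// Rogue child: its Issuer field copies the trusted name, but the signature is made
	// with a key the trusted vendor never held. The "parent" passed here is a bare
	// template carrying only the copied name, so no trusted signing key is involved.
	claimedParent := &x509.Certificate{Subject: trustedName}
	rogue, err := issue(leafTemplate(3, "Hypothetical Impostor App", now), claimedParent, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Trusted: trusted, Legit: legit, Rogue: rogue}, nil
}

// NaiveIssuerCheck is the weak, name-only check: it accepts any certificate whose
// Issuer field names the trusted signer and never examines the signature.
func NaiveIssuerCheck(cert, trusted *x509.Certificate) bool {
	return cert.Issuer.CommonName == trusted.Subject.CommonName
}

// VerifyIssuedBy is the correct check: the issuer name must match the trusted subject
// and the signature must verify under the trusted certificate's public key.
func VerifyIssuedBy(cert, trusted *x509.Certificate) error {
	if !bytes.Equal(cert.RawIssuer, trusted.RawSubject) {
		return errors.New("issuer name does not match the trusted subject")
	}
	return cert.CheckSignatureFrom(trusted)
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for label, c := range map[string]*x509.Certificate{"genuine": s.Legit, "rogue": s.Rogue} {
		fmt.Printf("%-8s name-only check: %v   full check error: %v\n",
			label, NaiveIssuerCheck(c, s.Trusted), VerifyIssuedBy(c, s.Trusted))
	}
}
```

Run it with `go run`: the name-only check accepts both certificates, while VerifyIssuedBy rejects the impostor because its signature does not verify under the trusted key. The lesson for any installer or loader is the same one the patch to AOSP applies: an issuer field is a claim, and a chain is only trustworthy when every link’s signature has been checked against the public key above it.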
But relax, it’s been fixed. According to Google, who issued the following statement to Ars Technica in response to the report, devices running Google Play Services and accessing Google Play should be fine:
The problem then lies with any non-Google AOSP devices without Google Play Services. Any device running a version of Android from 2.1 all the way through to the Android L Preview will still be affected by the flaw. This especially rings true for apps installed from outside of Google Play. But again, Google are on it, at least for future devices based on AOSP.
Bluebox informed Google of the flaw in April, at which time OEMs were notified of the flaw and given the patch to resolve it. A commit to AOSP added around Android 4.4.2 (which probably means the fix shipped in Android 4.4.3 or 4.4.4) addresses the flaw. This seems to have been implemented at least on flagship devices: Android Central advise they have tested a variety of late-model phones, including the LG G3 (European version), Samsung Galaxy S5 and HTC One M8, and found all three to be unaffected by the ‘Fake ID’ flaw.
So, as you were: the flaw is resolved, everyone seems happy and there don’t seem to have been any instances of this flaw being used. Although now that it’s in the public view, it remains to be seen whether non-Google devices will see something in the coming months or years before manufacturers update their code.