At last year's Black Hat USA conference, Jeff Forristal revealed the Master Key vulnerability impacting millions of Android users. For the upcoming Black Hat 2014 event, Forristal is back with another deep flaw within Android, this time a Fake ID vulnerability that could enable attackers to impersonate valid app developers.
Forristal plans on providing full details of the Fake ID flaw, identified as Google bug 13678484, in a session at Black Hat USA 2014, which runs Aug. 4-7 in Las Vegas.
Forristal is CTO of Bluebox Security, a company that focuses on mobile security.
"Bluebox discovered a vulnerability in how Android processes the digital signature identities that are attached to Android apps," Forristal told eWEEK.
Forristal explained that his team found a way to exploit Android that differs from the Master Key vulnerability he exposed in 2013. With Master Key, Bluebox found a family of bugs that allow an attacker to bypass Android's signature verification process; with that bypass in place, a malicious Android app could potentially run on a user's device.
With the new Fake ID vulnerability, applications are able to fraudulently use the identification of a legitimate app author.
"So an attacker can create malware and use the Fake ID to claim that they are Adobe, for example," Forristal said. "So now when a user installs the attacker's app, Android gives the app special access."
Android is hard-coded to give apps from Adobe special permissions, allowing them to act as plug-ins for other apps, Forristal explained. With the Fake ID vulnerability, a malicious app that claims the Adobe identity can therefore inject malicious code into any other app.
There are other identities beyond just the Adobe one that can potentially be abused by the Fake ID vulnerability. An attacker could, for example, leverage the Google Wallet identity, Forristal said. Google Wallet is a payment system that is integrated with Android and can enable near-field communications (NFC) for transactions.
"Normally Android provides a firewall that does not allow anything other than Google Wallet to manage the credit card operations of the secure NFC element," he said. "By having the Google Wallet identity, our malware can bypass the firewall and talk to the hardware."
From a security model perspective, validating identities is a well-understood process in the Web browser world. With any standard Web browser, secured sites have Secure Sockets Layer (SSL) certificates that can be validated via a certificate authority (CA). Every Web browser has mechanisms by which SSL certificate authenticity can be checked with the CA, including the use of the Online Certificate Status Protocol (OCSP). Google's Android, however, does not follow the model for security verification that the browser world has used for the past decade.
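As an added example (not the article's or Bluebox's code, and making no claim about Android's actual implementation), the Go program below contrasts the two verification models the article describes: a weak check that accepts a certificate because it merely names a trusted issuer, and the browser-style check that requires the issuer's key to have actually signed the certificate. The vendor, app and attacker keys and the certificate names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newKey returns a fresh P-256 key: constructed test material, not any real vendor's key.
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs a certificate for cn with signer's key and copies the Issuer name from parent (nil = self-signed).
func issue(cn string, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// IssuerNameMatches trusts the Issuer field alone: an identity claim nobody has verified.
func IssuerNameMatches(cert, anchor *x509.Certificate) bool { return cert.Issuer.CommonName == anchor.Subject.CommonName }
// IssuedBy checks that the anchor's key really signed cert, as a browser does for each link of a CA chain.
func IssuedBy(cert, anchor *x509.Certificate) bool { return cert.CheckSignatureFrom(anchor) == nil }

// Scenario returns each check's verdict on a forged cert that only names the anchor as issuer, plus the strong check's verdict on a genuine cert.
func Scenario() (weakAcceptsForged, strongAcceptsForged, strongAcceptsGenuine bool) {
	vendor, app, attacker := newKey(), newKey(), newKey()
	anchor := issue("Trusted Vendor CA (constructed)", true, nil, &vendor.PublicKey, vendor)
	genuine := issue("vendor plug-in (constructed)", false, anchor, &app.PublicKey, vendor)
	claim := &x509.Certificate{Subject: anchor.Subject} // the anchor in name only: no key, no signature
	forged := issue("impostor (constructed)", false, claim, &attacker.PublicKey, attacker)
	return IssuerNameMatches(forged, anchor), IssuedBy(forged, anchor), IssuedBy(genuine, anchor)
}
func main() { fmt.Println(Scenario()) } // prints: true false true
```

The name-only check is exactly the kind of shortcut that lets a certificate "claim" to be a trusted vendor; the signature check rejects it because the trusted key never signed it.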