Fake ID Flaw Puts Android Users at Risk
Forristal explained that in the Fake ID vulnerability, the attacker creates a certificate saying it is issued by Adobe, for example, and Android accepts it. The fake certificate is chained to the legitimate Adobe certificate, though the fake certificate is never in fact issued by Adobe. "If you were to cryptographically verify that Adobe issued the certificate, the verification would fail," he said. "But Android doesn't do that verification, so the vulnerability is the fact that we can get an arbitrary third-party certificate shoved into our certificate chain and be accepted as valid."

So why doesn't Android simply follow the same model as Web browsers? According to Forristal, it's all about developer convenience. Most Android apps are self-signed and don't actually use a third-party CA, he said. "If Google had the same certificate verification as browsers do, it might have solved this [Fake ID] issue, but it might have prevented the entire Android ecosystem from starting," Forristal said. "If a developer had to go out and buy a security certificate before they could put their app in the Android marketplace, it would extremely impact the openness and the time-to-market concept of Android."

That said, the Fake ID problem can be fixed in other ways. Forristal first reported the Fake ID flaw to Google back in April. That same month, Google produced a patch, and it is in the process of pushing out the fix to its handset partners.

However, just because Google has a patch doesn't mean that all Android device manufacturers have made that patch available to users. "Of the 40 or so devices we use in our lab environment, the only one we've witnessed patched at present is certain Motorola devices," Forristal said. "It is relatively unknown to us what the current patch status is for those other 6,260-plus Android devices at this time—perhaps more of them are patched."

For users, Bluebox has its Bluebox Scanner app, which was originally released in 2013 to help Android users determine if their devices were at risk from the Master Key vulnerability. The Bluebox Scanner app has now been updated to identify the potential risk for the Fake ID vulnerability.

There is likely one additional mitigating factor for the Fake ID vulnerability: Google's own scanning of apps in the Google Play store. "Google is known to scan apps, but to what extent and how they scan apps are details we don't have," Forristal said. "Certainly there are no guarantees that something can't slip through the Google Play store."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
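The distinction Forristal draws, a chain that links certificates by issuer name versus one whose signatures are actually verified, is easy to see in a toy model. The following is an added example written for this page; it is not code from the article, from Bluebox, or from Android. Certificates are plain dicts, keys are textbook RSA with tiny constructed primes so that everything runs offline on the standard library, and the names "Adobe Systems", "Evil App" and the two checker functions are illustrative assumptions. A legitimate Adobe-signed leaf and a forged leaf that merely names Adobe as its issuer are each presented in a chain ending in the genuine Adobe root; the name-only check accepts both, the signature-verifying check accepts only the legitimate one.

```python
"""Toy model of name-only vs. cryptographically verified certificate chains.

Added example, not from the article or from Android. Certificates are dicts,
RSA keys use small constructed primes, and the hash is reduced mod n so it
fits the toy modulus. Real X.509 validation is far more involved; the point
here is only the difference between the two chain checks.
"""
import hashlib


def make_keypair(p, q, e=65537):
    # Textbook RSA from two constructed primes; illustrative sizes only.
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    # SHA-256 of the signed bytes, reduced so it is a valid RSA message mod n.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest_int(data, n), d, n)


def verify_signature(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(data, n)


def tbs(cert) -> bytes:
    # "To be signed" bytes: every field except the signature itself.
    return f"{cert['subject']}|{cert['issuer']}|{cert['public_key']}".encode()


def make_cert(subject, issuer, subject_pub, signer_priv):
    # Whoever holds signer_priv signs; the issuer *string* is just a claim.
    cert = {"subject": subject, "issuer": issuer, "public_key": subject_pub}
    cert["signature"] = sign(signer_priv, tbs(cert))
    return cert


def naive_chain_accepts(chain, trusted_roots) -> bool:
    """Name-only linkage, in the spirit of the flaw the article describes:
    each issuer string must equal the next cert's subject and the top of the
    chain must be a trusted name. No signature is ever checked."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return chain[-1]["subject"] in trusted_roots


def verified_chain_accepts(chain, trusted_roots) -> bool:
    """Browser-style check: name linkage AND each certificate's signature
    verifies under the parent's public key, ending in a trust anchor that
    is compared by key, not just by name."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
        if not verify_signature(parent["public_key"], tbs(child), child["signature"]):
            return False
    root = chain[-1]
    return trusted_roots.get(root["subject"]) == root["public_key"]


# Constructed keys and certificates (hypothetical names, toy primes).
ADOBE_PUB, ADOBE_PRIV = make_keypair(10007, 10009)
FLASH_PUB, _FLASH_PRIV = make_keypair(10061, 10067)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(10037, 10039)

TRUSTED_ROOTS = {"Adobe Systems": ADOBE_PUB}
ADOBE_ROOT = make_cert("Adobe Systems", "Adobe Systems", ADOBE_PUB, ADOBE_PRIV)
# Legitimate leaf: issuer claim matches the key that actually signed it.
LEGIT_LEAF = make_cert("Adobe Flash Plugin", "Adobe Systems", FLASH_PUB, ADOBE_PRIV)
# Forged leaf: claims Adobe as issuer but is signed with the attacker's own key.
FORGED_LEAF = make_cert("Evil App", "Adobe Systems", ATTACKER_PUB, ATTACKER_PRIV)


def demo():
    # Both chains include the genuine Adobe root, as the article describes.
    legit_chain = [LEGIT_LEAF, ADOBE_ROOT]
    forged_chain = [FORGED_LEAF, ADOBE_ROOT]
    return {
        "naive_legit": naive_chain_accepts(legit_chain, TRUSTED_ROOTS),
        "naive_forged": naive_chain_accepts(forged_chain, TRUSTED_ROOTS),
        "verified_legit": verified_chain_accepts(legit_chain, TRUSTED_ROOTS),
        "verified_forged": verified_chain_accepts(forged_chain, TRUSTED_ROOTS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The fix is entirely in `verified_chain_accepts`: one extra call per link that asks whether the parent's key really produced the child's signature. Everything else, including the trust store and the chain the attacker supplies, is identical in both checks, which is why the article frames the bug as a missing verification step rather than a flaw in the certificates themselves.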