Fake ID Flaw Puts Android Users at Risk

Bluebox Security reveals fundamental flaws in how Android validates the identity of app developers. Full details will be given at the upcoming Black Hat event.

At last year's Black Hat USA conference, Jeff Forristal revealed the Master Key vulnerability impacting millions of Android users. For the upcoming Black Hat 2014 event, Forristal is back with another deep flaw within Android, this time a Fake ID vulnerability that could enable attackers to impersonate valid app developers.

Forristal plans on providing full details of the Fake ID flaw, identified as Google bug 13678484, in a session at Black Hat USA 2014, which runs Aug. 4-7 in Las Vegas.

Forristal is CTO of Bluebox Security, a company that focuses on mobile security.

"Bluebox discovered a vulnerability in how Android processes the digital signature identities that are attached to Android apps," Forristal told eWEEK.

Forristal explained that his team found a way to exploit Android that is different from the Master Key vulnerability he exposed in 2013. With Master Key, Bluebox found a family of bugs that allow an attacker to bypass Android's signature verification process. With that bypass, a malicious Android app could potentially run on a user's device.

With the new Fake ID vulnerability, applications are able to fraudulently use the identification of a legitimate app author.

"So an attacker can create malware and use the Fake ID to claim that they are Adobe, for example," Forristal said. "So now when a user installs the attacker's app, Android gives the app special access."

Android is actually hard-coded to give apps from Adobe special permissions, such that Adobe is allowed to be a plug-in for other apps, Forristal explained. In the case of the Fake ID vulnerability, a malicious app can then be enabled to inject malicious code into any other app.

There are other identities beyond just the Adobe one that can potentially be abused by the Fake ID vulnerability. An attacker could, for example, leverage the Google Wallet identity, Forristal said. Google Wallet is a payment system that is integrated with Android and can enable near-field communications (NFC) for transactions.

"Normally Android provides a firewall that does not allow anything other than Google Wallet to manage the credit card operations of the secure NFC element," he said. "By having the Google Wallet identity, our malware can bypass the firewall and talk to the hardware."

From a security model perspective, the ability to validate identities is a well-understood process in the Web browser world. With any standard Web browser, secured sites have Secure Sockets Layer (SSL) certificates that can be validated via a certificate authority (CA). Every Web browser has mechanisms by which SSL certificate authenticity can be checked with the CA, including the use of the Online Certificate Status Protocol (OCSP). Google's Android, however, does not follow the same security verification model that the browser world has used for the past decade.

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.