
    Fake ID Flaw Puts Android Users at Risk

    By Sean Michael Kerner - July 29, 2014

      At last year’s Black Hat USA conference, Jeff Forristal revealed the Master Key vulnerability impacting millions of Android users. For the upcoming Black Hat 2014 event, Forristal is back with another deep flaw within Android, this time a Fake ID vulnerability that could enable attackers to impersonate valid app developers.

      Forristal plans on providing full details of the Fake ID flaw, identified as Google bug 13678484, in a session at Black Hat USA 2014, which runs Aug. 4-7 in Las Vegas.

      Forristal is CTO of Bluebox Security, a company that focuses on mobile security.

      “Bluebox discovered a vulnerability in how Android processes the digital signature identities that are attached to Android apps,” Forristal told eWEEK.

      Forristal explained that his team found a way to exploit Android that is different from the Master Key vulnerability he exposed in 2013. With Master Key, Bluebox found a family of bugs that allow an attacker to bypass Android’s signature verification process. With that bypass, a malicious Android app could potentially run on a user’s device.

      With the new Fake ID vulnerability, applications are able to fraudulently use the identification of a legitimate app author.

      “So an attacker can create malware and use the Fake ID to claim that they are Adobe, for example,” Forristal said. “So now when a user installs the attacker’s app, Android gives the app special access.”

      Android is actually hard-coded to give apps from Adobe special permissions, such that Adobe is allowed to be a plug-in for other apps, Forristal explained. In the case of the Fake ID vulnerability, a malicious app can then be enabled to inject malicious code into any other app.

      There are other identities beyond just the Adobe one that can potentially be abused by the Fake ID vulnerability. An attacker could, for example, leverage the Google Wallet identity, Forristal said. Google Wallet is a payment system that is integrated with Android and can enable near-field communications (NFC) for transactions.

      “Normally Android provides a firewall that does not allow anything other than Google Wallet to manage the credit card operations of the secure NFC element,” he said. “By having the Google Wallet identity, our malware can bypass the firewall and talk to the hardware.”

      From a security model perspective, validating identities is a well-understood process in the Web browser world. With any standard Web browser, secured sites have Secure Sockets Layer (SSL) certificates that can be validated via a certificate authority (CA). Every Web browser has mechanisms by which SSL certificate authenticity can be checked with the CA, including the use of the Online Certificate Status Protocol (OCSP). Google’s Android, however, does not follow the security verification model that the browser world has used for the past decade.

      Forristal explained that in the Fake ID vulnerability, the attacker creates a certificate saying it is issued by Adobe, for example, and Android accepts it. The fake certificate is chained to the legitimate Adobe certificate, though the fake certificate is never in fact issued by Adobe.

      “If you were to cryptographically verify that Adobe issued the certificate, the verification would fail,” he said. “But Android doesn’t do that verification, so the vulnerability is the fact that we can get an arbitrary third-party certificate shoved into our certificate chain and be accepted as valid.”
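
      The check Forristal describes can be modeled in a few lines. The following is an added example, not Android's code or Bluebox's: it uses a toy textbook-RSA signature and constructed certificates ("CN=Vendor", "CN=App", "CN=Plugin" are hypothetical names) to contrast linking a chain by issuer name alone with linking it only when the issuer's key actually verifies the signature.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two primes: (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub_n: int    # subject's public modulus
    sig: int = 0  # signature over tbs(), supposedly made by the issuer

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()

def issue(subject, issuer, pub_n, signer_n, signer_d):
    cert = Cert(subject, issuer, pub_n)
    cert.sig = pow(digest(cert.tbs(), signer_n), signer_d, signer_n)
    return cert

def signed_by(cert, issuer_cert):
    """True only if issuer_cert's public key verifies cert's signature."""
    n = issuer_cert.pub_n
    return pow(cert.sig, E, n) == digest(cert.tbs(), n)

def build_chain(leaf, pool, verify):
    """Walk from leaf toward a self-signed cert. With verify=False the parent
    is picked by issuer name alone, which is the flaw the article describes."""
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject and len(chain) < 8:
        child = chain[-1]
        parent = next((c for c in pool if c.subject == child.issuer
                       and (not verify or signed_by(child, c))), None)
        if parent is None:
            break
        chain.append(parent)
    return chain

# Constructed sample data: two toy keys built from Mersenne primes.
VENDOR_N, VENDOR_D = make_key(2**61 - 1, 2**31 - 1)
OTHER_N, OTHER_D = make_key(2**89 - 1, 2**61 - 1)
vendor = issue("CN=Vendor", "CN=Vendor", VENDOR_N, VENDOR_N, VENDOR_D)
genuine = issue("CN=Plugin", "CN=Vendor", OTHER_N, VENDOR_N, VENDOR_D)
# Names the vendor as issuer, but is signed with an unrelated key.
forged = issue("CN=App", "CN=Vendor", OTHER_N, OTHER_N, OTHER_D)
```

      With `verify=False` the vendor certificate ends up in the forged certificate's chain; with `verify=True` it appears only in the chain of the certificate the vendor key really signed.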

      So why doesn’t Android simply follow the same model as Web browsers? According to Forristal, it’s all about developer convenience. Most Android apps are self-signed and don’t actually use a third-party CA, he said.

      “If Google had the same certificate verification as browsers do, it might have solved this [Fake ID] issue, but it might have prevented the entire Android ecosystem from starting,” Forristal said. “If a developer had to go out and buy a security certificate before they could put their app in the Android marketplace, it would extremely impact the openness and the time-to-market concept of Android.”

      That said, the Fake ID problem can be fixed in other ways. Forristal first reported the Fake ID flaw to Google back in April. That same month, Google produced a patch, and it is in the process of pushing out the fix to its handset partners.

      However, just because Google has a patch doesn’t mean that all Android device manufacturers have made that patch available to users.

      “Of the 40 or so devices we use in our lab environment, the only one we’ve witnessed patched at present is certain Motorola devices,” Forristal said. “It is relatively unknown to us what the current patch status is for those other 6,260-plus Android devices at this time—perhaps more of them are patched.”

      For users, Bluebox has its Bluebox Scanner app, which was originally released in 2013 to help Android users determine if their devices were at risk from the Master Key vulnerability. The Bluebox Scanner app has now been updated to identify the potential risk for the Fake ID vulnerability.

      There is likely one additional mitigating factor for the Fake ID vulnerability: Google’s own scanning of apps in the Google Play store.

      “Google is known to scan apps, but to what extent and how they scan apps are details we don’t have,” Forristal said. “Certainly there are no guarantees that something can’t slip through the Google Play store.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
