The Fake-id bug hits Android

Not fully checking security certificates

A long-standing defect in the Android certificate security system has been uncovered by BlueBox Labs. Google has confirmed a fix has already been applied, but concerns still exist over Android devices which live outside the Google mothership, and therefore won't be updated automatically. A Google spokesperson said "We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users."

Forgot to double-check

Present in Android versions 2.1 to 4.4, the bug originates in the Apache open source web communications code, which Android uses for managing its security certificates. Put simply, the system of "I trust who you trust" - i.e. the chain of trust relationships - has been failing to double-check that those in the chain really are who they say they are. This is important because some apps are granted special privileges - for example, Adobe's Flash Player - and so gain access to areas not usually allowed even with the user's permission. These special apps just wouldn't work otherwise; Flash, for example, needs access to lower-level functions by its very nature. So, if an app could somehow switch the Adobe cert to a fake one but keep its id, Android wouldn't then "phone home" to check the cert is genuine, and would continue to grant it these elevated privileges. It's the "phone home" part which has now been fixed.
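
The difference between matching names along a chain and actually verifying each link, as an added example (a simplified model, not Android's or BlueBox's code). The `Cert` class, the function names, the toy RSA keys and the sample identities are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def make_key(p, q, e=65537):
    # Toy textbook RSA from two known primes: illustration only, not secure.
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple    # (n, e) of the subject's key
    sig: int = 0  # issuer's signature over subject, issuer and pub

def digest(cert, n):
    data = f"{cert.subject}|{cert.issuer}|{cert.pub}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, issuer, signing_key):
    cert = Cert(subject, issuer, (subject_key["n"], subject_key["e"]))
    cert.sig = pow(digest(cert, signing_key["n"]), signing_key["d"], signing_key["n"])
    return cert

def chain_ok_names_only(chain):
    # Flawed: accepts a link when the issuer *name* equals the parent's subject name.
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def chain_ok_verified(chain):
    # Corrected: the parent's public key must also verify the child's signature.
    for c, p in zip(chain, chain[1:]):
        n, e = p.pub
        if c.issuer != p.subject or pow(c.sig, e, n) != digest(c, n):
            return False
    return True

def demo():
    # Constructed sample data (Mersenne primes keep the toy keys short to write).
    vendor = make_key(2**107 - 1, 2**127 - 1)
    app = make_key(2**61 - 1, 2**89 - 1)
    other = make_key(2**521 - 1, 2**607 - 1)
    vendor_cert = issue("Trusted Vendor", vendor, "Trusted Vendor", vendor)
    genuine = [issue("Plugin", app, "Trusted Vendor", vendor), vendor_cert]
    # Claims the vendor as issuer but is signed with an unrelated key.
    claimed = [issue("Lookalike", other, "Trusted Vendor", other), vendor_cert]
    return {name: (chain_ok_names_only(ch), chain_ok_verified(ch))
            for name, ch in (("genuine", genuine), ("claimed", claimed))}

if __name__ == "__main__":
    print(demo())
```

Each result pair is (names-only check, verified check): only the verified check tells the two chains apart.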

No exploits discovered

Google said: “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.” This is a great start, but it does leave the vendors who forked Android, such as many Chinese manufacturers and even Amazon with its Fire OS, on their own when it comes to applying the fix.



As usual, the advice is to Play safe

To keep as safe as possible, the usual advice applies:

  • Update your device to the latest Android version
  • Only download apps from the Play Store
  • Use quality anti-virus software
  • If you side-load apps, ensure their source is trusted