Most readers will know that the Google Android operating system can be vulnerable to hacking that enables malicious apps on devices to access sensitive data. This is not a new development, and some may hope that the upcoming Android L update will introduce new measures against it. However, it's reported that the underlying bug still exists in the developer preview of Android L, and Google has now responded on Android malware and app security.
Bluebox Security says that this high level of susceptibility has been present in Android since 2010, when version 2.1 was released. They refer to this as the Fake ID bug because it enables malicious apps to gain access to data that would usually be off-limits, in the same way that a person carrying a fake ID can use it for fraudulent purposes.
Changes were introduced in Android 4.4 to try to limit some of this kind of damage, but the bug is still unpatched in the early version of Android L. Bluebox Security CTO Jeff Forristal explains that the platform is vulnerable because malicious apps can include invalid certificates and Android doesn't properly verify the certificate chain used to sign an app: it accepts a certificate's claimed issuer without checking that the issuer actually signed it. This means that rogue apps can attain privileges granted to legitimate apps.
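To make the flaw described above concrete, here is an added example (not code from the original article, from Bluebox, or from Android) written in Go with only the standard library. It builds a small trust demo in memory: a real vendor CA, a legitimate app certificate signed by that CA, and a "fake ID" certificate whose Issuer field merely copies the CA's name but is signed with an unrelated key. A name-only issuer match (the flawed behaviour) accepts the fake certificate; a proper chain walk that verifies each signature against the claimed issuer and ends at a trust anchor rejects it. All certificate names, serial numbers and keys are constructed for the demo and are assumptions, not values from the page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal X.509 template; CA templates get the
// CertSign key usage so that CheckSignatureFrom accepts them as issuers.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// makeCert signs template with signer; a nil parent means self-signed.
// The Issuer of the result is copied from parent.Subject, which is exactly
// the field a "fake ID" certificate can forge.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// naiveIssuerMatch models the flawed check: trust a certificate because its
// Issuer name equals a trusted CA's Subject name. Names are attacker-chosen.
func naiveIssuerMatch(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.String() == trusted.Subject.String()
}

// verifyChain walks leaf -> intermediates, checking that each certificate is
// cryptographically signed by the next, and requires the top of the chain to
// be a trust anchor (matched by raw DER bytes) or signed by one.
func verifyChain(chain []*x509.Certificate, anchors []*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("empty chain")
	}
	for i := 0; i < len(chain)-1; i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("cert %d not signed by cert %d: %w", i, i+1, err)
		}
	}
	top := chain[len(chain)-1]
	for _, a := range anchors {
		if bytes.Equal(top.Raw, a.Raw) || top.CheckSignatureFrom(a) == nil {
			return nil
		}
	}
	return errors.New("chain does not end at a trusted anchor")
}

// Demo holds the constructed certificates used by main and by the test.
type Demo struct {
	RealCA, LegitLeaf, FakeCA, FakeLeaf *x509.Certificate
}

// BuildDemo constructs a real CA, a legitimately signed app certificate, and
// a forged pair whose only link to the real CA is a copied issuer name.
func BuildDemo() (*Demo, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	appKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	realCA, err := makeCert(newTemplate("Legit Vendor CA", 1, true), nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	legitLeaf, err := makeCert(newTemplate("legit.app", 2, false), realCA, &appKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// Forged "CA": same Subject name as the real CA, but self-signed with an unrelated key.
	fakeCA, err := makeCert(newTemplate("Legit Vendor CA", 3, true), nil, &attKey.PublicKey, attKey)
	if err != nil {
		return nil, err
	}
	fakeLeaf, err := makeCert(newTemplate("fake.app", 4, false), fakeCA, &attKey.PublicKey, attKey)
	if err != nil {
		return nil, err
	}
	return &Demo{RealCA: realCA, LegitLeaf: legitLeaf, FakeCA: fakeCA, FakeLeaf: fakeLeaf}, nil
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	anchors := []*x509.Certificate{d.RealCA}
	fmt.Println("name-only check accepts fake:", naiveIssuerMatch(d.FakeLeaf, d.RealCA))
	fmt.Println("signature chain, legit app:", verifyChain([]*x509.Certificate{d.LegitLeaf}, anchors))
	fmt.Println("signature chain, fake app: ", verifyChain([]*x509.Certificate{d.FakeLeaf, d.FakeCA}, anchors))
}
```

The design point is that a certificate's Issuer field is just a name the certificate author types in; trust can only come from verifying the signature with the key of the certificate that claims to have issued it, all the way up to an anchor the verifier already holds.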
Forristal said, "All it really takes is for an end user to choose to install this fake app, and it's pretty much game over." Google responded to this issue within the last 24 hours and expressed its appreciation for third-party researchers such as Bluebox reporting the vulnerability.
Google went on to say that, after being notified, it has issued a patch that has been distributed to AOSP and Android partners, and that it has also enhanced Google Play and Verify Apps to protect users. Google also said that all submitted Google Play applications have been scanned, along with apps reviewed by Google outside of Google Play, and stated, "We have seen no evidence of attempted exploitation of this vulnerability."
It's not clear exactly how Google patched the vulnerability, but Bluebox's Forristal said that he plans to reveal more information at the Black Hat security conference next week. It will certainly be interesting to hear further developments about the so-called Fake ID bug and app security over the coming weeks. What are your thoughts on Google's response to this?
Source: Ars Technica