'Fake ID' is an important find, but Google Play and Play Services updates mean many users are already protected

Today security research firm BlueBox — the same company that uncovered the so-called Android "Master Key" vulnerability — has announced the discovery of a bug in the way Android handles the identity certificates used to sign applications. The vulnerability, which BlueBox has dubbed "Fake ID," allows malicious apps to associate themselves with certificates from legitimate apps, thus gaining access to stuff they shouldn't have access to.

Security vulnerabilities like this sound scary, and we've already seen one or two hyperbolic headlines today as this story has broken. Nevertheless, any bug that lets apps do things they're not supposed to is a serious problem. So let's sum up what's going on in a nutshell, what it means for Android security, and whether it's worth worrying about ...

Update: We've updated this article to reflect confirmation from Google that both the Play Store and "verify apps" feature have indeed been updated to address the Fake ID bug. This means the vast majority of active Google Android devices already have some protection from this issue, as discussed later in the article. Google's statement in full can be found at the end of this post.

The problem — Dodgy certificates

'Fake ID' stems from a bug in the Android package installer.

According to BlueBox, the vulnerability stems from an issue in the Android package installer, the part of the OS that handles the installation of apps. The package installer apparently doesn't properly verify the authenticity of digital certificate "chains," allowing a malicious certificate to claim it's been issued by a trusted party. That's a problem because certain digital signatures provide apps privileged access to some device functions. With Android 2.2-4.3, for instance, apps bearing Adobe's signature are given special access to webview content — a requirement for Adobe Flash support that if misused could cause problems. Similarly, spoofing the signature of an app that has privileged access to the hardware used for secure payments over NFC might let a malicious app intercept sensitive financial info.

More worryingly, a malicious certificate could also be used to impersonate certain remote device management software, such as 3LM, which is used by some manufacturers and grants extensive control over a device.
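The chain-verification flaw described above comes down to the difference between checking who a certificate says issued it and checking who actually signed it. The following is an added example, not BlueBox's research code and not anything from Android's package installer; it is written in Go with the standard library's crypto/x509 rather than in Android's Java, and every name (the "Trusted Vendor CA", the app signers) and key in it is constructed for the demonstration. It builds a trusted CA, a genuine leaf signed by that CA, and a forged leaf whose Issuer field is copied from the CA but which is signed with an unrelated key, then runs two checks over each: a name-only comparison of the kind the article faults, and the signature verification a correct installer performs.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainCheck records how one leaf certificate fares under both strategies.
type ChainCheck struct {
	NaiveAccepts  bool // leaf's Issuer name matches the trusted CA's Subject
	StrictAccepts bool // leaf's signature actually verifies under the CA's key
}

// newKey generates a throwaway P-256 key (constructed for the demo).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate template for the given common name.
// A CA template gets the basic constraint and key usage that CheckSignatureFrom
// later insists on.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue creates a certificate from tmpl whose Issuer is parent's Subject and
// whose signature is made with signer. Handing it a signer that does not own
// parent's key is exactly how the forged leaf below is produced.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// naiveCheck mirrors the flawed behaviour the article describes: it trusts the
// Issuer field of the leaf and never verifies the signature over it.
func naiveCheck(leaf, trusted *x509.Certificate) bool {
	return bytes.Equal(leaf.RawIssuer, trusted.RawSubject)
}

// strictCheck verifies the cryptographic link: the leaf's signature must
// verify under the trusted certificate's public key.
func strictCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

// Demo builds the trusted CA, a genuine leaf and a forged leaf, and returns
// the outcome of both checks for each.
func Demo() (genuine, forged ChainCheck) {
	caKey := newKey()
	caTmpl := template("Trusted Vendor CA (constructed)", 1, true)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	// Genuine leaf: Issuer = CA, and the signature really is the CA's.
	appKey := newKey()
	genuineLeaf := issue(template("Legit App Signer (constructed)", 2, false), ca, &appKey.PublicKey, caKey)

	// Forged leaf: Issuer bytes copied from the CA, but signed with the
	// attacker's own key. The bare parent carries only the CA's encoded
	// Subject, so no CA key is involved anywhere in its creation.
	attackerKey := newKey()
	impostorParent := &x509.Certificate{RawSubject: ca.RawSubject}
	forgedLeaf := issue(template("Malicious App Signer (constructed)", 3, false), impostorParent, &attackerKey.PublicKey, attackerKey)

	genuine = ChainCheck{NaiveAccepts: naiveCheck(genuineLeaf, ca), StrictAccepts: strictCheck(genuineLeaf, ca)}
	forged = ChainCheck{NaiveAccepts: naiveCheck(forgedLeaf, ca), StrictAccepts: strictCheck(forgedLeaf, ca)}
	return genuine, forged
}

func main() {
	g, f := Demo()
	fmt.Printf("genuine leaf: name-only=%v signature=%v\n", g.NaiveAccepts, g.StrictAccepts)
	fmt.Printf("forged leaf:  name-only=%v signature=%v\n", f.NaiveAccepts, f.StrictAccepts)
}
```

The forged leaf passes the name-only check and fails the signature check, which is the whole point: an Issuer string is just a claim, and only verifying the signature under the purported issuer's key turns that claim into a fact. `CheckSignatureFrom` also enforces the parent's CA basic constraint and certificate-signing key usage, so a leaf certificate cannot pose as an issuer either.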

As BlueBox researcher Jeff Forristal writes:

"Application signatures play an important role in the Android security model. An application's signature establishes who can update the application, what applications can share it's [sic] data, etc. Certain permissions, used to gate access to functionality, are only usable by applications that have the same signature as the permission creator. More interestingly, very specific signatures are given special privileges in certain cases."

While the Adobe/webview issue doesn't affect Android 4.4 (because the webview is now based on Chromium, which doesn't have the same Adobe hooks), the underlying package installer bug apparently continues to affect some versions of KitKat. In a statement given to Android Central Google said, "After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."

Given that BlueBox says it informed Google in April, it's likely any fix will have been included in Android 4.4.3, and possibly some 4.4.2-based security patches from OEMs. (See this code commit — thanks Anant Shrivastava.) Initial testing with BlueBox's own app shows that the European LG G3, Samsung Galaxy S5 and HTC One M8 are not affected by Fake ID. We've reached out to the major Android OEMs to find out which other devices have been updated.

Google says there's no evidence 'Fake ID' is being exploited in the wild.

As for the specifics of the Fake ID vuln, Forristal says he'll reveal more about it at the Black Hat Conference in Las Vegas on Aug. 2. In its statement, Google said it had scanned all apps in its Play Store, and some hosted in other app stores, and found no evidence that the exploit was being used in the real world.

The solution — Fixing Android bugs with Google Play

Through Play Services, Google can effectively neuter this bug across most of the active Android ecosystem.

Fake ID is a serious security vulnerability that if properly targeted could allow an attacker to do serious damage. And as the underlying bug has only recently been addressed in AOSP, it might appear that the great majority of Android phones are open to attack, and will remain so for the foreseeable future. As we've discussed before, the task of getting the billion or so active Android phones updated is an enormous challenge, and "fragmentation" is a problem that's built into Android's DNA. But Google has a trump card to play when dealing with security issues like this — Google Play Services.

Just as Play Services adds new features and APIs without requiring a firmware update, it can also be used to plug security holes. Some time ago Google added a "verify apps" feature to Google Play Services as a way to scan any apps for malicious content before they're installed. What's more, it's turned on by default. In Android 4.2 and up it lives under Settings > Security; on older versions you'll find it under Google Settings > Verify apps. As Sundar Pichai said at Google I/O 2014, 93 percent of active users are on the latest version of Google Play services. Even our ancient LG Optimus Vu, running Android 4.0.4 Ice Cream Sandwich, has the "verify apps" option from Play Services to stand guard against malware.

Google has confirmed to Android Central that the "verify apps" feature and Google Play have been updated to protect users from this issue. Indeed, app-level security bugs like this are exactly what the "verify apps" feature is designed to deal with. This significantly limits the impact of Fake ID on any device running an up-to-date version of Google Play Services — far from all Android devices being vulnerable, Google's action to address Fake ID via Play Services effectively neutered it before the issue even became public knowledge.

We'll find out more when information on the bug becomes available at Black Hat. But since Google's app verifier and Play Store can catch apps using Fake ID, BlueBox's claim that "all Android users since January 2010" are at risk seems exaggerated. (Though admittedly, users running a device with a non-Google-approved version of Android are left in a stickier situation.)

Letting Play Services act as gatekeeper is a stopgap, but it's a pretty effective one.

Regardless, the fact that Google has been aware of Fake ID since April makes it highly unlikely that any apps using the exploit will make it onto the Play Store in the future. Like most Android security issues, the easiest and most effective way to deal with Fake ID is to be smart about where you get your apps from.

For sure, stopping a vulnerability from being exploited is not the same as eliminating it altogether. In an ideal world Google would be able to push an over-the-air update to every Android device and eliminate the issue forever, just as Apple does. Letting Play Services and the Play Store act as gatekeepers is a stopgap, but given the size and sprawling nature of the Android ecosystem, it's a pretty effective one.

It doesn't make it OK that many manufacturers still take way too long to push out important security updates to devices, particularly lesser-known ones, as issues like this tend to highlight. But it's a lot better than nothing.

It's important to be aware of security issues, especially if you're a tech-savvy Android user — the sort of person regular people turn to for help when something goes wrong with their phone. But it's also a good idea to keep things in perspective, and remember that it's not just the vulnerability that's important, but also the possible attack vector. In the case of the Google-controlled ecosystem, the Play Store and Play Services are two powerful tools with which Google can handle malware.

So stay safe and stay smart. We'll keep you posted with any further information on Fake ID from the major Android OEMs.

Update: A Google spokesperson has provided Android Central with the following statement:

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

Sony has also told us it's working on pushing out the Fake ID fix to its devices.

Reader comments

'Fake ID' and Android security [Updated]

Considering his claim, that he was able to scan all apps in the app store himself to confirm that no one is using this exploit, I'll go out on a limb and say the Google Verify Apps security is able to do the same...

Your speculation could be true, however just another added example of Google/Android security issues. The "if you only download Google Play apps" contention may be spurious and inaccurate.

@alex didn't Google say in the recent I/O that Play Services has been updated to handle security updates just like this and the Heartbleed ones, so it doesn't have to do a 4.x.x update to patch a security hole, which has to go through OEM and carrier testing even though it's just a security fix?

Posted via Android Central App on nexus 7 (2nd gen)

Don't worry, none of us are in danger right? I mean no one checks off the "Allow installs from outside G Play" right?
There's no confirmation for the verify apps thing so, if you're really scared, check off the third party app installs unless it's something like Amazon Store.

Hasn't BlueBox already been exposed about stretching Android scares and, when issuing so-called clarification, burying it so far down that it was hard to notice? As a firm that sells security software, I'm taking their scare stories with a grain of salt.

Posted via Android Central App

Cue flak for Android about how insecure it is and how other platforms are so secure.

Every computer and its operating system will always have bugs and exploits; there's no such thing as a foolproof system.

It's also especially annoying when banks and such claim 100% security for things like online banking and chip and PIN card readers.

Posted via Android Central App

Exactly. While security software advances, so will malware and other forms of viruses and spyware.

Posted via Android Central App

So let me get this straight... some people from some company found out that if someone somewhere wants to harm you or take advantage of you, they can do it? But it hasn't really been done yet... WHAT THE!?!?!?!?

It blows my mind sometimes to what lengths people go to make news... guess what! Somebody somewhere could somehow get your keys to your car, take your car to a gas station and put diesel fuel instead of gasoline AND TOTALLY RUIN YOUR CAR!!!!!!! I should report this to the news sites... not because it's happened to me or anyone I know, but it's a possibility...

It reminds me of a story on the actual news a few months ago about how thieves and predators can target people that use those family cartoon stickers that people put on the back of their cars. So the reporter was just trying to discourage people from using those stupid little stickers on their back window... nobody before or since then has been arrested due to violence or cruelty where family drawing stickers made the victim more of a risk than anyone else... but hey, it filled a 4 minute spot on the news, so it must be important.

Okay, I'm off my soapbox now...

I agree that it's just more fearmongering if it is not exploitable. It is not something the general public needs to know because messages will be misinterpreted.

It falls upon media to convey it properly and give this "issue" as much attention as it deserves (or not), I thought Alex did a rather nice job of it. The general public doesn't read AC anyway, but I for one am glad this kinda info is out there anyway.

A big part of open source software is dissemination of info and peer review of code, this kinda process ultimately makes the OS better; if the security firm wants to make mountains outta molehills that's another story.

I agree Alex wrote it very well and informatively. This article was not fearmongering. But I worry about other reporters.

I have heard about this "peer review" thing before. In my opinion, it just doesn't hold water. It is a deflection and absconds responsibility for a fragmented and insecure OS. Open source makes things LESS secure NOT more secure, in my opinion

I just mean who are these "peers"? Do they create blog sites that we can comment on? Or are they more substantial and unbiased? I got a feeling the peers are biased to be open source at all cost. For instance for their livelihood.

An example of one of the peers that review and assist in security for android is the NSA.

They have no vested interest in open source software.

Posted via Android Central App

They don't need to; they can get anything they want. It's not the NSA I care about, it is nefarious "peers" that could ruin my own person OR just disrupt my everyday life.

The NSA do assist, that's the point. Anyone can review the code, but not anyone can add to the code base. They can suggest additions to Google but they can't randomly add their own code.

Posted via Android Central App

So, what other peers do you care about?

You appear to have asked a question to which you do not want an answer.

Posted via Android Central App

OK, if the NSA is the only peer then I've been informed, but if there are others then you can surmise that some of them may not be on the up and up. I don't know any, do you? Who knows, maybe nobody knows the peers Google listens to. They are a powerful entity in this world and nonchalant is not a prudent method of having your life handled by a corporation in any way. I want a secure phone and when I get a chance I think I will head to BlackBerry.

I used the NSA as an example of an entity with no vested interest in open source software. Another obvious example of a peer Google have listened to is BlueBox.

The problem is you don't seem to understand what "peer review" means, or how open source software works.

If I as an individual, or a corporation, or a hacking group, email Google and say "yo, I noticed this bug. Add these lines of code to fix it." Google don't just say "oh, OK." and add the code.

What they MAY do is check out the bug themselves and if it exists, fix it.

Posted via Android Central App

"I just mean who are these "peers"?" Thousands of IT professionals as well as government entities from numerous countries. And of course enthusiasts.

"Do they create blog sites that we can comment on?" Yes.

"Or are they more substantial and unbiased?" Some do it because they use the code themselves, some do it for a bounty, some do it because it is fun.

"I got a feeling the peers are biased to be open source at all cost. For instance for their livelihood." I've got a feeling you simply don't understand how it works. The more eyes that examine something, the quicker bugs can be found and patched. I can not help you with that.

With this latest problem with Google Android and reading today's ZDNet article about it, it seems you MUST buy an Android phone with the latest version (in this case anything 4.4 and higher) or you will have exploits. Fragmentation is an issue whether Android lovers want to admit it or not, especially when the consumer can't depend on updates. My Androids are at 4.1ish. I want to buy phones every 5 years, so Androids make me insecure most of the time.

5 years? Really? You're officially trollololing there. So right now you'd wish you could be using a super duper iPhone 3G or something like a Blackberry Curve (8900), I'm sure they'd represent the pinnacle of security right now.

Way to conveniently ignore every point you'd made about open source in order to jump into this new ridiculous argument btw. Never mind that you don't even need the latest Android version to be protected against this so-called exploit.

Seriously man, at least put some effort into it.

I am sincerely concerned. I have an HTC Evo and it is part of this, so calling me a troll is just not true. HTC and Sprint will not patch this. Read the article. Fake ID IS a problem and it isn't covered prior to 4.4. I believe what the ZDNet article says more than an Android site and fanboys like yourself. I probably will go to BlackBerry.

What part of Google scanning for the vulnerability from their end didn't you understand? An app that can exploit it couldn't even make it to your phone in the first place unless you're installing shady non-store apps. Troll on.

All platforms have bugs and vulnerabilities. Android, iOS, Mac, Windows... None of them are special.

Posted via Android Central App

I was listing OS's that are currently relevant.

But yes, BlackBerry too.

And webOS and Symbian.

Posted via Android Central App

Being able to exploit RSA keys would affect BlackBerry as well.

You should Google exactly what those are, how they are used, and just how difficult that portion of this particular exploit would be. This is why this has never happened.

The same thing has been said about Microsoft Windows over the years. But it's all just hyperbole. If I may make a suggestion, please educate yourself on operating systems and security a bit before engaging in a debate about it. Because there's a lot more to it than the statements you've made here so far.

@ John Grabb

Freudian slip? Sounds like you're admitting you don't know anything about OS security. :O Either way, it's not me who needs to prove anything. With all due respect, you're the one making ignorant comments about it. Anyway, I should've known better than to engage trollish behavior. My bad.

You're entitled to your opinion, the facts don't seem to bear it out tho.

The peers I alluded to are thousands upon thousands of developers who will willingly explore the source code tho, anything from security firms with their own agendas, to small independent developers, to large companies like Samsung. How do you think something like Knox gets incorporated into the main trunk just like that? It'd be many times harder for them to develop and eventually share/contribute something like that otherwise...

There's many examples large and small of the open source model working out and making things more secure in the long run, things like Heartbleed get discovered largely because something like the OpenSSL code is open source and there's many more eyes on it than when it belongs to a single entity. Exploits are gonna be revealed either way, but open source code sorta levels the playing field.

Oh and no, when I said peers I was certainly not alluding to random bloggers, unless said bloggers also spend a lot of time coding on the side.

Pretty much how all security disclosures happen (in public) anyway in enterprise IT.
1. Exploit details
2. Scenario
3. Risk(s)
4. General public informed.

I think we will have to burden our phones with antivirus in the future. Antivirus = phone lag??

Posted via HTC ONE M8 Gunmetal Gray

So essentially, we were potentially exposed to a vulnerability which no one ever took advantage of. Now, the ability to exploit what was never exploited in the first place was made impossible.
WGAS file

Posted via Android Central App