Android app signing flaw underscores patch paralysis

Image credit: flickr/Tsahi Levent-Levi

OEMs drag their feet in distributing Google's patch.

The news last week about a serious security hole that affects almost every Android mobile device in circulation became more dire this week, after a security researcher published a proof-of-concept program to exploit the vulnerability. Even more troubling are revelations that the vast majority of Android customers are blocked from using a software fix for the flaw that Google released more than three months ago.

Some background: last week, Jeff Forristal, the Chief Technology Officer at Bluebox Security, posted a description of the flaw on that company’s blog. Long and short: there are discrepancies between how Android applications are cryptographically signed and how the operating system verifies those signatures. Those flaws allow a malicious attacker to modify the application package file (or APK) and install it on an Android device without changing the cryptographic signature of that application. In short: attackers could modify a legitimate Android application to their liking without Android detecting those changes. Forristal disclosed the problem to Google in February and went public with details of it ahead of a talk he’s scheduled to give at the Black Hat Briefings hacker conference in Las Vegas at the end of this month. It affects almost every version of the Android operating system in use, going back four years. Forristal warned that a malicious application installed on a vulnerable Android device could access any data stored on the device, including e-mail, SMS messages, documents and stored account information. The only limit, he said, would be the application’s permissions on the device.

That news was followed, this week, by the appearance of a simple proof-of-concept tool to exploit the vulnerability. Pau Oliva Fora, a security researcher for the firm Via Forensics, wrote some simple code that leverages APKTool, a common, open source tool for reverse engineering Android applications, to decompile a legitimate Android application and then recompile it, creating an altered, “malicious” APK that carries the same cryptographic signature as the original file. Fortunately, Google patched the problem in March, soon after learning of it. Problem solved, right? Wrong. As we’ve all learned, Google issuing a patch for Android isn’t the beginning of the end for security flaws. Nor is it (as Churchill famously quipped) even the “end of the beginning.” Instead, patches from Google must follow a tortuous path from OS vendor to original equipment maker (OEM) – the folks who make the phones and tablets that run Android – and, often, to the telecommunications firms that sell those devices to consumers. That journey can take weeks, months or even years to complete. In some cases, patches released by Google will never make it to handset owners because Google’s downstream partners refuse to distribute them. That’s the case with owners of the HTC One S Android phone – a device that was first released to market way back in 2012 – practically the Dark Ages by mobile industry standards.
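The flaw described above is a disagreement between what is signed and what is installed. As an added illustration (not code from the article, from Bluebox or from Via Forensics), the check below walks every physical entry of an APK-style zip, not every name, and compares it with the SHA1 digests in META-INF/MANIFEST.MF, reporting entries the manifest does not cover, digest mismatches, and names that appear more than once, so no two components could read different contents under one name. It deliberately does not verify the CERT.SF/CERT.RSA signature block itself, and `build_apk` is a constructed toy fixture with hypothetical file names.

```python
import base64
import hashlib
import io
import zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest from a JAR-style MANIFEST.MF (joins wrapped lines)."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[13:]
            name = None
    return digests

def check_apk(apk_bytes):
    """Compare every zip entry (each copy, not each name) with the manifest; [] means consistent."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    infos = zf.infolist()
    names = [i.filename for i in infos]
    # A name present twice is ambiguous: a verifier and an installer could pick different copies.
    findings = [f"duplicate entry name: {n}" for n in sorted(set(names)) if names.count(n) > 1]
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    for info in infos:
        if info.filename.startswith("META-INF/") or info.filename.endswith("/"):
            continue
        actual = sha1_b64(zf.open(info).read())  # open by ZipInfo so each copy is read individually
        expected = manifest.get(info.filename)
        if expected is None:
            findings.append(f"not covered by manifest: {info.filename}")
        elif expected != actual:
            findings.append(f"digest mismatch: {info.filename}")
    return findings

def build_apk(entries, extra=None):
    """Constructed toy package: a manifest covering `entries`, then an optional uncovered extra."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\n".join(lines))
        for name, data in entries.items():
            zf.writestr(name, data)
        if extra:  # (name, bytes) appended without a manifest line; may repeat an existing name
            zf.writestr(extra[0], extra[1])
    return buf.getvalue()
```

A clean package yields an empty list; a second entry reusing an existing name is reported both as a duplicate and, once its bytes are hashed, as a digest mismatch.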

As Graham Cluley noted this week, HTC notified customers that the device will “not receive further Android OS updates,” but “will remain on the current version of Android and HTC Sense.” Oliva Fora, the Via Forensics researcher who wrote the proof-of-concept exploit, said he knew of two OEMs that have patched the hole “in some devices.” Namely: Samsung, which issued a patch for its Galaxy S4, and HTC, which issued an update for the One device. It’s safe to assume that many Android device users haven’t yet seen, and may never see, the patch for the APK signing flaw.

Google maintains that it hasn’t seen any efforts to exploit the hole on Google Play yet. However, that could change now that a proof-of-concept exploit is public. Beyond that, Oliva Fora said that, in his testing, Google’s “Verify Apps” security feature wasn’t effective in protecting devices from malicious files that exploit the vulnerability. The issue of Android “fragmentation” is well documented. Just this week, Google published data showing that “Gingerbread” (Version 2.3), a three-year-old Android distribution, is still running on 34% of devices in circulation, just behind “Jelly Bean” (Versions 4.1 and 4.2). Until recently, Gingerbread was the most common Android distribution in use, despite known security flaws. And Jelly Bean still only accounts for around 38% of Android devices. A strong majority of devices in use – around 60% – are one or more operating system releases behind.

It’s not clear what, if anything, Google intends to do about this. Speaking at a forum in Boston this week, Android co-founder Rich Miner downplayed the fragmentation issue, saying that it was an “overblown” concern. Most consumers, he argued, don’t know or care what version of the OS they’re running. On the issue of security, Miner pointed to Google’s fix of the APK flaw as “evidence that the tech giant has become more nimble in working with Android handset makers,” according to one report. While that may be true, the truth of Android’s fragmented and vulnerable ecosystem is hard to ignore and dangerous to downplay.

True, the APK vulnerability may not be the security hole that gets everyone talking about Android malware and attacks. But if it isn’t, history suggests that another security hole is waiting in the wings that will be.
