Android hack found
July 25, 2013 6:26 AM

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

Reportedly this vulnerability exists in all Android versions beginning with 1.6.
posted by Chocolate Pickle (55 comments total) 12 users marked this as a favorite
 
But… it's Open!

Seriously though this is seriously concerning overall. It's pretty well established that if there is one collective group unlikely to do ANYTHING AT ALL about this, it's the carriers who would have to push through a software update for each and every individual handset model.
posted by DoctorFedora at 6:30 AM on July 25, 2013 [2 favorites]


The "master key" exploit patch has been incorporated into Android 4.3, just released. For older phones you will indeed be depending on carriers.
posted by DreamerFi at 6:32 AM on July 25, 2013 [1 favorite]


If you want a secure system, buy an IBM zSeries and unplug it from the network. Also, hire experts to watch your admins' every move, and hire other experts to watch them, and hope they all don't conspire against you anyway. Also, put them in a windowless lead-lined room to defeat Van Eck devices and laser mics that can record keytaps and replicate what was typed.

Otherwise, open or closed, you're going to be exposed to risk in the form of software vulnerabilities. The issue is how many you're facing, and how quickly they're remediated. Android doesn't have that bad of a record in that regard.
posted by Slap*Happy at 6:36 AM on July 25, 2013 [8 favorites]


Some more info here (including some info about the exploit being found in a couple apps in the official Play Store). Still, the best advice would be to only install from official, trusted sources and - like any OS - keep your phone's software up to date.

Bluebox may or may not be a legit source but that page - and the updates posted at the bottom of it - are just squeeze pages asking for your email address.
posted by jeffmik at 6:39 AM on July 25, 2013 [1 favorite]


Millions of these phones and tablets will never be updated because carriers and handset makers have -0- financial interest in OS upgrades; they want you to buy a new phone.

So... all of these Android devices will sit out there on the network doing god knows what.
posted by seanmpuckett at 6:40 AM on July 25, 2013 [2 favorites]


Another description that also details additional vulnerabilities.
posted by cloax at 6:43 AM on July 25, 2013


It sounds like patches have been going out for this over the past few days. So the doom and gloom about "Android carriers will never update their phones!" seems to be mostly hype to me. From what Gina Scigliano at Google says in the article I just linked, it sounds like Samsung has already pushed out their patch, for example.
posted by koeselitz at 6:44 AM on July 25, 2013 [4 favorites]


Google should sneak install the patch with one of its android apps, which they keep pestering you about until it auto-installs anyway. PLAY MUSIC DRIVE PRISM IS UPGRADING AGAIN?! THANKS CHAMP!
posted by Foci for Analysis at 6:46 AM on July 25, 2013 [2 favorites]


(Not that carriers will allow users to update to 4.3; but in this case, it sounds like they don't need to. Which is pretty much standard practice, I think. If there are exploits, it's better to patch the OS versions that are out there than to force carriers / individuals to update completely.)
posted by koeselitz at 6:46 AM on July 25, 2013


Some more info here (including some info about the exploit being found in a couple apps in the official Play Store).
Not in the Play Store, not according to the second sentence of the article you linked:
The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec.
posted by edheil at 6:51 AM on July 25, 2013


Whoa, the fact that anything at all is being done is way better than I'd been expecting. Score one for fewer botnets!
posted by DoctorFedora at 6:51 AM on July 25, 2013


Here's a better article on patches. Apparently the Play store was patched back in February. Also, some people can breathe easily; every Galaxy S4 and HTC One running something later than 4.2.2 has already been patched. And it sounds like more are probably coming. If anything, I think this announcement was aimed precisely at convincing carriers and manufacturers to push out the patch that Google's already provided to them.
posted by koeselitz at 6:54 AM on July 25, 2013


The lack of a Nexus device on CDMA/LTE really sucks. I pretty much had to settle for a Samsung Galaxy S4 (which do tend to get patched pretty quick) but I'd love to not depend on carriers to patch and just get whatever nightly build Google wants to push out without rooting a phone.

I almost almost said screw it and went with a GSM carrier but having to micromanage data usage to avoid overages sucks too bad and my daughter loves watching netflix in the car.

God help you if you are on an old android phone.
posted by vuron at 6:54 AM on July 25, 2013


I'd love to see stats on how many users are using third-party app stores that haven't implemented the (apparently trivial) key reuse check. I suspect it varies wildly by country, but also suspect that there are extremely few people here in the U.S., just based on what I've seen.
posted by introp at 7:05 AM on July 25, 2013


Score one for fewer botnets!

Botnets of phones. The internet is now an even weirder place.

If anything, I think this announcement was aimed precisely at convincing carriers and manufacturers...

Seems like it was more about advertising a talk at BlackHat, plus publicity for the company in general.
posted by kiltedtaco at 7:09 AM on July 25, 2013 [1 favorite]


I get all my apps from Hax0rZ!!!Mart. They're safe, right?
posted by kmz at 7:09 AM on July 25, 2013


The lack of a Nexus device on CDMA/LTE really sucks.

Huh? Nexus devices have been on LTE since the Nexus S.
posted by zombieflanders at 7:13 AM on July 25, 2013


I'm curious whether there's any design criticism of the android developers who created this exposure. It seems obvious to me that any signature should also math-correspond to an .apk (app file) checksum which gets checked each time the code loads. Am I overly simplistic about this?
posted by surplus at 7:15 AM on July 25, 2013 [1 favorite]


It's ok, if your phone gets bricked, just give the NSA a call, they've got a full backup of everything you've ever done.
posted by blue_beetle at 7:20 AM on July 25, 2013


zombieflanders: " Huh? Nexus devices have been on LTE since the Nexus S."

The Nexus S 4G supported WiMax, not LTE. But yeah, the Galaxy Nexus does LTE.
posted by tonycpsu at 7:21 AM on July 25, 2013 [1 favorite]


Also, Verizon supports a "developer edition" of the Galaxy S4 - it runs bog standard Android, and lets you manage your own system.
posted by Slap*Happy at 7:32 AM on July 25, 2013


IPHONE 4EVA

seriously surprised no one else has said this yet
posted by rabbitrabbit at 7:38 AM on July 25, 2013 [6 favorites]


The Nexus 4 doesn't support LTE (not officially, anyway).
posted by dirigibleman at 7:39 AM on July 25, 2013


I can't really tell on my phone if anybody has posted this yet, but saurik (of cydia fame) has a very detailed technical writeup of the vulnerability.
posted by destrius at 7:42 AM on July 25, 2013 [2 favorites]


This is why I always boil my phone in water for 20 minutes after each app update.
posted by KevinSkomsvold at 7:42 AM on July 25, 2013 [17 favorites]


I have a deep and abiding suspicion of security stories, based on many years' experience of the security industry - in particular the Symantecs and McAfees. Who are desperate to get the same sort of market presence in mobile devices as they have in Windows, for obvious reasons - and are as adept at FUD as IBM was at its FUDdiest.

So, in this story: a massive, near-universal security flaw in Android has... resulted in two non-Play applications in China reported by Symantec. I don't know how many people on this thread have experienced at first or second hand any mobile malware - I've never met anyone outside the anti-malware companies who has - nor how many have experienced Windows malware - I've never met anyone who hasn't. And as for bad experiences of Windows anti-malware software...

The thing about the major mobile OSs is that they are managed ecosystems, which Windows never was. There will be failures of individual components in the overall security model, but unless there is a concatenation of issues the chances are very good that if you follow the rules (use official firmware, download from official app stores, don't root) you will be far, far safer on your mobile than on your desktop. The further you stray from the path of righteousness, the larger the risk to you - but I'm comfortable with that being a personal choice, albeit one with possible repercussions for others.

There will always be risks in programmable networked systems, and the user bears some responsibility, as do the platform owners, app developers and journalists. By and large, those responsibilities have been well handled - witness the many hundreds of millions of devices out there with no real record of malware. I wish the security industry took its responsibilities more seriously; of all the parties involved, I think it is the one that misinforms most consistently.
posted by Devonian at 7:45 AM on July 25, 2013 [8 favorites]


From destrius's link, the key comment that explains the premise of the exploit:
The zip format doesn't structurally guarantee uniqueness of names in file entries. If the APK signature verification chooses the first matching file entry for a given name, and unpacking chooses the last then you're screwed in the way described.
That's actually kind of hilarious.
posted by kiltedtaco at 8:01 AM on July 25, 2013 [2 favorites]
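The first-match versus last-match mismatch quoted above, as an added example that is not from the thread, from saurik's writeup or from any Android code: Python's zipfile module stands in for the two Android components, the archive and its entry names (classes.dex, META-INF/MANIFEST.MF) are constructed in memory, and the last function is the duplicate-name check a store or installer would run before trusting the signature.

```python
import io
import warnings
import zipfile

# Constructed sample: the same name appears twice in the central directory.
SAMPLE_ENTRIES = [
    ("classes.dex", b"ORIGINAL SIGNED CODE"),
    ("META-INF/MANIFEST.MF", b"Name: classes.dex\n"),
    ("classes.dex", b"REPLACED CODE"),
]


def build_zip(entries) -> bytes:
    """Write (name, payload) pairs in order. The zip format itself does not
    reject a repeated name, so both entries land in the central directory."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns about the duplicate name; it still writes it.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


def read_first_match(data: bytes, name: str) -> bytes:
    """Mimics a verifier that resolves a name to the FIRST matching entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = next(i for i in zf.infolist() if i.filename == name)
        return zf.read(info)


def read_last_match(data: bytes, name: str) -> bytes:
    """Mimics an extractor that resolves a name to the LAST matching entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        info = [i for i in zf.infolist() if i.filename == name][-1]
        return zf.read(info)


def duplicate_entry_names(data: bytes) -> list:
    """Defensive check: every name that occurs more than once in the central
    directory, in first-seen order. A non-empty result means the signature
    cannot be trusted to describe what will actually be extracted."""
    seen = set()
    dupes = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename in seen and info.filename not in dupes:
                dupes.append(info.filename)
            seen.add(info.filename)
    return dupes


if __name__ == "__main__":
    data = build_zip(SAMPLE_ENTRIES)
    print("verifier sees :", read_first_match(data, "classes.dex"))
    print("extractor sees:", read_last_match(data, "classes.dex"))
    print("duplicate names:", duplicate_entry_names(data))
```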


IPHONE 4EVA

seriously surprised no one else has said this yet


Okay, I'll say it. Speaking as an iPhone developer I have zero (0) worries about crap like this because a) the closed ecosystem means that any program that wanted to exploit it would have to make it through the gatekeepers at the Apple Store, and b) the highly inconvenient yet highly effective sandbox model severely limits the damage a rogue app can cause.

In short I've traded liberty for security and I'm feeling pretty smug about it.

Also unlike the MacOS platform which is low on viruses primarily because there are so few Macs out there compared to PCs, the iPhone is a viable target and hackers have been trying to attack it for years now with little success.

The iPhone -- Smug developers make for smug users. (TM)
posted by Tell Me No Lies at 8:32 AM on July 25, 2013 [5 favorites]


This was also discussed in some detail on the excellent Risky Business podcast "Planet Android safe from flaming pwncomet".

Expect more of these stories over the next two weeks as Blackhat/Defcon happen.
posted by These Premises Are Alarmed at 8:35 AM on July 25, 2013


The iPhone -- Smug developers make for smug users. (TM)

Which is funny, because last week Apple's developer website was hacked.
posted by Pogo_Fuzzybutt at 8:38 AM on July 25, 2013 [9 favorites]


In short I've traded liberty for security and I'm feeling pretty smug about it.

So, checked your developer portal lately?
posted by kmz at 8:39 AM on July 25, 2013 [3 favorites]


Only you can prevent platform wars. Only you.
posted by seanmpuckett at 8:48 AM on July 25, 2013 [8 favorites]


I'd rather deal with the developer portal getting hacked than millions of users devices. Just sayin'.
posted by frijole at 9:00 AM on July 25, 2013 [5 favorites]


If I understand this exploit correctly, taking advantage of it requires a user to install an APK from a malicious or compromised third party, not the Google Store. This requires the user to specifically accept "unknown sources" and the OS provides a warning against this when the switch is made. It's not like just visiting a website will get the phone pwned. Hopefully as many people as possible get the fix, but I don't see it as a reason to flee Android to the overpriced and over-controlling iPhones (the new iOS seems to have finally copied the better usability aspects from the jailbreaking community and Android, but the keyboard remains immutable crap).
posted by exogenous at 9:26 AM on July 25, 2013 [1 favorite]


@exogenous: what's an abstract warning about "unknown sources" when there's the promise of OMG FREE ANGRY BIRDS?!?

Sadly, I fear that a lot of Android users don't care about the security of their devices and just want to play some free games now and then, by any means necessary.
posted by sbutler at 9:44 AM on July 25, 2013


Otherwise, open or closed, you're going to be exposed to risk in the form of software vulnerabilities.

While it seems there is a patch, wouldn't one way to protect yourself be only downloading apps that you trust? Or can you spoof a publisher on Google's app store?
posted by KokuRyu at 9:45 AM on July 25, 2013


No worries from the official, major app stores. They can easily scan their inventory for apps that may be exploiting this vulnerability and pull them.
posted by sbutler at 9:52 AM on July 25, 2013


Which is funny, because last week Apple's developer website was hacked.

I prefer it when people hack the CIA website. It's a much better example of how defacing a company sign can expose the deep and persistent security flaws throughout an organization.
posted by Tell Me No Lies at 9:58 AM on July 25, 2013


I'd rather deal with the developer portal getting hacked than millions of users devices.

Which millions of users' devices were hacked?
posted by juiceCake at 10:13 AM on July 25, 2013


juiceCake: “Which millions of users' devices were hacked?”

None of them.
posted by koeselitz at 10:57 AM on July 25, 2013 [2 favorites]


NQ Mobile’s 2012 Security Report is based on insights from NQ Mobile’s Security Lab, a team of over 250 mobile security professionals, scientists and developers around the world who proactively monitor the mobile landscape for new malware threats and mobile hacking methods. The report is also based on data collected from NQ Mobile proprietary tools and services...

2012 Overview

In 2012, the Android OS continued to be the number one target for mobile malware. Overall, the number of malware attacks more than doubled from 2011 to 2012...

• 94.8% of malware discovered in 2012 was designed to attack Android devices vs. only 4% targeting Symbian

• More than 32.8 million Android devices were infected in 2012 vs. 10.8 million in 2011 according to NQ Mobile estimates – an increase of over 200 percent

• 25.5% of infected mobile devices were in China, followed by India (19.4%), Russia (17.9%), the United States (9.8%) and Saudi Arabia (9.6%)

• 65% of malware discovered in 2012 falls into the broader category of Potentially Unwanted Programs (or PUPs). PUPs include root exploits, spyware, pervasive adware and Trojans (surveillance hacks)

• 28% of mobile malware discovered in 2012 was designed to collect and profit from a user’s personal data

...

What are the real risks to smartphone users?

• Android Fragmentation

Two years after its introduction, more than 39% of Android users are still using Gingerbread. As a result, these mobile consumers are lacking many of the major security updates provided by Ice Cream Sandwich and Jelly Bean.

• App Sideloading

More and more Android users can now download and install mobile apps outside of Google Play.
This means that more users than ever are able to visit and download apps from third party marketplaces, where the majority of malicious apps are being hosted.

posted by Blazecock Pileon at 11:26 AM on July 25, 2013 [1 favorite]


Great report, mostly user error and bad sources. Get a Nexus device and don't download from bad sources and you're fine. I'll take Android over iOS any day because I can get things from outside Google Play and do so on a regular basis. App side loading is a massively great feature.
posted by juiceCake at 12:09 PM on July 25, 2013 [1 favorite]


App side loading means that I can cook up a very niche app on a lazy Sunday and make it available to people on very niche web forums with zero friction.

I am sorry for my iPhone only friends who still have to calculate drug concentrations by hand.

Off topic: The way the nexus 4 glass goes all the way to the edges and then gently curves downwards makes it possible to mix powders and liquids directly on the screen. Then one can scoop them up with a squeegee. I am working on something that draws circles on the screen. Drip glycerine here until you fill up this circle, then add one drop of oil number 6.
posted by Doroteo Arango II at 2:10 PM on July 25, 2013 [2 favorites]


Well, it's one report from a company that makes its money selling Android security products. I spent a little while trying to see if any of its headline reports were backed up with independent figures, or testable methodologies, or user problems reported in numbers that matched the claims - and didn't do so well.

Not that I'm saying the report is biased or false or self-serving, just that there's no way to tell.
posted by Devonian at 2:14 PM on July 25, 2013


backed up with independent figures

Two figures are verifiable with data from Google:

Two years after its introduction, more than 39% of Android users are still using Gingerbread. As a result, these mobile consumers are lacking many of the major security updates provided by Ice Cream Sandwich and Jelly Bean.

Three years later, that number is now 34.1%, with 5% using even older versions, and significant fragmentation remaining across the board.

Sideloaded apps run by regular users are apparently now a problem for Google, which appears to have chosen to start addressing this security issue by forcing experienced developers to jailbreak the Glass device.
posted by Blazecock Pileon at 2:28 PM on July 25, 2013


Tell Me No Lies: "Also unlike the MacOS platform which is low on viruses primarily because there are so few Macs out there compared to PCs, the iPhone is a viable target and hackers have been trying to attack it for years now with little success."

Not to derail this, but there are more than enough Macs in the wild by now to be a lucrative target for malware authors. MacOS is a fundamentally more secure operating system than Windows is.

The presence of one huge bug (like this) also doesn't necessarily mean that Android is an inherently insecure OS (although many will undoubtedly take this opportunity to say so). AFAIK, Android was doing sandboxing long before iOS was. The Play Store (which 99% of Android users use as their only source of apps) also has an approval process – it should be possible (albeit a pain in the ass) for Google to weed out any apps that exploit this vulnerability.
posted by schmod at 2:44 PM on July 25, 2013 [1 favorite]


Well, yes, fragmentation is a thing. I've got Gingerbread, ICS and Jellybean devices here (although I don't use all of them all the time). Question is, how is that reflected in actual malware?

Certainly can't tell from that report, as it doesn't give any useful breakdowns by platform. Its major thrust seems to be OMG DROID MALWARE, which - as I noted in my first posting in this thread - is typical of anti-malware vendor reports. Are 'malicious URLs' and phishing, two classes of 'malware' it calls out, particularly more successful on Gingerbread than, say, 4.3? (I'd think both would be applicable to iOS too, btw - if you can get your target to go to a fake website and enter data, it's not really a function of the OS, although subclasses of both approaches might be. But I can see that such things would usefully bulk up the figures for the underlying argument of the report.)

What the report isn't, is a source of data on which one can reach much by way of conclusions beyond the observation that they'd like you to buy their software.
posted by Devonian at 4:05 PM on July 25, 2013 [1 favorite]


AFAIK, Android was doing sandboxing long before iOS was.

Android's sandboxing is a very different thing than Apple's. Apps are allowed to set their own security model and share resources all over the place. Basically Apps are sandboxed by default but you're free to open them as wide as you like. That is impossible for apps under iOS, which are really strictly tied down.

The Play Store (which 99% of Android users use as their only source of apps)

I'm curious about that stat. I've heard everything from 75% to 99%. Is there any way to really find out?
posted by Tell Me No Lies at 4:17 PM on July 25, 2013


Fuller regards bottom end Huawei candy bar dumbphone fondly.

OTOH I have always admitted that I would get some kind of handheld smart device someday. But since they're basically not repairable (by me) the price has to reach the point where they're disposable. Oh oops, I bricked it (tosses it).

And we're actually getting there. $99 at Walmart for a full Android tablet, however crummy, and I expect to see $79.95 during Christmas season. "Disposable" for me means $39.95, and honestly it's looking like that's only a couple of years away.
posted by jfuller at 6:04 PM on July 25, 2013


What are the real risks to smartphone users?

Charging it.
posted by MikeKD at 7:44 PM on July 25, 2013


Assuming I'm a complete luddite with phones, how does one go about updating one's phone if the pushed updates from the provider fail?
posted by dejah420 at 8:57 PM on July 25, 2013


If you have root access (which it sounds like you don't - you would probably know) you can use this.

I'm not sure there is a solution otherwise but if you and anyone else who might use your phone are careful not to install apps from strange places you should be safe. Or you could root the phone - on the phones I've had it's not been difficult.
posted by exogenous at 6:34 AM on July 26, 2013


Saurik wrote up a new Android Bug Superior to Master Key
posted by exogenous at 9:49 AM on July 26, 2013 [1 favorite]


Similar method could be used on iOS.
posted by juiceCake at 8:37 PM on August 19, 2013

