Android sig vuln exploit SEEN IN THE WILD

A GitHub user has demonstrated that the Android APK vulnerability isn't a trivial matter, posting “quick and dirty” proof-of-concept exploit code on GitHub. The demo, here, occupies just 32 lines of shell script – it doesn't actually plant malware into the target code, it merely allows an app to masquerade under another app's …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Ouch, not another Android problem?

    No doubt the deniers will be out in force.

    1. Anonymous Coward
      Anonymous Coward

      The reality is, Android is actually far more secure than iOS, it has proper app sandboxing, fine grained security permissions and digital signing. None of which iOS has.

      Guess what, if you jailbreak an iPhone and go shopping on a dodgy web store, you are vulnerable to the EXACT same problems...

      1. Shakes
        Thumb Down

        The reality is, Android is actually far more secure than iOS, it has proper app sandboxing, fine grained security permissions and digital signing. None of which iOS has.

        Sigh. I don't know why I even bother with this, but I would advise anyone actually interested in iOS security mechanisms (which include sandboxing, ASLR, NX, code signing, yadayada) to read this rather informative document:

        http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf

        1. sabroni Silver badge
          Thumb Down

          Downvoted!

          That'll learn you to post a sensible and informative response....

          1. It'sa Mea... Mario
            Thumb Down

            Re: Downvoted! - Downvoted!

            That'll teach you to not say 'that'll learn you'

      2. Anonymous Coward
        Anonymous Coward

        "Android is actually far more secure than iOS"

        Erm, but Android is based on Linux, which has a weaker security model and more vulnerabilities than any other commonly used OS. iOS is at least based on FreeBSD, which has somewhat better security....

        The best mobile security model at the moment is Windows Phone (completely uncracked) followed by Blackberry 10 (1 x critical vulnerability)

        1. asdf
          Trollface

          yep

          >The best mobile security model at the moment is Windows Phone (completely uncracked)

          Yep, even the blackhats have never seen a Windows Phone or know anybody with one. The only reason to crack a Windows Phone would be to punish Microsoft and Nokia employees, who are the only ones with the devices.

          1. asdf
            Windows

            Re: yep

            >The best mobile security model at the moment is Windows Phone (completely uncracked)

            Notice how the Windows folks brag about their security when their market share is tiny. Isn't that why they say things like OpenBSD having far fewer critical CVEs than the beloved Windows is because of tiny market share?

      3. Confuciousmobil
        FAIL

        What?

        You are kidding, aren't you?

        Do tell me that you do actually read even a little bit about security and do know what utter claptrap you have written?

    2. Anonymous Coward
      Anonymous Coward

      "No doubt the deniers will be out in force."

      Incompetence knows not race, nation, colour, creed, language, OS nor development platform.

      1. Anonymous Coward
        Anonymous Coward

        "No doubt the deniers will be out in force."

        We'll be in a tight spot in that case!

  2. TeeCee Gold badge

    Oops!

    ....its availability depends on whether the OEM has shipped the new code through carriers to end users.

    And this is where the whole Android model dies like the dog it is. Chances of this critical fix making it as an official release to any device that went into production more than 12 or so months ago? I'll have a fiver on "bugger all" please.

    1. Reda
      Facepalm

      Re: Oops!

      'And this is where the whole Android model dies like the dog it is. Chances of this critical fix making it as an official release to any device that went into production more than 12 or so months ago? I'll have a fiver on "bugger all" please.'

      Whereas the chances of ever knowing what is critical / fixed / broken / serious with anything from Apple are about as high as them issuing a press release saying: Sorry, guys, time to admit we do software and hardware crap sometimes just like every other profiteering, mug-exploiting, worker-exploiting company; only we rely on buyers who aren't generally the best endowed in the savvy stakes to be able to get away with it and, yes, sometimes we don't even reckon it's worth our time to acknowledge, let alone fix our problems. Hey, just buy a new one and, you know, maybe it will be better. Trust us.

      That'll be tomorrow, then?

      1. sabroni Silver badge
        Thumb Up

        @Reda

        What a badly constructed and ill thought out rant. The issue is that older Androids do not get updates. It's nothing to do with how stupid Apple customers are or whether Apple publish full lists of vulnerabilities and fixes. Apple do have issues with security. But they don't have problems pushing updates to devices. So bringing them into the argument only emphasises the fact that Android's update infrastructure is crap.

        Well done!

        1. Ru

          Re: @Reda

          Android's update infrastructure is crap.

          Is it that the infrastructure is crap, or is it that the policies regarding updates are crap?

          It is basically left to the discretion of device manufacturers (and potentially network operators) to integrate, test and push updates to end users. The ability of those people and their willingness to do so varies dramatically. Google don't twist any arms, certainly.

          1. Steve Evans

            Re: @Reda

            Manufacturers' customisations are a pain in the butt.

            Network customisations are even worse!

            I gave up with network customised phones many years ago. I was using Nokias at the time. The UK networks never updated their custom firmware. Eventually I unlocked, reflashed the model number to generic Euro and got back on Nokia's direct update train which turned the Orange supplied N95 dog into a very useful smartphone. I still use it as my backup (3 days+ battery life is good for things like that!).

            After Nokia completely lost the plot I jumped to Android. They're all unlocked. The instant HTC failed to pass on an update for my old Desire Z it was unlocked, rooted and jumped to Cyanogenmod which had the security update rolled into its build within a week.

            These days it's Nexus devices all the way.

            It's swings and roundabouts. If you want a phone which you have no control over, and you can endure the shortcomings, then you can buy an iPhone and you'll be pretty much safe (just don't plug in that USB cable, eh?).

            If you want more choices than you can shake a stick at, then go Android, but you'll probably want to install a good AV app.

            Want to have the latest updates first? Get a Nexus, or a vanilla version S4 etc.

            Oh, almost forgot, want a novelty phone with squares all over the screen, go windows.

  3. Anonymous Coward
    Anonymous Coward

    Android, lol

    I feel bad for the people who are unfortunate to have to buy a budget phone and made the mistake of choosing android over blackberry.

    Once you're stuck in the android ghetto you constantly have to fear your data leaking all over the Internet but I do believe that's a design choice given the is was developed by the commercial arm of the NSA.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android, lol

      Oh just give on this NSA bolocks , it really getting fucking tedious.

      You're posting on an open forum FFS so your comment has probably already been gobbled up, regardless of what platform you are running.

      1. Anonymous Coward
        Anonymous Coward

        Re: Android, lol

        Yeah, by posting on a forum you obviously give full access to the entire contents of your phone!

      2. Anonymous Coward
        Anonymous Coward

        Re: Oh just give on this NSA bolocks , it really getting fucking tedious.

        Yeah, you'd love us to stop thinking about that "NSA bolocks" wouldn't you. (Funny how merkin intelligence agents can't spell bollocks properly....)

    2. Craigness
      FAIL

      Re: Android, lol

      You have to choose to give an app access to your data and access to the internet. On the other side, Google did not choose for the NSA to syphon all the data going to it and other major internet destinations.

    3. Anonymous Coward
      FAIL

      Re: Android, lol

      I see what you did there, you pretended all Android phones were entry level.

      Ironically, Apple has a far worse track record for "data leaking all over the Internet". For years, any app could simply upload your call log, address book and location history without needing any special permission, and many apps took advantage of this, including Facebook.

      I seem to dimly recall this Blackberry thing you mention, are they still around?

    4. Reda
      WTF?

      Re: Android, lol

      "Once you're stuck in the android ghetto you constantly have to fear your data leaking all over the Internet but I do believe that's a design choice given the is [sic] was developed by the commercial arm of the NSA"

      That'll be the same NSA to which Apple is a signed-up data feeder?

      1. dogged
        Stop

        Re: Android, lol

        That'll be the same NSA to which Apple is a signed-up data feeder?

        s/Apple/Everyone/ sadly.

    5. Anonymous Coward
      Anonymous Coward

      Re: Android, lol

      "I feel bad for the people who are unfortunate to have to buy a budget phone and made the mistake of choosing android over blackberry."

      No one buys Blackberry anymore. The budget choice if you want it to actually work is now Nokia / Windows phone.

    6. Chika
      Trollface

      Re: Android, lol

      The commercial arm of the NSA? You mean Microsoft were in on it after all? ;)

  4. SiempreTuna

    OEMs?

    ....its availability depends on whether the OEM has shipped the new code through carriers to end users

    Err .. I have a Nexus - so my updates come direct from Google - and according to the information on the phone, it hasn't been updated since January. What happened to this update in March?

    1. This post has been deleted by its author

    2. Craigness

      Re: OEMs?

      The Play Store has been patched. If you choose to side-load something from an untrusted source and grant it permission to send SMS to premium rate numbers then Android will warn you, but not stop you. The vulnerability is useless to criminals - they can defraud you in much better ways.

      1. sabroni Silver badge
        Meh

        Re: How quickly the argument changes...

        ..from "our OS is super secure" to "that vulnerability is useless".....

        1. Paul Shirley

          Re: How quickly the argument changes...

          Far from useless, it looks very like the way I've been hacking otherwise untouchable bloat out of apps for the last couple of years without the hassle of resigning them...

          Will be an unfortunate loss when patched.

          1. sabroni Silver badge

            Re: otherwise untouchable bloat

            Do you mean the ad server code that generates a small amount of revenue for the developer of the app? If so my heart bleeds for you....

            1. Paul Shirley

              Re: otherwise untouchable bloat

              No, I mean fun like stripping 15Mb of foreign language dictionaries out of the keyboard apk and still having a working keyboard. Probably with a broken signature (not checked) but working. 15Mb I'd rather waste on games ;)

              Anyway, had a look at the purported bug fix and it looks like Google (for a change) haven't overreacted and outlawed all zip file manipulation.

              But it's a serious bug, trivially simple, trivially simple to exploit. Also however trivially simple to detect exploits and it looks like that detection could be added without a full OS update. Just don't wait for Google to get off their lazy arses and actually do it.

              ...although modifying the actual dex chunk does have its appeal. Just tends to be easier to find a less abusive app than recompile one.

        2. Craigness
          WTF?

          Re: How quickly the argument changes...

          @Sabroni

          No, the claim "our OS is super secure" is not attributed to Android. However, every story about Android malware is BS and plays on the fact that you can install malware if you really want to, and grant it permission to send premium rate SMS if you really want to. Some people fall for it, but plenty of Commentards point out that the reported vulnerabilities are massively overstated. Do not make the mistake of thinking they are claiming it's super secure.

          Yes, the vulnerability is useless.

      2. Anonymous Coward
        Anonymous Coward

        Re: OEMs?

        >The Play Store has been patched. If you choose to side-load something from an untrusted source

        Not really - Play only uses http for the actual apk download.......so it's quite simple to install side-load if you control dns or poison the (web) cache....like when someone chooses to use the 'free public wifi' some kid or other is supplying from a Euston Square coffee shop etc ..... previously with Play, installation would have failed so it didn't matter, but no more.

        .... a lot of money involved for telcos if they supplied the phone and still provide it with network service....but I suspect they'll just give away new handsets rather than playing catch-up patch-up.....consumer outrage will be non-existent to short-lived either way.

  5. mark l 2 Silver badge

    Although the vulnerability is serious it is only going to affect people who use 3rd party app stores or side load them, who even if this vulnerability hadn't been found are still at risk of getting malware if they are dodgy. So even if your phone doesn't get patched it shouldn't be a big deal if you only install apps from the Google Play store.

    Not sure what the big alternative to the Google Play store, the Amazon app store, is doing about this but I expect they will release a patch soon.

    1. sabroni Silver badge

      So effectively...

      ..you're saying that Apple's walled garden approach is the only way to be secure?

      1. Intractable Potsherd

        Re: So effectively...

        "..you're saying that Apple's walled garden approach is the only way to be secure?"

        No, sabroni - the only way to be secure is not to use any mobile phone at all. Slightly less secure is not to use smartphones at all. A bit further down the list is to use a smartphone but don't download any apps from anywhere. Just a little way down is to use a reliable store, regardless of supplier. Perhaps twice that last distance is to use an unauthorised app store. Even then, you are barely 5mm down a 10cm scale of "risk".

    2. Dan 55 Silver badge

      The store shouldn't matter in that sense. If you download the same app from two different app stores and assuming there's no store-specific code in it (e.g. DLC), the apk will have the same code and the same signature. It's the OS which enforces the signature check. All the app stores can do is not serve malware in the first place, signed or unsigned.

      The fact that the install setting is all-or-nothing is the problem (as with app permissions too, incidentally). It should a) enforce the signature check on all apks and b) enforce the origin check on all apks. All legitimate app stores should be taken as acceptable origins. How do we know what's an acceptable app store? Google should serve it up on Google Play, much as it may pain them. That way the user has no need to touch the 'Install everything' setting.

      Google Play is not a guarantee of no malware. Remember that advertising networks have been known to change app code, and that's precisely because there's a borked code sign check. This kind of thing should have shown up in testing. One has to wonder why Google aren't taking security seriously. I hope it's not to 'fix' the problem by enforcing Google Play only.

      1. Paul Shirley

        What's this 'install everything' setting?

        Anyway, the problem here is not lack of signature checks, the device signature check itself is broken. It's easy to spot tampered-with apps but you're now more reliant on trusting the distribution chain to actually do it.

        1. Dan 55 Silver badge

          "Unknown Sources - Allow installation of non-market applications."

  6. Lee D Silver badge

    What worries me is not that an exploit exists, but one so simple.

    As far as I can tell from the code, all it does is extract the APK with apktool, let you modify files that were inside, then zip it back up again (using a python zip library, so nothing fancy) into an "evil apk".

    It seems, then, that all the cryptographic verification or integrity of an APK has absolutely no relevance to its actual contents whatsoever. Which kind of makes you wonder why you'd bother to sign anything in the first place.

    That's just worthless. And no wonder it takes a firmware update to fix - you've actually got to put in the damn checking you were supposed to have in the first place. It's not a question of finding some clever flaw in the signing or installation process - it's just literally changing the executable you run but keeping it called the same thing and having the same signing details stuck inside it.

    1. sabroni Silver badge
      WTF?

      Wow.

      If you're correct, and I have no reason to doubt you, that is truly pathetic. Paying lip service to security while allowing any old bollocks to claim to be a signed app. Giving the illusion of security is worse than no security.

  7. BleedinObvious

    Reputable app stores ++

    Google Play, Amazon, et al can scan their stores with updated verification.

    The flaw is in the phone's cert verification, but Google Play, Amazon etc can update their server-side verification to detect any dodgy packages.

    From what I understand of this particular exploit, it's detectable now that it's understood.

    Cyanogenmod users will be happy to know it looks like they're busily releasing new CM7 thru CM10's.
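Several posters above (Paul Shirley on how trivially the tampering can be detected without a full OS update, Lee D on the PoC simply re-zipping modified files under the original signing details, and BleedinObvious on stores adding server-side verification) point at the same defensive idea: a store or a pre-install scanner can spot a repackaged APK before the broken on-device check ever sees it. The following is an added example, written for this page and not taken from the thread, the article or the GitHub PoC it discusses. It assumes (the thread never spells the mechanism out) that the tampering works by placing two ZIP entries with the same name in one archive, one matching the signed manifest and one carrying replaced content, so that a name-keyed verifier and the code loader can end up reading different bytes. The two archives, the stand-in `classes.dex` payloads and the one-line manifest are all constructed in memory for the demo and are not real apps; the function names are the author's own.

```python
"""Store-side / pre-install check for a repackaged APK (added example).

Assumption (not stated in the thread): the tampering relies on a ZIP archive
carrying two entries with the same name, one matching the signed manifest and
one carrying replaced content, so that a name-keyed verifier and the code
loader can end up looking at different bytes.  The archives below are
constructed in memory for the demo; they are not real apps.
"""
import hashlib
import io
import warnings
import zipfile
from collections import Counter

ORIGINAL_DEX = b"dex\n035\x00ORIGINAL-APP-CODE"   # constructed stand-in for classes.dex
REPLACED_DEX = b"dex\n035\x00REPLACED-APP-CODE"   # constructed stand-in for swapped code


def build_sample_apks():
    """Return (clean_zip_bytes, tampered_zip_bytes), both constructed here."""
    # Minimal stand-in for the signed META-INF/MANIFEST.MF: one digest per entry.
    manifest = "classes.dex: " + hashlib.sha256(ORIGINAL_DEX).hexdigest() + "\n"

    clean = io.BytesIO()
    with zipfile.ZipFile(clean, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("classes.dex", ORIGINAL_DEX)

    tampered = io.BytesIO()
    with zipfile.ZipFile(tampered, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        with warnings.catch_warnings():
            # zipfile warns about a duplicate name but still writes the entry
            warnings.simplefilter("ignore")
            zf.writestr("classes.dex", REPLACED_DEX)   # second payload under the same name
            zf.writestr("classes.dex", ORIGINAL_DEX)   # the copy the manifest digest matches
    return clean.getvalue(), tampered.getvalue()


def parse_manifest(text):
    """Parse 'name: hexdigest' lines into a dict."""
    digests = {}
    for line in text.splitlines():
        if ": " in line:
            name, digest = line.rsplit(": ", 1)
            digests[name] = digest
    return digests


def verify_by_name(apk_bytes):
    """Naive digest check: look each manifest entry up by name and hash what comes back.
    With duplicate names this sees only one of the copies (zipfile keeps the last)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        return all(hashlib.sha256(zf.read(name)).hexdigest() == digest
                   for name, digest in digests.items())


def find_duplicate_entries(apk_bytes):
    """Names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def entry_payloads(apk_bytes, name):
    """Every payload stored under `name`, read entry by entry rather than by name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def check_package(apk_bytes):
    """Policy a store or an on-device scanner could apply without touching the OS's
    signature code: refuse any archive with duplicate names, then run the digest check."""
    duplicates = find_duplicate_entries(apk_bytes)
    if duplicates:
        return "REJECT", duplicates
    return ("OK" if verify_by_name(apk_bytes) else "REJECT"), []


if __name__ == "__main__":
    clean, tampered = build_sample_apks()
    print("clean:   ", check_package(clean))
    print("tampered:", check_package(tampered))
    print("name-keyed check on tampered passes:", verify_by_name(tampered))
    print("payloads under classes.dex:", entry_payloads(tampered, "classes.dex"))
```

The point of keeping `verify_by_name` in the demo is that it passes on the tampered archive: looking entries up by name hides the second payload, which is exactly why the duplicate-name scan has to run over the whole central directory first. Which copy a real extractor uses depends on the implementation, so the only safe store-side policy is to reject any archive that carries duplicates at all.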

  8. h3

    I hope they update the Xoom GED 4.1.2.
